TL;DR: If the remote server allows Restricted Admin login, it is possible to login via RDP by passing the hash using the native Windows RDP client
mstsc.exe. (You'll need mimikatz or something else to inject the hash into the process)
On engagements it is usually only a matter of time to get your hands on NTLM hashes.
These can usually be directly used to authenticate against other services / machines and enable lateral movement.
Powershell / PSExec, SMB and WMI are usual targets to pass the hash to, but it is also possible to use it to establish a RDP session on a remote host.
Searching the Internet on how to do this unfortunately always leads to using xfreerdp, but I wasn't able to find anything on the Internet regarding how to do this directly using the provided RDP client
mstsc.exe, so I had to find out on my own.
How does it work?
Interestingly, it was quite easy to find out, so here is how to do it with
mimikatz (you'll need local admin):
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:"mstsc.exe /restrictedadmin"
This will open a new RDP window. If it still shows the user you are currently logged on with, just ignore it - everything will just work ;-)
Enter the domain name / IP of the target server and if the target server allows Restricted Admin Mode, you will be logged in, otherwise the server will tell you that you are not allowed to log in.
Why does it work?
RDP Restricted Admin Mode builds upon Kerberos. Taking a look at the network traffic, one can see that the RDP client requests a ticket on behalf of the impersonated user which is no problem since the hash is all we need to authenticate against Kerberos.
Restricted Admin Mode is disabled, what can I do?
A registry key controls if a server accepts Restricted Admin sessions. If you have the NTLM hash of a user that has privileges to set registry keys, you can use for example Powershell to enable it and log in via RDP afterwards:
mimikatz.exe "sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:powershell.exe"
A new Powershell window will pop up:
Enter-PSSession -Computer <Target> New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
Now, your RDP should work fine.