RDPThief by itself is a standalone DLL that when injected in the mstsc.exe process, will perform API hooking, extract the clear-text credentials and save them to a file.
An aggressor script accompanies it, which is responsible for managing the state, monitoring for new processes and injecting the shellcode in mstsc.exe. The DLL has been converted to shellcode using the sRDI project (https://github.com/monoxgas/sRDI). When enabled, RdpThief will get the process list every 5 seconds, search for mstsc.exe, and inject to it.
When the aggressor script is loaded on Cobalt Strike, three new commands will be available:
- rdpthief_enable – Enables the hearbeat check of new mstsc.exe processes and inject into them.
- rdpthief_disable – Disables the hearbeat check of new mstsc.exe but will not unload the already loaded DLL.
- rdpthief_dump – Prints the extracted credentials if any.
Also Read – SCShell : Fileless Lateral Movement Tool That Relies On ChangeServiceConfigA To Run Command
Screenshot
![](data:image/svg+xml;charset=utf-8,<svg height="400px" width="1000px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
Demo Video
Recent Posts
SpyAI : Intelligent Malware With Advanced Capabilities
SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…
Proxmark3 : The Ultimate Tool For RFID Security And Analysis
The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…
Awesome Solana Security : Enhancing Program Development
The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…
IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow
The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…
AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities
AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…
Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation
Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…