After a recent engagement, I was asked to put together a short demo to explain how easy it is/was to steal a disconnected RDP session once local administrator privileges have been obtained.
In this demo video you can see that access to a file server has been obtained as local administrator and that there is a disconnected session of the ecorp.local domain admin user test_user.
Using the local administrator account on the file server, we create a scheduled task which runs using the session of test_user and executes an action to add a new domain admin account called PWNED to the ecorp.local domain.
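From the defender's side, the task creation in the demo leaves a Security log event 4698 ("A scheduled task was created") whose creating account differs from the account the task runs as. The following parser and check are an added example, not part of the original post; the event XML is constructed, and the host/domain names in it are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Windows Security event 4698, not a real capture. The creating account (Subject)
# is the file server's local Administrator, while the task's Principal is a domain user with
# LogonType InteractiveToken, i.e. the task attaches to that user's existing logon session.
SAMPLE_4698 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>FILESRV01.ecorp.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">FILESRV01</Data>
    <Data Name="TaskName">\\Updater</Data>
    <Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Principals&gt;&lt;Principal id="Author"&gt;&lt;UserId&gt;ECORP\\test_user&lt;/UserId&gt;&lt;LogonType&gt;InteractiveToken&lt;/LogonType&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>"""


def parse_4698(event_xml: str) -> dict:
    """Pull creator, task name and the embedded task principal out of one 4698 event."""
    root = ET.fromstring(event_xml)
    # Event XML is namespaced; {*} matches any namespace (Python 3.8+).
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//{*}Data")}
    # TaskContent is the task definition XML, escaped inside the event; drop any XML
    # declaration (real events carry encoding="UTF-16") before re-parsing it.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    principal = ET.fromstring(task_xml).find(".//{*}Principal") if task_xml else None
    return {
        "computer": root.findtext(".//{*}Computer", default=""),
        "creator": f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}',
        "task_name": data.get("TaskName", ""),
        "run_as": principal.findtext("{*}UserId", default="") if principal is not None else "",
        "logon_type": principal.findtext("{*}LogonType", default="") if principal is not None else "",
    }


def review_task_creation(event_xml: str) -> dict:
    """Add findings: a task whose run-as account differs from its creator deserves review,
    and one that reuses that account's interactive session matches the pattern in the demo."""
    ev = parse_4698(event_xml)
    creator = ev["creator"].rsplit("\\", 1)[-1].lower()
    run_as = ev["run_as"].rsplit("\\", 1)[-1].lower()
    findings = []
    if run_as and run_as != creator:
        findings.append("run-as account differs from creating account")
        if ev["logon_type"] == "InteractiveToken":
            findings.append("task attaches to the run-as account's existing interactive session")
    ev["findings"] = findings
    return ev
```

Feed it the XML view of 4698 events exported from the Security log; a local account creating a task that runs under a domain account's interactive token is exactly the combination shown in the video.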
Hopefully this little video illustrates the dangers both of local administrator privileges and of not logging out of RDP sessions. These issues are as old as time, yet they are still prevalent in most networks and allow for a quick win when pentesting.