Tag Archives: RDP Shadow

About RDP shadowing, a lesser-known feature included in both desktop and server Windows operating systems.

A while ago I was searching for a way to observe the activity of potential hackers accessing a vulnerable server (one with a simple admin password) to see what kind of tools and tactics they would use. As the server was exposed to the internet via the RDP protocol (TCP 3389), I needed a way to view inside the RDP session, and if possible without being seen by those who got into the server.

So using VNC or something similar was not an option, as it is not possible (or at least difficult, and probably not as covert as this case required) to monitor an RDP session with such tools; they only show the “console” session.

After a bit of research I found out that the option I had seen many times in Windows Defender Firewall with Advanced Security, the rule called Remote Desktop – Shadow (TCP-In), can be used in such cases. I had never explored what this feature meant or how it worked until I went looking for a solution for my observation mission. 🙂

After a bit of DuckDuckGoing I found an excellent blog post on this feature, written by colleague Arris Huijgen, who explains the option in detail, so I invite you to take a look at his post Spying on users using Remote Desktop Shadowing – Living off the Land. I have also created a quick video showing how it works, so you can get a better idea and decide either to prohibit it absolutely in your environment (but hey, you can only do that if you know it exists, right? 🙂) or to use it while understanding the potential risks it may bring.
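To help with that decision, here is an added audit script (my own example, not from the post above nor from Arris Huijgen's article) that shows, from the defender's side, the three things that determine whether shadowing can be used on a host: the Group Policy value that allows or forbids remote control of RDP sessions (the Shadow DWORD under the Terminal Services policy key), the state of the Remote Desktop – Shadow (TCP-In) firewall rule mentioned above, and recent shadow events in the Remote Desktop event log. The event IDs 20503/20504 are assumed to be the "shadow view session started/stopped" events and should be confirmed on your own build; the hardening line at the end is commented out so that running the script only reports.

```powershell
# Added audit script (not part of the original post): reports whether RDP shadowing
# is allowed by policy on this host, whether the shadow firewall rule is enabled,
# and whether any shadow sessions were logged in the last week. Run elevated.

# 1. Policy value. The "Shadow" DWORD under the Terminal Services policy key is what
#    the GPO "Set rules for remote control of Remote Desktop Services user sessions" writes:
#    0 = disabled, 1 = full control with user consent, 2 = full control without consent,
#    3 = view with user consent, 4 = view without consent. Absent = policy not configured.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$shadowMeaning = @{
    0 = 'Remote control disabled'
    1 = 'Full control, user consent required'
    2 = 'Full control, no consent (silent)'
    3 = 'View only, user consent required'
    4 = 'View only, no consent (silent)'
}
$shadow = (Get-ItemProperty -Path $policyKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
if ($null -eq $shadow) {
    Write-Output 'Shadow policy: not configured (Windows default applies)'
} else {
    Write-Output ("Shadow policy: {0} ({1})" -f $shadow, $shadowMeaning[[int]$shadow])
    if ($shadow -in 2, 4) { Write-Warning 'Silent shadowing (no consent prompt) is allowed by policy.' }
}

# 2. The inbound firewall rule the post mentions. If it is enabled, the viewer side of a
#    shadow session can reach this host; a disabled rule is a cheap first control.
$rule = Get-NetFirewallRule -DisplayName 'Remote Desktop - Shadow (TCP-In)' -ErrorAction SilentlyContinue
if ($rule) {
    $rule | Select-Object DisplayName, Enabled, Profile, Action
} else {
    Write-Output 'Shadow firewall rule not present on this edition.'
}

# 3. Recent shadow activity. Event IDs 20503/20504 (assumed: shadow view session started/stopped)
#    in the RemoteConnectionManager operational log; confirm the IDs on your build before alerting on them.
$log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 20503, 20504; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 4. Hardening, only if you decided to prohibit shadowing: set the policy value to 0.
#    Uncomment to apply (a domain GPO will overwrite a local value on the next refresh).
# Set-ItemProperty -Path $policyKey -Name Shadow -Value 0 -Type DWord
```

The script is deliberately read-only by default. If the policy reports 2 or 4, a session can be viewed or controlled without the logged-on user seeing a prompt, which is exactly the property that makes the feature useful for observation and risky if an attacker with admin rights turns it on; forwarding the events from step 3 to your SIEM gives you a record either way.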