Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
ETW - Authentication - Source host | Page | Source host of a remote access. Main events: Event ID 4648: "A logon was attempted using explicit credentials". Event ID 4624: "An account was successfully logged on", with LogonType 9. | Channel: Security. Events: 4648, 4624 (LogonType 9). |
ETW - PowerShell remoting - Source host | Page | Source host initiating a PowerShell remoting / WinRM access. Main events: Channel: Microsoft-Windows-Windows Remote Management/Operational. Event ID 6: "Creating WSMan Session. The connection string is: <REMOTE_HOST>/wsman?PSVersion=XXX". | Channel: Microsoft-Windows-Windows Remote Management/Operational. Events: 2, 4, 6, 8, 12, 15, 16, 30, 31, 33, 80, 162, 166. |
ETW - Remote Desktop - Source host | Page | Source host initiating a Remote Desktop access. Main events: Channel: Microsoft-WindowsTerminalServicesRDPClient/Operational. Event ID 1024: "RDP ClientActiveX is trying to connect to the server (<HOSTNAME>)". Event ID 1102: "The client has initiated a multi-transport connection to the server <IP>". Event ID 1029: "Base64(SHA256(UserName)) is = <HASH>". | Channel: Microsoft-WindowsTerminalServicesRDPClient/Operational. Events: 1024, 1029, 1102. |
RDP - Processes | Page | The following processes are related to RDP activity: - mstsc.exe: Windows built-in RDP client. The remote host may be (but is not necessarily) specified using the command-line parameter "/v:". - rdpclip.exe: RDP Clipboard Monitor, executed on the remote host every time a remote interactive RDP session is successfully established. - TSTheme.exe: TSTheme Server Module, starting with Windows 7, executed on the remote host every time a remote interactive RDP session is successfully established and upon session closure. | |
RDP Bitmap Cache | Page | The RDP Bitmap Cache contains partial image captures, in the bitmap format, of the remote host screen from Remote Desktop sessions. This feature is implemented to reduce the amount of data sent by the server. Information of interest: small bitmap images, with a width of 64 pixels and a height of up to 64 pixels, that represent pieces of the content displayed in past Remote Desktop sessions of the user. Thousands of tiles may be available in a given user's RDP Bitmap Cache folder. | "bcache*.bmc" and "cache????.bin" files under the "Terminal Server Client\Cache" directory. Windows XP / Windows Server 2003: <SYSTEMDRIVE>:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*. Windows 7 and later: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Terminal Server Client\Cache\* |
Registry - Map Network Drive MRU | Page | The Map Network Drive MRU registry key references the recently used network shares. Information of interest: UNC path of the network shares (such as "<IP \| HOSTNAME>\<SHARE_NAME>"). Values are ordered in a most recently used list. The timestamp of access of the most recently accessed share can thus be deduced from the last write timestamp of the registry key. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU |
Registry - MountPoints2 | Page | The MountPoints2 registry key references the currently or previously mapped drives (such as the system drive, USB devices, or network shares) mounted by the associated user. Information of interest: each drive is represented by a subkey, which is named as either the volume GUID, a drive letter, or, for network shares, "##<IP \| HOSTNAME>#<SHARE_NAME>". | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 |
Registry - Terminal Server Client\Servers | Page | The Terminal Server Client\Servers registry key tracks the remote hosts the associated user connected to using the built-in mstsc.exe Remote Desktop client. Information of interest: IP address of the remote host and, where present, the saved username associated with the remote host. The last write timestamp may be an indicator of the first access to the remote host. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\<IP> |
WMI - Processes | Page | The following processes are related to WMI activity: - wmic.exe: client command-line utility to interact with WMI (locally or on a remote computer). The PowerShell Invoke-WmiMethod cmdlet can be used as an alternative to wmic. - WmiPrvSE.exe: WMI Provider Host program that is executed to run WMI commands. If a program is executed through WMI, it will be spawned as a child of a wmiprvse.exe process. | |