Automatically generated based on tag:
| Title | Type | Summary | Location |
|---|---|---|---|
| ETW - Remote Desktop - Source host | Page | Source host initiating a Remote Desktop access. Main events: Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational. Event ID 1024: "RDP ClientActiveX is trying to connect to the server (<HOSTNAME>)". Event ID 1102: "The client has initiated a multi-transport connection to the server <IP>". Event ID 1029: "Base64(SHA256(UserName)) is = <HASH>". | Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational. Events: 1024, 1029, 1102. |
| Jumplists | Page | Introduced in Windows 7, Jumplists are linked to a taskbar user-experience feature that allows users to "jump" to files, folders or other elements by right-clicking on open applications in the Windows taskbar. Information of interest: target file absolute path, size, attributes, and Modified, Access, and Birth timestamps (updated whenever the file is "jumped" to). Remote desktop connections made using the Windows built-in mstsc.exe client will generate an entry in the AutomaticDestinations JumpList that may reference the remote host. | AutomaticDestinations: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<APP_ID>.automaticDestinations-ms. CustomDestinations: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<APP_ID>.customDestinations-ms |
| RDP - Processes | Page | The following processes are related to RDP activity: mstsc.exe: Windows built-in RDP client; the remote host may (but not necessarily) be specified using the command-line parameter "/v:". rdpclip.exe: RDP Clipboard Monitor, executed on the remote host every time a remote interactive RDP session is successfully established. TSTheme.exe: TSTheme Server Module, starting with Windows 7, executed on the remote host every time a remote interactive RDP session is successfully established and upon session closure. | |
| RDP Bitmap Cache | Page | The RDP Bitmap Cache contains partial image captures, in bitmap format, of the remote host screen from Remote Desktop sessions. This feature is implemented to reduce the amount of data sent by the server. Information of interest: small bitmap images, with a width of 64 pixels and a height of up to 64 pixels, that represent pieces of the content displayed in past Remote Desktop sessions of the user. Thousands of tiles may be available in a given user's RDP Bitmap Cache folder. | "bcache*.bmc" and "cache????.bin" files under the "Terminal Server Client\Cache" directory. Windows XP / Windows Server 2003: <SYSTEMDRIVE>:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*. Windows 7 and later: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Terminal Server Client\Cache\* |
| Registry - Terminal Server Client\Servers | Page | The Terminal Server Client\Servers registry key tracks the remote hosts the associated user connected to using the built-in mstsc.exe Remote Desktop client. Information of interest: IP address of the remote host and any saved username associated with the remote host. The last write timestamp of the key may be an indicator of the first access to the remote host. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\<IP> |