Query Details

RDP Trace Removal Detection

Query

By analyzing login sequences, screen tile caches, clipboard data, and session memory, analysts can now reconstruct full attacker activity during Remote Desktop sessions—even if the adversary tries to cover their tracks. 
The following KQL query identifies attempts to remove that evidence, for example a ransomware operator clearing the Terminal Server Client registry keys through a script, by matching on the command line recorded in DeviceProcessEvents for the executed command.

```kql
DeviceProcessEvents
| where ProcessCommandLine has_all ("delete", "\\Software\\Microsoft\\Terminal Server Client\\Default")
    or ProcessCommandLine has_all ("delete", "\\Software\\Microsoft\\Terminal Server Client\\Servers")
    or ProcessCommandLine has_all ("add", "\\Software\\Microsoft\\Terminal Server Client\\Servers")
| project Timestamp, DeviceName, DeviceId, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, ReportId
```

Explanation

This KQL query is designed to detect potential ransomware activity by monitoring for specific commands that attempt to delete or modify evidence of Remote Desktop Protocol (RDP) sessions. Here's a simplified explanation:

  1. Purpose: The query aims to identify when a ransomware attack tries to erase or alter traces of RDP sessions, which are crucial for understanding attacker activities.

  2. How it Works:

    • It looks for processes whose command line contains the word "delete" or "add" together with one of two registry paths related to RDP session data. has_all performs a case-insensitive substring match on the whole command line, regardless of which binary ran it, so hits should be reviewed together with FileName and InitiatingProcessFileName.
    • These registry paths, HKCU\Software\Microsoft\Terminal Server Client\Default (the list of most recently used RDP hosts) and HKCU\Software\Microsoft\Terminal Server Client\Servers (one subkey per remote host, including the saved username hint), store information about RDP connections. The doubled backslashes in the query are KQL string escaping for a single backslash.
  3. Output:

    • The query retrieves and displays details such as the timestamp of the event, the device name and ID, the account name, the file name involved, the full command line of the process, the initiating process's file name, and a report ID.
    • This information helps analysts investigate and understand the context of the suspicious activity.

In essence, the query is a tool for security analysts to detect and investigate attempts to tamper with RDP session evidence, which could indicate malicious activity like ransomware attacks.
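As an added example that is not part of the original query page, the following Python re-implements the three has_all() clauses and the project step over constructed DeviceProcessEvents-style rows, so the match behaviour (case-insensitive substring matching, any executing binary) can be checked offline before deploying the KQL. The rule labels, the `_event` helper and all sample values are assumptions made for this example.

```python
# Added example, not part of the original query page: re-implements the KQL
# has_all() clauses in Python over constructed DeviceProcessEvents-style rows so
# the matching behaviour can be checked offline. All sample values are made up.

REG_ROOT = r"\Software\Microsoft\Terminal Server Client"

# One entry per has_all() clause in the query: (label, terms that must ALL appear).
# A KQL "\\" inside a string literal is a single backslash, hence raw strings here.
RULES = [
    ("delete_default_key", ["delete", REG_ROOT + r"\Default"]),
    ("delete_servers_key", ["delete", REG_ROOT + r"\Servers"]),
    ("add_servers_key", ["add", REG_ROOT + r"\Servers"]),
]

PROJECTED = ["Timestamp", "DeviceName", "DeviceId", "AccountName", "FileName",
             "ProcessCommandLine", "InitiatingProcessFileName", "ReportId"]

def has_all(text, terms):
    """KQL has_all(): every term is a case-insensitive substring of text."""
    lowered = text.lower()
    return all(term.lower() in lowered for term in terms)

def matching_rules(command_line):
    """Labels of every rule whose terms all occur in the command line."""
    return [label for label, terms in RULES if has_all(command_line, terms)]

def run_detection(events):
    """Keep rows hit by at least one rule (the KQL 'or' chain) and project the columns."""
    hits = []
    for ev in events:
        labels = matching_rules(ev["ProcessCommandLine"])
        if labels:
            row = {col: ev.get(col) for col in PROJECTED}
            row["MatchedRules"] = labels
            hits.append(row)
    return hits

def _event(report_id, cmd, file_name="reg.exe"):
    """Constructed DeviceProcessEvents-style row for the sample data below."""
    return {"Timestamp": "2025-07-18T10:00:00Z", "DeviceName": "WS01", "DeviceId": "dev-01",
            "AccountName": "alice", "FileName": file_name, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": "cmd.exe", "ReportId": report_id}

# Constructed sample: rows 1 and 2 should be reported; row 3 (read-only query)
# and row 4 (unrelated delete) should not. Matching is case-insensitive like KQL.
SAMPLE_EVENTS = [
    _event(1, r'REG DELETE "HKCU\Software\Microsoft\Terminal Server Client\Default" /va /f'),
    _event(2, r'reg delete HKCU\Software\Microsoft\Terminal Server Client\Servers /f'),
    _event(3, r'reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"'),
    _event(4, r'cmd /c del C:\Temp\old.log', file_name="cmd.exe"),
]
```

Calling `run_detection(SAMPLE_EVENTS)` returns only rows 1 and 2, each tagged with the clause that fired, which mirrors what the KQL would surface for the same command lines.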

Details

Sergio Albea

Released: July 18, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Timestamp, DeviceName, DeviceId, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, ReportId

Operators

where, has_all, or, project