# *Suspicious RDP Bitmap Cache Access*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1005 | Data from Local System | https://attack.mitre.org/techniques/T1005/ |
| T1083 | File and Directory Discovery | https://attack.mitre.org/techniques/T1083/ |


#### Description

This rule monitors for unauthorized access to RDP Bitmap Cache files, which attackers target to visually reconstruct past administrative sessions and harvest sensitive data. Because legitimate RDP managers such as mstsc.exe or Royal TS are explicitly excluded, any interaction from another process serves as a high-fidelity indicator of internal reconnaissance or credential harvesting. The detection triggers as soon as an unapproved binary reads, copies, or renames these cache artifacts.

Upon an alert, immediately isolate the affected host to prevent potential lateral movement. Analyze the initiating process command line for suspicious scripts or unauthorized tools, and verify whether there is a valid administrative justification for low-level file forensics. If a compromise is confirmed, promptly rotate credentials for all privileged accounts that have historically logged into that endpoint.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/


## Defender XDR
```KQL
// Definition of allowed RDP managers and system processes
let AllowedRDPManagers = pack_array(
    "mstsc.exe",                  // Standard Windows Client
    "msrdc.exe",                  // Windows 365 / Azure Virtual Desktop Client
    "RocketRemoteDesktop.exe",    // Rocket Remote Desktop
    "RTS2App.exe",                // Royal TS
    "mRemoteNG.exe",              // mRemoteNG
    "RDCMan.exe",                 // Microsoft Remote Desktop Connection Manager
    "svchost.exe"                 // System profile handling
);
// Monitor direct file interactions within the specific cache path
DeviceFileEvents
| where Timestamp > ago(14d)
// Focus strictly on the sensitive folder path
| where FolderPath has @"\Microsoft\Terminal Server Client\Cache"
// Any process interacting with this folder that is not an allowed RDP manager is highly suspicious
// (in~ makes the file-name comparison case-insensitive)
| where not(InitiatingProcessFileName in~ (AllowedRDPManagers))
// Focus on reads of existing cache files and on files created or renamed inside the cache folder
| where ActionType in~ ("FileRead", "FileCreated", "FileRenamed")
| order by Timestamp desc
```

## Explanation

This query is designed to detect suspicious activities related to Remote Desktop Protocol (RDP) Bitmap Cache files on a system. Here's a simplified breakdown:

1. Purpose: The query aims to identify unauthorized access to RDP Bitmap Cache files. These files can be used by attackers to reconstruct past RDP sessions and potentially extract sensitive information.

2. Allowed Processes: It defines a list of legitimate RDP management applications and system processes that are allowed to interact with these cache files. These include standard RDP clients like mstsc.exe and msrdc.exe, and third-party managers like Royal TS and mRemoteNG.

3. Monitoring Criteria:
   - The query looks at file events from the last 14 days.
   - It specifically monitors a folder path associated with RDP cache files: `\Microsoft\Terminal Server Client\Cache`.
   - It flags any file interaction (reading, creating, or renaming files) by a process not in the allowed list as suspicious.

4. Action: If such unauthorized access is detected, it suggests immediate actions like isolating the affected host to prevent further unauthorized access and analyzing the process that initiated the action for any suspicious behavior.

5. Response: If a security breach is confirmed, it recommends rotating credentials for all privileged accounts that have accessed the compromised system.

Overall, this query is a security measure to detect and respond to potential internal reconnaissance or credential harvesting activities by monitoring unauthorized access to sensitive RDP cache files.
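To make the filter chain in the Description and the Explanation above testable without a Defender XDR tenant, here is an added Python re-implementation of the same logic (this is example code written for this page, not the author's query or any Microsoft API). It runs the allow-list, folder-path, action-type and 14-day-window checks over a handful of constructed DeviceFileEvents-style records. Two assumptions are labelled in the code: KQL `has` (whole-term matching) is approximated by a case-insensitive substring match on `FolderPath`, and `in~` is modelled as a case-insensitive set lookup; the device name, user profile path and event timestamps are invented sample values.

```python
# Added example (not part of the original query page): Python re-implementation of the
# KQL filter chain, run over constructed DeviceFileEvents-style records for offline testing.
# Assumption: KQL `has` (term match) is approximated by a case-insensitive substring match
# on FolderPath; `in~` is modelled as a case-insensitive set lookup.
from datetime import datetime, timedelta, timezone

# Same names as the AllowedRDPManagers list in the query
ALLOWED_RDP_MANAGERS = {
    "mstsc.exe", "msrdc.exe", "RocketRemoteDesktop.exe", "RTS2App.exe",
    "mRemoteNG.exe", "RDCMan.exe", "svchost.exe",
}
_ALLOWED_LOWER = {name.lower() for name in ALLOWED_RDP_MANAGERS}
CACHE_PATH_FRAGMENT = r"\Microsoft\Terminal Server Client\Cache"
WATCHED_ACTIONS = {"fileread", "filecreated", "filerenamed"}  # compared lower-cased, like in~
LOOKBACK = timedelta(days=14)                                 # Timestamp > ago(14d)


def is_suspicious(event: dict, now: datetime) -> bool:
    """True when the event survives every `where` clause of the query."""
    if event["Timestamp"] <= now - LOOKBACK:
        return False                                          # outside the 14-day window
    if CACHE_PATH_FRAGMENT.lower() not in event["FolderPath"].lower():
        return False                                          # not the cache folder
    if event["InitiatingProcessFileName"].lower() in _ALLOWED_LOWER:
        return False                                          # approved RDP client
    return event["ActionType"].lower() in WATCHED_ACTIONS


def hunt(events, now):
    """Apply the filter and return hits newest-first, like `order by Timestamp desc`."""
    return sorted((e for e in events if is_suspicious(e, now)),
                  key=lambda e: e["Timestamp"], reverse=True)


# ---- constructed sample data (not real telemetry) -------------------------------------
NOW = datetime(2026, 6, 9, 12, 0, tzinfo=timezone.utc)
CACHE_DIR = r"C:\Users\alice\AppData\Local" + CACHE_PATH_FRAGMENT   # invented profile path


def _event(days_ago, process, action, folder=CACHE_DIR, device="WS-ALICE-01"):
    """Build one DeviceFileEvents-shaped record (hypothetical values)."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "DeviceName": device,
        "FolderPath": folder,
        "FileName": "Cache0000.bin",
        "InitiatingProcessFileName": process,
        "ActionType": action,
    }


SAMPLE_EVENTS = [
    _event(3, "mstsc.exe", "FileCreated"),        # normal client writing its own cache
    _event(2.5, "MSTSC.EXE", "FileRead"),         # same client, odd casing: still allowed
    _event(2, "powershell.exe", "FileRead"),      # unlisted process reading the cache -> hit
    _event(1, "explorer.exe", "FileCreated"),     # unlisted process creating a file -> hit
    _event(20, "backupsvc.exe", "FileRead"),      # unlisted, but older than 14 days
    _event(1, "powershell.exe", "FileRead",
           folder=r"C:\Users\alice\AppData\Local\Temp"),   # different folder, ignored
    _event(1, "cmd.exe", "FileDeleted"),          # action the query does not watch
]


def hit_processes(events=SAMPLE_EVENTS, now=NOW):
    """Initiating process of each hit, newest first."""
    return [e["InitiatingProcessFileName"] for e in hunt(events, now)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, NOW):
        print(hit["Timestamp"].isoformat(), hit["DeviceName"],
              hit["InitiatingProcessFileName"], hit["ActionType"], hit["FolderPath"])
```

Running the script prints the two surviving events (explorer.exe, then powershell.exe). The sample deliberately includes an `explorer.exe` hit: the query's allow-list does not contain the shell, so a user simply copying a file out of that folder in Explorer produces the same alert as a script doing it, and whether to extend the allow-list is a tuning decision for your environment. The substring stand-in for `has` is slightly looser than the real operator, so treat the Python as a logic harness rather than a byte-for-byte reproduction of the KQL.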

## Details

Author: Benjamin Zulliger

Released: June 9, 2026

Tables: DeviceFileEvents
