Ctrlk

Introduction
Windows Artifacts
Windows DFIR & MITTR
SOC Related
- Cached Credentials
- Domain Controller Password Spraying

Powered by GitBook

On this page

Was this helpful?

Windows Artifacts
Account Usage
RDP

Source System Artifacts - Quick Reference

security.evtx:

Event ID 4648 – Logon specifying alternate credentials

Current logged-on User Name
Alternate User Name
Destination Host Name/IP
Process Name

Microsoft-WindowsTerminalServicesRDPClient%4Operational.evtx Event ID 1024 - Destination Host Name Event ID 1102 - Destination IP Address

Remote desktop destinations are tracked per-user
- NTUSER\Software Microsoft\Terminal Server Client\Servers
ShimCache – SYSTEM
- mstsc.exe Remote Desktop Client
BAM/DAM – SYSTEM – Last Time Executed
- mstsc.exe Remote Desktop Client
AmCache.hve – First Time Executed
- mstsc.exe
UserAssist – NTUSER.DAT
- mstsc.exe Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
RecentApps – NTUSER.DAT
- mstsc.exe Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentItems subkey tracks connection destinations and times

Jumplists
- C:\Users<Username> AppData\Roaming\Microsoft\Windows Recent\AutomaticDestinations\
  - {MSTSC-APPID}- automaticDestinations-ms
    Tracks remote desktop connection destination and times
Prefetch – C:\Windows\Prefetch
- mstsc.exe-{hash}.pf
Bitmap Cache
C:\USERS<USERNAME> AppData\Local\Microsoft\Terminal Server Client\Cache
- bcache##.bmc
- cache####.bin

PreviousRDP NextDestination System Artifacts - Quick Reference

Last updated 1 year ago

Was this helpful?