Source System Artifacts - Quick Reference

security.evtx:

Event ID 4648 – Logon specifying alternate credentials

Microsoft-WindowsTerminalServicesRDPClient%4Operational.evtx Event ID 1024 - Destination Host Name Event ID 1102 - Destination IP Address

Remote desktop destinations are tracked per-user
- NTUSER\Software Microsoft\Terminal Server Client\Servers
ShimCache – SYSTEM
- mstsc.exe Remote Desktop Client
BAM/DAM – SYSTEM – Last Time Executed
- mstsc.exe Remote Desktop Client
AmCache.hve – First Time Executed
- mstsc.exe
UserAssist – NTUSER.DAT
- mstsc.exe Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
RecentApps – NTUSER.DAT
- mstsc.exe Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentItems subkey tracks connection destinations and times

Jumplists
- C:\Users<Username> AppData\Roaming\Microsoft\Windows Recent\AutomaticDestinations\
  - {MSTSC-APPID}- automaticDestinations-ms
    Tracks remote desktop connection destination and times
Prefetch – C:\Windows\Prefetch
- mstsc.exe-{hash}.pf
Bitmap Cache
C:\USERS<USERNAME> AppData\Local\Microsoft\Terminal Server Client\Cache
- bcache##.bmc
- cache####.bin

Last updated 1 year ago

Was this helpful?