RDP Bitmap cache

🔒 Secure Bits 💡
Your RDP session might leave a visual trail…

Did you know that Remote Desktop Protocol (RDP) caches fragments of your screen on the client?

🖼️ These bitmap caches are stored locally to improve performance — but they can also reveal what was seen during your session. For forensic investigators (or attackers), that means possible insight into screen content from previous RDP activity.

📁 File location:
%UserProfile%\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bin

🧰 Want to extract and reconstruct them?
Check out: bmc-tools-py — it can turn the cache into a full image collage.

Did you know about this “feature”?
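
For triage, it helps to know how much screen content a cache file holds before reconstructing anything. The sketch below is an added example, not part of the original post and not code from bmc-tools. It assumes a layout the post does not describe: an 8-byte `RDP8bmp\0` magic, a 4-byte version, then tiles made of a 12-byte header (two 32-bit key words, 16-bit width and height) followed by 32-bit pixels. The sample file is constructed inline.

```python
import struct

MAGIC = b"RDP8bmp\x00"             # assumed file magic of a Cache*.bin file
TILE_HDR = struct.Struct("<LLHH")  # assumed tile header: key1, key2, width, height


def parse_cache(data: bytes):
    """Return (version, tiles); each tile has its key, dimensions and raw pixels."""
    if not data.startswith(MAGIC):
        raise ValueError("not an RDP8bmp cache file")
    if len(data) < len(MAGIC) + 4:
        raise ValueError("truncated file header")
    (version,) = struct.unpack_from("<L", data, len(MAGIC))
    off, tiles = len(MAGIC) + 4, []
    while off + TILE_HDR.size <= len(data):
        key1, key2, w, h = TILE_HDR.unpack_from(data, off)
        off += TILE_HDR.size
        n = 4 * w * h                      # 4 bytes per pixel
        if w == 0 or h == 0 or off + n > len(data):
            break                          # padding or truncated tile: stop, do not guess
        tiles.append({"key": f"{key1:08x}{key2:08x}", "width": w, "height": h,
                      "pixels": data[off:off + n]})
        off += n
    return version, tiles


def summarize(data: bytes):
    """Triage summary: how many tiles, how many pixel bytes, which tile sizes."""
    version, tiles = parse_cache(data)
    return {"version": version, "tiles": len(tiles),
            "pixel_bytes": sum(len(t["pixels"]) for t in tiles),
            "sizes": sorted({(t["width"], t["height"]) for t in tiles})}


def build_sample() -> bytes:
    """Constructed sample: three complete tiles followed by one truncated tile."""
    out = MAGIC + struct.pack("<L", 6)     # version value is constructed
    for i, (w, h) in enumerate([(64, 64), (64, 64), (64, 32)]):
        out += TILE_HDR.pack(i, 0xABCD0000 + i, w, h) + bytes([i]) * (4 * w * h)
    out += TILE_HDR.pack(9, 9, 64, 64) + b"\x00" * 100   # cut off mid-tile
    return out


if __name__ == "__main__":
    print(summarize(build_sample()))
```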