Name:Windows RDP Bitmap Cache File Creation id:5f8671b6-07a7-425d-b3da-c39a53f2a6ae version:1 date:2025-07-30 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:This detection identifies the creation of Remote Desktop Protocol (RDP) bitmap cache files on a Windows system, typically located in the user’s profile under the Terminal Server Client cache directory. These files (*.bmc, cache*.bin) are generated when a user initiates an RDP session using the built-in mstsc.exe client. Their presence can indicate interactive remote access activity and may be useful in detecting lateral movement or unauthorized RDP usage. Monitoring this behavior is especially important, as attackers may attempt to delete or suppress these artifacts to evade forensic analysis. Data_source:
-Sysmon EventID 11
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\Terminal Server Client\\Cache\\*.bmc", "*\\Terminal Server Client\\Cache\\cache*.bin") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `windows_rdp_bitmap_cache_file_creation_filter`
how_to_implement:To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed. known_false_positives:False positives will be present, filter as needed or restrict to critical assets on the perimeter. References: -https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 -https://thelocalh0st.github.io/posts/rdp/ drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Windows RDP Artifacts and Defense Evasion' asset_type:Endpoint mitre_attack_id: - 'T1021.001' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint
