Live Discover Query - RDP history

REVIEWED by Sophos

As RDP is always a hot topic in the world of security, it might be helpful to gain a report of perhaps who is connecting to where.

The default RDP client, mstsc.exe maintains a history of the computers connected to under the following key to pre-populate the drop-down list:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\

They are stored as individual string values, MRU0, MRU1, MRU2, etc.. Therefore the following query could be used:

select data,path from registry where key like 'HKEY_USERS\%\SOFTWARE\Microsoft\Terminal Server Client\Default' and data <> '';

May be adapted for a specific address of a server:

select data as 'Remote RDP Address', path from registry where key like 'HKEY_USERS\%\SOFTWARE\Microsoft\Terminal Server Client\Default' and data <> '' and data ='wibble.wobble.com';

Maybe useful but of course there is nothing stopping the keys being removed.

Jak

jak

Parents

Karl_Ackerman over 4 years ago

Well, if the keys have been removed in the last 90 days we should be able to see the delete of the registry key in the Sophos_registry_journal. Anyone want to write that query? If so Just post and I can help out. Thanks
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Comment

Karl_Ackerman over 4 years ago

Well, if the keys have been removed in the last 90 days we should be able to see the delete of the registry key in the Sophos_registry_journal. Anyone want to write that query? If so Just post and I can help out. Thanks
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Children

No Data

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Live Discover Query - RDP history