Windows RDP Bitmap Cache File Creation

name: Windows RDP Bitmap Cache File Creation
id: 5f8671b6-07a7-425d-b3da-c39a53f2a6ae
version: 2
date: '2026-03-10'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This detection identifies the creation of Remote Desktop Protocol (RDP) bitmap cache files on a Windows system, typically located in the user’s profile under the Terminal Server Client cache directory. These files (*.bmc, cache*.bin) are generated when a user initiates an RDP session using the built-in mstsc.exe client. Their presence can indicate interactive remote access activity and may be useful in detecting lateral movement or unauthorized RDP usage. Monitoring this behavior is especially important, as attackers may attempt to delete or suppress these artifacts to evade forensic analysis.
data_source:
    - Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\Terminal Server Client\\Cache\\*.bmc", "*\\Terminal Server Client\\Cache\\cache*.bin") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`drop_dm_object_name(Filesystem)` | `windows_rdp_bitmap_cache_file_creation_filter`'
how_to_implement: To successfully implement this search, you must ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. If you are utilizing Sysmon, ensure you have at least version 2.0 of the Sysmon TA installed.
known_false_positives: False positives will be present, filter as needed or restrict to critical assets on the perimeter.
references:
    - https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344
    - https://thelocalh0st.github.io/posts/rdp/
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A rdp bitmap cache has been identified on $dest$.
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Windows RDP Artifacts and Defense Evasion
    asset_type: Endpoint
    mitre_attack_id:
        - T1021.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog