- ID: DT034
- Created: 31st May 2024
- Updated: 23rd October 2025
- MITRE ATT&CK®: DS0024
- Contributor: The ITM Team
Terminal Service Client Registry Key
When Remote Desktop is used to create a connection to a remote machine, it creates entries in the Windows registry that persist after the session has ended. These registry entries can be used in an investigation to provide insight into what remote system(s) a user account has connected to.
Registry keys are created under the Servers key for each remote system that has been connected to, with the name being the IP address of the remote system. These artifacts are located in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers.
This artifact can be analyzed using the standard Registry Editor, or a third-party tool such as RegistryExplorer.
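For triage across several user hives, the same artifact can be pulled out of a Registry Editor export (`.reg` file) programmatically. The following is an added example, not part of the original entry or ITM's own tooling: the function names and sample data are constructed for illustration, and `UsernameHint` is a value the RDP client stores in these subkeys that the entry above does not mention.

```python
import re

# Constructed sample: a Registry Editor (.reg) export with documentation-range IPs.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers\192.0.2.15]
"UsernameHint"="CORP\\jdoe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers\198.51.100.7]
"UsernameHint"="administrator"
'''

# Matched case-insensitively so HKEY_CURRENT_USER and HKEY_USERS\<SID> both work.
SERVERS_PREFIX = "\\software\\microsoft\\terminal server client\\servers\\"
KEY_RE = re.compile(r"^\[(?P<path>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def load_export(path):
    """Read a Registry Editor version 5.00 export, which is UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_rdp_servers(reg_text):
    """Return one dict per subkey of ...\\Terminal Server Client\\Servers."""
    results, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = None  # values that follow belong to this new key
            path = key.group("path")
            idx = path.lower().find(SERVERS_PREFIX)
            server = path[idx + len(SERVERS_PREFIX):] if idx != -1 else ""
            if server and "\\" not in server:  # direct children only
                current = {"hive": path[:idx], "server": server, "username_hint": None}
                results.append(current)
            continue
        value = VALUE_RE.match(line)
        if value and current and value.group("name").lower() == "usernamehint":
            # .reg string data escapes backslashes and quotes with a backslash
            current["username_hint"] = re.sub(r"\\(.)", r"\1", value.group("data"))
    return results


if __name__ == "__main__":
    for row in parse_rdp_servers(SAMPLE_EXPORT):
        print(f"{row['hive']}  {row['server']}  {row['username_hint']}")
```

For a real export, pass `load_export("export.reg")` to `parse_rdp_servers`; the `hive` field distinguishes the current user from hives exported under `HKEY_USERS\<SID>`.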
Sections
| ID | Name | Description |
|---|---|---|
| IF027.004 | Remote Access Tool (RAT) Deployment | The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.<br><br>RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode).<br><br>Functionality typically includes:<br><br>Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins ( |
MITRE ATT&CK® Mapping (1)
ATT&CK Enterprise Matrix Version 17.1