Detections
- Home
- - Detections
- -DT034
- ID: DT034
- Created: 31st May 2024
- Updated: 26th July 2024
- Contributor: The ITM Team
Terminal Service Client Registry Key
When Remote Desktop is used to create a connection to a remote machine, it creates entries in the Windows registry that persist after the session has ended. These registry entries can be used in an investigation to provide insight into what remote system(s) a user account has connected to.
Registry keys are created under the Servers
key for each remote system that has been connected to, with the name being the IP address of the remote system. These artifacts are located in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers
.
This artifact can be analyzed using the standard Registry Editor, or a third party tool such as RegistryExplorer.