ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™Insider Threat Matrix™
  • ID: DT034
  • Created: 31st May 2024
  • Updated: 26th July 2024
  • Contributor: The ITM Team

Terminal Service Client Registry Key

When Remote Desktop is used to create a connection to a remote machine, it creates entries in the Windows registry that persist after the session has ended. These registry entries can be used in an investigation to provide insight into what remote system(s) a user account has connected to.

Registry keys are created under the Servers key for each remote system that has been connected to, with the name being the IP address of the remote system. These artifacts are located in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers.

This artifact can be analyzed using the standard Registry Editor, or a third party tool such as RegistryExplorer.

Sections

ID Name Description
IF027.004Remote Access Tool (RAT) Deployment

The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.

 

RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode). 

 

Functionality typically includes:

 

  • Full GUI or shell access
  • File system interaction
  • Screenshot and webcam capture
  • Credential harvesting
  • Process and registry manipulation
  • Optional keylogging and persistence modules

 

Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (mshta, rundll32). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.