RDP Bitmap Cache. Windows RDP caches the screen as small chunks of screenshots (tiles). The size of each is 64x64 bit. There is also one huge sprite that holds all of them.
%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache
- older -
.bmc
- newer -
Cache####.bin
where # is a number starting from 0
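An added triage helper (not part of the original notes) that walks the cache location given above and lists the artifacts it finds, distinguishing the older .bmc files from the newer Cache####.bin files and ordering the latter by their index. It only inventories the files; decoding the 64x64 tiles is left to a dedicated bitmap-cache parser. The demo profile, file names and sizes are constructed for the example.

```python
"""Inventory RDP bitmap cache artifacts under a user profile.

Added example, not from the original notes. The cache path follows the
notes; the demo profile built by demo_profile() is a temporary directory
with CONSTRUCTED empty files standing in for a real %USERPROFILE%.
"""
import os
import re
import tempfile

# %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache
CACHE_SUBDIR = os.path.join("AppData", "Local", "Microsoft",
                            "Terminal Server Client", "Cache")
# Newer format: Cache####.bin, #### counting up from 0000
BIN_RE = re.compile(r"^Cache(\d{4})\.bin$", re.IGNORECASE)


def cache_dir(profile_root):
    """Path of the bitmap cache folder for a given profile root."""
    return os.path.join(profile_root, CACHE_SUBDIR)


def inventory_cache(profile_root):
    """Return a list of {file, format, index, size} for cache artifacts.

    'format' is 'bin' (newer, Cache####.bin) or 'bmc' (older, *.bmc).
    Unrelated files in the folder are ignored. Result is sorted with the
    .bin files first in index order, then the .bmc files by name.
    """
    d = cache_dir(profile_root)
    found = []
    if not os.path.isdir(d):
        return found
    for name in os.listdir(d):
        path = os.path.join(d, name)
        if not os.path.isfile(path):
            continue
        m = BIN_RE.match(name)
        if m:
            found.append({"file": name, "format": "bin",
                          "index": int(m.group(1)),
                          "size": os.path.getsize(path)})
        elif name.lower().endswith(".bmc"):
            found.append({"file": name, "format": "bmc", "index": None,
                          "size": os.path.getsize(path)})
    found.sort(key=lambda r: (r["format"] != "bin",
                              r["index"] if r["index"] is not None else -1,
                              r["file"]))
    return found


def demo_profile():
    """Build a CONSTRUCTED profile tree so the example runs offline."""
    root = tempfile.mkdtemp(prefix="rdp_cache_demo_")
    d = cache_dir(root)
    os.makedirs(d)
    # File names/sizes are made up; 'notes.txt' shows unrelated files are skipped.
    for name, size in (("Cache0000.bin", 4096), ("Cache0001.bin", 512),
                       ("bcache22.bmc", 1024), ("notes.txt", 3)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\0" * size)
    return root


if __name__ == "__main__":
    for row in inventory_cache(demo_profile()):
        print(row)
```

On a real system, pass the user's profile directory (the value of %USERPROFILE%) to inventory_cache; a non-empty .bin list is the first hint that RDP client sessions were run from that account and that tile recovery is worth attempting.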
In case you investigate a successful RDP login to a specific machine, note that only in the case of an RDP login the "Workstation Name" field in the "Network Information" section does not refer to the source machine name; instead it refers to the name of the machine that recorded the event log (the target machine). Be careful, because such misleading information may derail your incident investigation. For the example in the screenshot, the "pbeesly" account logged on to the "SCARNTON" host from the 172.18.39.2 source machine IP. If you want to find the source machine name, use Event IDs 4778 or 4779 recorded in the Security event log instead. https://www.linkedin.com/posts/mostafa-yahia-701b4b15a_in-case-you-investigate-a-successful-rdp-activity-7004505487912112130-W6Oo?utm_source=share&utm_medium=member_desktop