New Technique Leaks Sensitive Information via the Remote Desktop Protocol Cache
Attackers use the bitmap cache feature of the Remote Desktop Protocol (RDP) to extract and reconstruct sensitive information, including passwords and activity records, after a session has ended. Even when conventional logs are disabled or deleted, the technique can still leak critical data. Security experts recommend strengthening monitoring, regularly clearing the cache, and using tools to detect anomalous access in order to defend against this threat. 2025-5-1 16:47:25 Author: cybersecuritynews.com

Remote Desktop Puzzle Attack Let Hackers Exfiltrate Sensitive Data From Organization

A new technique has emerged in which attackers leverage forgotten artifacts from Remote Desktop Protocol (RDP) sessions to reconstruct sensitive information long after the connections have ended.

The technique exploits the RDP bitmap cache, a performance optimization feature that stores screen elements locally as small tiles. While designed to enhance connection speed by caching static elements rather than repeatedly transmitting them, these cached tiles persist after sessions end, creating an unintentional record of remote activities.

“The RDP bitmap cache is a witness to remote desktop interactions, providing insights into past activities,” Pen Test Partners said to Cyber Security News. “What makes this technique particularly dangerous is that attackers can view credentials entered during RDP sessions even when traditional logging mechanisms have been disabled.”


Data Exfiltrated Via RDP Bitmap Cache Technique

In a recent case study, Pen Test Partners investigated a data breach where an attacker had deliberately wiped traditional evidence including Windows Event Logs, TerminalServices logs, and Security event logs. Despite these anti-forensic measures, investigators discovered the RDP bitmap cache folder remained intact.

Using specialized tools including BMC-Tools and RdpCacheStitcher, investigators extracted and reconstructed over 8,000 bitmap cache files from the compromised system.

The resulting images revealed critical information about the attack, including evidence of reconnaissance tools, PowerShell scripts, malware alerts, and even exposed credentials from password manager windows.

“The reconstructed tiles revealed the hostname of the remote machine being accessed, which allowed us to pivot our analysis to a secondary host,” explained the Pen Test Partners team. This breakthrough helped reconstruct the full attack chain despite the attacker’s attempts to cover their tracks.

What concerns security experts is that the same forensic techniques are now being weaponized by attackers. The process involves extracting cache files from the Terminal Server Client Cache directory and using visual placement heuristics to reassemble meaningful screen content.

BMC-Tools extracts individual tiles from cache files, while RdpCacheStitcher provides a graphical interface with placement algorithms that compare edge patterns and pixel similarities between tiles to recreate coherent images.

Organizations are advised to implement enhanced monitoring of RDP sessions, regularly clear bitmap caches, and consider automated tools that detect unusual access to cache directories.

Security teams should also incorporate RDP cache analysis into their incident response playbooks, as these artifacts may provide critical evidence when traditional logs are unavailable.
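The two recommendations above, monitoring and regularly clearing the cache while still keeping it available for incident response, can be combined in one triage script. The following is an added example, not code from the article or from Pen Test Partners; it assumes the client cache lives under each profile's `AppData\Local\Microsoft\Terminal Server Client\Cache` directory (the standard mstsc location) and that `C:\Evidence\RdpCache` is an acceptable evidence drop folder.

```powershell
# Added example: inventory the RDP bitmap cache for every local user profile,
# optionally preserve it as hashed evidence, and optionally clear it afterwards.
# Assumed cache location: %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache
param(
    [switch]$Preserve,                          # copy cache files to an evidence folder first
    [switch]$Clear,                             # delete cache files after the inventory
    [string]$EvidenceRoot = 'C:\Evidence\RdpCache'   # assumed evidence drop location
)

$cacheRel = 'AppData\Local\Microsoft\Terminal Server Client\Cache'
$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue

foreach ($p in $profiles) {
    $cacheDir = Join-Path $p.FullName $cacheRel
    if (-not (Test-Path -LiteralPath $cacheDir)) { continue }

    # .bin files hold the persistent tiles; the .bmc file is the cache index
    $files = Get-ChildItem -LiteralPath $cacheDir -File -ErrorAction SilentlyContinue |
             Where-Object { $_.Extension -in '.bin', '.bmc' }
    if (-not $files) { continue }

    $total = ($files | Measure-Object -Property Length -Sum).Sum
    $last  = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime

    # One row per profile: a large or recently written cache on a host that
    # should never originate RDP sessions is worth a closer look.
    [pscustomobject]@{
        User      = $p.Name
        Files     = $files.Count
        SizeMB    = [math]::Round($total / 1MB, 2)
        LastWrite = $last
    }

    if ($Preserve) {
        $dest = Join-Path $EvidenceRoot ('{0}_{1:yyyyMMdd_HHmmss}' -f $p.Name, (Get-Date))
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -LiteralPath $files.FullName -Destination $dest
        # Record SHA-256 hashes so the preserved copy can be shown to match the original
        Get-FileHash -LiteralPath $files.FullName -Algorithm SHA256 |
            Export-Csv -LiteralPath (Join-Path $dest 'hashes.csv') -NoTypeInformation
    }

    if ($Clear) {
        Remove-Item -LiteralPath $files.FullName -Force
    }
}
```

Run it without switches from a scheduled task to feed the per-profile rows into a monitoring pipeline, and with `-Preserve -Clear` during response so the artifact is captured before it is removed; reading other users' profiles requires an elevated session.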

As remote work continues to be standard practice, understanding the security implications of technologies like RDP becomes increasingly important, particularly as attackers develop sophisticated methods to exploit overlooked features for data exfiltration.



Source: https://cybersecuritynews.com/remote-desktop-puzzle/