�ݺ�ߣ

MUS2020 - Putting Together the RDPieces

Brian Moran
Consultant
BriMor Labs
May 28, 2020
Putting Together the RDPieces

A Brief List of Topics
• RDP - WTF?
(YOU: But Brian, we don’t really see much of this right
meow)
(ME: Perhaps, but this is why you should care)
• Evidence
• Step 3? Nope, not here
• Research
• Stuff with Things
• Profit? ̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

I Feel So Seen
• Hello, my name is Brian Moran
• 13+ years Air Force career
– 17ish years mobile exploitation &
DFIR focus
– Started BriMor Labs in 2014
• Very happy since!
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

I Feel So Seen (Cont)
• You may know me from a variety of things, but I am very proud of
the #DFIRFitin2020 challenge that was organized with the help of
Kathryn Hedley (@4enzikat0r)
– You can still join us! Details at https://www.dfirfitin2020.com
– Covers roughly 860 miles from Nashville to Austin
• Also helped organize the #MVSDFIRFit2020 event, which raised
$4,000 for charity!
• And, lastly, had a blast doing the color commentary on the
#MVS2020CTF on May 12!
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

What is this RDP Thing?
• “Remote Desktop Protocol (RDP) is a proprietary protocol
developed by Microsoft, which provides a user with a
graphical interface to connect to another computer over a
network connection”
– This means someone can do stuff with things on another
computer, whether it is in the next room or halfway around the
world
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

What Does That Have To Do With
My Investigations?
• Lateral movement in an environment
• Remote connection(s) to known/suspected malicious systems
• Unauthorized access
• Ransomware investigations
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

How I Got Interested in This Topic
• Working what seemed to be a typical ransomware case
– YARC
• This particular attacker actually cleaned up after themselves
– Cleared Event Logs
– Cleared “Recent” data
– Step 3 isn’t here either
• This made answering the usual questions (who, what, how,
when, data access, data exfil, etc, EXTREMELY difficult)
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

How I Got Interested in This Topic
• Fortunately, the attacker did not clean up the RDP Bitmap
Cache files
– Since didn’t have much else to go on, this was at least
evidence of “something had happened”
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

WTF is RDP Bitmap Cache?
• Let’s visit the source (
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr
/2da3e165-d1ba-4b65-8909-7a0f7f858d69 )
“A Persistent Bitmap Cache is a store that contains bitmap images that were sent
to the client by using the Cache Bitmap (Revision 2) Secondary Drawing Order
([MS-RDPEGDI] section 2.2.2.2.1.2.3). Unlike the Bitmap Caches described in
section 3.2.1.13, Persistent Bitmap Caches are not bound to the lifetime of a given
RDP connection and their contents are persisted even after the RDP connection is
closed.”
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Yeah, That Doesn’t Help
• Okay, that admittedly was a lot
While it is not technically 100% accurate, a better way to
think of it is kind of like taking snapshots of the entire screen
during an RDP session, which are written to disk on the
endpoint that the RDP session originated from
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Yeah, That Doesn’t Help
• Okay, that admittedly was a lot
While it is not technically 100% accurate, a better way to
think of it is kind of like taking snapshots of the entire screen
during an RDP session, which are written to disk on the
endpoint that the RDP session originated from.
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Oh, That Is Better, Thank You!
• The location of the RDP Bitmap Cache files has shifted over
the years, but for the most part they can be found under the
path “%USERPROFILE%AppDataLocalMicrosoftTerminal
Server ClientCache”
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

More Technical Details
• On older systems, you will usually have a file with a .bmc
extension
• Windows 7 and newer systems, you will likely see files that
are named “Cache####.bin” (these are incrementally
numbered starting at 0000)
• Both file types contain what are essentially small chunks of
screenshots that are saved of the remote desktop
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

More Reading (AFTER This
Presentation, please!)
• https://www.allthingsdfir.com/do-you-even-bitmap-cache-bro/
• https://countuponsecurity.com/tag/rdp-bitmap-cache/
• https://cbtgeeks.com/2018/05/22/digital-forensics-on-rdp-cache/
• RDP Cache Forensics - 13Cubed:
https://www.youtube.com/watch?v=NnEOk5-Dstw
• https://www.brimorlabsblog.com/2019/06/phinally-using-photoshop
-to-phacilitate.html (Hey, that one is mine!)
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Well Brian, We Can Read. So Why
Are You Here?
• Well, part of the reason is because, like everything else that I
do, I want to find an easier way to get usable information
from this data source
• Also, I really enjoyed the Magnet User Summit last year, and
wanted a good reason to come back and speak again!
– Although this time, it is virtual. Which makes it full of The
Cyber
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

You Put Files In, You Get Usable
Data Out
• Step 1: Extract the data from the RDP Bitmap Cache file(s)
– I always use the -b flag … you should too
• In my opinion, best current option for this is the Python script
from the ANSSI (agence nationale la sécurité des systèmes
d’information) github repository
– https://github.com/ANSSI-FR/bmc-tools
Note: Use Python v2
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Step 2: We now have results. Folder structure probably looks
like this:
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Step 3: http://www.whatisstep3.com
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Step 4: Now you have a whole bunch of bitmap images
(usually 6000+) that are 64 x 64, and one large bitmap file
with all of the tiles lined up (see next slide)
– You can now manually rearrange the individual bitmap
images, in hopes of “reconstructing” screen shots that are
automatically taken, and stored, during the RDP session
– This is a challenging, and tedious task
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Many hours later …
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out - Manual Reconstruction
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• On average, it takes between 20-40 hours to go through and
manually rebuild RDP Bitmap Cache data
– Fine if you have the time (or cough cough billable hours) to
do that
• Wanted to make an easier way to at least make slices, and
focus on individual slices rather than rebuilding the entire
picture
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• First thought was
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Started mapping out math, data visualization, statistics, etc.
that I thought would be needed
– If Bitmap Cache 0000 leaves Chicago at 2:30, and
Bitmap Cache 0001 leaves Sandusky, Ohio at 3:15,
when will Ron Swanson
be able to get bacon?
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Enter imagemagick, which as it turns out, does almost
everything that I was hoping to find out, and more, already
– https://imagemagick.org/index.php
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Now that I found where the mathiness would come from, I
had to work on ensuring that my formulas worked fairly well,
were broad enough to capture less than ideal circumstances,
but at the same time, didn’t accidentally match too much
• So relieved that I wouldn’t have to do terribly complex data
manipulation
– However, it is worth noting that Python absolutely sucks
for doing even moderately advanced mathiness, but Perl
handles it all like a champ. Long Live Perl!
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• The next hurdle was deciding “how” to do this most efficiently
– Thankfully, my photography hobby (which I do not focus
on nearly enough anymore) came into play
– Alcohol helped too
– Wait. What WAS Step 3?
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• When matching puzzle pieces, you generally look for shapes
that go together … and the shapes are determined by the
edges …
... hmmm … this line of thinking might actually take me
somewhere. Maybe. Possibly.
Probably need another drink … I mean, RDP Bitmap Cache inspiration juice
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• So, maybe if I just take the edges of each slice, and figure out
how many colors, the color variance/standard deviation, and
some file name spatial awareness, maybe I could generate
some useful data
• After trial and error, deciding that the edge should be 5 pixels
in width/height, depending on if we are matching left/right or
top/bottom
– It’s not perfect, but it is at least a decent solution!
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Used imagemagick to make a total of four new files (filename
+ L/R/T/B) for each 5x64 or 64x5 slice
• Pushed the resulting mathiness to a SQLite database that is in
memory (for returning faster results)
• The formula can (and undoubtedly will) evolve over time, but
it’s much easier building SQLite queries than computing
mathematical statistics of files!
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Introducing: RDPieces.pl
• Perl script that automates everything I just talked about
– Runs cross platform (Windows, macOS, *nix)
• macOS/*nix may require some additional modules
• On Windows, use Strawberry Perl (the best Perl)
– Requires imagemagick to be installed
– Script cleans up after itself, deleting temporary data
directory
• At some point, might make a cool logo for it
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• In my testing, there are roughly 400 results to review per
bitmap cache (compared to ~6400 files)
• Put limits on the maximum/minimum size of the slices,
because that is how math works
• Script also saves a folder with the rebuilt bitmap image, and
the original files used to build the bitmap image, if you want
to manually manipulate the files a bit.
– Much easier than doing it all manually
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020
Example of RDPieces.pl running

Data Out
• Example screenshots
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Because we have the original files that the slice was
comprised of, we can then go back and try to rebuild a more
complete picture with other slices and/or images
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Hey, that isn’t too shabby, right?
• We can see that
– Windows command prompt was used
– User ran commands “ping” and “ipconfig”
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out - The Next Generation
• This is going to be a continuing project
– Very much welcome feedback, comments, thoughts on
ways to improve it
• My only caveat is that I want to keep this project entirely
open source.
– If Microsoft will not release technical details of how they
are doing/rebuilding it, at least we as a community can
band together to try to come up with a solution!
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Cool Story Bro, Where Can I Get It?
• You can download the Perl script here:
– https://github.com/brimorlabs/rdpieces
• Again, my only caveat is that I want to
keep this project entirely open source
– I am sure there are different,
and probably better,
ways to perform mathiness
– Sharing is caring
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Data Out
• Heather (@LitMoose) summed it up best:
“It is like putting together an adult jigsaw puzzle, but for forensic
analysts”
She also said something to the effect of “it’s kind of relaxing”,
which makes me question things about her
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Naughty By Nature said it best …
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020

Questions?
̶#̶M̶U̶S̶2̶0̶2̶0̶ #MVS2020
Brian Moran
Twitter: @brianjmoran
Email: brian@brimorlabs.com
#DFIRFitin2020 Challenge: https://www.dfirfitin2020.com

�ݺ�ߣ

MUS2020 - Putting Together the RDPieces

More Related Content

MUS2020 - Putting Together the RDPieces