RDPCacheHunting

What Does This Pack Do?

This pack offers a set of tools to detect suspicious activity in RDP cache files on a system. It helps you search, collect, and analyze the contents of these files to identify potential indicators of compromise (IOCs).

Getting Started / How to Set up the Pack

To get started with this pack, follow the instructions below:

Go to Marketplace and install this pack.
Create a new job and select the incident type "RDP Sessions".
Add any additional details to the job.
Refer to the pack's documentation for further instructions.

Additional Technical Details

This RDP Cache Hunting pack provides an efficient way to investigate potential suspicious activity on your Remote Desktop Protocol (RDP) connections.

It allows you to collect RDP bitmap cache files using XDR, CarbonBlack, or Powershell, extract tiles from them, process the collages, and extract text from the tiles. You can then search the extracted text for indicators of compromise (IOCs) using the MITRE ATT&CK Software list and Mandiant Stringsifter ML ranking capabilities.

The overall score of the pack is determined by summing up the similarity ratios for the strings and tools found in the similarity check (with a maximum score of 5 per finding) and the Stringsifter rank of any executable found using 'extractindicators'. If the score is 0, no suspicious strings were found.

This pack will help you detect potential internal RDP sessions on predefined hosts, identify any suspicious activity, and provide you with the collage processed for further analysis.

Name	Description
SetRDPOverallScore	Sets the overall score for the strings similarity scoring for the text extracted from the RDP cache image.
Indicators-type	Health Check dynamic section, showing the top ten categories of the failed integrations in a pie chart.

Name	Description
RDPCacheHunting Strings Similarity
RDPCacheHunting String Sifter

Name	Description
RDP Sessions Hunting

Name	Description
RDP Sessions

Name	Description
RDP Bitmap Cache - Detect and Hunt	Playbook: Automated Collection and Forensic Analysis of RDP Sessions Cache Data This playbook automates the collection and forensic analysis of RDP sessions cache data. It involves the following steps: Step 1: Collect Cache Files and Convert to Image The first step is to collect the cache files from RDP sessions and convert them into an image format. Step 2: Extract Readable Text from the Image Once the cache files are converted into an image, the playbook extracts readable text from the image to facilitate analysis. Step 3: Build Indicators of Compromise (IOCs) from Text In this step, the extracted text is used to build indicators of compromise (IOCs) for further investigation and threat hunting. Step 4: Enrich Extracted Indicators for Further Hunting Finally, the playbook enriches the extracted indicators by adding additional context and information, enhancing their usefulness for further hunting and analysis. Note: It is important to customize and adapt this playbook to fit specific use cases and environments. Additionally, ensure compliance with legal and privacy requirements when collecting and analyzing data. Feel free to modify and enhance this playbook according to your requirements.
Set RDP Bitmap Cache Overall Score	This playbook sets the RDP bitmap cache overall score

Name	Description
Windows Date and Time
Windows Executables
Windows File Path

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
LOLBAS Feed	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Image OCR	By: Cortex XSOAR
StringSifter	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Splunk	By: Cortex XSOAR

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Image OCR	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
LOLBAS Feed	By: Cortex XSOAR
StringSifter	By: Cortex XSOAR

Incident Fields

New: RDPCacheHunting String Sifter
New: RDPCacheHunting Strings Similarity
New: RDPCacheHunting String Sifter
New: RDPCacheHunting Strings Similarity

Incident Types

New: RDP Sessions Hunting
New: RDP Sessions

Indicator Types

New: Windows Date and Time
New: Windows Executables
New: Windows File Path

Layouts

New: RDP Sessions
New: This layout presents all gathered data from RDP cache hunting.
New: This incident type represents an RDP session hunt (Available from Cortex XSOAR 6.9.0).

Playbooks

New: RDP Bitmap Cache - Detect and Hunt

New: ## Playbook: Automated Collection and Forensic Analysis of RDP Sessions Cache Data
This playbook automates the collection and forensic analysis of RDP sessions cache data. It involves the following steps:

Step 1: Collect Cache Files and Convert to Image

The first step is to collect the cache files from RDP sessions and convert them into an image format.

Step 2: Extract Readable Text from the Image

Once the cache files are converted into an image, the playbook extracts readable text from the image to facilitate analysis.

Step 3: Build Indicators of Compromise (IOCs) from Text

In this step, the extracted text is used to build indicators of compromise (IOCs) for further investigation and threat hunting.

Step 4: Enrich Extracted Indicators for Further Hunting

Finally, the playbook enriches the extracted indicators by adding additional context and information, enhancing their usefulness for further hunting and analysis.

Note: It is important to customize and adapt this playbook to fit specific use cases and environments. Additionally, ensure compliance with legal and privacy requirements when collecting and analyzing data.
Feel free to modify and enhance this playbook according to your requirements.
New: This playbook automates the collection and forensic analysis of RDP sessions cache data by collecting the cache files and converting it to an image, extracting readable text from the image and building IOC's from text and finally enriching any extracted indicators for further hunting (Available from Cortex XSOAR 6.9.0).

New: Set RDP Bitmap Cache Overall Score

New: This playbook sets the RDP bitmap cache overall score
New: This playbook sets the RDP bitmap cache overall score (Available from Cortex XSOAR 6.9.0).

Scripts

New: Indicators-type

New: Health Check dynamic section, showing the top ten categories of the failed integrations in a pie chart.
New: Health Check dynamic section, showing the top ten categories of the failed integrations in a pie chart. (Available from Cortex XSOAR 6.9.0).

New: SetRDPOverallScore

New: Sets the overall score for the strings similarity scoring for the text extracted from the RDP cache image.
New: Sets the overall score for the strings similarity scoring for the text extracted from the RDP cache image. (Available from Cortex XSOAR 6.9.0).