Windows RDP Vulnerability Exposes Image Fragments to Attackers
Key Takeaways
- Windows Remote Desktop Protocol (RDP) sessions automatically save visual fragments to a local bitmap cache.
- Attackers can easily extract and reconstruct these cached image fragments without elevated privileges, turning them into readable screenshots of past RDP activity.
- This vulnerability exposes sensitive data, including internal tools, documents, emails, and even credentials, which remains on disk long after sessions end.
- Because threat groups make heavy use of RDP, the bitmap cache serves as a powerful reconnaissance tool for them, yet it can also act as an indicator of compromise if it has been tampered with or deleted.
- Mitigation involves enhanced monitoring, security tool configuration, and the option to disable the RDP bitmap cache via Group Policy.
Uncovering the Hidden Trail of RDP Sessions
During a typical Windows Remote Desktop session, the operating system routinely stores visual elements of the active display. Recent findings by SCYTHE Labs reveal that these seemingly innocuous fragments can be easily gathered by malicious actors and reassembled into detailed screenshots of previous RDP activity.
This process is surprisingly straightforward, requiring no special administrative permissions and taking only a few minutes with readily available, free tools. Organizations utilizing Remote Desktop Protocol (RDP) could inadvertently be leaving a digital breadcrumb trail of highly sensitive information, ripe for exploitation.
The RDP Bitmap Cache: A Performance Feature Turned Risk
Windows incorporates a performance-enhancing feature known as the RDP Bitmap Cache, designed to accelerate the loading of remote connections. This cache functions by storing small image tiles of the active session directly onto the local hard drive. Similar to how a web browser saves thumbnails to speed up page loads, these RDP tiles capture everything displayed on the screen during a remote session.
The stored data can include a wide array of confidential information: open internal applications, sensitive documents, email content, and even login credentials entered into visible fields. A critical aspect of this issue is that the cache persists on the disk long after the RDP connection has terminated. Crucially, these files reside within a standard user directory, meaning an attacker does not need administrator-level privileges to access them.
Threat intelligence indicates that RDP accounts for nearly one-third of all security vulnerabilities across the global enterprise attack surface. Prominent threat groups such as BianLian, Medusa, and Scattered Spider frequently leverage RDP access, effectively transforming this default caching mechanism into a potent, often undetected, reconnaissance asset during an intrusion.
Extraction and Reconstruction: How Attackers Exploit the Cache
Adversaries can readily pinpoint the RDP cache folder, as its location is consistent across all Windows machines within the local application data path. A common tactic involves using a simple PowerShell command to compress the entire cache directory into a zip archive. This archive is then exfiltrated over standard HTTPS, allowing it to blend seamlessly with normal outbound network traffic, before the attacker deletes the zip file to obscure their actions.
Once the extracted files are in their possession, attackers employ two key open-source tools to visualize the stolen data. First, an application like bmc-tools parses the raw cache files, breaking them down into thousands of tiny image tiles. Following this, a visualization tool such as RdpCacheStitcher meticulously arranges these scattered tiles, akin to solving a jigsaw puzzle, to reconstruct the original session screen.
Even imperfect or partial image reconstructions can yield sufficient environmental details to inform and propel subsequent phases of a cyberattack. Conversely, this cache can also serve as a vital indicator of compromise, even when threat actors attempt to cover their tracks. Attackers who utilize RDP during an intrusion often delete the entire cache directory before logging out. Consequently, discovering an empty bitmap cache on a workstation with a history of extensive Remote Desktop usage is highly suspicious. Security teams should interpret this sudden absence of evidence as a strong signal to initiate an immediate investigation.
What You Should Do
- Verify that endpoint detection and response (EDR) systems are configured to flag unauthorized access attempts to the local RDP cache folder.
- Ensure that outbound HTTPS transfers of compressed archives from temporary directories trigger immediate alerts within your security monitoring tools.
- Test if your security solutions detect PowerShell compression commands specifically targeting the local application data directory.
- Consider disabling the RDP bitmap cache entirely through a standard Windows Group Policy setting to eliminate this risk.
- Integrate RDP cache review checks into your incident response playbook to actively search for unusually missing cache files during investigations.
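A triage check for the "empty cache on an RDP-heavy host" signal described above, written here as an added PowerShell example for incident responders; it is not part of the SCYTHE Labs findings or this article. It assumes the standard per-user cache location under %LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache, the Default.rdp file in a user's Documents folder as a per-user marker of past RDP client use, and event IDs 1024 and 1102 in the built-in RDP client operational log as the host-wide marker.

```powershell
# Added IR triage example (not from the article): flag profiles that show
# evidence of RDP client use but whose bitmap cache is missing or empty.
# Run elevated so every profile under C:\Users can be read.

# Host-wide usage signal: connection attempts (1024) and established
# sessions (1102) logged by the RDP client, whichever user connected.
$rdpEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
        Id      = 1024, 1102
    } -ErrorAction SilentlyContinue)
$hostUsedRdp = $rdpEvents.Count -gt 0

$results = foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    # Standard location of the persistent bitmap cache for this user
    $cacheDir = Join-Path $profile.FullName 'AppData\Local\Microsoft\Terminal Server Client\Cache'
    $cacheFiles = @()
    if (Test-Path $cacheDir) {
        # Persistent tile stores are the .bmc and .bin files in this folder
        $cacheFiles = @(Get-ChildItem $cacheDir -File |
            Where-Object { $_.Extension -in '.bmc', '.bin' })
    }
    # mstsc.exe writes a hidden Default.rdp once the user has connected somewhere
    $userUsedRdp = Test-Path (Join-Path $profile.FullName 'Documents\Default.rdp') -PathType Leaf

    [pscustomobject]@{
        User        = $profile.Name
        CacheExists = [bool](Test-Path $cacheDir)
        CacheFiles  = $cacheFiles.Count
        CacheBytes  = [int64](($cacheFiles | Measure-Object Length -Sum).Sum)
        UsedRdp     = $userUsedRdp -or $hostUsedRdp
        # The suspicious case from the article: RDP history, no cached tiles
        Suspicious  = ($userUsedRdp -or $hostUsedRdp) -and ($cacheFiles.Count -eq 0)
    }
}

$results | Format-Table -AutoSize
# Review any row with Suspicious = True alongside file-deletion telemetry for
# the cache folder and recent outbound archive transfers from that host.
```

Persistent caching is a per-client setting, so the same check is worth repeating after a Group Policy rollout to confirm new cache files are no longer being written for any profile.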
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.