Saturday 20 August 2016

RDP Access Timestamp - Registry Forensics


How do we know whether System "A" connected to other systems using Remote Desktop in the past?

We can retrieve the IP addresses to which RDP connections were established in the past, along with the timestamp of the last one.


You can find all machines to which RDP was done under the key below:

"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"

You can see all IP addresses along with the DOMAIN/USERNAME used to connect to each system via RDP.

If you want to retrieve the date and timestamp of the last modification of these registry keys (which in turn indicates when the RDP connection was established with that system), then:

Export the registry key as a ".txt" file and you will be able to see the "Last Write Time", which is not the case if you export the key as ".reg" - that's the trick!
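As an added example (not part of the original post), the following PowerShell reads the same key and recovers each subkey's last-write time directly through the RegQueryInfoKey API instead of the .txt export. It assumes it runs in the profile of the user being examined, and that the value name UsernameHint is the one the Remote Desktop client writes for the DOMAIN\USERNAME.

```powershell
# Added example: list RDP targets under HKCU\...\Terminal Server Client\Servers
# with the DOMAIN\USERNAME hint and the subkey's last-write time (UTC).
$sig = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcMaxSubKeyLen, out uint lpcMaxClassLen,
    out uint lpcValues, out uint lpcMaxValueNameLen, out uint lpcMaxValueLen,
    out uint lpcbSecurityDescriptor,
    out System.Runtime.InteropServices.ComTypes.FILETIME lpftLastWriteTime);
'@
$regApi = Add-Type -MemberDefinition $sig -Name 'RegApi' -Namespace 'Forensics' -PassThru

function Get-RegKeyLastWriteTime {
    # PowerShell does not expose a key's LastWriteTime, so ask the Win32 API for it.
    param([Microsoft.Win32.RegistryKey]$Key)
    $n1 = $n2 = $n3 = $n4 = $n5 = $n6 = $n7 = [uint32]0
    $ft = New-Object System.Runtime.InteropServices.ComTypes.FILETIME
    $rc = $regApi::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
            [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
            [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with status $rc" }
    # FILETIME is two 32-bit halves; combine them into 100 ns ticks since 1601.
    $ticks = ([int64]$ft.dwHighDateTime -shl 32) -bor ([int64]$ft.dwLowDateTime -band 0xFFFFFFFF)
    [DateTime]::FromFileTimeUtc($ticks)
}

function Get-RdpServerHistory {
    $base = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
        'Software\Microsoft\Terminal Server Client\Servers')
    if (-not $base) { return }   # no RDP history recorded for this user
    foreach ($name in $base.GetSubKeyNames()) {
        $sub = $base.OpenSubKey($name)
        [pscustomobject]@{
            Target       = $name                            # IP address or hostname entered in mstsc
            UsernameHint = $sub.GetValue('UsernameHint')    # DOMAIN\USERNAME used for the session
            LastWriteUtc = Get-RegKeyLastWriteTime -Key $sub
        }
        $sub.Close()
    }
    $base.Close()
}

Get-RdpServerHistory | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

The timestamp is the key's own modification time, so it records the client's last update of that entry (on this post's reasoning, the most recent connection), not every connection ever made to that host.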
