Skip to main content

RDP Bitmap Cache - Detect and Hunt

This Playbook is part of the RDPCacheHunting Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

Playbook: Automated Collection and Forensic Analysis of RDP Sessions Cache Data#

This playbook automates the collection and forensic analysis of RDP sessions cache data. It involves the following steps:

Step 1: Collect Cache Files and Convert to Image#

The first step is to collect the cache files from RDP sessions and convert them into an image format.

Step 2: Extract Readable Text from the Image#

Once the cache files are converted into an image, the playbook extracts readable text from the image to facilitate analysis.

Step 3: Build Indicators of Compromise (IOCs) from Text#

In this step, the extracted text is used to build indicators of compromise (IOCs) for further investigation and threat hunting.

Step 4: Enrich Extracted Indicators for Further Hunting#

Finally, the playbook enriches the extracted indicators by adding additional context and information, enhancing their usefulness for further hunting and analysis.

Note: It is important to customize and adapt this playbook to fit specific use cases and environments. Additionally, ensure compliance with legal and privacy requirements when collecting and analyzing data.

Feel free to modify and enhance this playbook according to your requirements.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Retrieve File from Endpoint - Generic V3
  • Threat Hunting - Generic




  • Set
  • PreProcessImage
  • StringSimilarity
  • StringSifter
  • UnzipFile
  • SetGridField
  • BMCTool


  • xdr-file-retrieve
  • lolbas-get-indicators
  • image-ocr-extract-text
  • rasterize-image
  • splunk-search
  • extractIndicators
  • rasterize-pdf
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
ShouldCollectRDPCacheWhen set to True, will use XDR to get RDP cache files from the endpoints. When set to False will try and use existing cache files from context.falseRequired
EndpointIDsA comma-separated list of endpoint ID's to retrieve cache files from.Optional
FilePathThe path of the file to retrieve or use wildcard for multiple files.
For example:
C:\Users\administrator\AppData\Local\Microsoft\Terminal Server Client\Cache*Optional
HostnameHostname of the machine on which the file is located. For PS remote it can also be an IP address.Optional
min_scoreStringSifter - Limit output to strings with score >= min-score.Optional
limitStringSifter - Limit output to the top limit ranked strings.Optional
similiarity_thresholdStringSimilarity - The similarity threshold to show results for, a value between 0 < x >1.0.3Optional
QRadarTimeFrameThe time frame for the QRadar hunting query.LAST 7 DAYSOptional
SplunkEarliestTimeThe earliest time for the Splunk hunting query.-7d@dOptional
SplunkLatestTimeThe latest time for the Splunk hunting query,nowOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

RDP Bitmap Cache - Detect and Hunt