Windows RDP Cache File Deletion

Author: Teoderick Contreras, Splunk
Source: upstream

This detection identifies the deletion of RDP bitmap cache files—specifically .bmc and .bin files—typically stored in the user profile under the Terminal Server Client\Cache directory. These files are created by the native Windows Remote Desktop Client (mstsc.exe) and store graphical elements from remote sessions to improve performance. Deleting these files may indicate an attempt to remove forensic evidence of RDP usage. While rare in legitimate user behavior, this action is commonly associated with defense evasion techniques used by attackers or red teamers who wish to hide traces of interactive remote access. When observed in conjunction with recent logon activity, RDP session indicators, or script execution, this behavior should be treated as potentially malicious. Monitoring for deletion of these files provides valuable visibility into anti-forensic actions that often follow lateral movement or hands-on-keyboard activity.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1070.004` Indicator Removal: File Deletion

Event coverage

Provider	Event ID	Title
Sysmon	23	FileDelete (File Delete archived)
Sysmon	26	FileDeleteDetected (File Delete logged)

Stages and Predicates

Stage 1: `search`

search EventCode IN ("23", "26") TargetFilename IN ("*\\Terminal Server Client\\Cache\\*.bmc", "*\\Terminal Server Client\\Cache\\cache*.bin")

Stage 2: `stats`

stats BY action, dest, dvc, file_path, file_hash, file_name, file_modify_time, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user, user_id, vendor_product

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	in	`"23"` corpus 6 (splunk 6) `"26"` corpus 6 (splunk 6)
`TargetFilename`	in	`"\\Terminal Server Client\\Cache\\.bmc"` corpus 2 (splunk 2) `"\\Terminal Server Client\\Cache\\cache.bin"` corpus 2 (splunk 2)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Excessive File Deletion In WinDefender Folder [splunk]
Windows ConsoleHost History File Deletion [splunk]
Windows Data Destruction Recursive Exec Files Deletion [splunk]
Windows Default Rdp File Deletion [splunk]
Windows High File Deletion Frequency [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Excessive File Deletion In WinDefender Folder [splunk]
Windows ConsoleHost History File Deletion [splunk]
Windows Data Destruction Recursive Exec Files Deletion [splunk]
Windows Default Rdp File Deletion [splunk]
Windows High File Deletion Frequency [splunk]