Overview
TheRDCManFiles command searches for Remote Desktop Connection Manager (RDCMan) configuration files on the system. RDCMan is a Microsoft tool for managing multiple RDP connections, and its .rdg files contain server lists, connection settings, and sometimes stored credentials.
Important: User commands run for the current user if not elevated and for ALL users if elevated.
Syntax
Output
The command returns:
- RDCMan .rdg file locations
- File paths and names
- File sizes and timestamps
- User context for each configuration file
- Potential credential storage indicators
Use Cases
Red Team
- Credential Harvesting: Extract RDP credentials from RDCMan configuration files
- Network Mapping: Discover RDP-accessible servers and infrastructure
- Lateral Movement: Identify targets for RDP-based lateral movement
- Infrastructure Discovery: Map organizational server topology
- Target Prioritization: Find production vs. development servers from group names
Blue Team
- Asset Discovery: Document RDP-accessible systems in the environment
- Credential Hygiene: Identify users storing RDP credentials in RDCMan
- Security Audit: Review RDP access patterns and configurations
- Incident Response: Track RDP connections during investigations
- Compliance Monitoring: Ensure remote access aligns with policies
Example Output
Privilege Context
- Non-Elevated: Searches for RDCMan files for the current user only
- Elevated: Searches for RDCMan files for ALL users on the system, providing comprehensive RDP connection discovery
Remote Execution
This command does not support remote execution (not marked with + in the command list).
Detection Considerations
Indicators
- File system enumeration for .rdg files
- Access to common RDCMan storage locations (Documents, Desktop, etc.)
- Reading XML configuration files
- Enumeration across multiple user profiles
Defensive Monitoring
- Monitor access to .rdg files by non-RDCMan processes
- Alert on automated enumeration of RDCMan configurations
- Track processes reading RDCMan XML files
- Log bulk access to .rdg files across multiple users
- Detect credential dumping tools accessing RDCMan data
- Monitor for exfiltration of .rdg files
RDCMan File Contents
- Server hostnames and IP addresses
- Server group organization revealing infrastructure
- Usernames for RDP connections
- Passwords (encrypted but can be decrypted)
- Connection settings and preferences
- Gateway configurations
Security Considerations
- RDCMan stores passwords encrypted with DPAPI
- Encryption key is user-specific and recoverable
- Passwords can be decrypted with user context or DPAPI master keys
- .rdg files are XML and easily parseable
- Files often contain complete server inventories
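A defender's audit of the XML described in the two lists above, as an added example (not Seatbelt or RDCMan code): it inventories every server by group path and flags nodes that carry a stored password, without decrypting anything. The element names and the sample file follow my understanding of the RDCMan 2.7 layout and are assumptions; the password value is a constructed placeholder, not a DPAPI blob.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the RDCMan 2.7 <RDCMan>/<file>/<group>/<server> layout
# (assumption). The password is a placeholder; db01 shows an empty <password> element.
SAMPLE_RDG = """<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.7" schemaVersion="3">
  <file>
    <properties><name>Corp</name></properties>
    <group>
      <properties><name>Production</name></properties>
      <logonCredentials inherit="None">
        <userName>svc_rdp</userName>
        <password>PLACEHOLDER_DPAPI_BLOB</password>
        <domain>CORP</domain>
      </logonCredentials>
      <server><properties><name>web01.corp.example</name></properties></server>
      <server>
        <properties><name>db01.corp.example</name></properties>
        <logonCredentials inherit="None"><userName>sa_admin</userName><password></password></logonCredentials>
      </server>
    </group>
    <group>
      <properties><name>Lab</name></properties>
      <server><properties><name>10.0.9.15</name></properties></server>
    </group>
  </file>
</RDCMan>"""

def _walk(node, path, servers, stored_creds):
    """Recurse over file/group/server nodes, recording servers and stored passwords."""
    name = node.findtext("properties/name", default="?")
    here = path + [name]
    if node.tag == "server":
        servers.append(("/".join(path), name))
    creds = node.find("logonCredentials")
    # Only a non-empty <password> counts as a stored credential (db01 is skipped).
    if creds is not None and (creds.findtext("password") or "").strip():
        user = creds.findtext("userName") or ""
        domain = creds.findtext("domain") or ""
        stored_creds.append(("/".join(here), f"{domain}\\{user}" if domain else user))
    for child in node:
        if child.tag in ("group", "server"):
            _walk(child, here, servers, stored_creds)

def audit_rdg(xml_text):
    """Return (servers, stored_creds): the server inventory and every stored-password node."""
    servers, stored_creds = [], []
    for file_node in ET.fromstring(xml_text).findall("file"):
        _walk(file_node, [], servers, stored_creds)
    return servers, stored_creds
```

Run over a user's real .rdg files, the `stored_creds` list is the credential-hygiene finding and `servers` is the inventory an attacker would obtain from the same file.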
Security Recommendations
- Discourage storing passwords in RDCMan files
- Use network-level authentication and SSO where possible
- Implement file access monitoring on .rdg files
- Regularly audit RDCMan usage and configurations
- Consider using enterprise RDP management solutions
- Rotate credentials if .rdg files are compromised
- Enable RDP connection auditing
Related Commands
- RDPSavedConnections: Lists saved RDP connections from the registry
- RDPSessions: Shows current incoming RDP sessions
- RDPSettings: Displays Remote Desktop settings
- PuttySessions: Enumerates saved PuTTY/SSH sessions
- WindowsCredentialFiles: Finds Windows credential DPAPI blobs
- DpapiMasterKeys: Lists DPAPI master keys needed for decryption