| 1 | +title: "Remote Access Service" |
| 2 | +category: "remote-access" |
| 3 | + |
| 4 | + |
| 5 | +description: "Two registry keys named <executable_name>_RASAPI32 and <executable_name>_RASMANCS are created the first time an application interacts with the Remote Access Service by loading rasapi32.dll and rasman.dll. This behavior allows analysts to confirm that a specific application has made an internet connection and to identify the timestamp of the first connection." |
| 6 | + |
| 7 | +paths: |
| 8 | + - "HKLM\\Software\\Microsoft\\Tracing\\<executable_name>_RASAPI32" |
| 9 | + - "HKLM\\Software\\Microsoft\\Tracing\\<executable_name>_RASMANCS" |
| 10 | + |
| 11 | +details: |
| 12 | + what: | |
| 13 | + Two registry keys named <executable_name>_RASAPI32 and <executable_name>_RASMANCS are created the first time an application interacts with the Remote Access Service by loading rasapi32.dll and rasman.dll. |
| 14 | +
|
| 15 | + forensic_value: | |
| 16 | + Provides the ability to confirm that a specific application has made an internet connection and to identify the timestamp of the first connection by inspecting the registry keys timestamp. |
| 17 | +
|
| 18 | + structure: | |
| 19 | + The registry key that will be created upon loading rasapi32.dll and rasman.dll will have a name of "ExecutableName_ServiceName", e.g., "svchost_RASAPI32", "svchost_RASMANCS". The value names inside the two registry keys are identical. "FileDirectory" is the path where Windows Tracing will output trace logs if enabled, "EnableFileTracing" and "EnableConsoleTracing" will have a value of 0 if disabled, and 1 if enabled. If they were enabled, a trace logs will be found in C:\Windows, but this file have no clear forensic value. |
| 20 | +
|
| 21 | + examples: |
| 22 | + - "HKLM\\Software\\Microsoft\\Tracing\\powershell_RASAPI32" |
| 23 | + - "HKLM\\Software\\Microsoft\\Tracing\\powershell_RASMANCS" |
| 24 | + |
| 25 | + tools: |
| 26 | + - name: "Registry Explorer" |
| 27 | + url: "https://ericzimmerman.github.io/#!index.md" |
| 28 | + description: "Advanced registry browser" |
| 29 | + |
| 30 | +limitations: |
| 31 | + - "Provide the timestamp of the first connection only, as the keys will be created once." |
| 32 | + - "If the application has already made network connections before the malicious one, the registry keys will already be created and the timestamp of the malicious connection will not be captured" |
| 33 | + - "This artifact only prove that a network connection has been made, it does not provide any information on the connection itself, e.g., IP Address " |
| 34 | + |
| 35 | +correlation: |
| 36 | + required_for_definitive_conclusions: |
| 37 | + - "Network traffic logs showing actual communication" |
| 38 | + - "The System Resource Usage Monitor (SRUM) showing the duration of the connection, the bandwidth usage, and the user who ran the application" |
| 39 | + |
| 40 | + strengthens_evidence: |
| 41 | + - "Process execution logs (Event ID 4688 or Sysmon Event ID 1) showing the actual execution of the application" |
| 42 | + |
| 43 | +metadata: |
| 44 | + windows_versions: |
| 45 | + - "Windows 10" |
| 46 | + - "Windows 11" |
| 47 | + - "Windows Server 2019" |
| 48 | + - "Windows Server 2022" |
| 49 | + |
| 50 | + criticality: "low" |
| 51 | + |
| 52 | + investigation_types: |
| 53 | + - "incident-response" # Emergency response situations |
| 54 | + - "malware-analysis" # Analyzing malicious software |
| 55 | + - "timeline-analysis" # Reconstructing sequence of events |
| 56 | + - "behavioral-analysis" # Understanding user/system behavior |
| 57 | + - "initial-access" # How attackers got in |
| 58 | + - "program-execution" # What programs were run |
| 59 | + - "remote-access" # Remote access tools/methods |
| 60 | + - "data-exfiltration" # Data theft and staging |
| 61 | + |
| 62 | + |
| 63 | + tags: |
| 64 | + - "remote-access" |
| 65 | + - "windows-tracing" |
| 66 | + |
| 67 | + references: |
| 68 | + - title: "Tracing Malicious Downloads" |
| 69 | + url: "https://www.allthingsdfir.com/tracing-malicious-downloads/" |
| 70 | + type: "blog" |
| 71 | + |
| 72 | + retention: |
| 73 | + default_location: "SOFTWARE Registry hive file" |
| 74 | + persistence: "Survives reboots and application uninstallation" |
| 75 | + volatility: "Persistent until explicitly deleted" |
| 76 | + |
| 77 | + related_artifacts: |
| 78 | + - "SRUM" |
| 79 | + |
| 80 | +author: |
| 81 | + name: "Abdullah Almutairi" |
| 82 | + github: "psexecsvc" |
| 83 | + |
| 84 | +contribution: |
| 85 | + date_added: "2025-08-13" |
| 86 | + last_updated: "2025-08-13" |
| 87 | + version: "1.0" |
| 88 | + reviewed_by: "Reviewer Name" # Optional |
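Review bot: the `description` and `forensic_value` fields overstate what the artifact records. They say the keys "confirm that a specific application has made an internet connection", while the `what` and `structure` fields tie key creation to the executable loading rasapi32.dll and rasman.dll, and the third `limitations` entry itself concedes the artifact only proves that some network connection was made with no detail about it. Suggested wording for `description`: "…allows analysts to establish that the application loaded the RAS libraries (indicating network activity) and the time that first happened." `forensic_value` should also say explicitly which timestamp is meant rather than "the registry keys timestamp". In `structure`, the sentence hard-codes C:\Windows as the trace log location in the same breath as describing `FileDirectory` as the output path; point readers at the `FileDirectory` value instead, and fix the grammar: "a trace logs will be found … but this file have no clear forensic value" should read "trace logs will be found … but these files have no clear forensic value". In `limitations`, "Provide the timestamp" should be "Provides the timestamp", "only prove" should be "only proves", and the third entry has a trailing space inside the quoted string ("IP Address "). Finally, `contribution.reviewed_by` still holds the template placeholder "Reviewer Name"; fill it in or drop the key before merging.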