Introduction
Much of modern detection still revolves around the network layer: IP addresses, geolocation, and infrastructure reputation. As attackers increasingly rely on VPNs, proxies, and compromised hosts, these signals become less reliable.
As a long-time follower of the Huntress blog, one detection theme that consistently stands out is the use of environmental mismatches — signals such as unusual or uncommon hostnames that deviate from established naming conventions within client environments. These subtle inconsistencies often reveal compromised systems hiding in plain sight.
Consequently, I was inspired to revisit my earlier research on RDP forensics, RDP Forensics Part 1 (Keyboard Layout Fingerprinting) and Part 2 (Timezone, OS Type, and Display Resolution), to explore whether similar anomaly-based logic could be applied to RDP client artifacts.
By leveraging RDP client fingerprints to develop baseline profiles for users and devices within an environment, defenders can identify deviations that reveal identity-layer compromise, even when RDP sessions appear legitimate, authorized, and routine.
Why RDP Artifacts Matter
When an RDP session is established, the client sends a surprising amount of local system metadata to the destination server, including but not limited to keyboard layout, timezone, operating system type, and display resolution. This information is exchanged as part of the RDP connection sequence so that the two sides can negotiate the session, and, crucially, it is generated on the client before the traffic enters any VPN, Tor circuit, or proxy tunnel.
As shown in my previous research, some of these metadata attributes, particularly keyboard layout and display resolution, may persist across multiple hops and can serve as resilient indicators even when attackers employ multi-layered obfuscation techniques.
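As an added example (not code from the article), here is a parser for the fixed-length part of the Client Core Data block (TS_UD_CS_CORE) that an RDP client sends during connection setup; this is where the desktop size and keyboard layout mentioned above are carried. The field layout follows MS-RDPBCGR, and the sample block is constructed with the helper rather than captured from a real session. One caveat: when the session negotiates TLS (Enhanced RDP Security), this block travels inside the TLS tunnel, so a defender normally obtains these values from the server side rather than from a network capture.

```python
"""Parse the fixed-length fields of the RDP Client Core Data (TS_UD_CS_CORE)
block, which carries the desktop size and keyboard layout the client
advertises during connection setup.

Added example, not the article's own code. The field layout follows
MS-RDPBCGR; the sample block is constructed with build_cs_core(), not captured.
"""
import struct

CS_CORE = 0xC001       # TS_UD_HEADER type for Client Core Data
CS_CORE_MIN_LEN = 132  # header plus all mandatory fields

# Windows keyboard layout identifiers (KLIDs); the low 16 bits are the language ID.
KLID_NAMES = {
    0x00000409: "en-US",
    0x00000407: "de-DE",
    0x00000419: "ru-RU",
    0x00000804: "zh-CN",
}


def parse_cs_core(blob: bytes) -> dict:
    """Return the mandatory TS_UD_CS_CORE fields as a dict; raise on malformed input."""
    if len(blob) < CS_CORE_MIN_LEN:
        raise ValueError("Client Core Data is at least 132 bytes")
    hdr_type, hdr_len = struct.unpack_from("<HH", blob, 0)
    if hdr_type != CS_CORE:
        raise ValueError(f"unexpected user data type 0x{hdr_type:04X}")
    if hdr_len < CS_CORE_MIN_LEN or hdr_len > len(blob):
        raise ValueError("length field disagrees with buffer size")
    (version, width, height, color_depth, sas_sequence,
     keyboard_layout, client_build) = struct.unpack_from("<IHHHHII", blob, 4)
    # clientName: 32 bytes of UTF-16LE, NUL terminated (offset 24..56).
    client_name = blob[24:56].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    keyboard_type, keyboard_subtype, function_keys = struct.unpack_from("<III", blob, 56)
    return {
        "version": version,              # 0x00080004 means RDP 5.0 or later
        "desktop_width": width,
        "desktop_height": height,
        "keyboard_layout": keyboard_layout,
        "keyboard_layout_name": KLID_NAMES.get(keyboard_layout, "unknown"),
        "client_build": client_build,
        "client_name": client_name,
        "keyboard_type": keyboard_type,  # 4 = IBM enhanced (101/102 keys)
        "function_keys": function_keys,
    }


def build_cs_core(width: int, height: int, keyboard_layout: int,
                  client_name: str, client_build: int = 19041) -> bytes:
    """Build a minimal 132-byte Client Core Data block (constructed test input)."""
    name = client_name.encode("utf-16-le")[:30].ljust(32, b"\x00")
    body = struct.pack("<IHHHHII", 0x00080004, width, height,
                       0xCA01,  # colorDepth: RNS_UD_COLOR_8BPP
                       0xAA03,  # SASSequence: RNS_UD_SAS_DEL
                       keyboard_layout, client_build)
    body += name
    body += struct.pack("<III", 4, 0, 12)  # keyboardType, subtype, function keys
    body += b"\x00" * 64                   # imeFileName (unused here)
    return struct.pack("<HH", CS_CORE, 4 + len(body)) + body


if __name__ == "__main__":
    sample = build_cs_core(1024, 768, 0x00000419, "ATTACKER-VM")
    for key, value in parse_cs_core(sample).items():
        print(f"{key:22} {value}")
```

Running the block parses a constructed block advertising a 1024 x 768 desktop and a Russian keyboard layout, which is exactly the combination the hunts later in this post look for. The optional fields that follow imeFileName (clientProductId, clientDigProductId, connectionType and so on) are only present when the length field says so, which is why the parser checks the length before reading anything.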
The "Fog": How Attackers Hide
Attackers rarely connect directly to their targets. Instead, they weave a complex web of intermediate nodes designed to break or obscure the digital breadcrumb trail between the attacker and the target.

- Source IP Masking: Initial connections are routed over an encrypted link to a VPS provider or a commercial proxy service. This creates the first layer of separation: if the connection is logged, it points to a data center or a generic commercial IP address rather than the attacker's true location.
- Tor: By using onion routing, attackers bounce traffic through a random set of relays around the world, making it difficult to correlate the entry point with the exit point.
- Compromised SOHO Routers: By hijacking small office/home office (SOHO) routers, attackers leverage residential IP addresses to connect to targets. Because these IPs are associated with legitimate ISP customers, they are less likely to be flagged by automated threat intelligence IP reputation lists that block known data centers/VPN exit nodes.
- Botnets & Proxy Chains: Attackers chain connections through multiple compromised devices, each acting as a proxy, to further obscure the true source of the attack.
All of this effort typically focuses on hiding the attacker at the network layer.
Penetrating the "Fog"
Despite these techniques, one key limitation remains: none of them hides application-layer fingerprints. VPNs, Tor, and proxy services encrypt and relay traffic, but they do not modify the metadata that the RDP client itself sends. That information is collected on the attacker's own machine, carried untouched through the encrypted tunnel, and delivered to the target system exactly as the client generated it.

RDP Hopping Isn't a Silver Bullet
Attackers also frequently rely on RDP hopping: making RDP connections, or "hops", through one or more compromised hosts before reaching the final target. Unlike VPNs and proxies, RDP hopping can mask application-layer fingerprints, because each hop negotiates a fresh RDP session and the target only ever sees the client metadata of the final hop.

However, my research shows that certain source client metadata, such as keyboard layout and display resolution, may still leak through to the victim system. This is consistent with how an intermediate session behaves: its desktop size and active input locale are taken from the client that opened it, so a full-screen RDP client launched inside that session advertises those inherited values to the next hop.

Turning RDP Artifacts into Detection Signals
Using the same anomaly-based logic employed by Huntress, I offer four practical ways to hunt RDP intruders in your environment:
Locale Mismatches:
- Hypothesis: An attacker connecting via RDP from a non-native region may expose a keyboard layout that does not match the geographic or linguistic profile of the assigned user.
- Hunt For: Input locale identifiers (keyboard layout IDs) that the assigned user has never used before and that are inconsistent with the user's expected geographic or linguistic profile.
- Value: Detects compromised credentials being used by threat actors operating outside the user's region.

Impossible Hardware (Display Resolution Profiling):
- Hypothesis: An attacker using virtual machines or custom hardware builds may present a default display resolution that differs from the standard corporate workstation fleet (e.g. 1920 x 1080).
- Hunt For: (1) RDP sessions with small 4:3 displays (e.g. 800 x 600, 1024 x 768), which are common defaults for the virtual machines attackers use; (2) extremely large or otherwise unusual resolutions that do not match the company's standard-issue monitors.
- Value: Surfaces "headless" or virtual-machine-based RDP clients that default to low-resolution settings to conserve bandwidth.

Unexpected Clients:
- Hypothesis: An attacker may connect using specific operating systems (e.g. Kali Linux) that are never or rarely used in the victim environment.
- Hunt For: Operating system types and versions that are not part of the company's managed device inventory.
- Value: Detects the use of non-corporate, attacker-controlled platforms.
Timezone Anomalies:
- Hypothesis: An attacker operating from a different geographic region than the authorized user may inadvertently reveal their local timezone, even when using a VPN or proxy.
- Hunt For: Client timezones that are inconsistent with the expected timezone of the assigned user.
- Value: Detects compromised credentials being used by threat actors operating outside the user's region.
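The four hunts above, as an added example in Python (not the article's own code): per-user baselines are built from prior session records, and each new session is scored against its user's baseline for locale and timezone and against fleet-wide expectations for hardware and client OS. The session records, the fleet's standard resolutions, and the managed OS inventory are all constructed for this example; a real deployment would populate them from RDP session logs and the asset inventory.

```python
"""Baseline-and-deviation hunting over RDP client fingerprints.

Added example, not the article's own code. The session records, fleet
resolutions and managed-OS list below are constructed for illustration.
"""
from collections import Counter

ATTRS = ("klid", "tz", "os", "res")

# Assumed fleet facts (hypothetical): standard-issue monitors and managed OS builds.
FLEET_RESOLUTIONS = {(1920, 1080), (1920, 1200), (2560, 1440)}
VM_DEFAULT_RESOLUTIONS = {(800, 600), (1024, 768)}
MANAGED_OS = {"Windows 10", "Windows 11"}


def rec(user, klid, tz, os, res):
    """One RDP session record: account plus the client metadata it negotiated with."""
    return {"user": user, "klid": klid, "tz": tz, "os": os, "res": res}


# Constructed history: what a defender would assemble from prior RDP logons.
HISTORY = [
    rec("alice", 0x0409, "Pacific Standard Time", "Windows 11", (1920, 1080)),
    rec("alice", 0x0409, "Pacific Standard Time", "Windows 11", (1920, 1080)),
    rec("alice", 0x0409, "Pacific Standard Time", "Windows 11", (2560, 1440)),
    rec("bob",   0x0407, "W. Europe Standard Time", "Windows 10", (1920, 1200)),
    rec("bob",   0x0407, "W. Europe Standard Time", "Windows 10", (1920, 1200)),
    rec("bob",   0x0407, "W. Europe Standard Time", "Windows 10", (1920, 1200)),
    rec("carol", 0x0409, "Eastern Standard Time", "Windows 11", (1920, 1080)),
]

# Constructed candidate sessions to score against the baselines.
CANDIDATES = [
    rec("alice", 0x0409, "Pacific Standard Time", "Windows 11", (2560, 1440)),  # routine
    rec("alice", 0x0419, "Russian Standard Time", "Linux", (1024, 768)),         # everything off
    rec("carol", 0x0409, "Eastern Standard Time", "Linux", (1920, 1080)),        # thin baseline
    rec("bob",   0x0407, "W. Europe Standard Time", "Windows 10", (3840, 2160)), # odd monitor
]


def build_baselines(history, min_sessions=3):
    """Per-user set of previously seen values for each attribute. Users with
    fewer than min_sessions records get no baseline, so the per-user rules stay
    quiet for them instead of alerting on every session."""
    counts = Counter(s["user"] for s in history)
    baselines = {}
    for s in history:
        if counts[s["user"]] < min_sessions:
            continue
        user = baselines.setdefault(s["user"], {a: set() for a in ATTRS})
        for a in ATTRS:
            user[a].add(s[a])
    return baselines


def hunt(session, baselines):
    """Return (rule, detail) findings for one session, in a fixed rule order."""
    findings = []
    base = baselines.get(session["user"])
    # Locale and timezone need a per-user baseline: compare with what the account used before.
    if base is not None:
        if session["klid"] not in base["klid"]:
            findings.append(("locale_mismatch",
                             f"keyboard layout 0x{session['klid']:08X} not in user's baseline"))
        if session["tz"] not in base["tz"]:
            findings.append(("timezone_anomaly",
                             f"client timezone {session['tz']!r} not in user's baseline"))
    # Hardware and client-OS rules need only fleet knowledge, so they also cover new accounts.
    if session["res"] in VM_DEFAULT_RESOLUTIONS:
        findings.append(("impossible_hardware", f"VM default resolution {session['res']}"))
    elif session["res"] not in FLEET_RESOLUTIONS:
        findings.append(("impossible_hardware", f"resolution {session['res']} not standard issue"))
    if session["os"] not in MANAGED_OS:
        findings.append(("unexpected_client", f"client OS {session['os']!r} not in managed inventory"))
    return findings


def hunt_all(candidates, history):
    """Score every candidate session against baselines built from history."""
    baselines = build_baselines(history)
    return [(s["user"], hunt(s, baselines)) for s in candidates]


if __name__ == "__main__":
    for user, findings in hunt_all(CANDIDATES, HISTORY):
        print(user, findings or "no findings")
```

The split between baseline-dependent rules and fleet-dependent rules matters in practice: carol has only one prior session, so locale and timezone rules say nothing about her, but her Linux client still trips the inventory check. Conversely, the full-screen 4K monitor on bob's session is flagged only because it is outside the standard-issue set, which is the kind of finding that should be tuned against a real asset inventory rather than treated as an alert on its own.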
Conclusion
As attackers continue to invest significant effort in hiding their true origin and blending into trusted networks, network-layer indicators alone are no longer sufficient to distinguish legitimate access from compromise. RDP forensics shifts the focus beyond the IP address and toward the subtle, persistent application-layer fingerprints left behind by the RDP client.
By baselining these artifacts across users and devices in the environment, defenders can uncover RDP sessions that appear legitimate but are anything but. These signals are corroborating rather than conclusive: a careful attacker can set a client's locale, timezone, and resolution to match the victim's, and a per-user baseline is only as good as the session history behind it, so pair them with network-layer and identity indicators rather than replacing those outright.