Create Custom.Windows.Applications.RemoteDesktopBitmapCache.yaml

[AustinBollinger-dfir]

This allows 1-by-1 for .bin files to be fetched from client endpoints, and then taking .png files off the Windows endpoints for analysis. Will update, adding QoL improvements.

[CLAassistant]

All committers have signed the CLA.

[AustinBollinger-dfir]

Update:

• Have submitted false positive reports to various AV/detection vendors.
• I have noticed that since submitting to VirusTotal, detections have increased from 11, to 14, then 20+, etc. Oh so fun(!)
• Once the false positive reports are all in (submitting today), expect the fp detections to go away. Detections (fp) are just because Nuitka was used for compiling the Python
• Thankfully, the hashes should not ever be changed - that helps

[AustinBollinger-dfir]

I got Microsoft to de-list it as a false-positive. Wow!! Quick responsiveness.. modern definitions will NOT improperly detect. Same cannot be said for all EDR/AV engines (but I am actively working at getting the false-positive removed for more widespread usability)

[mgreen27]

@AustinBollinger-dfir ive written a native parser for BIN files using our binary parser. Works pretty well, I'll add it to the main project/Rapid7 Labs repo soon.

[mgreen27]

https://docs.velociraptor.app/artifact_references/pages/windows.forensics.rdpcache/