Tracing registry keys can be used to indicate that a program has initiated a network connection leveraging the Windows Remote Access Server (RAS) through the rasapi32.dll and rasman.dll libraries.
- Behavioral - Execution (TA0002)
- Execution - Evidence of Execution
- Network - Evidence of Network Activity
- Windows 11
- Windows 10
- Windows 8
- Windows 7
🔋 Live System:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
🔌 Offline system:
- File:
%SystemRoot%\System32\Config\SOFTWARE - Key:
SOFTWARE\Microsoft\Tracing
- RegistryExplorer (Eric Zimmerman)
Within the SOFTWARE\Microsoft\Tracing key, there may be multiple subkeys with the following name formats of interest:
{EXECUTABLE_FILENAME}_RASMANCS{EXECUTABLE_FILENAME}_RASAPI32
These filenames will not include the executable extension .exe.
The Last Write Timestamp of the registry key provides the first time an executable has loaded rasapi32.dll and rasman.dll in order to establish a remote network connection, typically to download a file.
Important
Subsequent activity of this nature will not update the Last Write Timestamp of the registry key.