Tracing registry keys can be used to indicate that a program has initiated a network connection leveraging the Windows Remote Access Server (RAS) through the rasapi32.dll and rasman.dll libraries.
- Behavioral - Execution (TA0002)
- Execution - Evidence of Execution
- Network - Evidence of Network Activity
- Windows 11
- Windows 10
- Windows 8
- Windows 7
🔋 Live System: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
🔌 Offline System:
- File: %SystemRoot%\System32\Config\SOFTWARE
- Key: SOFTWARE\Microsoft\Tracing
- RegistryExplorer (Eric Zimmerman)
Within the SOFTWARE\Microsoft\Tracing key, there may be multiple subkeys with the following name formats of interest:
{EXECUTABLE_FILENAME}_RASMANCS
{EXECUTABLE_FILENAME}_RASAPI32
These subkey names do not include the executable's .exe extension.
The Last Write timestamp of the registry key provides the first time an executable loaded rasapi32.dll and rasman.dll in order to establish a remote network connection, typically to download a file.
Important: Subsequent activity of this nature will not update the Last Write timestamp of the registry key.
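The following is an added example, not part of the original page: it takes the subkey names and last-write timestamps that an offline parser would report for SOFTWARE\Microsoft\Tracing, recognises the two name formats above, and reports per executable which RAS library was loaded and the first-use time. The subkey names and timestamps are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Subkey name formats of interest under SOFTWARE\Microsoft\Tracing:
#   {EXECUTABLE_FILENAME}_RASMANCS -> rasman.dll
#   {EXECUTABLE_FILENAME}_RASAPI32 -> rasapi32.dll
TRACING_SUFFIXES = {"RASMANCS": "rasman.dll", "RASAPI32": "rasapi32.dll"}
SUBKEY_RE = re.compile(r"^(?P<exe>.+)_(?P<suffix>RASMANCS|RASAPI32)$", re.IGNORECASE)


def parse_tracing_subkey(name):
    """Return (executable base name, library) for a RAS tracing subkey, else None.
    The executable name is stored without its .exe extension."""
    m = SUBKEY_RE.match(name)
    if not m:
        return None
    return m.group("exe"), TRACING_SUFFIXES[m.group("suffix").upper()]


def summarize_tracing_keys(subkeys):
    """subkeys: iterable of (subkey_name, last_write_utc datetime).
    Groups RAS tracing subkeys by executable. The earliest last-write time is
    reported as the first RAS use; later RAS activity does not update the key,
    so this is a first-seen time, never a last-seen time."""
    by_exe = {}
    for name, last_write in subkeys:
        parsed = parse_tracing_subkey(name)
        if parsed is None:
            continue  # unrelated Tracing subkey
        exe, lib = parsed
        entry = by_exe.setdefault(exe, {"libraries": set(), "first_ras_use_utc": last_write})
        entry["libraries"].add(lib)
        if last_write < entry["first_ras_use_utc"]:
            entry["first_ras_use_utc"] = last_write
    return by_exe


# Constructed sample input (not real data), as an offline registry parser would report it.
SAMPLE_SUBKEYS = [
    ("updater_RASAPI32", datetime(2024, 3, 1, 10, 15, 0, tzinfo=timezone.utc)),
    ("updater_RASMANCS", datetime(2024, 3, 1, 10, 15, 2, tzinfo=timezone.utc)),
    ("installer_RASAPI32", datetime(2024, 2, 20, 8, 0, 0, tzinfo=timezone.utc)),
    ("RASMANCS", datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)),  # no executable prefix
]

if __name__ == "__main__":
    for exe, info in summarize_tracing_keys(SAMPLE_SUBKEYS).items():
        print(exe, sorted(info["libraries"]), info["first_ras_use_utc"].isoformat())
```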