RDP Saved Password (.rdp file)
Detects DPAPI-encrypted saved passwords stored in Windows Remote Desktop Protocol (.rdp) connection files. The characteristic line "password 51:b:<blob>" holds the saved credential as a DPAPI (CryptProtectData) ciphertext blob; mstsc writes the blob hex-encoded, and the pattern's character class also admits base64-encoded variants. These files are frequently found on file shares, in user profiles on workstations, and in source-control repositories. They are a high-severity finding because the blob is protected only by the saving user's DPAPI master key: it decrypts trivially on the originating machine in that user's context (CryptUnprotectData with CurrentUser scope yields the UTF-16 plaintext), and offline by anyone who obtains that user's master key, for example with the user's password or, for domain accounts, the domain DPAPI backup key. Mirrors Snaffler rule KeepRdpPasswords.
- Type
- regex
- Engine
- boost_regex
- Confidence
- high
- Confidence justification
- High confidence: the token "password 51:b:" (the property name followed by the binary type marker) is specific to the .rdp format's saved-password property and does not occur in other common configuration formats. The minimum length of 16 characters rejects empty values and short placeholders; a genuine blob written by mstsc runs to several hundred hex characters. Because hex digits are a subset of the base64 alphabet, the pattern matches hex- and base64-encoded blobs alike. The length check alone cannot prove the blob is genuine; the stronger corroboration is that a real blob decodes to bytes beginning with the DPAPI header (version 01000000 followed by the provider GUID, hex D08C9DDF0115D1118C7A00C04FC297EB). Deployment caveat: mstsc saves .rdp files as UTF-16LE with a byte-order mark, so an engine that applies the pattern to undecoded bytes will miss them; the scanner must decode the file to text before matching. False positive rate is extremely low.
- Jurisdictions
- global
- Regulations
- Computer Fraud and Abuse Act (CFAA), Criminal Code Act 1995 (Cth), Cybersecurity Maturity Model Certification (CMMC), Network and Information Systems (NIS) Directive
- Frameworks
- CIS Controls, ISO 27001, NIST CSF
- Data categories
- credentials, security, configuration
- Scope
- specific
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
password\s+51:b:[A-Za-z0-9+/=]{16,}
Corroborative evidence keywords
prompt for credentials, rdp, remote desktop, .rdp
Proximity: 300 characters
Should match
- full address:s:10.0.0.5 username:s:admin password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB01000000 — Realistic .rdp properties with full address, username, and hex-encoded DPAPI password blob as mstsc writes it
- full address:s:rdpserver.corp.local username:s:CORP\jsmith password 51:b:AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA — Domain-joined RDP file with corporate server and DOMAIN\user-style username; base64-encoded blob (the pattern accepts both encodings)
- password 51:b:AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAHXy9kQlWzUGvP2nMlQ== — Standalone password line with valid base64 DPAPI blob including padding
- screen mode id:i:2 full address:s:192.168.1.100 prompt for credentials:i:0 password 51:b:01000000D08C9DDF0115D111AABBCCDD — Full .rdp file snippet with screen mode, address, credential prompt disabled, and saved password (blob truncated after 32 hex characters, still above the 16-character minimum)
- username:s:localadmin password 51:b:AQAAANC+MNd8BFdERjHoABCDEFGHIJKLMNOP — Local account credential blob without domain prefix
Should not match
- password 51:b: — Password line with empty blob (no blob content) should not match
- password 51:b:short — Blob shorter than 16 characters should not match
- password=51b01000000D08C9DDF0115D1118C7A00C04FC297EB — Malformed line using equals sign instead of space and colon notation
- password 52:b:01000000D08C9DDF0115D1118C7A00C04FC297EB — Type 52 (different encoding type) should not match; only type 51 is the DPAPI blob marker
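The rule run end to end, as an added example that is not part of this rule page or of Snaffler: it compiles the pattern above, decodes a constructed .rdp file from the UTF-16LE-with-BOM encoding mstsc writes, applies the 300-character keyword proximity check, and adds the one corroboration the regex alone cannot perform, decoding the blob (hex as mstsc writes it, or base64) and testing for the DPAPI header bytes. The sample file content is constructed, and the function names (decode_rdp, decode_blob, scan, scan_file_bytes) are this example's own.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# The rule's pattern; the capture group is added here to pull out the blob.
RDP_PASSWORD_RE = re.compile(r"password\s+51:b:([A-Za-z0-9+/=]{16,})")

# Corroborative keywords and proximity window from the rule.
KEYWORDS = ("prompt for credentials", "remote desktop", ".rdp", "rdp")
PROXIMITY = 300

# Header every CryptProtectData output starts with: DWORD version 1, then the
# DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian layout.
DPAPI_HEADER = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C04FC297EB")

# Constructed sample (not a real capture): the property lines mstsc writes, in the
# UTF-16LE-with-BOM encoding mstsc uses when it saves a connection file.
SAMPLE_RDP_TEXT = (
    "screen mode id:i:2\r\n"
    "full address:s:192.168.1.100\r\n"
    "username:s:CORP\\jsmith\r\n"
    "prompt for credentials:i:0\r\n"
    "password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB01000000\r\n"
)
SAMPLE_RDP_BYTES = b"\xff\xfe" + SAMPLE_RDP_TEXT.encode("utf-16-le")


def decode_rdp(raw: bytes) -> str:
    """Decode file bytes to text. mstsc writes UTF-16 with a BOM; hand-edited
    or script-generated files are usually UTF-8/ASCII."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")  # the BOM selects byte order and is stripped
    return raw.decode("utf-8", errors="replace")


def decode_blob(token: str) -> Optional[bytes]:
    """Recover the raw blob bytes. mstsc hex-encodes the blob, so hex is tried
    first; base64 is accepted because the pattern's character class admits it."""
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", token):
        return bytes.fromhex(token)
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan(text: str) -> List[Dict]:
    """Apply the rule to decoded text and enrich each hit with the two
    corroboration checks: DPAPI header present, and rule keywords nearby."""
    findings = []
    for m in RDP_PASSWORD_RE.finditer(text):
        token = m.group(1)
        blob = decode_blob(token)
        window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY].lower()
        findings.append({
            "offset": m.start(),
            "blob_chars": len(token),
            "dpapi_header": blob is not None and blob.startswith(DPAPI_HEADER),
            "keywords": [k for k in KEYWORDS if k in window],
        })
    return findings


def scan_file_bytes(raw: bytes) -> List[Dict]:
    """Entry point for a file read in binary mode: decode first, then match."""
    return scan(decode_rdp(raw))


if __name__ == "__main__":
    for hit in scan_file_bytes(SAMPLE_RDP_BYTES):
        print(hit)
    # Applying the pattern to the undecoded bytes finds nothing: every character
    # is followed by a NUL, so "password" never appears as a contiguous string.
    print("raw-byte matches:", len(scan(SAMPLE_RDP_BYTES.decode("latin-1"))))
```

Run against the page's own test cases, the five "should match" lines all produce a hit and the four "should not match" lines produce none; the header check then separates the three samples whose blob carries the real DPAPI header from the two with fabricated or truncated bytes, which is the distinction the first known-false-positive entry relies on.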
Known false positives
- Documentation or tutorial files that include example .rdp configuration snippets with fabricated credential blobs may trigger the pattern. Mitigation: review the surrounding file context and, where the scanner allows, decode the blob. A genuine saved password is a several-hundred-character hex string that decodes to bytes beginning with the DPAPI header, whereas fabricated examples are usually short, lack that header, and sit among explanatory prose rather than other .rdp property lines.
- Backup or archived .rdp files where the DPAPI blob is no longer decryptable (e.g. machine has been re-imaged) still match the structural pattern even though the credential cannot be recovered. Mitigation: Flag for review regardless — the presence of a saved-password blob indicates credential hygiene risk even if decryption is not currently possible.