Notes


Using RDP without leaving traces: the MSTSC public mode

Have you ever wondered what the “/public” command-line option in MSTSC actually does? It enables “public mode” in the RDP client, a feature somewhat similar to “incognito mode” in web browsers. This is a feature meant to be used on a “public” or “shared” computer, where users might want to prevent credentials, session details, and cached images from being stored locally.

For forensic analysts, the traces left behind by a malicious attacker using MSTSC on a compromised system can be a gold mine of information. Here is a list of all the features affected by the RDP public mode: