RDP-Parser

What is it

RDP-Parser extracts RDP activities from Microsoft Windows Event Logs. This tool has been designed for any investigation involving exploitation of the RDP service. It supports both the Evt and Evtx formats.

How it works

This is a command line tool and there is no installer. You should unzip and copy the program where you want to use it.

Open a command line in the directory where the program is. You can print the help message with "RDP-Parser --h":

usage: RDP-Parser [options]
Options and arguments:
--p     : Path: default is current or C:\Windows\System32\winevt\Logs
--t     : Type: 1: minimal (default, event with IP addresses only, less event details)
          2: minimal with all IP addresses
          3: normal (event with IP addresses only)
          4: normal with all IP addresses
          5: full (all RDP and login events)
--s     : Date start: [format: yyyy-mm-dd]
--e     : Date end: [format: yyyy-mm-dd]
--r     : Report format: 1: xlsx (default), 2: text, 3: html
--l     : Data strings on a single line
--o     : Open report at the end
--b     : Copy all Event logs from live system.
--h     : Print this help message and exit
Examples:
- RDP-Parser (without any argument): Print *minimal* type for Event Logs in current
  dir or system
- RDP-Parser --t 2 --s 2018-01-01 --e 2019-01-01: Print *normal* type for Event
  Logs in current dir or system, all events in 2018

More details about options:

  • --p: By default, RDP-Parser will look in the current directory, so you can copy the program into the same folder as the Event Logs you want to parse. If no path is given and the current directory doesn't contain Event Logs, RDP-Parser will copy the live system Event Logs into the current directory. This command requires admin privileges and it doesn't work for old format logs.
  • --t: There are three types of report (minimal, normal and full); minimal and normal each also have a variant that includes private IP addresses:
    • 1: minimal: This is the default type. The report will contain following columns: TimeGenerated, Source, EventID and Details. Only events with public IP addresses will be extracted and all details will be removed except IP address.
    • 2: minimal with all IP addresses: Same as type 1, but it also includes private IP addresses.

    (Screenshot: XLSX Report Type 2)

    • 3: normal: The report will contain all columns and all details. Columns are: TimeGenerated, Timewritten, Computer, Source, RecordNumber, Category, EventID, EventType and Details. Only events with public IP addresses will be extracted but all details will be included.
    • 4: normal with all IP addresses: Same as type 3, but it also includes private IP addresses.

    (Screenshot: XLSX Report Type 4)

    • 5: full: All events related to RDP or login activities will be included. Included events IDs are:
      • New format (evtx):
        • From Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx, event ids 21 to 25, 39 and 40;
        • From Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx, event ids 261 and 1149;
        • From Security.evtx, event ids 4624, 4625, 4634, 4647, 4778 and 4779;
        • From System.evtx, event id 56.
      • Old format (security.evt or SecEvent.Evt):
        • Event ids 528 to 540, 552, 682 and 683. Also, all events that contain IP addresses involved in RDP activities will be included. Some events may not be extracted (see Known Problems about this).
  • --l: With this option, all strings in Details column are on a single line.
  • --b: This is the backup function. It copies all Event Logs from the live system. All other options will be ignored. This command requires admin privileges and it doesn't work for old format logs.
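As an added illustration (not the project's own Perl code), the selection rules that the report types and the --s/--e options describe, applied in Python to constructed records that stand in for parsed evtx entries. The per-log event-id allowlist is the evtx list above; treating RFC 1918, loopback and link-local ranges as "private" is an assumption.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

RDP_EVENT_IDS = {  # per-log event-id allowlist, from the README's description of --t 5
    "Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx": {21, 22, 23, 24, 25, 39, 40},
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx": {261, 1149},
    "Security.evtx": {4624, 4625, 4634, 4647, 4778, 4779}, "System.evtx": {56}}
# Assumption: "private" means RFC 1918 plus loopback and link-local ranges.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                        "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")

def extract_ips(details, public_only):
    """IPv4 addresses in an event's strings; with public_only, private ones are dropped."""
    ips = [ip_address(c) for c in IPV4_RE.findall(details)]
    return [str(ip) for ip in ips if not (public_only and any(ip in n for n in PRIVATE_NETS))]

def select_activities(records, report_type=1, start=None, end=None):
    """README filters: per-log event-id allowlist; --s/--e window (yyyy-mm-dd, start
    inclusive, end exclusive, matching the --s 2018-01-01 --e 2019-01-01 example); for
    types 1-4 only events carrying an IP (public only for 1 and 3), with types 1-2 keeping
    just the IP(s) in Details; type 5 keeps every allowlisted event untouched."""
    lo = datetime.strptime(start, "%Y-%m-%d") if start else None
    hi = datetime.strptime(end, "%Y-%m-%d") if end else None
    rows = []
    for rec in records:
        ts = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
        if (rec["EventID"] not in RDP_EVENT_IDS.get(rec["Log"], ())
                or (lo and ts < lo) or (hi and ts >= hi)):
            continue
        ips = extract_ips(rec["Details"], public_only=report_type in (1, 3))
        if report_type != 5 and not ips:
            continue
        rows.append(dict(rec) if report_type >= 3 else {
            "TimeGenerated": rec["TimeGenerated"], "Source": rec["Source"],
            "EventID": rec["EventID"], "Details": ", ".join(ips)})
    return rows

SAMPLE = [  # constructed records standing in for parsed evtx entries (not real log data)
    {"Log": "Security.evtx", "Source": "Microsoft-Windows-Security-Auditing", "EventID": 4624,
     "TimeGenerated": "2018-09-15 11:25:37", "Details": "Logon Type: 10 Source Network Address: 203.0.113.5"},
    {"Log": "Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", "EventID": 21,
     "Source": "Microsoft-Windows-TerminalServices-LocalSessionManager", "TimeGenerated": "2018-09-15 11:30:02",
     "Details": "Session logon succeeded: Session ID: 2 Source Network Address: 192.168.1.20"},
    {"Log": "Security.evtx", "Source": "Microsoft-Windows-Security-Auditing", "EventID": 4672,
     "TimeGenerated": "2018-09-15 11:25:38", "Details": "Special privileges assigned to new logon"},
    {"Log": "System.evtx", "Source": "TermDD", "EventID": 56, "TimeGenerated": "2018-09-15 12:27:29",
     "Details": "The Terminal Server security layer detected an error in the protocol stream"}]
```

Running select_activities(SAMPLE) yields only the 4624 logon with the public address, while type 2 adds the LocalSessionManager event 21 with the private one and type 5 keeps all three allowlisted events regardless of IP.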

In the command line interface, RDP-Parser prints some useful information about each log, such as the date and time of the first entry, the last entry and the total number of entries.

RDP-Parser 1.0
***********************************************************************
Listing Event Logs in E:\DevPerl\RDP-Parser...
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx found.
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational found.
Security.evtx found.
System.evtx found.

Parsing E:\DevPerl\RDP-Parser\Security.evtx...
First entry date: 2018-09-15 11:25:37
Last entry date: 2018-09-15 12:26:54
Number of entries: 3877

Parsing E:\DevPerl\RDP-Parser\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx...
First entry date: 2018-09-15 11:02:16
Last entry date: 2018-09-15 12:26:26
Number of entries: 75

Parsing E:\DevPerl\RDP-Parser\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx...
First entry date: 2018-09-15 11:24:09
Last entry date: 2018-09-15 12:25:02
Number of entries: 9

Parsing E:\DevPerl\RDP-Parser\System.evtx...
First entry date: 2018-09-15 11:25:37
Last entry date: 2018-09-15 12:27:29
Number of entries: 542

83 activities have been found.
Creating report_2018-09-23_07-57-16.xlsx...
Report has been created.

What do you need

  • Windows XP SP2 or newer

Version History

1.0 (2018-09-23) First release.

Known Problems

  • For old format (evt), string parsing for event id 528 (and probably the whole range 528 to 540) is buggy: because the strings are not parsed correctly, you won't get all events.

License

Copyright (c) 2018 Alain Rioux

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

Feedback

If you have any problem, suggestion, comment, or you found a bug in my utility, contact the author.

Credits

  • The icon of RDP-Parser has been created by Saki (Alexandre Moore) (http://sa-ki.deviantart.com) and is distributed under the GNU General Public License.

Download

Source code is hosted on SourceForge and GitHub. Binaries are hosted on SourceForge.

Download RDP-Parser

If you want to download the standalone version or an older version, check on SourceForge.
