using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Script.Serialization;
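namespace RDP_Bruteforce_Protect
{
    /// <summary>
    /// Console monitor for RDP logon activity. Subscribes to the Windows Security log for
    /// successful (4624) and failed (4625) logons, prints each attempt and enriches it with a
    /// best-effort country lookup of the source IP. Reading the Security log normally requires
    /// an elevated process.
    /// </summary>
    class Program
    {
        [DllImport("Kernel32")]
        public static extern bool SetConsoleCtrlHandler(HandlerRoutine Handler, bool Add);

        public delegate bool HandlerRoutine(CtrlTypes CtrlType);

        public enum CtrlTypes
        {
            CTRL_C_EVENT = 0,
            CTRL_BREAK_EVENT,
            CTRL_CLOSE_EVENT,
            CTRL_LOGOFF_EVENT = 5,
            CTRL_SHUTDOWN_EVENT
        }

        // Security-log subscription: 4624 (success) with LogonType 10 (RemoteInteractive) or
        // 7 (Unlock), and 4625 (failure) with LogonType 3 (Network) or 7.
        private const string SubscriptionXPath =
            "*[EventData[(Data[@Name='LogonType']='10') or (Data[@Name='LogonType']='7')] and System[(EventID='4624')]] or *[EventData[(Data[@Name='LogonType']='3') or (Data[@Name='LogonType']='7')] and System[(EventID='4625')]]";

        private const string GeoApiBase = "https://api.ipgeolocationapi.com/geolocate/";

        // Property selectors; indices are shared by both lists: 0 time, 1 user, 2 IP, 3 logon
        // type. Failure events additionally expose 4 failure reason and 5 workstation name.
        private static readonly string[] SuccessProps =
        {
            "Event/System/TimeCreated/@SystemTime",
            "Event/EventData/Data[@Name='TargetUserName']",
            "Event/EventData/Data[@Name='IpAddress']",
            "Event/EventData/Data[@Name='LogonType']"
        };

        private static readonly string[] FailureProps =
        {
            "Event/System/TimeCreated/@SystemTime",
            "Event/EventData/Data[@Name='TargetUserName']",
            "Event/EventData/Data[@Name='IpAddress']",
            "Event/EventData/Data[@Name='LogonType']",
            "Event/EventData/Data[@Name='FailureReason']",
            "Event/EventData/Data[@Name='WorkstationName']"
        };

        // The delegate handed to the native side must stay reachable for as long as the console
        // may call it; a temporary `new HandlerRoutine(...)` passed straight to the P/Invoke can
        // be garbage-collected, after which the native callback faults.
        private static readonly HandlerRoutine s_ctrlHandler = ConsoleCtrlCheck;

        static EventLogWatcher watcher = null;
        static Errors ErrorHandler = new Errors();
        // One client for the process lifetime; the short timeout keeps a slow geolocation
        // service from stalling the console output for every event.
        static HttpClient httpClient = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };

        /// <summary>
        /// Console control handler (Ctrl+C, close, logoff, shutdown): releases the watcher and
        /// terminates the process. Always returns true, i.e. the event is reported as handled.
        /// </summary>
        private static bool ConsoleCtrlCheck(CtrlTypes ctrlType)
        {
            Console.ForegroundColor = ConsoleColor.DarkYellow;
            Console.WriteLine(" Disposing Event-Log-Watcher");
            Console.ForegroundColor = ConsoleColor.White;
            StopWatcher();
            Thread.Sleep(1000);
            Environment.Exit(0);
            return true;
        }

        /// <summary>
        /// Disables and disposes the watcher if one exists. Safe to call when no watcher was
        /// ever created (the original code dereferenced the field before its null check).
        /// </summary>
        private static void StopWatcher()
        {
            EventLogWatcher current = watcher;
            if (current == null)
            {
                return;
            }
            watcher = null;
            current.Enabled = false;
            current.Dispose();
        }

        static void Main(string[] args)
        {
            Console.ForegroundColor = ConsoleColor.White;
            SetConsoleCtrlHandler(s_ctrlHandler, true);
            subscribeAsync();
        }

        /// <summary>
        /// Creates the Security-log subscription and blocks until the process is terminated by
        /// the console control handler. Errors opening the log are printed and the watcher is
        /// released on every exit path.
        /// </summary>
        public static void subscribeAsync()
        {
            try
            {
                EventLogQuery subscriptionQuery = new EventLogQuery("Security", PathType.LogName, SubscriptionXPath);
                watcher = new EventLogWatcher(subscriptionQuery);
                watcher.EventRecordWritten += EventLogEventRead;
                watcher.Enabled = true;
                Console.WriteLine(" --------------------------------------");
                Console.WriteLine(" ---- LISTENING RDP LOGIN ATTEMPTS ----");
                Console.WriteLine(" --------------------------------------");
                // Park the main thread instead of spinning in an empty loop; the control
                // handler ends the process, so this sleep is never expected to return.
                Thread.Sleep(Timeout.Infinite);
            }
            catch (EventLogReadingException e)
            {
                Console.WriteLine("Error reading the log: {0}", e.Message);
            }
            catch (UnauthorizedAccessException e)
            {
                // Subscribing to the Security log is typically refused to non-elevated processes.
                Console.WriteLine("Access to the Security log was denied: {0}", e.Message);
            }
            finally
            {
                StopWatcher();
            }
            Console.ReadKey();
        }

        /// <summary>
        /// Formats an event property for the console. Fields such as TargetUserName and
        /// WorkstationName are supplied by the remote client, so control characters (which a
        /// terminal would interpret) are replaced by '?' before printing. Null prints as empty.
        /// </summary>
        private static string Printable(object value)
        {
            string text = value?.ToString() ?? string.Empty;
            var cleaned = new StringBuilder(text.Length);
            foreach (char c in text)
            {
                cleaned.Append(char.IsControl(c) ? '?' : c);
            }
            return cleaned.ToString();
        }

        /// <summary>Returns the printable form of property <paramref name="index"/>, or empty if absent.</summary>
        private static string Field(IList<object> props, int index)
        {
            return props != null && index < props.Count ? Printable(props[index]) : string.Empty;
        }

        /// <summary>
        /// Maps a failure status code to its description via <see cref="Errors.FailureReasons"/>.
        /// An unknown code is shown verbatim instead of aborting the whole record.
        /// </summary>
        private static string DescribeFailure(string code)
        {
            try
            {
                return Convert.ToString(ErrorHandler.FailureReasons[code]);
            }
            catch (KeyNotFoundException)
            {
                return code;
            }
        }

        /// <summary>
        /// Best-effort country name for <paramref name="ip"/>; returns "-" when the value is not
        /// an IP address (4625 records "-" for non-network logons), is loopback, or the lookup
        /// fails for any reason. Note that this sends the observed source IPs to a third-party
        /// service.
        /// </summary>
        private static async Task<string> LookupCountryAsync(string ip)
        {
            IPAddress parsed;
            if (!IPAddress.TryParse(ip, out parsed) || IPAddress.IsLoopback(parsed))
            {
                return "-";
            }
            try
            {
                // The address is re-serialised from the parsed form and escaped so that only a
                // well-formed IP ever becomes part of the request path.
                string json = await httpClient
                    .GetStringAsync(GeoApiBase + Uri.EscapeDataString(parsed.ToString()))
                    .ConfigureAwait(false);
                var deserialized = new JavaScriptSerializer().Deserialize<dynamic>(json);
                return (string)deserialized["name"] ?? "-";
            }
            catch (Exception)
            {
                // Lookup is purely cosmetic; any network, parse or shape error degrades to "-".
                return "-";
            }
        }

        /// <summary>
        /// Prints one logon event. async void is forced by the EventHandler signature, so the
        /// whole body is guarded: an exception escaping an async void callback would terminate
        /// the process.
        /// </summary>
        public static async void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
        {
            try
            {
                if (arg.EventRecord == null)
                {
                    Console.WriteLine("The event instance was null.");
                    return;
                }

                bool succeeded = arg.EventRecord.Id == 4624;
                var selector = new EventLogPropertySelector(succeeded ? SuccessProps : FailureProps);
                IList<object> props = ((EventLogRecord)arg.EventRecord).GetPropertyValues(selector);

                string ip = Field(props, 2);
                string country = await LookupCountryAsync(ip);

                Console.WriteLine(" Time:\t\t" + Field(props, 0));
                Console.WriteLine(" User:\t\t" + Field(props, 1));
                Console.Write(" Status:\t");
                Console.ForegroundColor = succeeded ? ConsoleColor.DarkGreen : ConsoleColor.DarkRed;
                Console.WriteLine(succeeded ? "LOGIN SUCCEED" : "LOGIN FAILED");
                Console.ForegroundColor = ConsoleColor.White;
                if (!succeeded)
                {
                    Console.WriteLine(" Reason:\t" + DescribeFailure(Field(props, 4)));
                    string workstation = Field(props, 5);
                    // Machine names are case-insensitive; an ordinal-ignore-case compare avoids a
                    // false "remote" verdict on a differently-cased local name.
                    bool isLocal = string.Equals(Environment.MachineName, workstation, StringComparison.OrdinalIgnoreCase);
                    Console.WriteLine(" Remote-PC:\t" + (isLocal ? "NOT A REMOTE MACHINE" : workstation));
                }
                Console.WriteLine(" IP:\t\t" + ip);
                Console.WriteLine(" Country:\t" + country);
                Console.WriteLine(" Logon-Type:\t" + Field(props, 3));
                Console.WriteLine(" --------------------------------------");
            }
            catch (Exception e)
            {
                Console.WriteLine("Error handling event: {0}", e.Message);
            }
        }
    }
}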