A C# script that logs failed RDP logon events, including the timestamp of each attempt and the country of origin of the source IP address. It can be used together with Microsoft Sentinel and Azure to build a visual map of login attempts.
This script was developed for the following SOC project blog post: How to Visualize Failed RDP Events Using C# & GeoIP2 in Azure.
I couldn't find practical .NET examples for similar needs, so I hope this helps others.
- Logs failed RDP login attempts together with the country of origin of the source IP.
- Uses MaxMind's GeoIP2 database locally, so lookups need no outbound API call and no per-request rate limit.
- Designed to run on Windows as a Windows service, which makes it suitable for SOC and other security-focused deployments.
Prerequisites:
- .NET SDK: install the .NET SDK if you want to compile the application yourself. Download it from Microsoft .NET SDK.
- .NET Runtime: if you only want to run the compiled application, the .NET Runtime is enough. Available at Microsoft .NET Runtime.
- MaxMind GeoIP2 Country database: create a MaxMind account and download the free GeoLite2 Country database (`.mmdb` file) from the MaxMind GeoIP2 download page.
Build from source:
1. Initialize a .NET console project and add the two dependencies:
   ```
   dotnet new console -n GeoLogger
   cd GeoLogger
   dotnet add package MaxMind.GeoIP2
   dotnet add package Microsoft.Extensions.Hosting.WindowsServices
   ```
2. Replace `Program.cs`: copy the `Program.cs` from this repository over the default `Program.cs` in your project folder.
3. Update the paths in `Program.cs`:
   - replace `<REPLACE_WITH_DATABASE_PATH>` with the path to your `.mmdb` GeoIP database file;
   - replace `<REPLACE_WITH_OUTPUT_LOCATION>` with your preferred output log file path.
4. Build and run the program:
   - to run directly: `dotnet run`
   - alternatively, to compile a release build and run it as an executable: `dotnet publish -c Release -o ./output`, then start the executable from `./output`.
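To show what a `Program.cs` of this shape does, here is an added example written for this page; it is not the repository's own `Program.cs`. It subscribes to Security log Event ID 4625 (an account failed to log on), pulls the source IP, logon type and target account out of the event XML, resolves the country with the local GeoLite2 Country database, and appends one tab-separated line per attempt to a log file. The database path `C:\MaxMind\GeoLite2-Country.mmdb`, the output path `C:\MaxMind\failed_rdp.log`, the class name `RdpFailureLogger` and the log line layout are all assumptions made for the illustration. `System.Diagnostics.Eventing.Reader` comes from the `System.Diagnostics.EventLog` package, which `Microsoft.Extensions.Hosting.WindowsServices` already pulls in on Windows.

```csharp
// Added example, not the repository's own Program.cs: a hosted service that watches the
// Security log for Event ID 4625, extracts the source IP, resolves its country from the
// local GeoLite2 Country database and appends one line per attempt to a log file.
// The two file paths below are assumptions for illustration.
using System;
using System.Diagnostics.Eventing.Reader;   // System.Diagnostics.EventLog package, Windows only
using System.IO;
using System.Linq;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using System.Xml.Linq;
using MaxMind.GeoIP2;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public sealed class RdpFailureLogger : BackgroundService
{
    private const string DatabasePath = @"C:\MaxMind\GeoLite2-Country.mmdb"; // assumed path
    private const string OutputPath = @"C:\MaxMind\failed_rdp.log";          // assumed path

    private readonly DatabaseReader _geo = new DatabaseReader(DatabasePath);
    private EventLogWatcher? _watcher;

    protected override Task ExecuteAsync(CancellationToken stoppingToken)
    {
        // Subscribe only to failed logons; nothing else in the Security log is delivered to us.
        var query = new EventLogQuery("Security", PathType.LogName, "*[System[EventID=4625]]");
        _watcher = new EventLogWatcher(query);
        _watcher.EventRecordWritten += OnEventWritten;
        _watcher.Enabled = true;
        stoppingToken.Register(() => _watcher.Enabled = false);
        return Task.CompletedTask;
    }

    private void OnEventWritten(object? sender, EventRecordWrittenEventArgs e)
    {
        if (e.EventRecord is null) return;              // delivery error, nothing to parse
        using EventRecord record = e.EventRecord;
        string? line = FormatEntry(record.ToXml(), record.TimeCreated ?? DateTime.UtcNow);
        if (line is not null)
            File.AppendAllText(OutputPath, line + Environment.NewLine);
    }

    // Parsing is kept apart from the watcher so it can be exercised on a saved event XML.
    public string? FormatEntry(string eventXml, DateTime timestamp)
    {
        XDocument doc = XDocument.Parse(eventXml);
        XNamespace ns = doc.Root!.Name.Namespace;
        string Field(string name) => doc.Descendants(ns + "Data")
            .FirstOrDefault(d => (string?)d.Attribute("Name") == name)?.Value ?? "-";

        // LogonType 10 is RemoteInteractive (classic RDP). With Network Level Authentication
        // enabled, a failed RDP logon is recorded as LogonType 3 instead, so keep both.
        string logonType = Field("LogonType");
        if (logonType != "10" && logonType != "3") return null;

        // Local failures carry "-" or a loopback address; there is nothing to geolocate.
        string ipText = Field("IpAddress");
        if (!IPAddress.TryParse(ipText, out IPAddress? ip) || IPAddress.IsLoopback(ip)) return null;

        // Private and reserved ranges are absent from GeoLite2; TryCountry returns false
        // for them instead of throwing AddressNotFoundException.
        string country = _geo.TryCountry(ip, out var response) && response?.Country.IsoCode is string iso
            ? iso
            : "??";

        return $"{timestamp:o}\t{ipText}\t{country}\t{Field("TargetUserName")}\tLogonType={logonType}";
    }

    public override void Dispose()
    {
        _watcher?.Dispose();
        _geo.Dispose();
        base.Dispose();
    }
}

public static class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .UseWindowsService()   // a service under the SCM, a console app when started by hand
            .ConfigureServices(services => services.AddHostedService<RdpFailureLogger>())
            .Build()
            .Run();
}
```

Two things to check before deploying something like this. Reading the Security log needs more than an ordinary user account: run the service as an account in the Administrators or Event Log Readers group (it can be registered from an elevated PowerShell with `New-Service -Name GeoLogger -BinaryPathName "<path to the published .exe>"`), and prefer the less privileged of the two. The `TargetUserName` field is whatever the remote client typed, so treat it as untrusted input when the log file is parsed or ingested into Sentinel rather than assuming it is a well-formed account name.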
Run the prebuilt release:
1. Download the `.exe` from Releases and make sure the .NET Runtime is installed (see above).
2. Keep the files in `C:\MaxMind`: place your `.mmdb` file in `C:\MaxMind` to simplify the paths.
3. Run the `.exe` to start logging failed RDP events.