The object you identified is what we call a "token." Its a byte-pattern in a session that should be rather constant where-ever the condition appears, in this case, the RDP protocol login.
In hex, it is actually 5 doublets of 00 followed by the "Cookie: mstshash=" and that appears to be fairly common in the several pcaps I found for RDP.
Here is the parser I put together. It identifies the token in question, then captures the variable between the token and a carriage return and alerts that meta out into the username key.
<?xml version="1.0" encoding="utf-8"?>
<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="parsers.xsd">
<parser name="RDP-User" desc="This extracts the RDP Username">
<declaration>
<token name="tcookiestart" value="�����Cookie: mstshash=" />
<number name="vPosition" scope="stream" />
<string name="vusername" scope="stream" />
<meta name="meta" key="username" format="Text" />
</declaration>
<match name="tcookiestart">
<find name="vPosition" value="
" length="512">
<read name="vusername" length="$vPosition">
<register name="meta" value="$vusername" />
</read>
</find>
</match>
</parser>
</parsers>
Save that text as a .parser file in your c:\program data\netwitness\parsers directory. Then close investigator and reopen it. Now import your rdp pcap and it should populate the username key. Let me know if you have any issues.
BTW, there are other tokens in the protocol negotiations, including the machine name and whether or not clipboard access is allowed, but I couldn't determine a good token to use. I do see DUCA in common, but there is variable space in between that token and the machine name. Tougher to do and requires more programming logic than I can muster. Maybe someone else on the community can try to extract the machinename tokens and add it to this thread?
