Skip to content

Investigate malicious Windows logon by visualizing and analyzing Windows event log

License

Notifications You must be signed in to change notification settings

ZeArioch/LogonTracer

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Arsenal

Concept

LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.
This tool can visualize the following event id related to Windows logon based on this research.

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges

More details are described in the following documents:

LogonTracer sample

Additional Analysis

LogonTracer uses PageRank, Hidden Markov model and ChangeFinder to detect malicious hosts and accounts from event log.
PageRank List
With LogonTracer, it is also possible to display event logs in a chronological order.
Timeline

Use LogonTracer

To use LogonTracer, you can:

Documentation

If you want to know more details, please check the LogonTracer wiki.

Demonstration

Following YouTube's video shows how to use LogonTracer.

LogonTracer_Demonstration

Architecture

LogonTracer is written in Python and uses Neo4j for database. The following tools are used.

About

Investigate malicious Windows logon by visualizing and analyzing Windows event log

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • JavaScript 42.0%
  • Python 35.1%
  • HTML 20.6%
  • Dockerfile 2.1%
  • CSS 0.2%