Visualizing Windows Active Directory Event Logs: LogonTracer

2018-06-25T02:30:29
ID N0WHERE:172811
Type n0where
Reporter N0where
Modified 2018-06-25T02:30:29

Description

Investigate malicious logon by visualizing and analyzing Windows active directory event logs. LogonTracer associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.

This tool can visualize the following event id related to Windows logon based on this research .

  • 4624 : Successful logon
  • 4625 : Logon failure
  • 4768 : Kerberos Authentication (TGT Request)
  • 4769 : Kerberos Service Ticket (ST Request)
  • 4776 : NTLM Authentication
  • 4672 : Assign special privileges

LogonTracer uses PageRank and ChangeFinder to detect malicious hosts and accounts from event log.

Architecture

LogonTracer is written in Python and uses Neo4j for database. The following tools are used.

Although event logs analysis is crucial in incident investigation, it can be a time-consuming process if you do not know what to analyse and where to begin. This tool offers easy event log analysis by visualising the relations among accounts and hosts.

Visualizing Windows Active Directory Event Logs: LogonTracer Wiki

Visualizing Windows Active Directory Event Logs: LogonTracer Download