

GitHub - JPCERTCC/LogonTracer: Investigate malicious Windows logon by visualizin...
source link: https://github.com/JPCERTCC/LogonTracer

Concept
LogonTracer is a tool for investigating malicious logons by visualizing and analyzing Windows Active Directory event logs. It links the host name (or IP address) and the account name found in each logon-related event and displays the result as a graph, so an analyst can see which accounts were used in logon attempts and from which hosts.
The tool can visualize the following logon-related event IDs, selected based on this research.
- 4624: Successful logon
- 4625: Logon failure
- 4768: Kerberos authentication (TGT request)
- 4769: Kerberos service ticket (ST request)
- 4776: NTLM authentication (credential validation)
- 4672: Special privileges assigned to a new logon
More details are described in the following documents:
Additional Analysis
LogonTracer uses PageRank, a Hidden Markov model and ChangeFinder to detect suspicious hosts and accounts in the event log.
With LogonTracer, it is also possible to display event logs in chronological order.
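As an added example (this is not LogonTracer's own code; the field-to-node mapping, the filtering of machine accounts and the PageRank implementation are choices made for this illustration), the following Python script builds the account-to-host graph described above from a few constructed Security events covering the six event IDs, ranks the graph nodes with PageRank, marks accounts seen in 4672 as privileged, and orders the events chronologically. The sample events, timestamps, hosts and account names are all constructed.

```python
"""Added example (not LogonTracer's code): parse Windows logon events,
link accounts to the hosts they came from, rank the graph with PageRank,
and lay the events out chronologically. The event XML is constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData fields that name the account and the source host for each event
# ID (this example's own mapping; 4672 carries no host and only marks privilege).
FIELD_MAP = {
    "4624": ("TargetUserName", ("IpAddress", "WorkstationName")),
    "4625": ("TargetUserName", ("IpAddress", "WorkstationName")),
    "4768": ("TargetUserName", ("IpAddress",)),
    "4769": ("TargetUserName", ("IpAddress",)),
    "4776": ("TargetUserName", ("Workstation",)),
    "4672": ("SubjectUserName", ()),
}

def _event(eid, time, **data):  # builds one constructed event in the Windows event XML shape
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>{fields}</EventData></Event>')

# Constructed sample: one host (10.0.0.5) authenticates as three different accounts.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(4624, "2024-03-01T08:00:01Z", TargetUserName="alice", LogonType=3, IpAddress="10.0.0.5"),
    _event(4768, "2024-03-01T08:00:00Z", TargetUserName="alice", IpAddress="::ffff:10.0.0.5"),
    _event(4624, "2024-03-01T08:05:10Z", TargetUserName="bob", LogonType=3, IpAddress="10.0.0.5"),
    _event(4625, "2024-03-01T08:06:42Z", TargetUserName="bob", IpAddress="10.0.0.7"),
    _event(4769, "2024-03-01T08:07:00Z", TargetUserName="carol", ServiceName="cifs/FS01",
           IpAddress="::ffff:10.0.0.5"),
    _event(4776, "2024-03-01T08:09:30Z", TargetUserName="carol", Workstation="WS01"),
    _event(4672, "2024-03-01T08:00:01Z", SubjectUserName="alice"),
    _event(4624, "2024-03-01T08:10:00Z", TargetUserName="SRV01$", LogonType=3, IpAddress="10.0.0.5"),
]) + "</Events>"

def _host(data, keys):
    for key in keys:
        value = data.get(key, "")
        if value and value != "-":            # "-" means the field was not recorded
            if value.startswith("::ffff:"):   # 4768/4769 log IPv4 clients as IPv4-mapped IPv6
                value = value[7:]
            return value.lower()              # host names are case-insensitive
    return None

def parse_events(xml_text):
    """Return (time, event_id, account, host) tuples; host is None when the event has none."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        if eid not in FIELD_MAP:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        user_key, host_keys = FIELD_MAP[eid]
        time = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        records.append((time, eid, data.get(user_key, "").lower(), _host(data, host_keys)))
    return records

def _is_noise(user):
    return not user or user.endswith("$")     # machine accounts clutter this view; skipped here

def build_graph(records):
    """Undirected weighted bipartite graph: user:<name> <-> host:<addr>, weight = event count."""
    graph = {}
    for _t, _eid, user, host in records:
        if host is None or _is_noise(user):
            continue
        for a, b in (("user:" + user, "host:" + host), ("host:" + host, "user:" + user)):
            nbrs = graph.setdefault(a, {})
            nbrs[b] = nbrs.get(b, 0) + 1
    return graph

def privileged_accounts(records):
    """Accounts that were assigned special privileges (event 4672)."""
    return {u for _t, eid, u, _h in records if eid == "4672" and not _is_noise(u)}

def pagerank(graph, damping=0.85, iterations=100, tol=1e-9):
    """Weighted PageRank by power iteration. Every node in the graph has at least one
    edge, so out_weight is never zero and no dangling-node handling is needed."""
    nodes = list(graph)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    out_weight = {u: sum(graph[u].values()) for u in nodes}
    for _ in range(iterations):
        new_rank = {v: (1.0 - damping) / n for v in nodes}
        for u in nodes:
            for v, w in graph[u].items():
                new_rank[v] += damping * rank[u] * w / out_weight[u]
        delta = sum(abs(new_rank[v] - rank[v]) for v in nodes)
        rank = new_rank
        if delta < tol:
            break
    return rank

def ranked(graph):
    """Nodes from most to least central; a hub host used with many accounts rises to the top."""
    return sorted(pagerank(graph).items(), key=lambda kv: kv[1], reverse=True)

def timeline(records):
    """Events in chronological order (ISO 8601 timestamps sort lexically)."""
    return sorted(records)

if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    priv = privileged_accounts(recs)
    for node, score in ranked(build_graph(recs)):
        flag = "  [4672]" if node.startswith("user:") and node[5:] in priv else ""
        print(f"{score:.3f}  {node}{flag}")
    for t, eid, user, host in timeline(recs):
        print(t, eid, user, host or "-")
```

Two details matter in practice: the Kerberos events (4768/4769) record IPv4 clients as `::ffff:a.b.c.d`, so the prefix has to be stripped or the same machine splits into two host nodes, and the account name is lowercased because Windows account names are case-insensitive. With the constructed data, `host:10.0.0.5` gets the highest rank because it is the only host linked to all three accounts, which is the lateral-movement pattern the graph view is meant to surface; `alice` is additionally flagged because of her 4672 event.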
Use LogonTracer
To use LogonTracer, you can:
Documentation
If you want to know more details, please check the LogonTracer wiki.
Demonstration
The following YouTube video shows how to use LogonTracer.
Architecture
LogonTracer is written in Python and uses Neo4j as its database. The following tools are used:
- Python 3
- Neo4j as the graph database.
- Neo4j JavaScript driver, which connects to Neo4j over its binary (Bolt) protocol.
- Cytoscape for visualizing the graph network.
- Flask, a microframework for Python.