
LogonTracer

Investigate malicious logons by visualizing and analyzing Windows Active Directory event logs.
LogonTracer uses PageRank and ChangeFinder to detect malicious hosts and accounts from the event logs.
The tool visualizes the following logon-related Windows event IDs, based on this research.

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges


More details are described in the following documents:
https://www.jpcert.or.jp/magazine/acreport-logontracer.html (Japanese)
http://blog.jpcert.or.jp/2017/11/visualise-event-logs-to-identify-compromised-accounts---logontracer-.html (English)

Requirements

The following tools are used

Usage

Install

  1. Download and install Neo4j community edition.

  2. Clone or download LogonTracer.

     $ git clone https://github.com/JPCERTCC/LogonTracer.git

  3. Install the Neo4j JavaScript driver into the static directory.

     $ cd LogonTracer/static
     $ npm install neo4j-driver

  4. Install the Python modules.

     $ pip3 install -r requirements.txt

     or

     $ pip3 install numpy py2neo python-evtx lxml changefinder flask

     If the statsmodels installation fails, install numpy first.

  5. Start the Neo4j server.

How to Use

Start LogonTracer

Start LogonTracer with the -r option.
Use -h to see the help message.

$ python3 logontracer.py -r -o 8080 -u neo4j -p password -s localhost

Access http://[LogonTracer_Server]:8080/ via Web browser.

Import EVTX

Import the event log using the Web GUI or logontracer.py.

Use Web GUI

Event logs can be imported with the "Upload EVTX" button.

Use python script

Event logs can be imported with the -e option of logontracer.py.

$ python3 logontracer.py -e Security.evtx -z +9 -u neo4j -p password -s localhost
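As an added illustration of what the import step extracts (this is example code, not LogonTracer's own implementation), the Python below parses one Security event in the Windows Event XML schema, the per-record form that python-evtx yields, keeps only the logon-related event IDs listed at the top of this page, and shifts the UTC SystemTime by an hour offset the way -z +9 in the command above shifts timestamps to UTC+9. The field names it reads (TargetUserName, TargetDomainName, LogonType, IpAddress, WorkstationName) are standard 4624 fields; the host, user and address values in the sample record are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# The logon-related event IDs LogonTracer visualizes.
LOGON_EVENT_IDS = {4624, 4625, 4768, 4769, 4776, 4672}

# Constructed sample record in the Windows Event XML schema (the per-record form
# python-evtx yields). Host, user and address values are made up.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2017-11-01T02:30:15.123456Z"/>
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="WorkstationName">WS-ALICE</Data>
  </EventData>
</Event>"""

# A logoff (4634) record built from the same sample; it is not a logon event and is skipped.
SAMPLE_4634 = SAMPLE_4624.replace("<EventID>4624</EventID>", "<EventID>4634</EventID>")


def parse_event(xml_text, tz_offset_hours=0):
    """Return a dict for a logon-related record, or None for any other event ID.
    SystemTime is recorded in UTC; tz_offset_hours shifts it the way the -z option does."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id not in LOGON_EVENT_IDS:
        return None
    system_time = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # Drop fractional seconds and the trailing Z, attach UTC, then shift to the target offset.
    ts = datetime.strptime(system_time[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone(timedelta(hours=tz_offset_hours)))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    logon_type = data.get("LogonType", "")
    return {
        "event_id": event_id,
        "time": ts,
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "user": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
        # Kerberos/NTLM events (4768/4769/4776) carry no LogonType; 4624/4625 records do.
        "logon_type": int(logon_type) if logon_type.isdigit() else None,
        # IpAddress is "-" for local logons, so callers should not assume a routable address.
        "ip": data.get("IpAddress", ""),
        "workstation": data.get("WorkstationName", ""),
    }


def load_events(xml_records, tz_offset_hours=0):
    """Parse many records and keep only the logon-related ones."""
    parsed = (parse_event(x, tz_offset_hours) for x in xml_records)
    return [r for r in parsed if r is not None]


if __name__ == "__main__":
    for record in load_events([SAMPLE_4624, SAMPLE_4634], tz_offset_hours=9):
        print(record["time"].isoformat(), record["event_id"], record["user"], record["ip"])
```

With a real file, the records would come from python-evtx (each `record.xml()` string) instead of the constructed sample, and the parsed tuples of user, host and address are exactly what the graph and timeline views described below are built from.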

Search and visualize the event log

Use the navigation bar to search by account name, host name, IP address, event ID and event count.
The Export button downloads the graph data as CSV, JPG, PNG or JSON.
Use the side bar to search for accounts matching specific criteria:

  • All users: Visualizing all users and hosts.
  • SYSTEM privileges: Visualizing users with SYSTEM privileges.
  • RDP Logon: Visualizing RDP logon users and hosts (Logon type: 10).
  • Network Logon: Visualizing users and hosts logging on from the network (Logon type: 3).
  • Batch Logon: Visualizing batch logons (Logon type: 4).
  • Service Logon: Visualizing Service Control Manager logons (Logon type: 5).
  • ms14-068 exploit failure: Visualizing the error events recorded when an MS14-068 exploit attempt failed.
  • Logon failure: Visualizing users who failed to log on.

Node details
  • Red node: account with SYSTEM privileges
  • Blue node: standard user account
  • Green node: IP address or host

PageRank

PageRank is an algorithm for rating the importance of web pages.
LogonTracer uses PageRank to rate the importance of accounts and hosts in a domain network.
An account with a high PageRank logs on to many hosts and may have been used for the attackers' lateral movement.
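The graph and ranking described above, as an added Python example (not LogonTracer's own implementation): a constructed set of account-to-host logons is turned into a graph and scored with the standard PageRank power iteration. The sample pairs in SAMPLE_LOGONS, the host and account names, and the modeling choice of linking account and host in both directions are assumptions of this example; LogonTracer's own graph construction may differ. The account that has logged on to every host comes out with the highest rank, which is the pattern the text associates with lateral movement.

```python
from collections import defaultdict

# Constructed (account, host) pairs, as would be extracted from 4624 events.
# svc_backup has logged on to every host; the other accounts each use one.
SAMPLE_LOGONS = [
    ("alice", "WS01"), ("bob", "WS02"), ("carol", "WS03"), ("dave", "SRV01"),
    ("svc_backup", "WS01"), ("svc_backup", "WS02"),
    ("svc_backup", "WS03"), ("svc_backup", "SRV01"),
]


def build_logon_graph(logons):
    """Bipartite account/host graph as {node: set(neighbours)}.
    Assumption: a logon links account and host in both directions, so an account
    that reaches many hosts collects rank from each of them."""
    adj = defaultdict(set)
    for account, host in logons:
        adj[account].add(host)
        adj[host].add(account)
    return dict(adj)


def pagerank(adj, damping=0.85, max_iter=200, tol=1e-12):
    """Standard PageRank power iteration over an adjacency dict."""
    nodes = list(adj)
    n = len(nodes)
    incoming = defaultdict(list)  # v -> nodes u that have an edge u -> v
    for u, targets in adj.items():
        for v in targets:
            incoming[v].append(u)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        # Rank held by nodes with no out-edges is redistributed evenly.
        dangling = sum(rank[v] for v in nodes if not adj[v])
        new = {}
        for v in nodes:
            inflow = sum(rank[u] / len(adj[u]) for u in incoming[v])
            new[v] = (1 - damping) / n + damping * (inflow + dangling / n)
        converged = sum(abs(new[v] - rank[v]) for v in nodes) < tol
        rank = new
        if converged:
            break
    return rank


def ranked_accounts(logons):
    """Accounts sorted by PageRank, highest first."""
    rank = pagerank(build_logon_graph(logons))
    accounts = {account for account, _ in logons}
    return sorted(((a, rank[a]) for a in accounts), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for account, score in ranked_accounts(SAMPLE_LOGONS):
        print(f"{account:12s} {score:.4f}")
```

On this sample the four single-host accounts share the lowest score and the hosts sit in between, so the ranking separates the one account whose logon pattern spans the network from ordinary users without any signature of what the account did on those hosts.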

Timeline

The Timeline button displays hourly event counts as a time series.
Hosts with drastic changes are highlighted.
The anomaly detection behind this highlighting uses the change point detection algorithm ChangeFinder.
Click "Download" to download the timeline summary and the detailed CSV data.
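As an added Python example (not LogonTracer's code), the block below reproduces the timeline idea on constructed events: it buckets logon events per host per hour, fills in empty hours, and flags hours whose count departs sharply from the preceding hours. The scoring is a plain windowed z-score chosen so the example runs with the standard library alone; LogonTracer itself uses ChangeFinder, whose SDAR-based scoring this does not replicate. The host names, the window of six hours and the threshold of five standard deviations are assumptions of this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def hourly_counts(events):
    """events: iterable of (timestamp, host). Returns {host: Counter{hour_start: count}}."""
    counts = defaultdict(Counter)
    for ts, host in events:
        counts[host][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def fill_hours(series):
    """Insert zero-count hours between the first and last event so quiet gaps are part of the baseline."""
    hours = sorted(series)
    full, h = {}, hours[0]
    while h <= hours[-1]:
        full[h] = series.get(h, 0)
        h += timedelta(hours=1)
    return full


def change_scores(series, window=6, min_std=1.0):
    """Score each hour by its distance, in standard deviations, from the mean of the
    preceding `window` hours. min_std stops a perfectly flat baseline from dividing by zero.
    This is a simplified stand-in, not ChangeFinder."""
    hours = sorted(series)
    values = [series[h] for h in hours]
    scores = {}
    for i, h in enumerate(hours):
        if i < window:
            scores[h] = 0.0  # not enough history yet
            continue
        prev = values[i - window:i]
        std = max(pstdev(prev), min_std)
        scores[h] = (values[i] - mean(prev)) / std
    return scores


def flag_hosts(events, threshold=5.0, window=6):
    """Return {host: [(hour, count, score), ...]} for hours whose score reaches the threshold."""
    flagged = {}
    for host, series in hourly_counts(events).items():
        full = fill_hours(series)
        scores = change_scores(full, window)
        peaks = [(h, full[h], s) for h, s in scores.items() if s >= threshold]
        if peaks:
            flagged[host] = peaks
    return flagged


# Constructed sample: WS01 sees a steady 2 logons per hour, SRV01 a steady 3 per hour
# plus a burst of 40 extra logons during the 13:00 hour.
BASE = datetime(2017, 11, 1, 0, 0)


def build_sample_events():
    events = []
    for hour in range(24):
        events += [(BASE + timedelta(hours=hour, minutes=10), "WS01")] * 2
        events += [(BASE + timedelta(hours=hour, minutes=5), "SRV01")] * 3
    events += [(BASE + timedelta(hours=13, minutes=m), "SRV01") for m in range(40)]
    return events


if __name__ == "__main__":
    for host, peaks in flag_hosts(build_sample_events()).items():
        for hour, count, score in peaks:
            print(f"{host} {hour:%Y-%m-%d %H:00} count={count} score={score:.1f}")
```

Only SRV01 at 13:00 is flagged; the hour after the burst scores low again because the burst itself has inflated the window's standard deviation, which is the kind of masking a proper change point model such as ChangeFinder handles more gracefully than a fixed window does.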

Docker Image

If you use Docker, you can pull the following image:
https://hub.docker.com/r/jpcertcc/docker-logontracer/

$ docker run \
   --detach \
   --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 \
   -e LTHOSTNAME=[IP Address] \
   jpcertcc/docker-logontracer

Notes

The event logs that LogonTracer analyzes are not recorded with the default settings.
If the audit policy has not been enabled, you need to enable it.
The audit policy can be changed from the Local Group Policy Editor (gpedit.msc):

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object

Enabling the following items records the event IDs listed above.

  • Account Logon
    • Audit Credential Validation
    • Audit Kerberos Authentication Service
    • Audit Kerberos Service Ticket Operations
  • Logon/Logoff
    • Audit Logon
    • Audit Special Logon
