Article Excerpt
LogonTracer is a tool to investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. It associates the host name (or IP address) and the account name found in each logon-related event and displays the associations as a graph.
| property | value |
| --- | --- |
| tags | defensive-tradecraft, github-repo, tradecraft-tool |
| url | |
| original_word_count | 233 |
Long Summary
LogonTracer is a tool designed to investigate malicious logon activity by visualizing and analyzing Windows Active Directory event logs. It ingests and displays the following logon-related Security events: successful logon (4624), logon failure (4625), Kerberos authentication ticket request (4768), Kerberos service ticket request (4769), NTLM credential validation (4776), and special privileges assigned to a new logon (4672). From these it builds a graph whose nodes are accounts and hosts (or IP addresses) and whose edges are the logon events linking them, then uses PageRank, a Hidden Markov model and ChangeFinder to rank and flag hosts and accounts that stand out. It can also display the event logs in chronological order, so an investigator can follow an account's path from host to host.
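To make concrete what "associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph" means, the following is an added Python example written for this page; it is not LogonTracer's own code (which stores the graph in Neo4j and serves it through Flask). It builds the account/host graph from a handful of constructed Security events, ranks nodes with a minimal weighted PageRank (one of the three techniques the summary names; the HMM and ChangeFinder steps are not reproduced), and lists events in chronological order. The event records, IP addresses, account names and the `SAMPLE_EVENTS` tuple layout are constructed for illustration and do not come from a real domain.

```python
"""Added example: account/host graph plus PageRank over constructed Windows
Security events.  Not LogonTracer's code; assumptions are marked below."""
from collections import defaultdict

# Logon-related Security event IDs that LogonTracer ingests.
LOGON_EVENT_IDS = {
    4624: "logon success",
    4625: "logon failure",
    4768: "Kerberos TGT request",
    4769: "Kerberos service ticket request",
    4776: "NTLM credential validation",
    4672: "special privileges assigned",
}

# Constructed sample events (assumption, not real log data):
# (timestamp, event id, account name, host name or IP address).
# 10.0.0.99 fails against several accounts, then succeeds as admin, who
# then touches other hosts and the domain controller.
SAMPLE_EVENTS = [
    ("2024-01-05T08:01:00", 4624, "alice", "10.0.0.11"),
    ("2024-01-05T08:01:05", 4768, "alice", "10.0.0.11"),
    ("2024-01-05T08:05:00", 4624, "bob", "10.0.0.12"),
    ("2024-01-05T09:00:00", 4625, "alice", "10.0.0.99"),
    ("2024-01-05T09:00:02", 4625, "bob", "10.0.0.99"),
    ("2024-01-05T09:00:04", 4625, "carol", "10.0.0.99"),
    ("2024-01-05T09:00:06", 4625, "admin", "10.0.0.99"),
    ("2024-01-05T09:00:10", 4624, "admin", "10.0.0.99"),
    ("2024-01-05T09:00:11", 4672, "admin", "10.0.0.99"),
    ("2024-01-05T09:03:00", 4769, "admin", "10.0.0.11"),
    ("2024-01-05T09:04:00", 4776, "admin", "10.0.0.12"),
    ("2024-01-05T09:06:00", 4624, "admin", "DC01"),
    ("2024-01-05T09:06:01", 4672, "admin", "DC01"),
    ("2024-01-05T07:59:00", 4624, "carol", "10.0.0.12"),  # deliberately out of order
]


def build_graph(events):
    """Return a weighted undirected adjacency map: node -> {neighbour: count}.
    Accounts and hosts get distinct prefixes so the two name spaces never collide."""
    adj = defaultdict(lambda: defaultdict(int))
    for _ts, event_id, account, host in events:
        if event_id not in LOGON_EVENT_IDS:
            continue  # ignore anything that is not a logon-related event
        acct_node, host_node = "acct:" + account, "host:" + host
        adj[acct_node][host_node] += 1
        adj[host_node][acct_node] += 1
    return {node: dict(nbrs) for node, nbrs in adj.items()}


def pagerank(adj, damping=0.85, iterations=100):
    """Plain power-iteration PageRank with edge weights; every undirected edge
    is walked in both directions, so each node's 'out weight' is its weighted degree."""
    nodes = list(adj)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    out_weight = {v: sum(adj[v].values()) for v in nodes}
    for _ in range(iterations):
        new_rank = {}
        for v in nodes:
            inflow = sum(rank[u] * w / out_weight[u] for u, w in adj[v].items())
            new_rank[v] = (1.0 - damping) / n + damping * inflow
        rank = new_rank
    return rank


def top_nodes(events, kind, k=3):
    """Highest-ranked accounts (kind='acct') or hosts (kind='host'), best first.
    Hubs such as a host that touched many accounts rise to the top."""
    rank = pagerank(build_graph(events))
    prefix = kind + ":"
    scored = [(name[len(prefix):], score)
              for name, score in rank.items() if name.startswith(prefix)]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [name for name, _score in scored[:k]]


def timeline(events, account=None):
    """Events in chronological order, optionally restricted to one account;
    ISO-8601 timestamps sort correctly as strings."""
    rows = [e for e in events if account is None or e[2] == account]
    return sorted(rows, key=lambda e: e[0])


if __name__ == "__main__":
    print("top hosts:   ", top_nodes(SAMPLE_EVENTS, "host"))
    print("top accounts:", top_nodes(SAMPLE_EVENTS, "acct"))
    for ts, event_id, account, host in timeline(SAMPLE_EVENTS, "admin"):
        print(ts, event_id, LOGON_EVENT_IDS[event_id], account, host)
```

In this constructed data the password-spraying source 10.0.0.99 and the `admin` account are the top-ranked host and account, because both are hubs linked to many counterparts; the chronological view of `admin` then shows the failure, the success, the privilege assignment and the lateral moves in order. On real data the same idea applies, but the ranking is only a starting point: a file server or a help-desk account is also a hub, which is why LogonTracer layers the HMM and ChangeFinder anomaly steps on top.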
For usage instructions, refer to the LogonTracer wiki; a YouTube video also demonstrates how to use the tool. LogonTracer is written in Python and uses Neo4j as its database. It uses the Neo4j JavaScript driver to connect to Neo4j over its binary protocol, Cytoscape to visualize the graph network, and Flask as the Python web microframework.
In conclusion, LogonTracer is a capable tool for investigating malicious logon activity by visualizing and analyzing Windows Active Directory event logs. It uses graph ranking and anomaly-detection techniques to surface suspicious hosts and accounts from event logs and lets users display those logs in chronological order. It is written in Python and uses Neo4j as its database, with Cytoscape and Flask for visualization and the web interface.
Short Summary
JPCERTCC/LogonTracer
- LogonTracer investigates malicious logon activity through Windows Active Directory event logs, associating the host name (or IP address) and account name in each logon-related event and displaying them as a graph.
- It visualizes and analyzes logon-related events such as successful logon and logon failure.
- It ingests Kerberos authentication and service ticket events.
- It also ingests NTLM authentication and special-privilege assignment events.
- LogonTracer uses PageRank, a Hidden Markov model and ChangeFinder to detect suspicious hosts and accounts.
- The tool can display event logs in chronological order for easier investigation.
- Usage instructions are in the LogonTracer wiki.
- A YouTube video demonstrates how to use LogonTracer.
- LogonTracer is written in Python and uses Neo4j as its database.
- It uses Cytoscape for graph visualization and Flask as its web framework.
source link: https://github.com/JPCERTCC/LogonTracer
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/jpcertcclogontracer
#LogonTracer #MaliciousLogonInvestigation #WindowsActiveDirectory #EventLogs #Visualization