LogonTracer - Investigate Malicious Windows Logon By Visualizing And Analyzing Windows Event Log - KitPloit - PenTest Tools for your Security Arsenal ☣
2018-07-17 23:55:20 Author: www.kitploit.com(查看原文) 阅读量:99 收藏

Investigate malicious logon by visualizing and analyzing Windows active directory event logs.

Concept
LogonTracer associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.
This tool can visualize the following event id related to Windows logon based on this research.

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges

More details are described in the following documents:


Additional Analysis
LogonTracer uses PageRank and ChangeFinder to detect malicious hosts and accounts from event log.

With LogonTracer, it is also possible to display event logs in a chronological order.

Use LogonTracer
To use LogonTracer, you can:

Documentation
If you want to know more details, please check the LogonTracer wiki.

Architecture
LogonTracer is written in Python and uses Neo4j for database. The following tools are used.

LogonTracer - Investigate Malicious Windows Logon By Visualizing And Analyzing Windows Event Log LogonTracer - Investigate Malicious Windows Logon By Visualizing And Analyzing Windows Event Log Reviewed by Lydecker Black on 5:53 PM Rating: 5


文章来源: https://www.kitploit.com/2018/07/logontracer-investigate-malicious.html?m=1
如有侵权请联系:admin#unsafe.sh