{"id":19963747,"url":"https://github.com/cyberark/precog","last_synced_at":"2025-10-16T18:57:26.032Z","repository":{"id":41541780,"uuid":"125351972","full_name":"cyberark/PreCog","owner":"cyberark","description":"Discover \"HotSpots\" - potential spots for credentials theft","archived":false,"fork":false,"pushed_at":"2018-04-12T19:12:26.000Z","size":143,"stargazers_count":23,"open_issues_count":0,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-06-12T04:52:50.423Z","etag":null,"topics":["cyber","defense","network","powershell","secure"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-03-15T10:38:45.000Z","updated_at":"2023-09-23T12:11:54.000Z","dependencies_parsed_at":"2022-09-04T09:21:46.258Z","dependency_job_id":null,"html_url":"https://github.com/cyberark/PreCog","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FPreCog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FPreCog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FPreCog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FPreCog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/PreCog/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224374770,"owners_count":17300712,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cyber","defense","network","powershell","secure"],"created_at":"2024-11-13T02:17:17.972Z","updated_at":"2025-10-16T18:57:20.996Z","avatar_url":"https://github.com/cyberark.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PreCog\n\nDiscover \"HotSpots\" - potential spots for credentials theft.\n\n# The main goal\nDiscover and mitigate HotSpot machines in your network - those dangerous spots could be abused by attackers to steal privileged account credentials.\n\nThose risky spots are used by attackers for lateral movement and privilege escalation through the network until they achieve their desired “Domain Admin” credentials.\n\nMore details can be found in our blog post:  \nhttps://www.cyberark.com/threat-research-blog/predicting-risk-credential-theft-foresight/\n\nShare your thoughts with us:  \nLavi Lazarovitz ([@LaviLazarovitz](https://twitter.com/LaviLazarovitz)), Asaf Hecht ([@Hechtov](https://twitter.com/Hechtov))\n*********************************************************************************************\n#############################################################################################\n# Tool description\nWhat is PreCog?  \nPreCog is a PowerShell tool that implements credentials theft precognition by detecting HotSpots in the network. 
The tool analyzes event logs from domain-connected machines through a WEF (Windows Event Forwarding) server and follows the privileged account activity on those machines.  \nThe analysis identifies machine HotSpots that have open logon sessions from both a Tier 0 privileged account (e.g. Domain Admin) and another account that has lower, local admin rights on the detected machine spot. This last account might have been compromised by a potential attacker, and so the credentials of the Tier 0 account might be at risk.  \nTherefore, by discovering and eliminating those HotSpots, the risk can be mitigated and possible future credentials theft attempts are prevented.\n\n# PreCog’s optional parameters:\n*\t$days:  \nSets how many days back the tool will analyze. By default it’s set to only analyze the past 7 mins.\n*\t$eventLogCollectorName:  \nSets PreCog to query a remote WEF server; $eventLogCollectorName should be the name of the remote WEF server. The default is the current machine where the script is running.\n*\t$sleepTime:  \nSets the sleep duration between each log reading check by PreCog of the WEF’s log storage. $sleepTime defines a sleeping time in seconds (by default it’s 1 second).\n*\t$noRawData:  \nSwitch parameter to cancel saving of the raw output file of the analyzed logs - the \"LogsRawSavedData.csv\" file.\n*\t$quietMode:  \nSwitch parameter used to reduce the number of messages printed out during the tool’s execution. In the regular operation mode the tool will print out each event log that was processed with a few more details, such as the account name, computer and logon ID.\n* $logFolderName:  \nThe channel name of the forwarded logs; by default it's the regular built-in \"ForwardedEvents\" channel.\n\n# Execution command examples:\n```\n. .\\PreCog.ps1\n```\nSimple execution with default configuration.\n```\n. 
.\\PreCog.ps1 -eventLogCollectorName RemoteWEF-Name -noRawData -quietMode\n```\nPreCog will be executed and fetch the event logs from the “RemoteWEF-Name” server (it requires permission to read those logs, and network connectivity to that WEF server). In this configuration example, PreCog will not save the raw information of the analyzed logs, and it will run in quiet mode - it will only print out to the screen if new Cold and Hot Spots were detected.\n\u003cbr /\u003e\n\u003cbr /\u003e\n*********************************************************************************************\n#############################################################################################\n#############################################################################################\n\u003cbr /\u003e\n\u003cbr /\u003e\n# Full technical details\nPreCog queries WEF and analyzes 4 important event logs:\n*\t4624 - An account was successfully logged on.\n*\t4672 - Special privileges assigned to new logon.\n*\t4647 - User initiated logoff.\n*\t4634 - An account was logged off.\n\nThose event logs give PreCog the ability to follow the logon sessions on each of the monitored machines.\nThe tool also processes a few more event logs with the intention of detecting machines that were restarted and whose active logon session list should therefore be reset. The event IDs that indicate a machine restart are: 4608 - “Windows is starting up”, 6005 - “Event Log service was started”, 6006 - “The Event log service was stopped” and 6008 - “There was an unexpected shutdown”.\n\nThe tool includes two folders and two scripts in its home folder.\nA look at PreCog’s home folder:\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"600\" height=\"145\" src=\"https://github.com/Hechtov/Photos/blob/master/HotSpots/1.png\"\u003e\n\u003c/p\u003e\nThe folder “Accounts lists” includes two csv files containing the lists of the privileged accounts in Tier 0 and Tier 1. 
Those accounts will be monitored by the PreCog tool.\nThe two csv lists are:\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"300\" height=\"98\" src=\"https://github.com/Hechtov/Photos/blob/master/HotSpots/2.png\"\u003e\n\u003c/p\u003e\nThe structure of the privileged account lists:\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"600\" height=\"276\" src=\"https://github.com/Hechtov/Photos/blob/master/HotSpots/2-1.png\"\u003e\n\u003c/p\u003e\nPreCog correlates the AccountSID attribute from the csv lists with the SID attribute of the monitored event logs.\n\nWhen you start the PreCog tool it will show the privileged accounts that were loaded and will be monitored.  \nIt will look like this:\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"600\" height=\"485\" src=\"https://github.com/Hechtov/Photos/blob/master/HotSpots/3.png\"\u003e\n\u003c/p\u003e\n\nNote - on the first execution of PreCog, the list “Tier 0 - most privileged accounts.csv” will be created automatically! This is done by running the “ACLight2” tool script. ACLight is a special discovery tool that discovers the network’s most sensitive privileged accounts (more information on the ACLight tool can be found on its official GitHub page:  \nhttps://github.com/cyberark/ACLight  \nand in the following blog post:  \nhttps://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/).\n\nPreCog’s first step is to check if it indeed has the Tier 0 list. If the file doesn’t exist, ACLight2 will be executed. In addition, the two lists of accounts - Tier 0 and Tier 1 - can be modified manually by adding an account’s details line with its name, domain and SID (the user’s Security Identifier). After PreCog has loaded the account lists it progresses to the next step of analyzing the historic event logs. When the analysis of past event logs is complete, it proceeds to live monitoring of the logs. 
\n\nLet’s move forward to describe the **Results folder**:\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"600\" height=\"183\" src=\"https://github.com/Hechtov/Photos/blob/master/HotSpots/4.png\"\u003e\n\u003c/p\u003e\nAt first, the results folder should be empty. When the tool runs, the following csv files will be created, depending on the logs that the WEF server receives:\n\n1. Each of the monitored machines will have a separate csv file with the name format:  \n**[ComputerName]-liveConnections.csv**  \nThis csv file follows the live logon sessions on each machine and is updated automatically when those are created and terminated. The file is first created on the first logon event that is analyzed from that specific machine. When a sign-out event log is processed, the corresponding user is removed from the active session list in the machine’s liveConnection file.\nAn example of this live connection csv file:\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"1000\" height=\"79\" src=\"https://github.com/Hechtov/Photos/blob/master/HotSpots/5.png\"\u003e\n\u003c/p\u003e\nYou can see in the above example that the “w10-research.research.com” machine hosts 3 active logon sessions (each has a unique logon ID). Two accounts are logged on, “win10_localAdmin” and “Administrator”.  \nThe liveConnection file contains more information on the monitored logged-on sessions, like: the account’s SID, domain name, time of the logged event, and the level of privileges associated with the account (local admin rights, Tier 1 or Tier 0 privileges).\n\n2. **Main-LiveStatus:**  \nThis is the main analysis results file. There will be only one **“Main-LiveStatus.csv”** results file.\n\u003cp align=\"center\"\u003e\n  \u003cimg width=\"1000\" height=\"85\" src=\"https://github.com/Hechtov/Photos/blob/master/HotSpots/6.png\"\u003e\n\u003c/p\u003e\nIn the above example, we can see that there is an active Hot Spot!  \nIt’s the w10-research machine. 
The “Administrator” account, a Tier 0 privileged account, is logged on while at the same time a non-Tier 0 account that has local admin rights is logged on - the “win10_localAdmin” account.  \nOne can also notice that the machine ws-research-8.research.com is a “Cold Spot”. That is because PreCog detected that the “Administrator” account was logged on to that computer.  \nAnother important thing to note is the historic spots! When a relevant sign-out event log is processed, the line of the Hot Spot is changed to a historic spot - the term HISTORYspot is added as a prefix to the computer name, as seen above. Moreover, the termination time of the HotSpot is registered under the EndTime field.\n\n3. LogsRawSavedData  \nThis is a raw file with all the event logs that PreCog analyzed. The file isn’t needed for standard operation.\n\n4. ACLight folder  \nThe folder will include the results of ACLight2 if it was executed properly at the initial step of PreCog (to build the Tier 0 account list).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fprecog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2Fprecog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fprecog/lists"}