Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/TheKingOfDuck/logonTracer

Windows系统安全登录日志分析工具logonTracer汉化修正版
https://github.com/TheKingOfDuck/logonTracer

Last synced: 22 days ago
JSON representation

Windows系统安全登录日志分析工具logonTracer汉化修正版

Host: GitHub
URL: https://github.com/TheKingOfDuck/logonTracer
Owner: TheKingOfDuck
Created: 2019-05-15T15:11:17.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2019-05-16T06:08:26.000Z (over 5 years ago)
Last Synced: 2024-11-16T17:07:42.552Z (27 days ago)
Language: JavaScript
Homepage:
Size: 980 KB
Stars: 170
Watchers: 5
Forks: 63
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - TheKingOfDuck/logonTracer - Windows系统安全登录日志分析工具logonTracer汉化修正版 (JavaScript)

README

        # logonTracer

日志分析工具logonTracer汉化修正版

**I hate firex3m...**

修复了一个原本存在的严重bug。

* [logonTracer基础使用指南](https://github.com/TheKingOfDuck/logonTracer/wiki) 

 

  
  

  [![Arsenal](https://rawgit.com/toolswatch/badges/master/arsenal/usa/2018.svg)](https://www.toolswatch.org/2018/05/black-hat-arsenal-usa-2018-the-w0w-lineup/)   

## Concept

  **LogonTracer** is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.  

  This tool can visualize the following event id related to Windows logon based on [this research](https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf).  

  * **4624**: Successful logon  

  * **4625**: Logon failure  

  * **4768**: Kerberos Authentication (TGT Request)  

  * **4769**: Kerberos Service Ticket (ST Request)  

  * **4776**: NTLM Authentication  

  * **4672**: Assign special privileges  

  More details are described in the following documents:     

  * [Visualise Event Logs to Identify Compromised Accounts - LogonTracer -](http://blog.jpcert.or.jp/2017/11/visualise-event-logs-to-identify-compromised-accounts---logontracer-.html)  

  * [イベントログを可視化して不正使用されたアカウントを調査](https://www.jpcert.or.jp/magazine/acreport-logontracer.html) (Japanese)  

  ![LogonTracer sample](images/sample.png)  

## Additional Analysis

  LogonTracer uses [PageRank](https://en.wikipedia.org/wiki/PageRank), [Hidden Markov model](https://en.wikipedia.org/wiki/Hidden_Markov_model) and [ChangeFinder](https://pdfs.semanticscholar.org/c5bc/7ca31914d3cdfe1b2932cbc779875e645bbb.pdf) to detect malicious hosts and accounts from event log.  

  ![PageRank List](images/rank.png)  

  With LogonTracer, it is also possible to display event logs in a chronological order.  

  ![Timeline](images/timeline.png)  

## Use LogonTracer

  To use LogonTracer, you can:  

  * [Install](https://github.com/JPCERTCC/LogonTracer/wiki/how-to-install)

  * [Use docker](https://github.com/JPCERTCC/LogonTracer/wiki/jump-start-with-docker)

## Documentation

  If you want to know more details, please check [the LogonTracer wiki](https://github.com/JPCERTCC/LogonTracer/wiki).

## Demonstration

  Following [YouTube's video](https://www.youtube.com/watch?v=aX-vTd7-moY) shows how to use LogonTracer.

  [![LogonTracer_Demonstration](https://img.youtube.com/vi/aX-vTd7-moY/0.jpg)](https://www.youtube.com/watch?v=aX-vTd7-moY)

## Architecture

  LogonTracer is written in Python and uses Neo4j for database. The following tools are used.  

  * Python 3

  * [Neo4j](https://neo4j.com) for a graph database.  

  * [Neo4j JavaScript driver](https://github.com/neo4j/neo4j-javascript-driver) for connects to Neo4j using the binary protocol.  

  * [Cytoscape](http://www.cytoscape.org/) for visualizing a graph network.

  * [Flask](http://flask.pocoo.org/) is a microframework for Python.