Many computer infect with Trojan or RAT, attacker can spy victim computer, grab any data, put keylogger and do something horrible on your computer. LogonTracer maybe can help a little bit, this tool will analyze/detect windows logon and automatically create a visual report, and if malicious logon detect you can see the report.
LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.
This tool can visualize the following event id related to Windows logon based on this research.
- 4624: Successful logon
- 4625: Logon failure
- 4768: Kerberos Authentication (TGT Request)
- 4769: Kerberos Service Ticket (ST Request)
- 4776: NTLM Authentication
- 4672: Assign special privileges
More details are described in the following documents :
- Visualise Event Logs to Identify Compromised Accounts – LogonTracer –
- イベントログを可視化して不正使用されたアカウントを調査 (Japanese)
LogonTracer uses PageRank, Hidden Markov model and ChangeFinder to detect malicious hosts and accounts from event log.
With LogonTracer, it is also possible to display event logs in a chronological order.
To use LogonTracer, you can :
If you want to know more details, please check the LogonTracer wiki.
Following YouTube’s video shows how to use LogonTracer.
LogonTracer is written in Python and uses Neo4j for database. The following tools are used.
- Python 3
- Neo4j for a graph database.
- Cytoscape for visualizing a graph network.
- Flask is a microframework for Python.