Logon Tracer – Investigate & Visualize Malicious Windows Logon


OVERVIEW

In basic security terms, logon authentication lets an individual gain access to a computer system by identifying and authenticating themselves, typically by proving knowledge of a password. From an active-defense perspective, monitoring this logon activity becomes a key factor in keeping attackers out of the organization.

Tool: Logon tracer [open source]

LogonTracer is used to investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. It uses algorithms such as PageRank, Hidden Markov Model, and ChangeFinder to detect malicious hosts and accounts from the event logs.

Pre-requirements

  1. Python 3
  2. Neo4j as the graph database.
  3. Neo4j JavaScript driver to connect to Neo4j over the binary protocol.
  4. Cytoscape for visualizing the graph network.
  5. Flask, a microframework for Python.


Deployment/Installation

Installation and deployment can be done by two major methods:

  1. Using Docker
  2. Local Deployment

Docker Deployment

A simple two-line command deploys LogonTracer on your host machine:

  1. $ docker pull jpcertcc/docker-logontracer
  2. $ docker run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=[IP_Address] jpcertcc/docker-logontracer

Events can either be forwarded directly to the tool or imported manually, mainly to find anomalous logon activity.

Note: Supported file formats for manual upload: EVTX, XML


Examining suspicious logon activity within a chosen date range and set of event IDs makes the investigation more user-friendly and accurate.

Features of logontracer

  1. Centralized dashboard
  2. Easy deployment
  3. Graph & visualization
  4. Import/Export logon events
  5. Exclusively used for host-based threat intel (to observe suspicious logon attempts)

Important Event ID to be monitored

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges
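As an added example (not LogonTracer's own code), the script below parses Windows Security events in the XML export format mentioned above, builds the account-to-host graph that the tool visualizes, and ranks nodes with a minimal PageRank so that a source touching many accounts stands out; the events, host names and IPs are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED = {4624, 4625, 4768, 4769, 4776, 4672}  # the event IDs listed above

# Constructed sample events in the Windows XML export format (names/IPs made up).
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID><Computer>DC01</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
<Event><System><EventID>4768</EventID><Computer>DC01</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">::ffff:10.0.0.5</Data></EventData></Event>
<Event><System><EventID>4624</EventID><Computer>DC01</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="IpAddress">10.0.0.6</Data></EventData></Event>
<Event><System><EventID>4776</EventID><Computer>DC01</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="Workstation">WS06</Data></EventData></Event>
<Event><System><EventID>4672</EventID><Computer>DC01</Computer></System><EventData><Data Name="SubjectUserName">Administrator</Data></EventData></Event>
<Event><System><EventID>4625</EventID><Computer>DC01</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="IpAddress">10.0.0.99</Data></EventData></Event>
<Event><System><EventID>4625</EventID><Computer>DC01</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="IpAddress">10.0.0.99</Data></EventData></Event>
<Event><System><EventID>4625</EventID><Computer>DC01</Computer></System><EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="IpAddress">10.0.0.99</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield (event_id, account, source_host) for the watched event IDs."""
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        if eid not in WATCHED:
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        account = (data.get("TargetUserName") or data.get("SubjectUserName", "?")).lower()
        # 4776 names the client in Workstation; 4672 carries no client, so fall back to
        # the logging Computer; Kerberos events prefix IPv4 clients with ::ffff:.
        source = data.get("Workstation") or data.get("IpAddress") or ev.find("e:System/e:Computer", NS).text
        yield eid, account, source.replace("::ffff:", "")

def build_graph(events):
    """Undirected weighted account<->host graph plus 4625 failure counts per source."""
    adj, failures = defaultdict(lambda: defaultdict(int)), defaultdict(int)
    for eid, account, source in events:
        adj["user:" + account]["host:" + source] += 1
        adj["host:" + source]["user:" + account] += 1
        if eid == 4625:
            failures[source] += 1
    return adj, dict(failures)

def pagerank(adj, damping=0.85, iters=50):
    """Power-iteration PageRank; nodes linked to many distinct neighbours rise to the top."""
    n_nodes = len(adj)
    rank = {n: 1.0 / n_nodes for n in adj}
    for _ in range(iters):
        rank = {n: (1 - damping) / n_nodes + damping * sum(
            rank[m] * w[n] / sum(w.values()) for m, w in adj.items() if n in w) for n in adj}
    return rank
```

Sorting `pagerank(adj)` by score and joining it with the failure counts reproduces, in miniature, the host/account ranking LogonTracer shows in its dashboard.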

Demo

Conclusion

For a proactive defense, it is mandatory to monitor high-sensitivity IT assets to keep external intruders out. LogonTracer is a simple and user-friendly tool thanks to its easy deployment and rich visualization.

Reference

  1. https://github.com/JPCERTCC/LogonTracer
Harisuthan
A Cyber Security Aspirant Security Researcher | Red-Teamer |
