Convert Figma logo to code with AI

JPCERTCC logoLogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

2,717
442
2,717
19
View on GitHub

Top Related Projects

Neo23x0's avatar

Loki

3,367

Loki - Simple IOC and YARA Scanner

google's avatar

grr

4,747

GRR Rapid Response: remote live forensics for incident response

TheHive-Project's avatar

TheHive

3,357

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

MISP's avatar

MISP

5,245

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

palantir's avatar

windows-event-forwarding

1,216

A repository for using windows event forwarding for incident detection and response

Quick Overview

LogonTracer is a tool for visualizing and analyzing Windows active directory event logs. It helps investigate malicious logon by visualizing and analyzing event logs, creating an interactive graph of relationships between accounts and hosts based on Windows event logs.

Pros

  • Provides a visual representation of logon events, making it easier to identify patterns and anomalies
  • Supports various log formats, including Windows Event Log and Sysmon
  • Offers a web-based interface for easy access and collaboration
  • Includes features for timeline analysis and filtering of events

Cons

  • Requires significant setup and configuration, which may be challenging for less technical users
  • Limited to Windows environments and specific log formats
  • May require substantial system resources for processing large log datasets
  • Documentation could be more comprehensive for advanced use cases

Getting Started

  1. Clone the repository:

    git clone https://github.com/JPCERTCC/LogonTracer.git

  2. Install dependencies:

    pip install -r requirements.txt

  3. Set up Neo4j database:

    • Download and install Neo4j
    • Create a new database and set a password

  4. Configure LogonTracer:

    • Edit config.py to set your Neo4j credentials and other settings

  5. Run LogonTracer:

    python3 logontracer.py

  6. Access the web interface at http://localhost:8080

For detailed instructions and advanced usage, refer to the project's README and documentation.

Competitor Comparisons

Neo23x0 logo

Loki

3,367

Loki - Simple IOC and YARA Scanner

Pros of Loki

  • Broader scope: Detects various types of malware and suspicious files, not limited to logon events
  • Portable and lightweight: Can be run from a USB stick without installation
  • Regular updates: Frequently updated with new IOCs and detection rules

Cons of Loki

  • Less specialized: May not provide as detailed analysis for logon-related events
  • Higher false positive rate: Due to its broader scope, it may generate more false positives
  • Resource-intensive: Scanning large systems can be time-consuming and resource-heavy

Code Comparison

LogonTracer (Python):

def get_event_id(self, event):
    return event.get("Event", {}).get("System", {}).get("EventID", None)

Loki (Python):

def scan_path(self, path):
    for root, directories, files in os.walk(path):
        for filename in files:
            try:
                filePath = os.path.join(root, filename)
                self.scan_file(filePath)
            except Exception as e:
                log.error("Error while scanning file %s - %s" % (filePath, e))

The code snippets show that LogonTracer focuses on parsing specific event logs, while Loki scans entire file systems for suspicious files and patterns. This reflects their different approaches: LogonTracer's specialized focus on logon events versus Loki's broader malware detection capabilities.

google logo

grr

4,747

GRR Rapid Response: remote live forensics for incident response

Pros of GRR

  • More comprehensive incident response and remote live forensics capabilities
  • Scalable architecture for enterprise-level deployments
  • Active development and support from Google

Cons of GRR

  • Steeper learning curve and more complex setup
  • Requires more resources to deploy and maintain
  • May be overkill for smaller organizations or specific logon analysis tasks

Code Comparison

LogonTracer (Python):

def parse_evtx(evtx_file, output_dir):
    parser = PyEvtxParser(evtx_file)
    for record in parser.records():
        event = xmltodict.parse(record["data"])
        # Process event data

GRR (Python):

class CollectArtifactFlow(flow.GRRFlow):
    def Start(self):
        self.CallClient(
            server_stubs.ArtifactCollector,
            artifact_list=self.args.artifact_list,
            use_tsk=self.args.use_tsk,
            next_state="ProcessResults"
        )

LogonTracer focuses specifically on Windows logon events and provides visualization, while GRR offers a broader range of remote forensics capabilities. LogonTracer is more lightweight and easier to set up for its specific use case, whereas GRR provides a more comprehensive but complex solution for enterprise-level incident response and forensics.

TheHive-Project logo

TheHive

3,357

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

Pros of TheHive

  • More comprehensive incident response platform with case management capabilities
  • Integrates with various security tools and threat intelligence platforms
  • Supports collaboration among team members with real-time updates

Cons of TheHive

  • Steeper learning curve due to its extensive features
  • Requires more resources to set up and maintain
  • May be overkill for organizations primarily focused on logon analysis

Code Comparison

TheHive (Python):

def create_case(title, description, severity):
    case = Case(title=title, description=description, severity=severity)
    case.save()
    return case

LogonTracer (Python):

def parse_event_log(log_file):
    events = []
    for event in win32evtlog.ReadEventLog(log_file):
        events.append(parse_event(event))
    return events

TheHive offers a more comprehensive API for managing cases and incidents, while LogonTracer focuses specifically on parsing and analyzing Windows event logs for logon-related activities.

MISP logo

MISP

5,245

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Pros of MISP

  • More comprehensive threat intelligence platform with broader functionality
  • Larger community and ecosystem for sharing threat data
  • Supports a wide range of data types and formats for threat intelligence

Cons of MISP

  • Steeper learning curve due to its complexity
  • Requires more resources to set up and maintain
  • May be overkill for organizations primarily focused on logon analysis

Code Comparison

MISP (Python):

@staticmethod
def get_uuid():
    return str(uuid.uuid4())

def __init__(self):
    self.uuid = self.get_uuid()

LogonTracer (JavaScript):

function getUniqueId() {
  return Math.random().toString(36).substr(2, 9);
}

const id = getUniqueId();

While both projects use different languages, this comparison shows how they generate unique identifiers. MISP uses Python's built-in UUID module, while LogonTracer uses a custom JavaScript function for generating a unique string.

palantir logo

windows-event-forwarding

1,216

A repository for using windows event forwarding for incident detection and response

Pros of Windows Event Forwarding

  • Comprehensive Windows event collection and forwarding solution
  • Scalable for enterprise environments
  • Integrates well with existing Windows infrastructure

Cons of Windows Event Forwarding

  • Limited to Windows environments
  • Requires more setup and configuration
  • Less focused on specific threat detection scenarios

Code Comparison

Windows Event Forwarding (WEF.ps1):

$EventCollectorServer = "collector.domain.com"
$SubscriptionList = Get-WEFSubscriptionList -ComputerName $EventCollectorServer
foreach ($Subscription in $SubscriptionList) {
    Write-Host "Subscription: $($Subscription.Name)"
}

LogonTracer (logontracer.py):

def get_event_logs(self):
    for event in self.evtx_file.records():
        if event.get("Event", {}).get("System", {}).get("EventID") in self.event_ids:
            yield event

The Windows Event Forwarding code focuses on managing subscriptions, while LogonTracer's code is tailored for parsing specific event logs related to logon activities.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Arsenal Version Docker pull test

Concept

LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.
This tool can visualize the following event id related to Windows logon based on this research.

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges

More details are described in the following documents:

LogonTracer sample

Additional Analysis

LogonTracer uses PageRank, Hidden Markov model and ChangeFinder to detect malicious hosts and accounts from event log.
PageRank List
With LogonTracer, it is also possible to display event logs in a chronological order.
Timeline

Use LogonTracer

To use LogonTracer, you can:

Documentation

If you want to know more details, please check the LogonTracer wiki.

Demonstration

Following YouTube's video shows how to use LogonTracer.

LogonTracer_Demonstration

Architecture

LogonTracer is written in Python and uses Neo4j for database. The following tools are used.