LogonTracer is a tool for investigating malicious logons by visualizing and analyzing Windows Active Directory event logs.
LogonTracer uses PageRank and ChangeFinder to detect malicious hosts and accounts from the event log.
This tool can visualize the following event IDs related to Windows logon, based on this research.
- 4624: Successful logon
- 4625: Logon failure
- 4768: Kerberos Authentication (TGT Request)
- 4769: Kerberos Service Ticket (ST Request)
- 4776: NTLM Authentication
- 4672: Assign special privileges
Command to launch the Docker image for LogonTracer. Replace [IP_Address] with the address of the host running the container; the web UI uses it to reach Neo4j, so it must be reachable from the browser.

```shell
$ docker run \
    --detach \
    --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 \
    -e LTHOSTNAME=[IP_Address] \
    jpcertcc/docker-logontracer
```
How to Use
Access http://[LogonTracer_Server]:8080/ via a web browser.
Import the event log using the web GUI.
The event log can be imported with the Upload EVTX button.
More details are described at the following URL:
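Before uploading, it helps to export only the event IDs listed above rather than the whole Security log, which keeps the EVTX file small and the import fast. The following PowerShell script is an added example and is not part of the LogonTracer project; it assumes it is run elevated on a domain controller, and the output path and the seven-day time window are placeholders.

```powershell
# Added example (not LogonTracer project code): export the logon-related event IDs
# that LogonTracer visualizes from the Security log into one .evtx file for upload.
# Assumptions: run as Administrator on the DC; $OutFile and $Days are placeholders.

$EventIds = 4624, 4625, 4768, 4769, 4776, 4672
$OutFile  = 'C:\Temp\dc01-logon.evtx'   # assumed output path
$Days     = 7                           # assumed time window

# Build an XPath filter: any of the event IDs, created within the last $Days days.
# timediff() in the event log XPath dialect works in milliseconds.
$idFilter   = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$timeFilter = "TimeCreated[timediff(@SystemTime) <= $($Days * 86400000)]"
$query      = "*[System[($idFilter) and $timeFilter]]"

# wevtutil epl exports a log to .evtx; /q applies the XPath query, /ow overwrites.
wevtutil epl Security $OutFile /q:"$query" /ow:true

# Sanity check before uploading: how many events of each ID were exported.
# -ErrorAction handles the case where the filter matched nothing.
Get-WinEvent -Path $OutFile -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object Name, Count |
    Sort-Object Name
```

Upload the resulting file through the Upload EVTX button. If the count table is empty, widen $Days or confirm that auditing for logon and Kerberos events is enabled on the DC.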