Short Description
Docker image for LogonTracer
Full Description

LogonTracer is a tool for investigating malicious logons by visualizing and analyzing Windows Active Directory event logs.
LogonTracer uses PageRank and ChangeFinder to detect malicious hosts and accounts from event logs.
This tool can visualize the following event IDs related to Windows logon, based on this research.

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges
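
As an added illustration of the approach described above (ranking hosts and accounts with PageRank over a logon graph built from the listed event IDs), the following example is not LogonTracer's own implementation: the event records are constructed sample data, and the account/host fields are assumed to have already been extracted from the EVTX records.

```python
# Added example, not LogonTracer's own code: build an account<->host graph from
# logon-related events and rank nodes with PageRank. A host or account that
# touches many others gets a high score, which is what an analyst would triage.

# Event IDs the page lists as logon-related.
LOGON_EVENT_IDS = {4624, 4625, 4768, 4769, 4776, 4672}

# Constructed sample events: (EventID, account, source host/IP). Not real logs.
SAMPLE_EVENTS = [
    (4624, "alice", "10.0.0.11"),
    (4624, "alice", "10.0.0.11"),
    (4624, "bob", "10.0.0.12"),
    (4625, "admin", "10.0.0.99"),       # failed logons from one host
    (4625, "alice", "10.0.0.99"),
    (4625, "bob", "10.0.0.99"),
    (4768, "svc_backup", "10.0.0.99"),  # TGT request from the same host
    (4672, "admin", "10.0.0.99"),       # special privileges assigned
    (1102, "bob", "10.0.0.12"),         # not a logon event: ignored below
]

def build_graph(events):
    """Undirected bipartite graph; edge weight = number of events between the pair."""
    adj = {}
    for event_id, account, host in events:
        if event_id not in LOGON_EVENT_IDS:
            continue
        a, h = f"account:{account}", f"host:{host}"
        adj.setdefault(a, {})[h] = adj.setdefault(a, {}).get(h, 0) + 1
        adj.setdefault(h, {})[a] = adj.setdefault(h, {}).get(a, 0) + 1
    return adj

def pagerank(adj, damping=0.85, iterations=100):
    """Weighted PageRank by power iteration; no external libraries needed."""
    n = len(adj)
    out_weight = {node: sum(nbrs.values()) for node, nbrs in adj.items()}
    rank = {node: 1.0 / n for node in adj}
    for _ in range(iterations):
        new = {node: (1 - damping) / n for node in adj}
        for src, nbrs in adj.items():
            for dst, w in nbrs.items():
                new[dst] += damping * rank[src] * w / out_weight[src]
        rank = new
    return rank

def top_nodes(events, k=3):
    """Return the k highest-ranked accounts/hosts, most suspicious first."""
    rank = pagerank(build_graph(events))
    return sorted(rank, key=rank.get, reverse=True)[:k]

if __name__ == "__main__":
    for node in top_nodes(SAMPLE_EVENTS):
        print(node)
```

On the sample data the host 10.0.0.99, which touches four different accounts, ranks first; a real deployment would feed the same graph from parsed EVTX files rather than the inline list.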

Usage

Command to launch the Docker image for LogonTracer:

$ docker run \
   --detach \
   --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 \
   -e LTHOSTNAME=[IP_Address] \
   jpcertcc/docker-logontracer

How to Use

Access http://[LogonTracer_Server]:8080/ via a Web browser.
Import the event log using the Web GUI.
Event logs can be imported with the Upload EVTX button.

More Details

More details are described at the following URL:
https://github.com/JPCERTCC/LogonTracer/wiki/jump-start-with-docker

Dockerfile

https://github.com/JPCERTCC/LogonTracer/tree/master/docker

Owner
jpcertcc