Short Description
Docker image for LogonTracer
Full Description

LogonTracer is a tool for investigating malicious logons by visualizing and analyzing Windows Active Directory event logs.
LogonTracer uses PageRank and ChangeFinder to detect malicious hosts and accounts from the event log.
The tool can visualize the following event IDs related to Windows logon, based on this research.

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges
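
The PageRank step mentioned above, as an added example that is not LogonTracer's own code: it builds the account-to-host graph from a constructed set of logon events, keeps only the event IDs listed here, and ranks the nodes, so accounts and hosts that touch many others float to the top. The sample events, node names and the small PageRank routine are assumptions made for this illustration.

```python
from collections import defaultdict

# Event IDs the tool visualizes (taken from the list above); others are dropped.
LOGON_EVENT_IDS = {4624, 4625, 4768, 4769, 4776, 4672}

# Constructed sample events: (event_id, account, host). Not real log data.
SAMPLE_EVENTS = [
    (4624, "alice", "WS01"),
    (4624, "alice", "WS01"),
    (4624, "bob", "WS02"),
    (4625, "bob", "WS02"),
    (4624, "svc_backup", "WS01"),
    (4624, "svc_backup", "WS02"),
    (4624, "svc_backup", "WS03"),
    (4672, "svc_backup", "WS03"),
    (4768, "carol", "WS03"),
    (4688, "carol", "WS03"),  # process creation, not a logon event: ignored
]


def build_graph(events):
    """Undirected bipartite graph: accounts and hosts are nodes, edge weight = event count."""
    adj = defaultdict(lambda: defaultdict(int))
    for event_id, account, host in events:
        if event_id not in LOGON_EVENT_IDS:
            continue
        adj[account][host] += 1
        adj[host][account] += 1
    return adj


def pagerank(adj, damping=0.85, iterations=50):
    """Weighted PageRank by power iteration; no dangling nodes in an undirected graph."""
    nodes = list(adj)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        new = {}
        for v in nodes:
            # Each neighbour u hands v its share of rank proportional to edge weight.
            inbound = sum(rank[u] * adj[u][v] / sum(adj[u].values())
                          for u in adj if v in adj[u])
            new[v] = (1 - damping) / n + damping * inbound
        rank = new
    return rank


def top_nodes(events, k=3):
    """Accounts/hosts with the highest rank: the ones an analyst should look at first."""
    rank = pagerank(build_graph(events))
    return sorted(rank, key=rank.get, reverse=True)[:k]
```

Here svc_backup, which logs on to three hosts and receives special privileges, ranks first, while the 4688 event never enters the graph.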


Command to launch Docker image for LogonTracer

Replace [IP_Address] with the IP address of the host running LogonTracer; [LogonTracer_image] is a placeholder for the name of the LogonTracer image to run.

$ docker run \
   --detach \
   --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 \
   -e LTHOSTNAME=[IP_Address] \
   [LogonTracer_image]

How to Use

Access http://[LogonTracer_Server]:8080/ with a web browser.
Import the event log using the web GUI.
Event logs can be imported with the Upload EVTX button.

More Details

More details are described at the following URL:
