Skip to content

Home

Jump to bottom
shu-tom edited this page Dec 27, 2017 · 11 revisions

LogonTracer

LogonTracer is investigate malicious logon by visualizing and analyzing Windows active directory event logs. This tool uses PageRank and ChangeFinder to detect malicious hosts and accounts from event logs. This tool visualizes the following event ids related to Windows logon based on our previous research.

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges

More details are described in the following documents:

LogonTracer

Manual

1. Home

2. Hot to Install

3. How to Use

4. Jump start with Docker

5. Important Notes

Manual

  1. Home
  2. How to Install
    1. for Linux
    2. for OS X
  3. How to Use
    1. Start LogonTracer
    2. Accessing the Web GUI
    3. Import EVTX
    4. Search and visualize the event log
    5. Importance rank of accounts and hosts
    6. Timeline
    7. User Management
    8. Case Management
  4. Combining LogonTracer with Elasticsearch
  5. Jump start with Docker
  6. Setup with Docker Compose
  7. Setup with SSL
  8. Configuration
  9. Important Notes

マニュアル(日本語)

  1. ホーム
  2. インストール
    1. Linux
    2. OS X
  3. 使用方法
    1. LogonTracerの起動
    2. Web GUIへアクセス
    3. EVTXのインポート
    4. イベントログの検索と可視化
    5. アカウントとホストの重要度
    6. タイムライン
    7. ユーザ管理
    8. ケース管理
  4. Elasticsearchとの連携
  5. Dockerイメージの使い方
  6. Docker Composeの使い方
  7. 通信の暗号化
  8. 設定情報
  9. 注意

Clone this wiki locally