In terms of basic security, login authentication lets an individual gain access to a computer system by identifying and authenticating themselves, with the user authorized by their password. In terms of active defense, monitoring logon activity has become a key factor in preventing attackers from getting into an organization.
Tool: LogonTracer [open source]
LogonTracer is used to investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. It uses various algorithms such as PageRank, the Hidden Markov model, and ChangeFinder to detect malicious hosts and accounts from event logs.
- Python 3
- Neo4j for a graph database.
- Cytoscape for visualizing a graph network.
- Flask is a microframework for Python.
Installation and deployment can be done by two major methods:
- Using Docker
- Local Deployment
Two simple commands deploy LogonTracer on your host machine:
- $ docker pull jpcertcc/docker-logontracer
- $ docker run --detach --publish=7474:7474 --publish=7687:7687 --publish=8080:8080 -e LTHOSTNAME=[IP_Address] jpcertcc/docker-logontracer
- Events can be forwarded directly or imported, mainly for finding anomalous login activity.
Note: The file formats for manual upload are EVTX and XML.
- Examining suspicious logon activity within a range of dates and event IDs is more user-friendly and accurate.
Features of LogonTracer
- Centralized dashboard
- Easy deployment
- Graph & visualization
- Import/export logon events
- Exclusively used for host-based threat intel [to observe suspicious login attempts]
Important event IDs to be monitored
- 4624: Successful logon
- 4625: Logon failure
- 4768: Kerberos Authentication (TGT Request)
- 4769: Kerberos Service Ticket (ST Request)
- 4776: NTLM Authentication
- 4672: Assign special privileges
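
A small triage pass over the event IDs listed above, as an added example that is not part of LogonTracer or of the original article: it parses events in the Windows event XML layout, counts the monitored IDs per account and per account-to-source pair, and lists accounts that show repeated logon failures as well as a successful logon. The sample events, the `<Events>` wrapper, the function names and the threshold of five failures are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS_URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = f"{{{NS_URI}}}"
MONITORED = {4624, 4625, 4768, 4769, 4776, 4672}  # event IDs listed above

def _event(eid, fields):
    """Build one constructed event in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS_URI}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample: five failed logons for "svc-backup" from one address, then
# a success and a privilege assignment, plus ordinary activity for "alice".
SAMPLE_XML = "<Events>" + "".join(
    [_event(4625, {"TargetUserName": "svc-backup", "IpAddress": "10.0.0.99"})] * 5
    + [_event(4624, {"TargetUserName": "svc-backup", "IpAddress": "10.0.0.99"}),
       _event(4672, {"SubjectUserName": "svc-backup"}),
       _event(4768, {"TargetUserName": "alice", "IpAddress": "10.0.0.5"}),
       _event(4624, {"TargetUserName": "alice", "IpAddress": "10.0.0.5"}),
       _event(4634, {"TargetUserName": "alice"})]  # logoff: not in MONITORED
) + "</Events>"

def summarize(xml_text):
    """Count monitored event IDs per account and per (account, source) pair."""
    per_account = defaultdict(Counter)
    edges = Counter()
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        eid = int(ev.findtext(f"{NS}System/{NS}EventID"))
        if eid not in MONITORED:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        user = (data.get("TargetUserName") or data.get("SubjectUserName") or "-").lower()
        src = data.get("IpAddress") or data.get("Workstation") or "-"
        per_account[user][eid] += 1
        edges[(user, src)] += 1
    return per_account, edges

def suspicious(per_account, min_failures=5):
    """Accounts with at least min_failures 4625 events and at least one 4624."""
    return sorted(u for u, c in per_account.items()
                  if c[4625] >= min_failures and c[4624] > 0)

if __name__ == "__main__":
    accounts, edges = summarize(SAMPLE_XML)
    for user, counts in sorted(accounts.items()):
        print(user, dict(counts))
    print("review:", suspicious(accounts))
```

The account-to-source pairs are the same kind of relationship a graph view draws as edges; the check here only looks at counts, not at the order of the events.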
For proactive defense, it has become mandatory to monitor high-sensitivity IT assets to prevent external intruders. LogonTracer is a simple and user-friendly tool, thanks to its easy deployment and strong visualization.