Alternatives and detailed information of Logontracer

This repository contains a collection of PowerShell tools that can be utilized to protect and defend an environment based on the recommendations of multiple cyber security researchers at Microsoft. These tools were created with a small to medium size enterprise environment in mind as smaller organizations do not always have the type of funding a…

Stars: ✭ 33 (-98.28%)

Mutual labels: active-directory, blueteam

Plumhound

Bloodhound for Blue and Purple Teams

Stars: ✭ 452 (-76.38%)

Mutual labels: active-directory, blueteam

Lolbas

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Stars: ✭ 3,810 (+99.06%)

Mutual labels: dfir, blueteam

Threathunt

ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills.

Stars: ✭ 92 (-95.19%)

Mutual labels: dfir, blueteam

Timesketch

Collaborative forensic timeline analysis

Stars: ✭ 1,795 (-6.22%)

Mutual labels: dfir

Psadhealth

A toolkit of AD specific health checks that you can run in your environment to ensure your Active Directory is running optimally.

Stars: ✭ 114 (-94.04%)

Mutual labels: active-directory

Deploy Deception

A PowerShell module to deploy active directory decoy objects.

Stars: ✭ 109 (-94.31%)

Mutual labels: blueteam

Mthc

All-in-one bundle of MISP, TheHive and Cortex

Stars: ✭ 134 (-93%)

Mutual labels: dfir

Defaultcreds Cheat Sheet

One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

Stars: ✭ 1,949 (+1.83%)

Mutual labels: blueteam

Information Security Tasks

This repository is created only for infosec professionals whom work day to day basis to equip ourself with uptodate skillset, We can daily contribute daily one hour for day to day tasks and work on problem statements daily, Please contribute by providing problem statements and solutions

Stars: ✭ 108 (-94.36%)

Mutual labels: blueteam

View All Similar Projects ➔

Concept

LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.
This tool can visualize the following event id related to Windows logon based on this research.

4624: Successful logon
4625: Logon failure
4768: Kerberos Authentication (TGT Request)
4769: Kerberos Service Ticket (ST Request)
4776: NTLM Authentication
4672: Assign special privileges

More details are described in the following documents:

Additional Analysis

LogonTracer uses PageRank, Hidden Markov model and ChangeFinder to detect malicious hosts and accounts from event log.

With LogonTracer, it is also possible to display event logs in a chronological order.

Use LogonTracer

To use LogonTracer, you can:

Documentation

If you want to know more details, please check the LogonTracer wiki.

Demonstration

Following YouTube's video shows how to use LogonTracer.

Architecture

LogonTracer is written in Python and uses Neo4j for database. The following tools are used.

Python 3
Neo4j for a graph database.
Neo4j JavaScript driver for connects to Neo4j using the binary protocol.
Cytoscape for visualizing a graph network.
Flask is a microframework for Python.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

JPCERTCC / Logontracer

Programming Languages

Labels

Projects that are alternatives of or similar to Logontracer

Concept

Additional Analysis

Use LogonTracer

Documentation

Demonstration

Architecture