Active Directory Security Event Analysis using LogonTracer

LogonTracer associates the host names (or IP addresses) and account names found in logon-related events and displays them as a graph, which makes it possible to see which accounts attempt to log in and which hosts are used. The resulting graph shows the relations between IP addresses and accounts.

To rank the accounts and hosts, LogonTracer performs network analysis on the event log graph and orders the nodes by their “centrality”. Centrality is an index of how close to the centre of the network a node sits. It is calculated with PageRank [1]: nodes connected to many other nodes are placed towards the centre of the graph and therefore receive a higher centrality.

Because a compromised account is used to attempt logins to many hosts, it tends to have a higher centrality. Comparing centrality values therefore helps identify the accounts and hosts that may be affected.
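As an added illustration (example code, not LogonTracer's own implementation), the following computes PageRank centrality over a small constructed set of account-to-host logons. Each account and each host becomes a node, each observed logon pair an edge, and the ranking shows the account that touched the most hosts rising to the top. The account and host names are invented sample data.

```python
"""Centrality ranking of a logon graph (added example, not LogonTracer's code)."""
from collections import defaultdict

# Constructed sample: (account, host) pairs taken from logon events.
# 'svc-backup' is the outlier that authenticates to many different hosts.
SAMPLE_LOGONS = [
    ("alice", "WS01"), ("alice", "WS01"), ("alice", "FS01"),
    ("bob", "WS02"), ("bob", "FS01"),
    ("carol", "WS03"),
    ("svc-backup", "WS01"), ("svc-backup", "WS02"), ("svc-backup", "WS03"),
    ("svc-backup", "FS01"), ("svc-backup", "DC01"),
]


def build_graph(logons):
    """Undirected graph: accounts and hosts are nodes, each distinct logon pair is an edge."""
    adj = defaultdict(set)
    for account, host in logons:
        adj["user:" + account].add("host:" + host)
        adj["host:" + host].add("user:" + account)
    return adj


def pagerank(adj, damping=0.85, max_iter=100, tol=1e-9):
    """PageRank by power iteration.

    Every node here has at least one neighbour, so there are no dangling nodes
    and the scores keep summing to 1 without a special correction."""
    nodes = list(adj)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        new = {}
        for v in nodes:
            # A node receives a share of each neighbour's score,
            # split evenly over that neighbour's degree.
            inflow = sum(rank[u] / len(adj[u]) for u in adj[v])
            new[v] = (1.0 - damping) / n + damping * inflow
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def rank_nodes(logons, kind=None):
    """Nodes sorted by centrality, highest first. kind='user' or 'host' restricts the list."""
    scores = pagerank(build_graph(logons))
    items = [(v, s) for v, s in scores.items()
             if kind is None or v.startswith(kind + ":")]
    return sorted(items, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for node, score in rank_nodes(SAMPLE_LOGONS):
        print(f"{score:.4f}  {node}")
```

In LogonTracer the graph lives in Neo4j and is far larger, but the principle is the same: the service account that authenticated to five hosts tops the user ranking, and the file server that every account touched tops the host ranking. A high-centrality account is a lead rather than a verdict, since backup and monitoring accounts legitimately reach many hosts, so treat the ranking as a triage order for the analyst.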

Node details

  • Red node: account with SYSTEM privileges
  • Blue node: standard user account
  • Green node: IP address or host

Set up LogonTracer on Ubuntu 19.04

LogonTracer loads the graph from Neo4j, so Neo4j must be installed prior to setting up LogonTracer.

Install Neo4j

Follow the Neo4j documentation to install Neo4j.

https://neo4j.com/docs/operations-manual/current/installation/linux/debian/

Change Neo4j configuration to allow remote access

Save the configuration and restart the service

Next, open http://192.168.0.40:7474 in a browser and log in to the Neo4j UI (192.168.0.40 is my server's IP address).

Use the default credentials, username “neo4j” and password “neo4j”. The password can be changed at the first login.

Clone LogonTracer

From the LogonTracer folder, install the requirements.

Once the requirements are installed, start LogonTracer.

The arguments are:
  • --run: launch the web server
  • --port: port number the web server listens on (in my case “8877”)
  • --user: Neo4j username (in my case “neo4j”)
  • --password: Neo4j password (in my case “newpass”)
  • --server: address the web server binds to (in my case “192.168.0.40”)

Now that the server is running, let’s open it in a browser.

Using “Upload Event Log” at the bottom left of the screen, we can provide our Security event log in either of two formats: the raw .evtx file, or the log exported as XML from the Windows Event Viewer. The recommended route is to convert the .evtx file to XML by exporting the security events from the Windows Event Viewer or another tool.
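To show what the exported XML contains and how it becomes the account/host edges the graph is built from, here is an added example parser (not LogonTracer's own code). It reads events 4624 (successful logon) and 4625 (failed logon), skips machine accounts and purely local logons, and counts each (account, source, outcome) edge. The sample events are constructed, and the handling of a root-less export is an assumption about the shape of Event Viewer's XML output; a file that already carries a root element is parsed as-is.

```python
"""Turn Security-event XML into account/source logon edges (added example, not LogonTracer's parser)."""
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
LOGON_EVENT_IDS = {"4624": "success", "4625": "failure"}

# Constructed sample in the shape of an Event Viewer XML export (fields trimmed to what is used).
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">192.168.0.10</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS01</Data><Data Name="IpAddress">192.168.0.10</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">DC01$</Data><Data Name="LogonType">5</Data>
    <Data Name="WorkstationName">-</Data><Data Name="IpAddress">-</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>DC01.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">admin</Data><Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">-</Data><Data Name="IpAddress">192.168.0.77</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WS02.example.local</Computer></System>
  <EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">WS02</Data><Data Name="IpAddress">127.0.0.1</Data></EventData>
</Event>
"""


def event_data(event):
    """Flatten <EventData><Data Name="..."> children into a dict."""
    return {d.get("Name"): (d.text or "").strip()
            for d in event.findall("e:EventData/e:Data", NS)}


def parse_logon_edges(xml_text):
    """Return a Counter of (account, source, outcome) edges from 4624/4625 events."""
    text = xml_text.strip()
    # Drop the XML declaration so the remaining text can be wrapped in a root element.
    if text.startswith("<?xml"):
        text = text[text.index("?>") + 2:].lstrip()
    # Assumption: the export is a bare sequence of <Event> elements; give it a root.
    if text.startswith("<Event "):
        text = "<Events>" + text + "</Events>"
    root = ET.fromstring(text)
    edges = Counter()
    for ev in root.iter("{%s}Event" % EVENT_NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id not in LOGON_EVENT_IDS:
            continue
        data = event_data(ev)
        account = data.get("TargetUserName", "")
        # Machine accounts end in '$'; keep them out of the user graph.
        if not account or account.endswith("$"):
            continue
        # Prefer the source IP; fall back to the workstation name for local addresses.
        source = data.get("IpAddress", "-")
        if source in ("-", "", "::1", "127.0.0.1"):
            source = data.get("WorkstationName", "-")
        if source in ("-", ""):
            continue  # no usable source host, nothing to connect
        edges[(account.lower(), source, LOGON_EVENT_IDS[event_id])] += 1
    return edges


if __name__ == "__main__":
    for (account, source, outcome), count in sorted(parse_logon_edges(SAMPLE_XML).items()):
        print(f"{account:<10} {source:<14} {outcome:<8} x{count}")
```

The edge counts are what a logon graph is weighted with: two successful logons for alice from 192.168.0.10, one failure for admin from 192.168.0.77, and bob's console logon attributed to WS02 because the recorded address is the loopback. Failed logons are kept as their own edge kind because a burst of 4625 events from one source against many accounts is exactly the pattern the centrality ranking is meant to surface.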