Active Directory Security Event Analysis using LogonTracer

by Posted on

LogonTracer associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph and it is possible to see in which account login attempt occurs and which host is used. LogonTracer creates graphs, which shows the relations of some IP addresses and accounts.

For this ranking, LogonTracer performs network analysis on the event log graph, and creates a ranking based on the “centrality” of each node. Centrality is an index which indicates each node’s proximity to the centre in a network. For calculation of centrality, PageRank [1] is applied. In this algorithm, nodes that have connection to many other nodes are located towards the centre of the graph and therefore have a higher centrality.

As compromised accounts are used to perform login attempts to many hosts, they tend to have a higher centrality. Consequently, by comparing the centrality, possibly affected accounts/hosts can be identified.

Node details

  • Node Red SYSTEM privileges account
  • Node Blue Standard user account
  • Node Green IP address and host

Setup LogonTracer on Ubuntu 19.04

root@sec01:/home/admin#lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 19.04
Release: 19.04
Codename: disco

LogonTracer loads the graph from Neo4j. Neo4j should be installed prior setting up LogonTracer.

Install Neo4j

Please check the Neo4j web site and install Neo4j.

https://neo4j.com/docs/operations-manual/current/installation/linux/debian/

sudo apt-get install neo4j=1:4.0.3

Change Neo4j configuration to allow remote access

root@sec01:/home/admin# vim /etc/neo4j/neo4j.conf
# Bolt connector
dbms.connector.bolt.enabled=true
#dbms.connector.bolt.tls_level=DISABLED
dbms.connector.bolt.listen_address=0.0.0.0:7687

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=true
dbms.connector.http.listen_address=0.0.0.0:7474

Save the configuration and restart the service

systemctl restart neo4j

Next up, connect to the server at http://192.168.0.40:7474 and login to the UI for neo4j. (192.168.0.40 is my server IP)

Using the default credentials of username “neo4j” and password “neo4j”. You can change the password at the first login.

Clone LogonTracer

git clone https://github.com/JPCERTCC/LogonTracer.git

From LogonTracer folder

pip3 install -r LogonTracer/requirements.txt

Once the requirements are installed start the LogonTracer

root@sec01:/home/admin/LogonTracer# python3 logontracer.py --run --port 8877 --user neo4j --password 'newpass' --server 192.168.0.40

These different arguments are:
–run: Launch web server
–port: Port number where the web server operates – In my case this is “8877”
–user: Neo4j username – In my case this user is “neo4j”
–password: Neo4j password – In my case this is “newpass”
–server: Address where the web server operates – In my case this is “192.168.0.40”

Now that the server is running, let’s now access it using our browser.

Using the “Upload Event Log” at the bottom left hand side of the screen, we are able to provide our Security Event log. We can upload this in either of two formats. Either the raw .evtx file or we can use the Windows Event Viewer and export these logs as XML. It is recommended that you convert your .EVTX file to .XML by exporting the security events from the Windows Event Viewer or some other tool.

Published by Sumesh MS