[addtool] LogonTracer

[gwen001]

[tags]authentication,windows,defense[/tags] [short_descr]Investigate malicious Windows logon by visualizing and analyzing Windows event log.[/short_descr] [link] https://github.com/JPCERTCC/LogonTracer [/link] [long_descr] LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.

This tool can visualize the following event id related to Windows logon:

• 4624: Successful logon
• 4625: Logon failure
• 4768: Kerberos Authentication (TGT Request)
• 4769: Kerberos Service Ticket (ST Request)
• 4776: NTLM Authentication
• 4672: Assign special privileges [/long_descr] [image] https://raw.githubusercontent.com/gwen001/offsectools_www/main/tmp/2303dbb61bda8d640dd7612e9e2f0068.png [/image] [image] https://raw.githubusercontent.com/gwen001/offsectools_www/main/tmp/070fa88cd29d2e92ce943c9f40192086.png [/image]

[gwen001]

Issue correctly handled, tool is waiting for human validation.

[gwen001]

Tool has been accepted by the team: https://offsec.tools/tool/logontracer

Thank you for your contribution!