LogonTracer – Investigate Malicious Logon Using Event Logs

LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.

LogonTracer - Investigate Malicious Logon Using Event Logs
LogonTracer – Investigate Malicious Logon Using Event Logs

This tool can visualize the following event id related to Windows logon:

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges

The windows default log setting does not provide sufficient information for LogonTracer. You must to enable the audit policy on each computer which you want to analyze logon activities.

Open Local Group Policy Editor (gpedit.msc) and drill down to following location. Enable following entries, the event ID will be recorded:

  • Account Logon
    • Audit Credential Validation
    • Audit Kerberos Authentication Service
    • Audit Kerberos Service Ticket Operations
  • Logon/Logoff
    • Audit Logon
    • Audit Special Logon

CIS Benchmark provide as well a special section for logging purpose it will be recommended to review that section and apply the hardening requirement to get the logs properly enabled for system monitoring.

You can read more and download this tool over here: https://github.com/JPCERTCC/LogonTracer

Notify of
Inline Feedbacks
View all comments