LogonTracer Tool to Investigate malicious Windows logon


Finding and stopping a cyber-attack is becoming the highest priority for any organization. Security tools help achieve this objective, whether they are commercial or open source solutions.

One of the tools you can use to detect lateral movement or suspicious activity in your environment is LogonTracer. It is an open source tool that imports your Windows logon event logs and displays them as a graph, so that you can identify security-relevant Windows logon events.

In the graph, nodes are coloured as follows:
• Red: SYSTEM privilege account
• Blue: Standard user account
• Green: Host/IP address

LogonTracer investigates malicious logons by visualizing and analyzing Windows Active Directory event logs. It associates a host name (or an IP address) with the account name found in logon-related events and displays the result as a graph. This way, it is possible to see for which accounts logon attempts occur and which host is used.
This tool can visualize the following event IDs related to Windows logon, based on this research.
4624: Successful logon
4625: Logon failure
4768: Kerberos Authentication (TGT Request)
4769: Kerberos Service Ticket (ST Request)
4776: NTLM Authentication
4672: Assign special privileges
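To make the host-to-account association concrete, the following added Python example (not LogonTracer's own code) builds the same kind of graph from Security log records: it keeps only the six event IDs listed above, links each account to the host or IP it was seen from, and colours nodes by the legend given earlier. The event records are constructed sample data, and the field names (`TargetUserName`, `IpAddress`, `Workstation`) follow the Security log's EventData element.

```python
"""Build the account-to-host logon graph that LogonTracer draws, from
Windows Security event records.  Added illustration, not LogonTracer's own
code; the event records below are constructed sample data."""
from collections import defaultdict

# Event IDs the post lists as logon-related.
LOGON_EVENTS = {4624, 4625, 4768, 4769, 4776, 4672}
SPECIAL_PRIVILEGE = 4672  # marks the account red in the legend

# Constructed sample records; field names follow the Security log's EventData.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "Alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"EventID": 4672, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.7"},
    {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"EventID": 4799, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},  # not logon-related
]

def build_logon_graph(events):
    """Return (edges, colors).

    edges maps (account, host) -> {event_id: count}; colors follows the
    post's legend: red = account that received special privileges (4672),
    blue = any other account, green = host/IP address."""
    edges = defaultdict(lambda: defaultdict(int))
    accounts, hosts, privileged = set(), set(), set()
    for ev in events:
        eid = ev["EventID"]
        if eid not in LOGON_EVENTS:
            continue
        account = ev["TargetUserName"].lower()  # account names are case-insensitive
        # 4776 (NTLM) records carry a Workstation name instead of an IpAddress
        host = ev.get("IpAddress") or ev.get("Workstation") or "-"
        if host.startswith("::ffff:"):          # IPv4-mapped IPv6 form seen in Kerberos events
            host = host[len("::ffff:"):]
        edges[(account, host)][eid] += 1
        accounts.add(account)
        hosts.add(host)
        if eid == SPECIAL_PRIVILEGE:
            privileged.add(account)
    colors = {a: ("red" if a in privileged else "blue") for a in accounts}
    colors.update({h: "green" for h in hosts})
    return {k: dict(v) for k, v in edges.items()}, colors

if __name__ == "__main__":
    graph, legend = build_logon_graph(SAMPLE_EVENTS)
    for (account, host), counts in sorted(graph.items()):
        print(f"{account:<11} ({legend[account]}) -> {host:<9} ({legend[host]}) {counts}")
```

Running it shows the two failed logons for `bob` from 10.0.0.9 and `svc_backup` appearing red on two hosts, which is the shape of activity LogonTracer makes visible.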

You can download the latest release of this tool at https://github.com/JPCERTCC/