According to the description from the tool's GitHub page "LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.
This tool can visualize the following event id related to Windows logon based on this research.
4624: Successful logon
4625: Logon failure
4768: Kerberos Authentication (TGT Request)
4769: Kerberos Service Ticket (ST Request)
4776: NTLM Authentication
4672: Assign special privileges"
For this install, I'm using Ubuntu 18 as shown below:
securitynik@securitynik.local:~# lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic
Let's first install Java 8
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer
Install neo4j Community Edition by first adding its repository:
wget -O - https://debian.neo4j.org/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.org/repo stable/' | sudo tee /etc/apt/sources.list.d/neo4j.list
sudo apt-get update
Let's now install neo4j:
sudo apt-get install neo4j
Now that neo4j is installed, let's make two quick configuration changes. In the neo4j configuration file, locate the following two lines:
#dbms.connector.bolt.listen_address=:7687
#dbms.connector.https.listen_address=192.168.0.4:7473
I want neo4j to listen on a specific interface, so I changed them to:
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.connector.https.listen_address=192.168.0.4:7473
Note that I also removed the comment marker "#" from the start of these two lines.
Next, restart neo4j using systemctl:
systemctl restart neo4j
If we next do a "netstat -nltp", we see the host is listening on those two ports above.
securitynik@securitynik.local:/tmp# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
....
tcp6       0      0 :::7687                 :::*                    LISTEN      24537/java
tcp6       0      0 192.168.0.4:7473        :::*                    LISTEN      24537/java
tcp6       0      0 192.168.0.4:7474        :::*                    LISTEN      24537/java
....
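The same two steps, the config edit and the netstat check, as a small shell script. This is an added example, not code from the original post or from the LogonTracer or neo4j projects: it rewrites the two listen_address lines with sed (uncommenting them if they are still commented out) and then confirms from netstat-style output that the expected sockets are in LISTEN state. The config excerpt and the netstat output below are constructed so the script runs offline; the config path and the addresses are assumptions you would replace with your own. Because the bind addresses are parameters, you can pass the management interface's address for bolt instead of 0.0.0.0 if the database should not be reachable from every network the host is on.

```shell
#!/bin/sh
# Added example (not from the original post or from LogonTracer/neo4j).
# Applies the two neo4j listener settings with sed, idempotently, and checks
# netstat-style output for the ports we expect to see listening.

# configure_neo4j_listeners CONF BOLT_ADDR HTTPS_ADDR
# Rewrites (and uncomments if needed) the bolt and https listen_address lines.
configure_neo4j_listeners() {
    conf="$1"; bolt="$2"; https="$3"
    sed -e "s|^#*dbms\.connector\.bolt\.listen_address=.*|dbms.connector.bolt.listen_address=${bolt}|" \
        -e "s|^#*dbms\.connector\.https\.listen_address=.*|dbms.connector.https.listen_address=${https}|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_setting CONF KEY: prints the active (uncommented) value of KEY, if any.
get_setting() {
    sed -n "s|^$2=||p" "$1"
}

# listening_on NETSTAT_FILE LOCAL_ADDR: succeeds only if a socket bound to
# exactly LOCAL_ADDR (e.g. ":::7687" or "192.168.0.4:7473") is in LISTEN state.
# Fields of "netstat -nltp": Proto Recv-Q Send-Q Local Foreign State PID/Program.
listening_on() {
    awk -v want="$2" '$4 == want && $6 == "LISTEN" { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# --- constructed sample inputs so the example runs offline -----------------
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed excerpt of neo4j.conf with both listeners still commented out
#dbms.connector.bolt.listen_address=:7687
#dbms.connector.https.listen_address=:7473
EOF

netstat_out=$(mktemp)
cat > "$netstat_out" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::7687                 :::*                    LISTEN      24537/java
tcp6       0      0 192.168.0.4:7473        :::*                    LISTEN      24537/java
tcp6       0      0 192.168.0.4:7474        :::*                    LISTEN      24537/java
EOF

# Same values as in the post; pass e.g. "192.168.0.4:7687" for bolt instead
# of "0.0.0.0:7687" to keep the database off interfaces that do not need it.
configure_neo4j_listeners "$conf" "0.0.0.0:7687" "192.168.0.4:7473"
echo "bolt  listen_address: $(get_setting "$conf" dbms.connector.bolt.listen_address)"
echo "https listen_address: $(get_setting "$conf" dbms.connector.https.listen_address)"

# On a real host run: netstat -nltp > "$netstat_out" (after systemctl restart neo4j)
for addr in ":::7687" "192.168.0.4:7473"; do
    if listening_on "$netstat_out" "$addr"; then
        echo "listening on $addr"
    else
        echo "NOT listening on $addr"
    fi
done
```

On a real host, point conf at the neo4j configuration file and feed listening_on the output of netstat -nltp taken after the restart; a missing port usually means the edit did not take effect or the service failed to start, which journalctl -u neo4j will show.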
Next up, connect to the server at http://192.168.0.4:7474 and log in to the neo4j UI.
Using the default credentials of username "neo4j" and password "neo4j", I was able to authenticate and was then asked to change my password. I also added the user "securitynik" with password "Testing1". Once my password was changed, the next step was to clone LogonTracer:
git clone https://github.com/JPCERTCC/LogonTracer.git
Once the clone finished, I took a look at the requirements file before installing:
securitynik@securitynik.local:~$ cat LogonTracer/requirements.txt
numpy
py2neo==3.1.2
python-evtx
lxml
changefinder
flask
hmmlearn
scikit-learn==0.19.2
Now that we know what it is trying to install, let's continue:
pip3 install -r LogonTracer/requirements.txt
Ensure you have "python3-pip" installed. If not, run:
apt-get install python3-pip
If all went well, I guess I will see you in the next post.
References:
https://github.com/JPCERTCC/LogonTracer
https://github.com/JPCERTCC/LogonTracer/wiki/for-linux
https://blogs.jpcert.or.jp/en/2017/11/visualise-event-logs-to-identify-compromised-accounts---logontracer-.html
https://gist.github.com/nepobef/0f378ded038b35324e0106fcff79303c
http://debian.neo4j.org/
https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf
https://neo4j.com/docs/operations-manual/current/installation/linux/debian/
https://neo4j.com/docs/operations-manual/current/installation/linux/tarball/
I get so many errors while installing this "pip3 install -r LogonTracer/requirements.txt"
Sorry to hear. What OS are you using?