Saturday, March 2, 2019

Tracking authentication information with JPCert's Logon Tracker - Usage

This post is a continuation from the previous post. First we load LogonTracer

securitynik@securitynik.local:~/LogonTracer$ python3 --run --port 5678 --user securitynik --password 'Testing1' --server

These different arguments are:
    --run: Launch web server
    --port: Port number where the web server operates - In my case this is "5678"
    --user: Neo4j username - In my case this user is "securitynik"
    --password: Neo4j password - In my case this is "Testing1"
    --server: Address where the web server operates - In my case this is ""

This produced the following at the console:
securitynik@securitynik.local:~/LogonTracer$ python3 --run --port 5678 --user securitynik --password 'Testing1' --server
[*] Script start. 2019/02/21 20:12:11
 * Serving Flask app "logontracer" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on (Press CTRL+C to quit)

Now that the server is running, let's now access it using our browser.

Using the "Upload Event Log" at the bottom left hand side of the screen, we are able to provide our Security Event log. We can upload this in either of two formats. Either the raw .evtx file or we can use the Windows Event Viewer and export these logs as XML. It is recommended that you convert your .EVTX file to .XML by exporting the security events from the Windows Event Viewer or some other tool.

While I showed this screen, I actually struggled to get my events in this way. Whenever, I clicked on the "log" screen the log says there was a problem connecting to the database.

As a result, I opened the "Event Viewer" and selected "Save All Events As". Here I provided my filename as "SecurityNik_Security-Events.xml" and specified the type as "XML". Note also rather than selecting all events, you can instead filter the event log for event IDs 4624, 4625, 4768, 4769 and 4776 and then save the filtered file.
securitynik@securitynik:~/LogonTracer$ python3 ./ --user securitynik --password Testing1 --xml upload/SecurityNik_Security-events.xml --timezone -5 --server
[*] Script start. 2019/02/23 17:04:12
[*] Time zone is -5.
[*] Last record number is 164.
[*] Start parsing the EVTX file.
[*] Parse the EVTX file upload/SecurityNik_Security-events.xml.
[*] Now loading 100 records.
[*] Load finished.
[*] Total Event log is 164.
[*] Calculate ChangeFinder.
[*] Calculate Hidden Markov Model.
/home/securitynik/.local/lib/python3.6/site-packages/hmmlearn/ RuntimeWarning: divide by zero encountered in log
  return np.log(self.emissionprob_)[:, np.concatenate(X)].T
[*] Calculate PageRank.
[*] Creating a graph data.
[*] Creation of a graph data finished.
[*] Script end. 2019/02/23 17:04:33

Important to note that in order for this to work properly, you need to ensure your security policy is configured to capture event IDs: 4624, 4625, 4768, 4769 and 4776.

Once the log has been imported you can then login to your portal and check your graphs. In my case we see:

Please note that there is a sample "Security.evtx" file in the "samples" folder of LogonTracer.

I find this to be a very interesting tool you should try it.


No comments:

Post a Comment