LogonTracer helps digital forensics analysts investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. The tool uses PageRank and ChangeFinder to detect suspicious hosts and accounts in the event log. Based on this research, it can visualize the following event IDs related to Windows logon:

  • 4624: Successful logon
  • 4625: Logon failure
  • 4768: Kerberos Authentication (TGT Request)
  • 4769: Kerberos Service Ticket (ST Request)
  • 4776: NTLM Authentication
  • 4672: Assign special privileges

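The following Python script is an added illustration, not LogonTracer's own code, of the analysis idea described above: logon events are turned into an account-to-host graph, PageRank scores which accounts touch the most hosts, and failed-logon and special-privilege events are tallied as extra signals. The event records, their field names (`EventID`, `TargetUserName`, `Host`) and the account and host names are all constructed for the example; the PageRank is a minimal power-iteration implementation, and ChangeFinder is not reproduced here.

```python
"""Toy LogonTracer-style triage over Windows logon events (constructed sample data)."""
from collections import defaultdict

# Event IDs LogonTracer visualizes, as listed on the page.
EVENT_LABELS = {
    4624: "Successful logon",
    4625: "Logon failure",
    4768: "Kerberos Authentication (TGT Request)",
    4769: "Kerberos Service Ticket (ST Request)",
    4776: "NTLM Authentication",
    4672: "Assign special privileges",
}

# Event IDs that represent an authentication tying an account to a host.
AUTH_EVENTS = {4624, 4768, 4769, 4776}

# Constructed sample events (not real log data). Field names are assumed, not
# the exact Windows XML field names LogonTracer parses.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "Host": "WS01"},
    {"EventID": 4624, "TargetUserName": "alice", "Host": "WS02"},
    {"EventID": 4624, "TargetUserName": "bob", "Host": "WS03"},
    {"EventID": 4625, "TargetUserName": "bob", "Host": "WS03"},
    {"EventID": 4625, "TargetUserName": "bob", "Host": "WS03"},
    {"EventID": 4625, "TargetUserName": "bob", "Host": "WS03"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "Host": "WS01"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "Host": "WS02"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "Host": "WS03"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "Host": "FS01"},
    {"EventID": 4672, "TargetUserName": "svc_backup", "Host": "FS01"},
]


def build_graph(events):
    """Undirected bipartite graph: each account is linked to every host it authenticated to."""
    adj = defaultdict(set)
    for e in events:
        if e["EventID"] not in AUTH_EVENTS:
            continue  # failures and privilege assignments do not create edges
        acct, host = "acct:" + e["TargetUserName"], "host:" + e["Host"]
        adj[acct].add(host)
        adj[host].add(acct)
    return dict(adj)


def pagerank(adj, damping=0.85, iterations=100):
    """Power-iteration PageRank; every node here has at least one edge, so no dangling handling."""
    n = len(adj)
    rank = {node: 1.0 / n for node in adj}
    for _ in range(iterations):
        new = {}
        for node in adj:
            incoming = sum(rank[nb] / len(adj[nb]) for nb in adj[node])
            new[node] = (1 - damping) / n + damping * incoming
        rank = new
    return rank


def rank_accounts(events):
    """Accounts sorted by PageRank; an account reaching many hosts floats to the top."""
    pr = pagerank(build_graph(events))
    accts = {k[len("acct:"):]: v for k, v in pr.items() if k.startswith("acct:")}
    return sorted(accts.items(), key=lambda kv: kv[1], reverse=True)


def failed_logons_by_account(events):
    """Count 4625 events per account (repeated failures are a classic triage signal)."""
    counts = defaultdict(int)
    for e in events:
        if e["EventID"] == 4625:
            counts[e["TargetUserName"]] += 1
    return dict(counts)


def privileged_accounts(events):
    """Accounts that received special privileges (4672) during the window."""
    return {e["TargetUserName"] for e in events if e["EventID"] == 4672}


if __name__ == "__main__":
    for acct, score in rank_accounts(SAMPLE_EVENTS):
        print(f"{acct:12s} pagerank={score:.4f}")
    print("failed logons:", failed_logons_by_account(SAMPLE_EVENTS))
    print("special privileges:", sorted(privileged_accounts(SAMPLE_EVENTS)))
```

On the constructed data the service account that logged on to four hosts ranks first, which is the pattern an analyst would then check against ChangeFinder-style timeline anomalies and the account's expected behaviour before concluding anything.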
Learn more about the tool here.
