LogonTracer helps digital forensics analysts investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. The tool uses PageRank and ChangeFinder to detect malicious hosts and accounts from the event log. It can visualize the following event IDs related to Windows logon, based on this research:
- 4624: Successful logon
- 4625: Logon failure
- 4768: Kerberos Authentication (TGT Request)
- 4769: Kerberos Service Ticket (ST Request)
- 4776: NTLM Authentication
- 4672: Assign special privileges
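The following is an added example, not LogonTracer's own code, showing the core idea behind the PageRank part of the approach: each logon event becomes an edge between an account node and a host node, and PageRank over that graph highlights the accounts and hosts that sit at the centre of the logon activity. The events are constructed here for illustration (an account `svc_backup` that touches every workstation and the domain controller); the event IDs are the ones listed above. ChangeFinder (the time-series change-point part) is not reproduced here.

```python
"""Added example (not LogonTracer's code): rank accounts and hosts from
Windows logon events with a small PageRank implementation."""
from collections import defaultdict

# Event IDs the page lists as logon-related.
LOGON_EVENT_IDS = {4624, 4625, 4768, 4769, 4776, 4672}

# Constructed sample events: (event_id, account, source/target host).
# Not real log data; chosen so one service account spans every host.
SAMPLE_EVENTS = [
    (4624, "alice", "WS01"),
    (4624, "alice", "WS01"),
    (4624, "bob", "WS02"),
    (4625, "bob", "WS02"),
    (4624, "svc_backup", "WS01"),
    (4624, "svc_backup", "WS02"),
    (4624, "svc_backup", "WS03"),
    (4624, "svc_backup", "DC01"),
    (4768, "svc_backup", "DC01"),
    (4672, "svc_backup", "DC01"),
    (5140, "carol", "FS01"),   # not a logon event; ignored by build_graph
]


def build_graph(events):
    """Build an undirected, weighted account/host graph.

    Returns node -> {neighbour: edge_weight}, where the weight is the
    number of logon-related events observed between that account and host.
    """
    adj = defaultdict(lambda: defaultdict(int))
    for event_id, account, host in events:
        if event_id not in LOGON_EVENT_IDS:
            continue
        a, h = "account:" + account, "host:" + host
        adj[a][h] += 1
        adj[h][a] += 1
    return adj


def pagerank(adj, damping=0.85, iterations=100, tol=1e-9):
    """Weighted PageRank by power iteration.

    Every node here has at least one neighbour, so there are no dangling
    nodes and the ranks always sum to 1.
    """
    nodes = list(adj)
    n = len(nodes)
    if n == 0:
        return {}
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        new_rank = {}
        for v in nodes:
            # Each neighbour u spreads its rank over its own edges by weight.
            incoming = sum(
                rank[u] * w / sum(adj[u].values()) for u, w in adj[v].items()
            )
            new_rank[v] = (1 - damping) / n + damping * incoming
        delta = sum(abs(new_rank[v] - rank[v]) for v in nodes)
        rank = new_rank
        if delta < tol:
            break
    return rank


def top_ranked(events, k=3):
    """Return the k highest-ranked (node, score) pairs for the given events."""
    ranks = pagerank(build_graph(events))
    return sorted(ranks.items(), key=lambda kv: kv[1], reverse=True)[:k]


if __name__ == "__main__":
    for node, score in top_ranked(SAMPLE_EVENTS):
        print(f"{node:<22} {score:.4f}")
```

In this toy graph the account that spans every host ends up with the highest rank, which is the kind of node an analyst would want surfaced first; on real data the ranking is a triage aid, and the event details (logon type, source address, time of day) still need to be read.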
Learn more about the tool here.