Tracking Malicious Logon: Visualize and Analyze Active Directory Event Logs

In the lateral movement phase of APT incidents, analysis of Windows Active Directory event logs is crucial, since it is one of the few ways to identify compromised hosts. At the same time, examining the logs is usually a painful task because Windows Event Viewer is not the best tool for it. Analysts often end up exporting the entire logs to text format and feeding them into other tools such as a SIEM. However, a SIEM is not a perfect solution either for handling the ever-increasing volume of logs. In this presentation, we introduce a more specialized event log analysis tool for incident responders. It visualizes event logs using network analysis and machine learning to show the correlation between accounts and hosts. It has been proven in our on-the-ground incident response work and, most importantly, it is an open source tool.
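To make the account-to-host correlation concrete, here is an added example (not the presenters' tool) that builds a logon graph from exported Security log records and ranks accounts and source addresses by how many distinct hosts they reached, a simple network-analysis view of lateral movement candidates. The pipe-separated field layout and the sample records are constructed for this example; event ID 4624 and logon types 3 (network) and 10 (RemoteInteractive) are the real Windows values.

```python
# Added example: account/host logon graph from Windows Security log records.
# Not the presenters' tool; the record layout below is an assumption for this demo.
from collections import defaultdict

# Constructed sample records: event_id|timestamp|account|target_host|logon_type|source_ip
SAMPLE_LOG = """\
4624|2024-01-10T09:00:01|CORP\\alice|WS01|3|10.0.0.5
4624|2024-01-10T09:02:14|CORP\\alice|WS01|2|-
4624|2024-01-10T09:05:30|CORP\\svc_backup|FS01|3|10.0.0.5
4624|2024-01-10T09:06:02|CORP\\svc_backup|DC01|3|10.0.0.5
4624|2024-01-10T09:06:45|CORP\\svc_backup|WS07|10|10.0.0.5
4624|2024-01-10T09:07:10|CORP\\svc_backup|WS09|3|10.0.0.5
4625|2024-01-10T09:08:00|CORP\\bob|WS02|3|10.0.0.9
4624|2024-01-10T09:09:00|CORP\\bob|WS02|3|10.0.0.9
"""

LOGON_EVENT = "4624"          # successful logon
REMOTE_TYPES = {"3", "10"}    # network and RDP logons: the ones that link hosts together

def parse_logons(text):
    """Yield (account, host, source_ip) for successful remote logons only.
    Failed logons (4625) and local/interactive logons (type 2) are skipped."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 6:
            continue
        event_id, _ts, account, host, logon_type, src_ip = fields
        if event_id == LOGON_EVENT and logon_type in REMOTE_TYPES:
            yield account, host, src_ip

def build_graph(text):
    """Return two adjacency maps: {account: {host,...}} and {source_ip: {host,...}}."""
    acct_hosts, src_hosts = defaultdict(set), defaultdict(set)
    for account, host, src_ip in parse_logons(text):
        acct_hosts[account].add(host)
        if src_ip != "-":
            src_hosts[src_ip].add(host)
    return dict(acct_hosts), dict(src_hosts)

def rank_by_fanout(adjacency, min_hosts=3):
    """Nodes (accounts or source IPs) reaching >= min_hosts distinct hosts, widest first.
    An account or address that suddenly fans out across many hosts is a triage lead."""
    ranked = sorted(adjacency.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(node, sorted(hosts)) for node, hosts in ranked if len(hosts) >= min_hosts]

if __name__ == "__main__":
    accounts, sources = build_graph(SAMPLE_LOG)
    print(rank_by_fanout(accounts))
    print(rank_by_fanout(sources))
```

Feeding the resulting edge lists into a graph library or a visualizer is the step the presentation's tool automates; the fan-out ranking alone already surfaces the single account and source address that touched most of the sample hosts.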

Presented by