Tracking Malicious Logon: Visualize and Analyze Active Directory Event Logs

BSidesLV 2018

Presented by: Tomoaki Tani, Shusei Tomonaga
Date: Wednesday August 08, 2018
Time: 14:00 - 14:55
Location: Ground Truth

In the lateral movement phase of APT incidents, analysis of Windows Active Directory event logs is crucial, since it is one of the few ways to identify compromised hosts. At the same time, examining the logs is usually a painful task because Windows Event Viewer is not the best tool for it. Analysts often end up exporting the entire logs into text format and then feeding them to other tools such as a SIEM. However, a SIEM is not a perfect solution for handling the increasing amount of logs either. In this presentation, we would like to introduce a more specialized event log analysis tool for incident responders. It visualizes event logs using network analysis and machine learning so as to show the correlation of accounts and hosts. It has been proven in our on-the-ground response experience and, most importantly, it is an open source tool.
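The abstract describes correlating accounts and hosts from logon events as a graph. The following is an added example, not code from the talk or its tool, that shows the core of that idea on a handful of constructed records: it keeps only successful network-style logons (Windows event ID 4624 with logon type 3 or 10), builds an account-to-host graph, ranks accounts by how many distinct hosts they reached, and expands one hop from a suspected host to scope which other hosts the same accounts touched. The record layout, account names, IPs and host names are invented for illustration; only the event ID and logon type semantics are real Windows values.

```python
from collections import defaultdict

# Constructed sample of Windows Security logon records. Event ID 4624 is the
# real "An account was successfully logged on" event and 4625 the failed-logon
# event; the accounts, addresses and hosts below are invented.
SAMPLE_EVENTS = [
    # (event_id, logon_type, account, source_ip, target_host)
    (4624, 3, "alice", "10.0.0.11", "FS01"),
    (4624, 3, "alice", "10.0.0.11", "FS01"),
    (4624, 2, "bob", "10.0.0.12", "WS12"),         # interactive (console), ignored
    (4624, 3, "svc_backup", "10.0.0.50", "FS01"),
    (4624, 3, "svc_backup", "10.0.0.50", "FS02"),
    (4624, 3, "svc_backup", "10.0.0.50", "DC01"),
    (4624, 10, "carol", "10.0.0.13", "WS13"),      # RemoteInteractive (RDP)
    (4624, 3, "carol", "10.0.0.13", "FS02"),
    (4624, 3, "carol", "10.0.0.13", "DC01"),
    (4624, 3, "carol", "10.0.0.13", "WS12"),
    (4625, 3, "carol", "10.0.0.13", "WS14"),       # failed logon, ignored
]

# Logon types that indicate a logon from another machine: 3 = Network,
# 10 = RemoteInteractive. Interactive console logons (2) are not movement.
NETWORK_LOGON_TYPES = {3, 10}


def build_graph(events):
    """Bipartite account -> set(host) graph from successful network logons."""
    graph = defaultdict(set)
    for event_id, logon_type, account, _src, host in events:
        if event_id != 4624 or logon_type not in NETWORK_LOGON_TYPES:
            continue
        graph[account].add(host)
    return dict(graph)


def invert(graph):
    """host -> set(account): which accounts were seen on each host."""
    by_host = defaultdict(set)
    for account, hosts in graph.items():
        for host in hosts:
            by_host[host].add(account)
    return dict(by_host)


def rank_accounts(graph):
    """Accounts ordered by number of distinct hosts reached (degree centrality).

    An account fanning out to many hosts is a candidate for review; service
    accounts are expected to rank high, so the output is a triage list, not
    a verdict.
    """
    return sorted(((a, len(h)) for a, h in graph.items()),
                  key=lambda x: (-x[1], x[0]))


def expand_from_host(graph, start_host):
    """One-hop scoping: accounts seen on start_host and the other hosts those
    accounts logged on to. Returns (sorted accounts, sorted other hosts)."""
    by_host = invert(graph)
    accounts = by_host.get(start_host, set())
    reached = set()
    for account in accounts:
        reached |= graph[account]
    reached.discard(start_host)
    return sorted(accounts), sorted(reached)


if __name__ == "__main__":
    g = build_graph(SAMPLE_EVENTS)
    for account, degree in rank_accounts(g):
        print(f"{account:<12} {degree} host(s): {sorted(g[account])}")
    accts, hosts = expand_from_host(g, "FS01")
    print(f"Accounts on FS01: {accts}; hosts they also reached: {hosts}")
```

Real deployments would read the same fields from exported Security logs (for example with an EVTX parser), add time windows so that a long-lived service account's history does not drown a short burst of new logons, and weight the graph edges by logon count before applying centrality measures.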

Shusei Tomonaga

Tomoaki Tani


KhanFu - Mobile schedules for INFOSEC conferences.