Copyright ©2020 JPCERT/CC All rights reserved.

LogonTracer v1.5 + Elasticsearch = Real-time AD Log Analysis System
CODE BLUE 2020
Shusei Tomonaga and Kota Kino (JPCERT/CC)
We released LogonTracer in 2018 (CODE BLUE 2018).

Completed Works
Finished!

LogonTracer Basic
Concept
LogonTracer is a tool for investigating malicious logons by visualizing and analyzing Windows Active Directory event logs.
Key Features
Visualizing Event Log
Malicious Account Ranking
Malicious Activity Search
Visualizing Event Log
It is easy to check which account name was used to log on to a host.
Details of Visualization
Connect an account name and a host from the logon event IDs.
(figure: User1 is linked to Host by Event ID 4624, and User2 is linked to the same Host by Event ID 4625)
Check How Admin Account is Accessed from an Infected Host
Search for a specific account that has a transaction path to the Domain Administrator.
Search for a possible path from the infected host to the Domain Administrator.
(figure: malware-infected Host -> User -> Host -> Domain Admin; the infected host can reach the Domain Admin)
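As an added example (not LogonTracer's own code), the Python below builds the account/host graph described above from a few constructed 4624/4625 records and then searches for a path from a malware-infected host to a Domain Admin account, which is the "possible path to domain administrator" question the slides pose. The hosts, accounts and the DOMAIN_ADMINS set are hypothetical.

```python
# Added example (not LogonTracer's own code): build the user/host logon graph the
# slides describe from constructed Security events, then search for a path from a
# malware-infected host to a Domain Admin account.
from collections import defaultdict, deque

# Constructed sample events (hypothetical hosts/accounts, not real log data).
# Each record is (EventID, account, host): 4624 = successful logon,
# 4625 = failed logon, as on the "Details of Visualization" slide.
LOGON_EVENTS = [
    (4624, "user1", "PC01"),
    (4625, "user2", "PC01"),
    (4624, "user1", "FILESV01"),
    (4624, "svc_backup", "FILESV01"),
    (4624, "svc_backup", "DC01"),
    (4624, "da_admin", "DC01"),
    (4624, "user3", "PC02"),
]

DOMAIN_ADMINS = {"da_admin"}  # hypothetical Domain Admin account


def build_graph(events, include_failures=False):
    """Undirected bipartite graph: account <-> host for every logon event.

    Failed logons (4625) appear on the LogonTracer graph as well, but for the
    "can this host reach a Domain Admin" question only successful logons (4624)
    prove that a credential was actually usable on the host, so 4625 records are
    left out unless include_failures is set.
    """
    graph = defaultdict(set)
    for event_id, account, host in events:
        if event_id == 4624 or (include_failures and event_id == 4625):
            graph[("user", account)].add(("host", host))
            graph[("host", host)].add(("user", account))
    return graph


def path_to_domain_admin(graph, infected_host, domain_admins):
    """Breadth-first search from the infected host to any Domain Admin account.

    Returns the shortest alternating host/user path, or None when no admin
    credential was ever used on a host reachable through shared accounts.
    """
    start = ("host", infected_host)
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        kind, name = node
        if kind == "user" and name in domain_admins:
            path = []
            while node is not None:
                path.append(node[1])
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    g = build_graph(LOGON_EVENTS)
    print(path_to_domain_admin(g, "PC01", DOMAIN_ADMINS))  # PC01 -> user1 -> FILESV01 -> svc_backup -> DC01 -> da_admin
    print(path_to_domain_admin(g, "PC02", DOMAIN_ADMINS))  # None
```

The path that comes back is the lateral-movement chain an analyst wants to see: the infected workstation shares an account with a file server, where a service account was used that also logged on to the domain controller the Domain Admin uses.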
Malicious Account and Host Ranking
Account Ranking
Host Ranking

Rank using PageRank
PageRank is an algorithm used by Google Search to rank websites in its search engine results.

Idea
Important websites are cited by many websites, so the number of links to them is large.
Websites linked from websites with a large number of links have high importance.

$PR(A) = (1 - d) + d \sum_{i=1}^{n} \frac{PR(T_i)}{C(T_i)}$
Important User
(figure: the account with the highest rank is highlighted on the graph)

What's HMM
The HMM (Hidden Markov Model) is one of the most important machine learning models in speech and language processing. Past state transitions are modeled as hidden states, and each observed event is modeled as the output of the current state.

PageRank with Hidden Markov Model
Improve PageRank accuracy by combining it with a Hidden Markov Model (HMM): the damping factor becomes a per-account value d(A).

$PR(A) = (1 - d(A)) + d(A) \sum_{i=1}^{n} \frac{PR(T_i)}{C(T_i)}$
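As an added example covering both the "Rank using PageRank" and the "PageRank with Hidden Markov Model" slides (this is illustrative code, not LogonTracer's implementation), the Python below computes the un-normalised PageRank from the formula above over a small constructed logon graph, first with a constant damping factor d and then with a per-node d(A). The edge list is made up, and the choice of d(A) = 0.95 for an HMM-flagged account is an assumption: the deck does not state how LogonTracer maps HMM output to d(A).

```python
# Added example (not LogonTracer's own code): PageRank over a logon graph with a
# constant damping factor, then with a per-node damping factor d(A) as in the
# "PageRank with Hidden Markov Model" formula. The d(A) values are assumed
# inputs standing in for an HMM anomaly score.

# Constructed directed edges (hypothetical accounts/hosts). A logon draws an edge
# from the account to the host and back, so accounts used on many hosts and
# hosts touched by many accounts accumulate rank.
EDGES = [
    ("user1", "PC01"), ("PC01", "user1"),
    ("user1", "FILESV01"), ("FILESV01", "user1"),
    ("user2", "FILESV01"), ("FILESV01", "user2"),
    ("user3", "FILESV01"), ("FILESV01", "user3"),
    ("da_admin", "DC01"), ("DC01", "da_admin"),
]


def pagerank(edges, damping, iterations=100, tol=1e-10):
    """PR(A) = (1 - d(A)) + d(A) * sum_i PR(T_i) / C(T_i)

    `damping` is either a float (classic PageRank, every d(A) equal) or a
    dict {node: d(A)}; nodes missing from the dict fall back to 0.85.
    C(T) is the out-degree of T. This is the un-normalised form shown on the
    slides, so the ranks sum to the number of nodes rather than to 1.
    """
    nodes = sorted({n for edge in edges for n in edge})
    out_links = {n: [] for n in nodes}
    for src, dst in edges:
        out_links[src].append(dst)
    in_links = {n: [s for s in nodes if n in out_links[s]] for n in nodes}

    def d(node):
        if isinstance(damping, dict):
            return damping.get(node, 0.85)
        return damping

    rank = {n: 1.0 for n in nodes}
    for _ in range(iterations):
        new_rank = {}
        for n in nodes:
            incoming = sum(rank[t] / len(out_links[t]) for t in in_links[n])
            new_rank[n] = (1 - d(n)) + d(n) * incoming
        delta = max(abs(new_rank[n] - rank[n]) for n in nodes)
        rank = new_rank
        if delta < tol:
            break
    return rank


def top(rank, k=3):
    """Highest-ranked nodes first; ties broken by name for a stable order."""
    return sorted(rank, key=lambda n: (-rank[n], n))[:k]


if __name__ == "__main__":
    classic = pagerank(EDGES, 0.85)
    print(top(classic))            # FILESV01 and user1 lead: most shared links
    # Assumed: an account the HMM flagged gets d(A) = 0.95 instead of 0.85.
    weighted = pagerank(EDGES, {"user2": 0.95})
    print(classic["user2"], weighted["user2"])
```

With the constant damping factor the file server touched by three accounts ranks first and the account used on two hosts second, while the isolated da_admin/DC01 pair stays at exactly 1.0; changing d(A) for a single node moves only the component that node belongs to.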
Anomaly Detection of State Transition Using HMM
Logon state transitions are modeled as an HMM whose observations are the event IDs 4624, 4776, 4625, 4768 and 4769.
Predict the state from the event ID timeline. Detect sequences that do not transition through Stage 1 or Stage 2.
Stage0: Not logged on -> Stage1: Logon Attempt -> Stage2: Logged on

Predict using HMM

Normal Logon
ID     4768 4769 4769 4624 4769 4624 4624 4776 4624 4769 4769 4624
Stage     0    2    2    0    2    0    0    2    0    2    2    0

Pass-the-Ticket
ID     4624 4624 4624 4624 4769 4624 4624 4769 4624 4624 4624 4624
Stage     0    0    0    1    2    0    0    2    0    0    0    0

In the case of PtT, the sequence has not shifted to Stage 1.
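To make the state-transition check concrete, here is an added example (not LogonTracer's trained model or code) that decodes the hidden logon stage behind a sequence of Security event IDs with the Viterbi algorithm and flags sequences that reach Stage 2 without ever passing through Stage 1. The start, transition and emission probabilities are assumed illustrative values chosen so that a TGT request (4768) is read as a logon attempt and service-ticket requests (4769) and 4624 as "logged on", so the decoded stages need not match the numbers in the deck's tables.

```python
# Added example (not LogonTracer's own code): Viterbi decoding of the logon
# stage behind a sequence of Security event IDs, plus the Pass-the-Ticket style
# check "reached Stage 2 without ever visiting Stage 1". All probabilities below
# are assumed illustrative values, not a trained model.
import math

STAGES = ["Stage0 not logged on", "Stage1 logon attempt", "Stage2 logged on"]
EVENTS = [4625, 4768, 4776, 4769, 4624]  # failure, TGT req, NTLM auth, TGS req, success

START = [0.8, 0.1, 0.1]
TRANS = [  # rows: from stage, cols: to stage (assumed)
    [0.60, 0.35, 0.05],
    [0.10, 0.30, 0.60],
    [0.20, 0.10, 0.70],
]
EMIT = [  # rows: stage, cols: EVENTS order (assumed)
    [0.60, 0.10, 0.10, 0.10, 0.10],  # not logged on: mostly failures
    [0.10, 0.45, 0.35, 0.05, 0.05],  # attempt: TGT requests, NTLM validation
    [0.05, 0.05, 0.05, 0.45, 0.40],  # logged on: service tickets, 4624
]


def viterbi(event_ids):
    """Most likely stage index per observation, computed in log space."""
    obs = [EVENTS.index(e) for e in event_ids]
    n_states = len(STAGES)
    score = [[-math.inf] * n_states for _ in obs]
    back = [[0] * n_states for _ in obs]
    for s in range(n_states):
        score[0][s] = math.log(START[s]) + math.log(EMIT[s][obs[0]])
    for t in range(1, len(obs)):
        for s in range(n_states):
            best_prev = max(range(n_states),
                            key=lambda p: score[t - 1][p] + math.log(TRANS[p][s]))
            score[t][s] = (score[t - 1][best_prev] + math.log(TRANS[best_prev][s])
                           + math.log(EMIT[s][obs[t]]))
            back[t][s] = best_prev
    last = max(range(n_states), key=lambda s: score[-1][s])
    path = [last]
    for t in range(len(obs) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return path[::-1]


def missing_attempt_stage(event_ids):
    """True when the decoded path reaches Stage 2 without ever visiting Stage 1,
    i.e. the account looks logged on although no logon attempt was observed."""
    path = viterbi(event_ids)
    return 2 in path and 1 not in path


if __name__ == "__main__":
    for label, seq in [("normal", [4768, 4769, 4624]),
                       ("pass-the-ticket", [4769, 4624, 4624]),
                       ("failures only", [4625, 4625])]:
        print(label, viterbi(seq), "flagged" if missing_attempt_stage(seq) else "ok")
```

The Kerberos sequence 4768 -> 4769 -> 4624 decodes as attempt, logged on, logged on. A sequence that starts with a service-ticket request and successful logons but never shows a TGT request decodes straight into Stage 2 and is flagged, which is the behaviour the Pass-the-Ticket table above illustrates.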
Malicious Activity Search

Additional Event Log Search
All users: Visualize all users and hosts.
SYSTEM privileges: Visualize users with SYSTEM privileges.
NTLM Remote Logon: Visualize remote logon users and hosts that used NTLM authentication. If your environment does not normally use NTLM authentication, these logons may be pass-the-hash.
RDP Logon: Visualize RDP logon users and hosts (logon type 10).
Network Logon: Visualize users and hosts logging on from the network (logon type 3).
Batch Logon: Visualize batch (scheduled task) logons (logon type 4).
Service Logon: Visualize Service Control Manager logons (logon type 5).
ms14-068 exploit failure: Visualize the error events left by a failed MS14-068 exploit attempt.
Logon failure: Visualize failed logons.
Detect DCSync/DCShadow: Visualize events indicating DCSync or DCShadow activity.
Add/Delete Users: Visualize added or deleted users.
Domain Check: Visualize all domain names. If an attacker has intruded into the network, an unexpected domain name may appear.
Audit Policy Change: Visualize audit policy changes.
Diff Graph: Compare two days and view the events unique to each.
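As an added example (illustrative code, not LogonTracer's own search implementation), the Python below applies the logon-type and authentication-package categories from the search list above to a handful of constructed Security events. The field names follow the Windows 4624/4625/4672 event data (LogonType, AuthenticationPackageName, IpAddress, TargetUserName); the hosts, IP addresses and accounts are made up, and the ntlm_expected switch is an assumption that encodes the "if you do not normally use NTLM" caveat.

```python
# Added example (not LogonTracer's own code): bucket constructed Security events
# into the deck's "Additional Event Log Search" categories.

# Constructed sample events (hypothetical; not real log data). Field names match
# the Security event XML; "Computer" is the host that recorded the event.
SECURITY_EVENTS = [
    {"EventID": 4624, "TargetUserName": "user1", "Computer": "PC01",
     "LogonType": 2, "AuthenticationPackageName": "Kerberos", "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "user1", "Computer": "FILESV01",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "Computer": "FILESV01",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "TargetUserName": "da_admin", "Computer": "DC01",
     "LogonType": 10, "AuthenticationPackageName": "Negotiate", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "Computer": "FILESV01",
     "LogonType": 5, "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "task_runner", "Computer": "APP01",
     "LogonType": 4, "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
    {"EventID": 4625, "TargetUserName": "user2", "Computer": "PC01",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.11"},
    {"EventID": 4672, "TargetUserName": "da_admin", "Computer": "DC01"},
]

LOCAL_ADDRESSES = {"-", "127.0.0.1", "::1"}  # 4624 IpAddress values for local logons
LOGON_TYPE_CATEGORY = {10: "rdp logon", 3: "network logon", 4: "batch logon", 5: "service logon"}


def classify(events, ntlm_expected=True):
    """Return {category: set of (account, host)} for the search categories.

    4672 (special privileges assigned) feeds "system privileges", 4625 feeds
    "logon failure", and 4624 is split by LogonType. A 4624 from a remote
    address with AuthenticationPackageName NTLM is an "ntlm remote logon"; with
    ntlm_expected=False (assumed flag: the environment is Kerberos-only) it is
    also copied into "possible pass-the-hash", since that is what a passed hash
    looks like in the Security log.
    """
    cats = {k: set() for k in [
        "system privileges", "ntlm remote logon", "rdp logon", "network logon",
        "batch logon", "service logon", "logon failure", "possible pass-the-hash"]}
    for ev in events:
        key = (ev["TargetUserName"], ev["Computer"])
        eid = ev["EventID"]
        if eid == 4672:
            cats["system privileges"].add(key)
        elif eid == 4625:
            cats["logon failure"].add(key)
        elif eid == 4624:
            category = LOGON_TYPE_CATEGORY.get(ev["LogonType"])
            if category:
                cats[category].add(key)
            remote = ev["IpAddress"] not in LOCAL_ADDRESSES
            if remote and ev["AuthenticationPackageName"] == "NTLM":
                cats["ntlm remote logon"].add(key)
                if not ntlm_expected:
                    cats["possible pass-the-hash"].add(key)
    return cats


if __name__ == "__main__":
    for category, pairs in classify(SECURITY_EVENTS, ntlm_expected=False).items():
        print(f"{category:24s} {sorted(pairs)}")
```

Run against the sample, the service account's NTLM network logon to the file server is the only entry in "ntlm remote logon", and it is promoted to "possible pass-the-hash" only when the caller says NTLM is not expected; the interactive logon with IpAddress "-" never counts as remote.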
Diff Graph

Timeline
Anomaly detection score using ChangeFinder.

DEMONSTRATION

LogonTracer Released Timeline
Frequently Asked Feedback
Can I use LogonTracer for real-time AD log analysis?
LogonTracer is only used for #DFIR.
New Feature!
We released LogonTracer 1.5.
Main Feature: LogonTracer updated to support Elasticsearch.
LogonTracer + Elasticsearch
LogonTracer provides a real-time AD log analysis function using Elasticsearch.

AD Log Monitoring System (figure):
AD -> Winlogbeat -> Elasticsearch: event log
Elasticsearch -> LogonTracer (Neo4j): event log
LogonTracer -> Elasticsearch: analysis results
Elasticsearch -> Kibana: monitoring and visualization
Weak Point of LogonTracer
There is a limit to the size of the visualization. It is not realistic to visualize a month's or a year's worth of event logs with LogonTracer. Use the LogonTracer visualization at intervals such as a day or a few hours.
Monitoring Operation using LogonTracer
AD -> Winlogbeat -> Elasticsearch: event log (real-time)
Elasticsearch -> LogonTracer (Neo4j): event log (per day / per hour)
LogonTracer -> Elasticsearch: analysis results (per day / per hour)
Elasticsearch -> e-mail etc.: report (per day / per hour)
Kibana: visualization (as necessary)

Analyze logs daily or hourly.
Report daily or hourly.
Check the logs based on the report.

Kibana GUI (figure)
How to Use
Load from ES

DEMONSTRATION (v1.5)
Elasticsearch Query Samples

Search for top 10 user ranks:
curl -H "Content-Type: application/json" -XPOST 'localhost:9200/logontracer-user-index/_search?pretty' -d '{ "query": { "match_all": {} }, "size": 10, "sort": { "rank": { "order": "desc" } } }'

Search for policy changes and user add/del:
curl -H "Content-Type: application/json" -XPOST 'localhost:9200/logontracer-user-index/_search?pretty' -d '{ "query": { "match": { "status": "2020" } } }'

Search for admin user:
curl -H "Content-Type: application/json" -XPOST 'localhost:9200/logontracer-user-index/_search?pretty' -d '{ "query": { "match": { "rights": "system" } } }'
How to Use
LogonTracer Wiki: https://github.com/JPCERTCC/LogonTracer/wiki
Future Works
Add analysis functions for Sysmon and PowerShell logs.
Add detection functions for new attack methods.
We welcome your feedback and pull requests.
Thank you!

Contact
@jpcert_en
ir-info@jpcert.or.jp
PGP: https://www.jpcert.or.jp/english/pgp/
https://github.com/JPCERTCC/LogonTracer

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...[cb22] What I learned from the direct confrontation with the adversaries who ...
[cb22] What I learned from the direct confrontation with the adversaries who ...
 

Recently uploaded

Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝soniya singh
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfhenrik385807
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 
LANDMARKS AND MONUMENTS IN NIGERIA.pptx
LANDMARKS  AND MONUMENTS IN NIGERIA.pptxLANDMARKS  AND MONUMENTS IN NIGERIA.pptx
LANDMARKS AND MONUMENTS IN NIGERIA.pptxBasil Achie
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...NETWAYS
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrsaastr
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@vikas rana
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...NETWAYS
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfakankshagupta7348026
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )Pooja Nehwal
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...NETWAYS
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...NETWAYS
 

Recently uploaded (20)

Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
Call Girls in Sarojini Nagar Market Delhi 💯 Call Us 🔝8264348440🔝
 
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdfOpen Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
Open Source Strategy in Logistics 2015_Henrik Hankedvz-d-nl-log-conference.pdf
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 
LANDMARKS AND MONUMENTS IN NIGERIA.pptx
LANDMARKS  AND MONUMENTS IN NIGERIA.pptxLANDMARKS  AND MONUMENTS IN NIGERIA.pptx
LANDMARKS AND MONUMENTS IN NIGERIA.pptx
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
Open Source Camp Kubernetes 2024 | Running WebAssembly on Kubernetes by Alex ...
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStrSaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
SaaStr Workshop Wednesday w: Jason Lemkin, SaaStr
 
call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@call girls in delhi malviya nagar @9811711561@
call girls in delhi malviya nagar @9811711561@
 
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Vaishnavi 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Vaishnavi 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
OSCamp Kubernetes 2024 | SRE Challenges in Monolith to Microservices Shift at...
 
Motivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdfMotivation and Theory Maslow and Murray pdf
Motivation and Theory Maslow and Murray pdf
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
WhatsApp 📞 9892124323 ✅Call Girls In Juhu ( Mumbai )
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
Open Source Camp Kubernetes 2024 | Monitoring Kubernetes With Icinga by Eric ...
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
OSCamp Kubernetes 2024 | Zero-Touch OS-Infrastruktur für Container und Kubern...
 

[CB20] LogonTracer v1.5 + Elasticsearch = Real-time AD Log Analysis System by Shusei Tomonaga and Kota Kino

  • 1. Copyright ©2020 JPCERT/CC All rights reserved. LogonTracer + Elasticsearch = Real-time AD Log Analysis System. CODE BLUE 2020
  • 2. We released LogonTracer in 2018 (CODE BLUE 2018).
  • 3. Completed Works. Finished!
  • 4. LogonTracer Basic. Concept: LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs.
  • 5. Key Features: Visualizing Event Log, Malicious Account Ranking, Malicious Activity Search.
  • 6. Visualizing Event Log, Malicious Account Ranking, Malicious Activity Search.
  • 7. Visualizing Event Log
  • 8. Details of Visualization. Connect an account name and a host from the logon event IDs (figure: User1 -- Event ID 4624 -- Host -- Event ID 4625 -- User2). It is easy to check which account name was used to log on to a host.
  • 9. Check How Admin Account is Accessed from an Infected Host. Search for a specific account which has a transaction path to Domain Administrator.
  • 10. Check How Admin Account is Accessed from an Infected Host. Search the possible path to domain administrator from the infected host (figure: Malware infected host -> Host -> User -> Host -> Domain Admin). Possible to reach Domain Admin.
  • 11. Check How Admin Account is Accessed from an Infected Host. Possible to reach Domain Admin.
  • 12. Visualizing Event Log, Malicious Account Ranking, Malicious Activity Search.
  • 13. Malicious Account and Host Ranking: Account Ranking, Host Ranking.
  • 14. Rank using PageRank. PageRank is an algorithm used by Google Search to rank websites in their search engine results. Idea: important websites are cited by many websites, so their number of incoming links is large, and websites linked from websites with many links have high importance. $PR(A) = (1 - d) + d \sum_{i=1}^{n} \frac{PR(T_i)}{C(T_i)}$
  • 15. Important User!
  • 16. PageRank with Hidden Markov Model. Improve PageRank accuracy by using a Hidden Markov Model (HMM) in combination: $PR(A) = (1 - d(A)) + d(A) \sum_{i=1}^{n} \frac{PR(T_i)}{C(T_i)}$. What's HMM: the HMM is one of the most important machine learning models in speech and language processing. In this model the past state transitions are hidden states, and each observed event is modeled as the output of the current state.
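The ranking formula of slides 14 and 16 applied to a logon graph, as an added example that is not from the JPCERT/CC slides or LogonTracer's own code: the event records, account and host names are constructed, and the per-node damping d(A) of slide 16 is supplied as a plain dict rather than derived from an HMM as the deck describes.

```python
from collections import defaultdict

# Constructed sample events (event_id, account, host). 4624 = successful logon,
# 4625 = failed logon; both link the account to the host, as on slide 8.
SAMPLE_EVENTS = [
    (4624, "alice", "WS01"),
    (4624, "alice", "WS01"),
    (4624, "bob", "WS02"),
    (4624, "bob", "FILESRV"),
    (4625, "bob", "WS01"),
    (4624, "svc-backup", "FILESRV"),
    (4624, "svc-backup", "DC01"),
    (4624, "admin", "DC01"),
    (4624, "admin", "WS01"),
    (4624, "admin", "FILESRV"),
    (4624, "admin", "WS02"),
]

LOGON_EVENT_IDS = {4624, 4625}


def build_graph(events):
    """Undirected account<->host graph; each edge is stored in both directions."""
    links = defaultdict(set)
    for event_id, account, host in events:
        if event_id in LOGON_EVENT_IDS:
            links["user:" + account].add("host:" + host)
            links["host:" + host].add("user:" + account)
    return links


def pagerank(links, d=0.85, d_by_node=None, iterations=200, tol=1e-10):
    """PR(A) = (1 - d(A)) + d(A) * sum(PR(T) / C(T)) over neighbours T of A.

    C(T) is the number of links leaving T. With a constant d this is the
    slide 14 formula; d_by_node (assumed interface) overrides d for single
    nodes, which is the d(A) of slide 16 with the values supplied by hand."""
    d_by_node = d_by_node or {}
    nodes = list(links)
    pr = {n: 1.0 for n in nodes}
    for _ in range(iterations):
        new = {}
        for a in nodes:
            da = d_by_node.get(a, d)
            new[a] = (1 - da) + da * sum(pr[t] / len(links[t]) for t in links[a])
        delta = max(abs(new[n] - pr[n]) for n in nodes)
        pr = new
        if delta < tol:
            break
    return pr


def ranking(events, kind, d=0.85, d_by_node=None):
    """Account ('user') or host ('host') ranking, highest score first."""
    pr = pagerank(build_graph(events), d, d_by_node)
    prefix = kind + ":"
    scored = [(n[len(prefix):], s) for n, s in pr.items() if n.startswith(prefix)]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in ranking(SAMPLE_EVENTS, "user"):
        print(f"{name:12s} {score:.3f}")
```

With these events the account logging on to the most hosts (admin) ranks first, which is the "Important User" the deck points at on slide 15; in a real investigation that score is a prioritisation hint, not a verdict.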
  • 17. Anomaly Detection of State Transition Using HMM. Logon state transitions: Stage0 (Not logged on) -> Stage1 (Logon Attempt) -> Stage2 (Logged on). The HMM predicts the stage from the event ID timeline (4624, 4776, 4625, 4768, 4769) and detects timelines that do not transition to Stage 1 or 2.
  • 18. Anomaly Detection of State Transition Using HMM. Predict using HMM (Stage0: Not logged on, Stage1: Logon Attempt, Stage2: Logged on).
      Normal Logon
        ID:    4768 4769 4769 4624 4769 4624 4624 4776 4624 4769 4769 4624
        Stage:    0    2    2    0    2    0    0    2    0    2    2    0
      Pass-the-Ticket
        ID:    4624 4624 4624 4624 4769 4624 4624 4769 4624 4624 4624 4624
        Stage:    0    0    0    1    2    0    0    2    0    0    0    0
      In the case of PtT, it has not shifted to Stage 1.
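The stage decoding of slides 17 and 18 as an added example, not JPCERT/CC's code: a three-state HMM over the five event IDs, decoded with the Viterbi algorithm, plus the rule that a timeline never reaching Stage 1 or Stage 2 is flagged. The start, transition and emission probabilities are constructed for illustration (LogonTracer learns its own), so the decoded stages differ from the table on slide 18; the two event ID timelines are the ones from that slide.

```python
import math

STAGES = ("Stage0 Not logged on", "Stage1 Logon attempt", "Stage2 Logged on")
EVENT_IDS = (4624, 4625, 4768, 4769, 4776)

# Constructed model parameters (every row sums to 1). Stage1 is the only state
# that readily emits the pre-authentication events 4768 (TGT request) and 4776
# (NTLM validation); Stage2 mostly emits 4624 and 4769.
START = [0.7, 0.2, 0.1]
TRANS = [
    [0.5, 0.4, 0.1],  # from Stage0
    [0.2, 0.3, 0.5],  # from Stage1
    [0.1, 0.1, 0.8],  # from Stage2
]
EMIT = {
    #                        4624  4625  4768  4769  4776
    0: dict(zip(EVENT_IDS, (0.10, 0.50, 0.05, 0.30, 0.05))),
    1: dict(zip(EVENT_IDS, (0.05, 0.10, 0.45, 0.05, 0.35))),
    2: dict(zip(EVENT_IDS, (0.60, 0.01, 0.02, 0.35, 0.02))),
}


def viterbi(event_ids):
    """Most likely stage index (0, 1, 2) for each event in the timeline."""
    if not event_ids:
        return []
    n = len(STAGES)
    # Log-probabilities avoid underflow on long timelines.
    score = [math.log(START[s]) + math.log(EMIT[s][event_ids[0]]) for s in range(n)]
    back = []
    for eid in event_ids[1:]:
        new_score, new_back = [], []
        for s in range(n):
            best_prev = max(range(n), key=lambda p: score[p] + math.log(TRANS[p][s]))
            new_score.append(score[best_prev] + math.log(TRANS[best_prev][s])
                             + math.log(EMIT[s][eid]))
            new_back.append(best_prev)
        score, back = new_score, back + [new_back]
    state = max(range(n), key=lambda s: score[s])
    path = [state]
    for pointers in reversed(back):
        state = pointers[state]
        path.append(state)
    return path[::-1]


def missing_stages(path, required=(1, 2)):
    """Stages the decoded path never visits; slide 17's detection rule."""
    return {s for s in required if s not in path}


def is_anomalous(event_ids):
    return bool(missing_stages(viterbi(event_ids)))


# Event ID timelines taken from slide 18.
NORMAL_LOGON = [4768, 4769, 4769, 4624, 4769, 4624, 4624, 4776, 4624, 4769, 4769, 4624]
PASS_THE_TICKET = [4624, 4624, 4624, 4624, 4769, 4624, 4624, 4769, 4624, 4624, 4624, 4624]

if __name__ == "__main__":
    for label, timeline in (("Normal Logon", NORMAL_LOGON), ("Pass-the-Ticket", PASS_THE_TICKET)):
        path = viterbi(timeline)
        print(label, path, "missing:", missing_stages(path) or "none")
```

Under this constructed model the pass-the-ticket timeline decodes to Stage 2 throughout, so the missing Stage 1 (no 4768/4776 before the logons) is what trips the rule, which is the same reasoning the slide gives.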
  • 19. Visualizing Event Log, Malicious Account Ranking, Malicious Activity Search.
  • 20. Malicious Activity Search
  • 21. Additional Event Log Search:
      All users: Visualize all users and hosts.
      SYSTEM privileges: Visualize users with system privileges.
      NTLM Remote Logon: Visualize remote logon users and hosts using NTLM authentication. If the environment does not normally use NTLM authentication, it may be pass-the-hash.
      RDP Logon: Visualize RDP logon users and hosts (Logon type: 10).
      Network Logon: Visualize logon users and hosts from a remote network (Logon type: 3).
      Batch Logon: Visualize batch server logon (Logon type: 4).
      Service Logon: Visualize Service Control Manager logon (Logon type: 5).
      ms14-068 exploit failure: Visualize the error log showing that the ms14-068 exploit failed.
      Logon failure: Visualize failed logons.
      Detect DCSync/DCShadow: Visualize the detection logs for DCSync and DCShadow.
      Add/Delete Users: Visualize deleted or added user(s).
      Domain Check: Visualize all domain names. If an attacker has intruded into a network, there may be a malicious domain name.
      Audit Policy Change: Visualize changed audit policy.
      Diff Graph: Compare two days and view unique events.
  • 22. Additional Event Log Search (same list as slide 21).
  • 23. Diff Graph
  • 24. Diff Graph
  • 25. Timeline
  • 26. Timeline: anomaly detection score using Change Finder.
  • 27. DEMONSTRATION
  • 28. LogonTracer Released Timeline
  • 29. Frequently Asked Feedback: "Can I use LogonTracer for real-time AD log analysis?" LogonTracer is only used with #DFIR.
  • 30. New Feature!
  • 31. We have released LogonTracer 1.5. Main Feature: LogonTracer updated to support
  • 32. LogonTracer + Elasticsearch. LogonTracer provides a real-time AD log analysis function using Elasticsearch.
  • 33. LogonTracer + Elasticsearch (architecture diagram, "AD Log Monitoring System"). Components: AD, Winlogbeat, Elasticsearch, LogonTracer with Neo4j, Kibana. Labelled flows: AD event log -> Winlogbeat -> Elasticsearch; event log Elasticsearch -> LogonTracer (Neo4j); analysis results LogonTracer -> Elasticsearch; Elasticsearch -> Kibana for monitoring and visualization.
  • 34. Weak Point of LogonTracer. There is a limit to the size of a visualization: it is not realistic to visualize all the event logs of a month or a year with LogonTracer. Use LogonTracer visualization at intervals such as a day or a few hours.
  • 35. Monitoring Operation using LogonTracer (diagram of the AD Log Monitoring System). AD event log (real-time) -> Winlogbeat -> Elasticsearch; event log (/day /hour) -> LogonTracer (Neo4j); analysis results (/day /hour) -> Elasticsearch; report by e-mail etc. (/day /hour); Kibana visualization (as necessary). Analyze logs daily or hourly. Report daily or hourly. Check the logs based on the report.
  • 36. Monitoring Operation using LogonTracer: Kibana GUI
  • 37. How to Use: Load from ES
  • 38. DEMONSTRATION v1.5
  • 39. Elasticsearch Query Samples
      Search for top 10 user ranks:
        curl -H "Content-Type: application/json" -XPOST 'localhost:9200/logontracer-user-index/_search?pretty' -d '{ "query": { "match_all": {} }, "size": 10, "sort": { "rank": { "order": "desc" } } }'
      Search for policy changes and user add/del:
        curl -H "Content-Type: application/json" -XPOST 'localhost:9200/logontracer-user-index/_search?pretty' -d '{ "query": { "match": { "status": "2020" } } }'
      Search for admin user:
        curl -H "Content-Type: application/json" -XPOST 'localhost:9200/logontracer-user-index/_search?pretty' -d '{ "query": { "match": { "rights": "system" } } }'
  • 40. How to Use: LogonTracer Wiki https://github.com/JPCERTCC/LogonTracer/wiki
  • 41. Future Works: Add analysis function for Sysmon and PowerShell. Add detection function for new attack methods. We welcome your feedback and pull requests.
  • 42. Thank you! @jpcert_en ir-info@jpcert.or.jp PGP https://www.jpcert.or.jp/english/pgp/ Contact https://github.com/JPCERTCC/LogonTracer