
Thank you very much for the introduction, and thanks to everyone for coming to our presentation today. I'm Shusei Tomonaga. Our presentation today is about how to detect lateral movement using event logs, and we will show a demo of our tool. First of all, let me introduce ourselves. My name is Shusei Tomonaga. I have been working at JPCERT for five years. My primary responsibilities are malware analysis and DFIR. We have been publishing our analysis on our blog. We also develop some tools which are useful for malware analysis; these are available on GitHub. OK, so hello everybody. Hello? Thank you for the response. I'm Tomoaki Tani from JPCERT, and it's my first time here,
and I'm very, very excited to be here with you today. Thanks for giving us the opportunity to have a presentation here, thanks for attending, and thanks to all the staff and volunteers. And besides that... OK, let's give up on this. Thank you. OK, thanks. Shusei and I belong to the incident response group at JPCERT, and my primary responsibility is DFIR. OK, so does everyone know JPCERT? No? Thank you, thank you very much. Yeah, OK. I would like to speak a little bit about our group. Our group receives almost 10,000 incident reports every year and coordinates and cooperates with our partners to mitigate security incidents.

We also handle 20 to 30 APT incidents per year and put a lot of time and effort into them. Today's talk comes from the experience we collected from DFIR, and I hope it will help your DFIR and your studies. OK, before moving on to the main topic, I would like to talk about the current state of incident response, especially in APT cases. OK, as you know, when an incident happens, attackers intrude into the company's network and infect many hosts and servers with their malware using Windows default tools. In some cases the number of impacted hosts runs up to a hundred, and it takes months to reveal what happened there. OK, so
the importance of event log analysis in an APT case: event log analysis will be the key factor to identify the compromised hosts in the victim network. Why? A Windows Active Directory records all the logon histories to the event log, and we could chase the malicious activity from them. Many of the attackers tried to spread the malware and executed it remotely with AD authentication. OK, so what's the trend of malicious logon methods nowadays? Attackers use pass the ticket when spreading the infection to other hosts. Pass the ticket issues an unauthorized ticket that grants access to other hosts without additional authentication. A golden ticket is a ticket-granting ticket and a silver ticket
is a service ticket. So one question: does the Windows system record pass the ticket in the event log? Oh, thank you. So in the pass the ticket case the system records the same event in the event log as a standard logon, and to detect malicious logon from the event log we need new analysis techniques or new methods. So what's the best tool for event log analysis? Here I would like to discuss the options. Event Viewer could be the first option. Yeah, we could use Event Viewer, but maybe everyone knows it's a viewer, it's not an analyzer, so it's very painful to analyze with this. So the next option
is to export the event log to a text file and use grep or sed, and yeah, it's much better than the viewer, but it's still painful if we have a large data set to analyze; it's very difficult to analyze. OK, how about SIEM? SIEM is very useful to search logs; it has its own search language and the dashboard is very cool, so I love it. But yeah, it's not clear where to find the malicious logs. OK, so the problems of the conventional methods of analyzing event logs: there are three points. First, it is difficult to investigate with the default tools. Second, new techniques or new methods are required to
detect pass the ticket from the event logs. And finally, it's not clear where to find malicious logs. So today's goal is to propose a method of analyzing Active Directory event logs. OK, in this presentation we will introduce our approach to those challenges. So our approach is to investigate malicious Windows logon by visualizing and analyzing event logs. If we could support visualizing and analyzing event logs with tools, it will make it easier to find out malicious activities such as pass the ticket (PTT) or pass the hash (PTH). OK, so here's the agenda for today's presentation. First we will talk about event log visualization. Second, we will show the additional analysis of
the event log using several algorithms and techniques. Third, we will introduce our tool LogonTracer, and finally we would like to show the demonstration. OK, from here I would like to pass the mic to Shusei.

So from here we will introduce how to visualize and analyze the event log. How to visualize the event log: the event log has many events related to logon. The logon events contain account and host information. We analyze and visualize that information. Windows records various logon-related event IDs; there are about 20 logon events. For example, logon success is ID...
The answer is no. It is possible to detect malicious logon without monitoring all logon event IDs. In our research, we know that it is important to monitor just six event IDs. The highlighted event IDs are the events that we recommend to monitor, in relation to the success and failure of logon. NTLM and Kerberos authentication attempts are also important. The event log is not easy to use for analysts: the column names of event IDs are different for each event ID, and not all the event IDs have the same type of information. In order to analyze event logs, it is necessary to solve these problems. This figure is a simple pattern for visualizing the event log: by visualizing the event log, we extract the account
name and the host from the logon event IDs. Therefore it is easy to check which account name was used to log on to a host. This is an example of visualizing logon event IDs based on the previous concept.
The host and account ratio is one to one. This is an example of malicious logon; we can easily find out that many hosts were logged on to using lateral movement. If there are malicious attempts to many hosts from an account, the graph will be like this.
If you have good enough eyesight, you could find malicious logon from this figure, but most people will find it difficult to analyze this figure. From this result we learned that visualization is a good support for analyzing event logs but not a perfect solution. We realized another approach is needed to analyze the event log. Therefore we thought of the automatic analysis approach. It is difficult to analyze a lot of logs using visualization, but if we can automatically reveal suspicious accounts, analysis will be simpler. So we proposed a new method to automatically detect malicious logon. Next, let me introduce the method of automatically detecting malicious logon. In order to create an automatic detection
method, it is necessary to understand more about lateral movement. Through our experience in many cases of incident response, we found that attackers normally conduct lateral movement in the following steps. This figure introduces a flow of lateral movement. Attackers first infect a host with malware and collect information on the host. Next they collect information on the hosts and servers within the network, then spread the infection to other hosts. Then they discover confidential information using file servers and so on, and steal the documents and confidential files. This is an example of lateral movement steps, the commands executed by Tick. Tick is a cyber-espionage group known to target Japanese organizations such as government agencies as well as biotechnology,
electronics manufacturing, and industrial chemistry. In the initial investigation they first run the whoami command; next they use Mimikatz to create a golden ticket; then internal recon with the ipconfig command; after that they use the net command to map remote hosts; they execute files on the remote host with the copy and at commands; and finally they steal the data files.

From our experience of DFIR, there are three common features in lateral movement. First, attackers use not only malware but also Windows commands and legitimate tools. Next, they use the domain administrator account. Finally, they use the stolen account to log on repeatedly. Why is it the domain administrator account? There are two reasons. For example, it is possible to log on to all hosts and servers using the domain administrator account. The other reason is how the attacker takes over the domain administrator account. The most common method is exploiting the built-in administrator account. Many organizations use a common password for the administrator account to manage hosts; therefore, if they can steal one account from an infected host, they can easily access all hosts and servers. The
attacker uses lateral movement with one stolen password and account. As a result, a host that has been compromised by the attacker will be used for logon to many hosts with the same account. Logging on to many hosts with one account is a suspicious activity. We applied this feature to automatic detection. We applied the common features in lateral movement introduced earlier to automatic analysis. Specifically, in the visualized event log, we propose a method to automatically detect User A. So how can we automatically detect User A from this figure? There are several approaches to solve such tasks. We use network analysis to detect accounts that log on to many hosts. Network
analysis is the study of the properties of complex networks in various fields. Network analysis has two methods: clustering and centrality. Clustering is the task of grouping a set of objects in such a way that objects in the same group are more similar to each other than to those in other groups. We use the latter method, centrality. In network analysis, centrality indicates the most important vertices within a graph; in other words, it is a method of calculating which node is connected to the most nodes. There are many algorithms to calculate centrality. The most famous one is PageRank. PageRank is an algorithm used by Google search to rank websites in their search engine results. The idea of PageRank
is as follows: an important web page will be linked from many sites, so the number of links to the web page will be large; a web page linked from web pages with a large number of links has high importance. PageRank is also used for ranking things other than web pages. PageRank can be used for directed graphs such as an event log graph. The original PageRank algorithm was described by Brin and Page in several publications. We calculate centrality using this algorithm, but we found an issue: an account is ranked high even though only one host is connected to it. This issue is the same with other algorithms, not only PageRank. So we investigated a method to calculate the rank better. We solved the issue using this method: increase the
rank of important accounts by changing the damping factor for each account. The damping factor is the probability that an imaginary interactive user who is randomly clicking on links will virtually stop clicking; the probability, at any step, that the person will continue is the damping factor. Various studies have tested different values, but it is generally assumed that the damping factor will be set around 0.85. A method has been proposed to control the rank of a spam web page by adjusting the damping factor. We also use a method to control the ranking of accounts by controlling the damping factor. The point is that the change of the damping factor value for each account is defined by the following
formula, where D is the damping factor of page A. The next question is how to decide the damping factor. We dynamically calculate the damping factor from the following elements: account privilege, authentication type, anomaly detection of the logon event log timeline, and anomaly detection of the state transition of logon event logs. After this I will introduce them. The first element is account privilege: as I said earlier, the administrator account is used by the attacker; therefore it is better for the administrator account to rank higher. The second element is authentication type: if the attacker uses pass the hash, NTLM authentication is recorded, so if the account uses NTLM authentication for logon, the rank will be higher. The third element is anomaly detection of the logon
event log timeline: anomaly detection by counting the number of logon event logs in the timeline. For example, a large number of logon failures may be a brute-force attack. We use ChangeFinder for anomaly detection. ChangeFinder is a time-series change point detection algorithm that can detect change points in real time. The advantage of ChangeFinder is low computational complexity; therefore it is used for real-time anomaly detection. If ChangeFinder detects a timeline anomaly, the rank will be higher. Finally, anomaly detection of the state transition of logon event logs. Windows logon has three states: not logged on, logon attempt, and logged on. If it shifts from the not logged on state to logon attempt and finally
shifts to logged on, it is a normal logon. If it is a malicious logon, the state transition may become anomalous. In the case of a brute-force attack or pass the ticket, the state does not go through logon or logon attempt. We examined a method to detect anomalies in this state transition. So we proposed a method to detect anomalies in the state transition using machine learning. There are several machine learning algorithms to analyze state transitions. Recently, recurrent neural networks are mainstream in this field; however, a recurrent neural network has the problem of large computational complexity. Therefore we analyzed the event log using a hidden Markov model. The hidden Markov model is one of the most popular machine learning models in speech and language processing. This model is a state transition where the state
is a hidden state and the event is modeled from the output of the states. This figure is an example of the hidden Markov model. For example, a person's activities of walking, shopping, and cleaning: the activity to be conducted will depend on the weather of the day; however, the weather itself is not disclosed. When you only know the conducted activities, you guess the current weather. This is how a hidden Markov model works. We analyze the event log with a hidden Markov model: the events are the logon event IDs and the hidden states are not logged on, logon attempt, and logged on. We predict the state of the event ID timeline with the hidden Markov model. The hidden Markov model can
detect that it does not move to state one or two. So this is an example of analyzing the event log timeline with the hidden Markov model. A normal logon will move from state zero to one and finally move to state two, but in the case of pass the hash it has not shifted to state one. If this state transition anomaly is detected, the rank will be higher. We evaluated the method including this element. As a result of the evaluation, the method was capable of detecting accounts using pass the hash or pass the ticket by analyzing the event log. It is also possible to detect suspicious logon. However, there are cases which cannot be detected. The dynamic
damping factor has problems. False positives: if the built-in administrator account is used for all hosts and servers, the rank of the account will be higher. False negatives: if the attacker infected only one host, it is difficult to detect that activity. This is a future task.
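The per-account damping factor described above, worked through as an added example (not LogonTracer's own code): PageRank over a constructed account/host logon graph where the damping factor of each account is raised by the signals the talk lists. The signal weights are assumptions for illustration, not JPCERT's formula.

```python
"""Added example, not LogonTracer's code: PageRank with a per-account damping
factor raised by privilege, NTLM use and anomaly flags (assumed weights)."""
from collections import defaultdict

BASE_DAMPING = 0.85  # the usual PageRank value the talk mentions

# Constructed sample logon events: (account, host, is_privileged, auth_type).
# alice and svc_backup each log on to three hosts; the admin touches every host.
EVENTS = [
    ("alice", "PC01", False, "Kerberos"),
    ("alice", "PC02", False, "Kerberos"),
    ("alice", "PC03", False, "Kerberos"),
    ("svc_backup", "PC04", False, "NTLM"),
    ("svc_backup", "PC05", False, "NTLM"),
    ("svc_backup", "PC06", False, "NTLM"),
] + [("Administrator", h, True, "NTLM")
     for h in ("PC01", "PC02", "PC03", "PC04", "PC05", "PC06", "FS01")]


def damping_factor(privileged, auth_type, timeline_anomaly=False, hmm_anomaly=False):
    """Raise the damping factor for each suspicious signal (assumed weights)."""
    d = BASE_DAMPING
    if privileged:
        d += 0.05
    if auth_type == "NTLM":          # pass the hash leaves NTLM logons
        d += 0.05
    if timeline_anomaly:             # e.g. ChangeFinder flagged this account
        d += 0.02
    if hmm_anomaly:                  # e.g. HMM saw no "logon attempt" state
        d += 0.02
    return min(d, 0.99)


def build_graph(events):
    """Undirected account<->host graph and a damping factor per node."""
    adj = defaultdict(list)
    damping = {}
    for account, host, privileged, auth in events:
        if host not in adj[account]:
            adj[account].append(host)
            adj[host].append(account)
        damping[account] = max(damping.get(account, 0.0),
                               damping_factor(privileged, auth))
    for node in adj:
        damping.setdefault(node, BASE_DAMPING)  # hosts keep the default
    return adj, damping


def pagerank(adj, damping, iters=500, tol=1e-12):
    """PR(v) = (1 - d_v)/N + d_v * sum(PR(u)/deg(u) for u adjacent to v)."""
    n = len(adj)
    score = {v: 1.0 / n for v in adj}
    for _ in range(iters):
        new = {v: (1 - damping[v]) / n
               + damping[v] * sum(score[u] / len(adj[u]) for u in nbrs)
               for v, nbrs in adj.items()}
        delta = max(abs(new[v] - score[v]) for v in adj)
        score = new
        if delta < tol:
            break
    total = sum(score.values())      # normalise so the scores sum to 1
    return {v: s / total for v, s in score.items()}


def rank_accounts(events, dynamic=True):
    """Accounts sorted by rank; dynamic=False uses 0.85 for every node."""
    adj, damping = build_graph(events)
    if not dynamic:
        damping = {v: BASE_DAMPING for v in adj}
    scores = pagerank(adj, damping)
    accounts = {e[0] for e in events}
    return sorted(((a, scores[a]) for a in accounts), key=lambda t: -t[1])
```

With a fixed 0.85, alice and svc_backup tie because their subgraphs are identical; with the dynamic factor, the NTLM-only service account pulls ahead and the privileged account that touched every host ranks first.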
OK, thank you for introducing the core techniques and methods of LogonTracer, Shusei. So from here I would like to introduce our tool LogonTracer. LogonTracer is a tool to investigate malicious logon by visualizing and analyzing event logs, Windows Active Directory event logs. It's a Python-based analysis tool with a web GUI; we use Neo4j as the database and Cytoscape.js for visualization, and it's open source software, so it's developed on GitHub. We released the first version last November, and we released the latest version, 1.1, this August. OK, LogonTracer has four features. First is visualizing event logs; it makes it easier to understand what is happening in the
victim's network. Second is displaying important accounts and hosts, and this is a very cool feature; you can find suspicious accounts or hosts very quickly. Third is event log search, and it has preset search conditions for investigating Active Directory event logs, and it accelerates your log analysis. Fourth is the timeline; you can make the timeline table very quickly in this tool, and this feature will help your analysis and reporting. And this is the web GUI; I think it's very simple, everyone, what do you think? OK, I would like to introduce the interface. So the upper side is the search navigation bar, and you can set the search conditions here. The right side table is the rank of
the PageRank with dynamic damping factor; it's one of the most important parts of this GUI. The upper table here shows the suspicious account ranking and the lower one shows the suspicious host ranking, so the higher the rank, the more suspicious. You can find suspicious or important accounts from this table. On the left side you can do event log search, like preset search conditions; you can use the drop-down menu to search for account names matching specific criteria. Here's a list of the additional event log searches. These searches are very important when you investigate Active Directory logs in a real case; I really do these investigations and searches in DFIR. And here's the
interface for the timeline table. Here it shows a summary of the event log, and the number shows the count of the logs in each hour, and a colored cell shows the anomaly score, so the darker the color the cell has, the higher the anomaly score. And this is a timeline graph; this graph shows a specific user, and you could check the transition of the event log and anomaly score; the red line shows the anomaly score here. OK, let's move on to the demonstration from here. So we prepared a demo movie, and I would like to show how to use LogonTracer.

So the movie starts. OK, so first, how to start LogonTracer.
And yes, you can find how to start the web GUI. Here we run "start web application", so you can start the web application with the -r option, and now it's running on localhost over HTTP on port 8080. So access the URL from a web browser, and here's a page like this. If you click "all user" you could find all data here. The red box here shows the graph visualization panel, so you could customize the visualization here. And the right side, sorry, the top is the search navigation bar, so you could set the search conditions here; I'll explain it in more detail later. And the right side is
the rank of the PageRank with dynamic damping factor,
and the left box here is graph options, view options, so you could set the graph mode or you could change the link values here. And here's a drop-down menu for search, and yeah, it's kind of the preset search conditions here. OK, from here I would like to show a little bit about the details of the icon meanings. The blue one is a standard account, the red circle is a system privileged account, and the green one is an IP address or host. And the link detail, how to read the link: in this example the user is traced with a successful logon to the host, and yeah, it's very simple to read. So from here,
yeah, you could check the account detail by clicking the node like this. Yeah, you can find the name, the privilege status, the security ID, and you can search it by the user name with quick search, and you can find it. You can change the visualization; you can drag the node so you can clean up the panel. And yeah, you can find this account is very suspicious because this account is used for logon attempts to several hosts. And you could also search with the navigation bar: click search, so yeah, you can show the account from here, and also you could add accounts here; for example, here you can use a host or IP
address. So here it's adding an IP address
and clicking search, so yeah, you can find it here, and yeah, it looks very suspicious. And yeah, you could filter by event ID here, and if you only want to show two IDs you could change it like this. You could also export data to CSV or JSON or an image like PNG or JPEG. Here it's exporting PNG, so just click and you can download it and get the file, so you can use it for reporting.
And you could also search users from the right side; for example, here I will click the top one. Yes, so the top one is suspicious, so you can find the suspicious account used here. And also these hosts: you could click a host and you find it suspicious like this. And from here you could change the graph mode; the default is grid, but you could choose cose and show all users, so you can find that something is happening here; it's not a normal logon. And you could also use a graph mode like circle, so you could show the graph like a circle, and here you
can get the detail using the link. So in this example in the demonstration it's adding account and host names, so that's a little bit small, but you can find the authentication name and the user count here.
OK, and now checking with event ID again. And so the system privileged: yeah, so APT attackers often target the system privileged accounts, so you can check only the system privileged accounts from this button. And also you could check NTLM remote logon only, NTLM logons, to check for pass the hash. Also, check domain: which account belongs to which domain. This feature is useful when checking whether Mimikatz was used, because Mimikatz needs the domain name to be entered and sometimes attackers mistype it, make a typo, so you can find a suspicious domain from this feature. And from here it's showing the timetable,
and you could click "all" to show the timeline summary, and yeah, the colored cells show anomaly detection, so you can find something is happening on the 7th, Tuesday, here. And you could check all; so yeah, it's very simple, it's very easy to check the timeline because it's colored.
And also you could click the username to show the detail of the timeline, so you could find the count of each event ID, and here you can find anomaly detection like this. And
also you could add search conditions from here; you can compare accounts like this, so yep, you can find the upper one has anomaly detection on the 6th and the lower one has a separate anomaly detection on the 7th.
And you can switch the timeline mode from the timeline to the graph using the switch on the upper side, and you can search the specific user here, and yeah, here you can find the high anomaly score in the middle, and this score is caused by the suspicious Kerberos service ticket request, event ID 4769, here. So you can detect it; you can think that it's possibly pass the ticket here. And you can find the event log count here, and yes, this feature makes it easy to analyze a specific user, and you can quickly go back to the timeline summary. And yep, that's all for the demonstration.
OK, if you want to know more detail about LogonTracer, check out our wiki on GitHub. In this wiki you can find how to install LogonTracer, how to start it with Docker, and how to use it, from this QR code. Stop now. OK.
[Applause]