Graph Visualization for windows event logs

Epagneul is a tool to visualize and investigate Windows event logs.

Deployment

Requires docker and docker-compose to be installed.

Installing

make

Offline deployment

On a machine connected to internet, build an offline release:

make release

This will create a release folder containing ready-to-go docker images. Copy the project to your air-gapped machine, then run:

make load
make

This will install:

  • epagneul web UI (port 8080)
  • epagneul backend (port 8000)
  • neo4j (port 7474)

todos

  • Better SID correlations
  • Add edge tips
  • Label propagation algorithm
  • PageRank
  • Add missing event IDs (sysmon)
  • Proper conversion of known SIDs / security principals, …
  • Hidden Markov chains
  • Display a timeline of logons / at least a summary graph
  • Check out: https://github.com/ahmedkhlief/APT-Hunter
  • Import data from ELK / splunk
  • Detect communities using Louvain
  • Document the evtx filtering method using the event ID filter 3,4648,4624,4625,4672,4768,4769,4771,4776,4728,4732,4756
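As an added example (not Epagneul's own code), the event ID filter from the last item applied to Windows XML EventLog records of the kind the evtx parser emits: records outside the filter are dropped, and logon events (4624/4625) are aggregated into source-address to target-user edges with a count, which is the shape a logon graph needs. The records are constructed sample data, and the field names (TargetUserName, IpAddress) are the standard ones for those events.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Event IDs listed in the README's proposed evtx filter.
FILTER_IDS = {3, 4648, 4624, 4625, 4672, 4768, 4769, 4771, 4776, 4728, 4732, 4756}

# Namespace of the Windows XML EventLog schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one <Event> record."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data

def logon_edges(records):
    """Keep only events whose ID is in FILTER_IDS; for logon events (4624/4625)
    count (source address, target user, event id) edges."""
    edges = Counter()
    kept = 0
    for rec in records:
        eid, data = parse_event(rec)
        if eid not in FILTER_IDS:
            continue
        kept += 1
        if eid in (4624, 4625):
            edges[(data.get("IpAddress", "-"), data.get("TargetUserName", ""), eid)] += 1
    return kept, edges

def _event(eid, **fields):
    """Build a constructed <Event> record (sample data, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample: two successful logons, one failure, one event outside the filter.
SAMPLE = [
    _event(4624, TargetUserName="alice", IpAddress="10.0.0.5", LogonType="3"),
    _event(4624, TargetUserName="alice", IpAddress="10.0.0.5", LogonType="3"),
    _event(4625, TargetUserName="admin", IpAddress="10.0.0.9", LogonType="3"),
    _event(4688, NewProcessName="C:\\Windows\\notepad.exe"),  # 4688 is not in the filter
    _event(4672, SubjectUserName="alice"),
]

if __name__ == "__main__":
    kept, edges = logon_edges(SAMPLE)
    print(kept, dict(edges))  # 4 {('10.0.0.5', 'alice', 4624): 2, ('10.0.0.9', 'admin', 4625): 1}
```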

Known bugs

  • The count value on edges does not update based on the selected timeline

References

https://adsecurity.org/wp-content/uploads/2017/04/2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
https://github.com/JPCERTCC/LogonTracer

Built With

  • Vue.js – The web framework used
  • Cytoscape.js – Library used for graph visualisation and analysis
  • d3 – Used to display the timeline
  • neo4j – Backend database
  • evtx – Parser for the Windows XML EventLog format

Authors

  • jurelou – Initial work