epagneul v0.4.1 releases: visualize and investigate windows event logs

epagneul – visualize and investigate windows event logs

Changelog v0.4

Added

  • Observable: Windows groups
  • Relationships: TGT_DES_REQUEST, TGT_AES_REQUEST, TGT_RC4_REQUEST
  • Users ranking

Changed

  • Better management of Relationships and Observables
  • Edge labels are now more generic (instead of native Windows event codes)

Built With

  • Vue.js – The web framework used
  • Cytoscape.js – Library used for graph visualisation and analysis
  • d3 – Used to display the timeline
  • neo4j – Backend database
  • evtx – Parser for the Windows XML EventLog format

Deployment

Requires docker and docker-compose to be installed.

Installing

git clone https://github.com/jurelou/epagneul.git
make

Offline deployment

On a machine connected to the internet, build an offline release:

make release

This will create a release folder containing ready-to-go Docker images. Copy the project to your air-gapped machine then run:

make load
make

This will install:

  • epagneul web UI (port 8080)
  • epagneul backend (port 8000)
  • neo4j (port 7474)

When installing on a server, set VUE_APP_BASE_URL=http://<server name>:8000/api in your docker-compose.yaml so the web UI can reach the backend.

Todos

  • Better SID correlations
  • Add edge tips
  • Label propagation algorithm
  • PageRank
  • Add missing event IDs (sysmon)
  • Proper conversion of known SIDs / security principals, …
  • Hidden Markov chains
  • Display a timeline of logons / at least a summary graph
  • Check out: https://github.com/ahmedkhlief/APT-Hunter
  • Import data from ELK / Splunk
  • Detect communities using Louvain
  • Document evtx filtering method using filter 3,4648,4624,4625,4672,4768,4769,4771,4776,4728,4732,4756
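The last todo refers to pre-filtering exported events down to the IDs epagneul actually uses. As an added example (not part of the project), the script below filters JSON-lines records by that exact ID list; it assumes the record layout produced by `evtx_dump -o jsonl` (an `Event.System.EventID` member that is either a bare integer or an object with `#text` when the element carries attributes), and the sample lines are constructed, not real telemetry.

```python
import json
from typing import Iterable, Iterator, Optional

# Event IDs from the project's todo list (logon, Kerberos and group-membership events).
EPAGNEUL_EVENT_IDS = {3, 4648, 4624, 4625, 4672, 4768, 4769, 4771, 4776, 4728, 4732, 4756}


def event_id(record: dict) -> Optional[int]:
    """Return the EventID of one record (assumed evtx_dump JSONL layout:
    {"Event": {"System": {"EventID": ...}}}); EventID may be a bare int or an
    object with a "#text" member when attributes such as Qualifiers are present."""
    try:
        value = record["Event"]["System"]["EventID"]
    except (KeyError, TypeError):
        return None
    if isinstance(value, dict):
        value = value.get("#text")
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def filter_jsonl(lines: Iterable[str], wanted=EPAGNEUL_EVENT_IDS) -> Iterator[dict]:
    """Yield parsed records whose EventID is in `wanted`; malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event_id(record) in wanted:
            yield record


# Constructed sample lines (hypothetical, not real logs) in the assumed layout.
SAMPLE_JSONL = [
    '{"Event": {"System": {"EventID": 4624, "Channel": "Security"}, "EventData": {"TargetUserName": "alice"}}}',
    '{"Event": {"System": {"EventID": {"#text": 4768, "#attributes": {"Qualifiers": 0}}, "Channel": "Security"}}}',
    '{"Event": {"System": {"EventID": 7036, "Channel": "System"}}}',
    'not json at all',
    '{"Event": {"System": {"EventID": 3, "Channel": "Microsoft-Windows-Sysmon/Operational"}}}',
]


def kept_event_ids(lines=SAMPLE_JSONL) -> list:
    """IDs of the records that survive the filter, in input order."""
    return [event_id(r) for r in filter_jsonl(lines)]


if __name__ == "__main__":
    print(kept_event_ids())  # [4624, 4768, 3]
```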

Author: jurelou – Initial work

Source: https://github.com/jurelou/