epagneul v0.4.1 releases: visualize and investigate Windows event logs
epagneul – visualize and investigate Windows event logs
Changelog v0.4
Added
- Observable: Windows groups
- Relationships: TGT_DES_REQUEST, TGT_AES_REQUEST, TGT_RC4_REQUEST (Kerberos TGT requests split by the ticket encryption type negotiated)
- User ranking
Changed
- Better management of Relationships and Observables
- Edge labels are now more generic (instead of native Windows event IDs)
Built With
- Vue.js – The web framework used
- Cytoscape.js – Library used for graph visualisation and analysis
- d3 – Used to display the timeline
- neo4j – Backend database
- evtx – Parser for the Windows XML EventLog (.evtx) format
Deployment
Requires Docker and docker-compose to be installed.
Installing
git clone https://github.com/jurelou/epagneul.git
make
Offline deployment
On a machine connected to the internet, build an offline release:
make release
This will create a release folder containing ready-to-go Docker images. Copy the project to your air-gapped machine, then run:
make load
make
This will install:
- epagneul web UI (port 8080)
- epagneul backend API (port 8000)
- neo4j (port 7474)
When installing on a server rather than on your own workstation, set VUE_APP_BASE_URL=http://<server name>:8000/api in your docker-compose.yaml: the web UI runs in the analyst's browser, so the browser (not the container) must be able to reach the backend at that address. Keep in mind that the Neo4j browser (7474) and the backend API (8000) are reachable by anyone who can reach those ports, and that the ingested event logs contain account names, hosts and logon activity; on a shared network, restrict both ports with a firewall or bind them to localhost in docker-compose.yaml and reach them through the UI or an SSH tunnel.
todos
- Better SID correlations
- add edge tips
- Label propagation algorithm
- PageRank
- Add missing event IDs (Sysmon)
- Proper conversion of well-known SIDs / security principals, …
- hidden Markov models
- Display a timeline of logons / at least a summary graph
- check out: https://github.com/ahmedkhlief/APT-Hunter
- Import data from ELK / Splunk
- detect communities using Louvain
- Document the evtx filtering method (event IDs 3, 4648, 4624, 4625, 4672, 4768, 4769, 4771, 4776, 4728, 4732, 4756)
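The filtering method is still undocumented, and the page does not show how the TGT_DES_REQUEST / TGT_AES_REQUEST / TGT_RC4_REQUEST relationships from the changelog are derived. The following is an added example, not epagneul's own code, that does both over the JSON-lines output of `evtx_dump -o jsonl <file.evtx>` (the evtx crate's CLI): it keeps only the event IDs from the filter list above and labels each 4768 record by the encryption family of its TicketEncryptionType, using the codes Microsoft documents for event 4768 (0x1/0x3 DES, 0x11/0x12 AES, 0x17/0x18 RC4). Assumptions: the record layout (fields under Event.System and Event.EventData, hex values as "0x.." strings, classic event IDs as a {"#attributes", "#text"} object) is what evtx_dump emits; ID 3 is taken to be Sysmon's network-connection event; the sample records are constructed.

```python
"""Pre-filter evtx_dump JSON-lines output to the event IDs epagneul consumes
and label 4768 TGT requests by ticket encryption family.

Added example, not epagneul's code. Assumes the record layout produced by
`evtx_dump -o jsonl <file.evtx>`; the sample records below are constructed.
"""
import json
import sys
from typing import Iterable, Iterator, Optional

# Event IDs from the filter list in the epagneul todo. 3 is assumed to be
# Sysmon's network-connection event (it lives in the Sysmon channel).
EPAGNEUL_EVENT_IDS = frozenset(
    {3, 4648, 4624, 4625, 4672, 4768, 4769, 4771, 4776, 4728, 4732, 4756}
)

# TicketEncryptionType values documented for Security event 4768.
ENCRYPTION_FAMILY = {
    0x01: "DES",   # DES-CBC-CRC
    0x03: "DES",   # DES-CBC-MD5
    0x11: "AES",   # AES128-CTS-HMAC-SHA1-96
    0x12: "AES",   # AES256-CTS-HMAC-SHA1-96
    0x17: "RC4",   # RC4-HMAC
    0x18: "RC4",   # RC4-HMAC-EXP
}


def _to_int(value) -> Optional[int]:
    """Accept ints, decimal strings and the '0x..' hex strings evtx_dump emits."""
    if isinstance(value, dict):      # classic events: {"#attributes": {...}, "#text": 4624}
        value = value.get("#text")
    if value is None:
        return None
    if isinstance(value, int):
        return value
    try:
        return int(str(value), 0)    # base 0 handles both "4768" and "0x12"
    except ValueError:
        return None


def event_id(record: dict) -> Optional[int]:
    return _to_int(record.get("Event", {}).get("System", {}).get("EventID"))


def classify_tgt_request(record: dict) -> Optional[str]:
    """Map a 4768 record to TGT_DES_REQUEST / TGT_AES_REQUEST / TGT_RC4_REQUEST.

    Returns None for non-4768 events and for unknown encryption types,
    including the 0xFFFFFFFF the DC logs on failed requests.
    """
    if event_id(record) != 4768:
        return None
    etype = _to_int(record["Event"].get("EventData", {}).get("TicketEncryptionType"))
    family = ENCRYPTION_FAMILY.get(etype)
    return f"TGT_{family}_REQUEST" if family else None


def filter_records(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only records whose ID is in the filter list; skip blank/bad lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event_id(record) in EPAGNEUL_EVENT_IDS:
            yield record


def summarize(lines: Iterable[str]) -> dict:
    """Count kept events per ID and collect (user, relationship) for TGT requests."""
    counts, tgt = {}, []
    for record in filter_records(lines):
        eid = event_id(record)
        counts[eid] = counts.get(eid, 0) + 1
        label = classify_tgt_request(record)
        if label:
            tgt.append((record["Event"].get("EventData", {}).get("TargetUserName", "?"), label))
    return {"counts": counts, "tgt": tgt}


# Constructed sample in the evtx_dump jsonl shape: an RC4 and an AES TGT
# request, a classic-style 4624, and a 4688 that the filter must drop.
SAMPLE_JSONL = "\n".join([
    json.dumps({"Event": {"System": {"EventID": 4768, "Computer": "DC01.lab.local"},
                          "EventData": {"TargetUserName": "alice", "TicketEncryptionType": "0x17"}}}),
    json.dumps({"Event": {"System": {"EventID": 4768, "Computer": "DC01.lab.local"},
                          "EventData": {"TargetUserName": "bob", "TicketEncryptionType": "0x12"}}}),
    json.dumps({"Event": {"System": {"EventID": {"#attributes": {"Qualifiers": 0}, "#text": 4624}},
                          "EventData": {"TargetUserName": "alice", "LogonType": "3"}}}),
    json.dumps({"Event": {"System": {"EventID": 4688},
                          "EventData": {"NewProcessName": r"C:\Windows\System32\cmd.exe"}}}),
])


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            print(summarize(fh))
    else:
        print(summarize(SAMPLE_JSONL.splitlines()))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `evtx_dump -o jsonl Security.evtx > sec.jsonl && python filter_evtx.py sec.jsonl` (both names assumed); the RC4 and DES labels are the ones worth ranking first in an investigation, since a TGT negotiated with RC4 or DES from a host that otherwise uses AES points at a legacy client or at tooling that forces a downgrade.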
Author: jurelou (initial work)
Source: https://github.com/jurelou/