Epagneul is a tool to visualize and investigate windows event logs

epagneul

Deployment

Requires docker and docker-compose to be installed.

Installing

make

Offline deployment

On a machine connected to internet, build an offline release:

make release

This will create a release folder containing ready to go docker images. Copy the project to your air gapped machine then run:

make load
make

This will install:

• epagneul web UI (port 8080)
• epagneul backend (port 8000)
• neo4j (port 7474)

When installing on a server, you need to modify VUE_APP_BASE_URL=http:// :8000/api in your docker-compose.yaml.

todos

• Better SID corelations
• add edge tips
• Label propagation algorithm
• PageRank
• Add missing events IDs (sysmon)
• Proper conversion of known SIDS / security principals, ...
• hidden markov chains
• Display a timeline of logons / at least a summary graph
• check out: https://github.com/ahmedkhlief/APT-Hunter
• Import data from ELK / splunk
• detect communities using louvain
• Document evtx filtering method using filter 3,4648,4624,4625,4672,4768,4769,4771,4776,4728,4732,4756

Known bugs

• The count value on edges does not update based on the selected timeline

References:

• https://adsecurity.org/wp-content/uploads/2017/04/2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
• https://github.com/JPCERTCC/LogonTracer

Built With

• Vue.js - The web framework used
• Cytoscape.js - Library used for graph visualisation and analysis
• d3 - Used to display the timeline
• neo4j - Backend database
• evtx - Parser for the windows XML EventLog format

Authors

• jurelou - Initial work - jurelou