During DFIR investigations, pinpointing active user sessions at a specific time is critical. Inspired by Mohammed Hasan’s incredible LogonSessionAuditor, Raj Upadhyay has taken it a step further by building a Flask-based web app for even smoother log analysis!
Key Features:
- Upload & analyze EVTX logs directly from your browser
- Instantly filter out service accounts for cleaner results
- Extract logon & logoff events (4624, 4634, 4647) effortlessly
- View session data in a sortable, searchable table
- Export results as CSV for easy reporting
- Standalone EXE available, no Python setup required!
This tool makes Windows log analysis incredibly accessible. Just set a time, and it instantly shows all active sessions at that moment!
GitHub: https://lnkd.in/dJ7uBViV
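The core of the "who was active at time T" view is pairing each 4624 logon with the first later 4634/4647 logoff that carries the same Logon ID, dropping service accounts, and then testing whether a session spans the chosen instant. The following is an added illustration written for this post, not code from the LogonSessionAuditor project; the event records are constructed sample data, and the service-account markers (SYSTEM, SERVICE, UMFD-, DWM-, trailing `$`) are an assumed filter list.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
# Constructed sample records (timestamp, EventID, TargetLogonId, TargetUserName, LogonType);
# 0x3e7 is the SYSTEM logon and UMFD-0 is a service-style account.
SAMPLE_EVENTS = [
    ("2024-03-01 08:00:00", 4624, "0x3e7",   "SYSTEM", 5),
    ("2024-03-01 08:15:00", 4624, "0x1a2b3", "alice",  2),
    ("2024-03-01 08:20:00", 4624, "0x1a2b4", "UMFD-0", 5),
    ("2024-03-01 09:00:00", 4624, "0x5c6d7", "bob",    10),
    ("2024-03-01 09:30:00", 4647, "0x1a2b3", "alice",  2),   # user-initiated logoff
    ("2024-03-01 11:00:00", 4634, "0x5c6d7", "bob",    10),  # session terminated
    ("2024-03-01 11:05:00", 4634, "0x9f9f9", "carol",  3),   # logon happened before the log window
]
SERVICE_MARKERS = ("SYSTEM", "SERVICE", "UMFD-", "DWM-")  # assumed filter list

@dataclass
class Session:
    logon_id: str
    account: str
    logon_type: int
    start: datetime
    end: Optional[datetime]  # None: no logoff seen, still open at the end of the log

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
def is_service_account(name):
    n = name.upper()  # computer accounts end in '$'; well-known service accounts match a marker
    return n.endswith("$") or any(m in n for m in SERVICE_MARKERS)

def build_sessions(events, drop_service=True):
    # Pair each 4624 with the first later 4634/4647 that carries the same Logon ID.
    open_sessions, closed = {}, []
    for ts, eid, logon_id, account, ltype in sorted(events, key=lambda e: e[0]):
        if eid == 4624:
            if drop_service and is_service_account(account):
                continue
            open_sessions[logon_id] = Session(logon_id, account, ltype, _ts(ts), None)
        elif eid in (4634, 4647):
            sess = open_sessions.pop(logon_id, None)
            if sess is None:
                continue  # logoff without a matching logon in the collected window
            sess.end = _ts(ts)
            closed.append(sess)
    return sorted(closed + list(open_sessions.values()), key=lambda s: s.start)

def active_at(sessions, when):
    # Accounts whose session spans `when`; a session with no logoff counts as still active.
    t = _ts(when)
    return sorted(s.account for s in sessions if s.start <= t and (s.end is None or t < s.end))
```

Note that a 4634/4647 with no matching 4624 (carol above) is skipped rather than guessed at, and a logon with no logoff stays open, which is exactly the case an investigator should double-check against a later 4634 or a reboot.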
Practice Verified Codes and Commands:
1. Extracting Logon Events (4624) from EVTX:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Export-Csv -Path "LogonEvents.csv"
2. Filtering Service Accounts:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object { $_.Properties[5].Value -notmatch "SERVICE" } | Export-Csv -Path "FilteredLogonEvents.csv"   # Properties[5] is TargetUserName in a 4624 record
3. Extracting Logoff Events (4634, 4647):
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4634,4647} | Export-Csv -Path "LogoffEvents.csv"
4. Running the Web-Based LogonSessionAuditor:
python app.py
5. Converting Python Script to EXE:
pyinstaller --onefile app.py
What Undercode Say:
The Web-Based LogonSessionAuditor is a significant leap forward in DFIR investigations, particularly for Windows log analysis. By leveraging Flask, Raj Upadhyay has made it easier for cybersecurity professionals to analyze EVTX logs without the need for complex setups. The ability to filter service accounts and extract specific logon/logoff events (4624, 4634, 4647) is invaluable for incident response and threat hunting. The tool’s export functionality to CSV further enhances its utility, making it a must-have for any DFIR toolkit.
For those looking to dive deeper into Windows log analysis, here are some additional commands and tools that can complement the LogonSessionAuditor:
1. Analyzing Event Logs with PowerShell:
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 } | Format-Table -Property TimeCreated, Message
2. Using Log Parser for Advanced Queries:
logparser.exe "SELECT * FROM Security WHERE EventID=4624" -i:EVT -o:CSV
3. Sysinternals Tools for Log Analysis:
psloggedon.exe -l
4. Linux Commands for Log Analysis (if dealing with cross-platform logs):
grep "session opened" /var/log/auth.log
5. Automating Log Analysis with Python:
import pandas as pd
logs = pd.read_csv('LogonEvents.csv')   # the column name below must match the header of the exported CSV
filtered_logs = logs[~logs['Account'].str.contains('SERVICE')]   # drop rows whose account name contains SERVICE
filtered_logs.to_csv('FilteredLogonEvents.csv', index=False)
For further reading and resources, consider visiting the following URLs:
– Windows Security Log Events
– Sysinternals Tools
– Python for Cybersecurity
The Web-Based LogonSessionAuditor not only simplifies log analysis but also opens up new possibilities for automation and integration with other tools. Its standalone EXE version ensures that even those without Python expertise can benefit from its features. This tool is a testament to the power of open-source collaboration in advancing cybersecurity practices.