-
Notifications
You must be signed in to change notification settings - Fork 3
Workflow
You feed it with plaso events and it gives you an interactive lateral movement graph. Easy. This graph can be used to quickly obtain information about layout of the network, which machines accessed which other machines and which machine has which users. And of course you can filter it by specific time periods.
Eccemotus can be used in three ways. It can be used as a stand alone tool, as a library, or as a library integrated to some other tool (timesketch).
You are provided with a command line console and a simple web server. Firs you need data in one of two formats:
- Plaso events serialized to json_line format (can be obtained by psort.py -o json_line).
- Plaso events at elasticsearch index. To load files like this, you need to specify an elasticsearch address and port as well as indices you want to query.
Then you can produce a graph. Graph is serialized to json in a not very memory friendly way, however this should not be a problem. Last think is to visualize the graph. Web interface does all those steps for you. In command line interface you need to generate a directory with all necessary javascript/html. This is done by render sub-command. Note that the render sub-command needs a graph not in json, but in pure javascript. Graph like this is created with --javascript flag.
In timesketch you have just need to click on a button, wait and click one more time. That's it.
This options is relevant if you want to integrate Eccemotus into your own tool. In that case please check timesketche or eccemotus_web.py or contact me. Important file is eccemotus_lib.py. You want to create a Data generator (ElasticDataGenerator or FileDataGenerator) and create a graph out of them (GetGraph). Then you need to show the graph. For this use lateral-map.js. It is a javascript module written in d3.