rayyan-umair/AD-Audit

GitHub: rayyan-umair/AD-Audit

Stars: 0 | Forks: 0

# What it does

* Kerberos ticket abuse profiles
* privilege escalation chains
* ACL and group membership drift alerts
* domain dominance attempt narratives
* explainable 5W+H investigation context
* SIEMulate privilege enrichment handshakes

Every detection becomes a **human-readable identity threat narrative**:

### Instead of raw event log entries:

```
EventID 4769 - Kerberos Service Ticket Request - RC4 - MSSQLSvc/db01.corp.local
EventID 4728 - Member Added to Security-Enabled Global Group - Domain Admins
```

### You get:

* WHO triggered it (user + privilege level + risk score)
* WHAT happened (plain-English detection summary)
* WHERE it came from (source host + target DC)
* WHEN it happened (timestamp + chain context)
* WHY it matters (exact Event ID logic and escalation reason)
* HOW to respond (isolation recommendation + SIEMulate ingest link)

No SIEM complexity. No raw Event ID hunting. No manual correlation.

# System Overview

## Collector

The Windows-side ingestion layer. Handles:

* Windows Security Event Log tailing via pywin32 and WMI
* EVTX XML export fallback mode for offline analysis
* PowerShell-based event channel export (alternative collector)
* Event ID normalisation into universal schema
* ZeroMQ publishing to the Brain

No analysis. No storage. No intelligence.

## Brain

The intelligence layer.
Handles:

# Core Concept

It treats them as:

# Universal Event Schema

Every collected Windows event becomes:

```json
{
  "event_id_win": "4769",
  "event_uuid": "uuid",
  "timestamp": "UTC ISO8601",
  "source_host": "WKSTN-04",
  "domain": "corp.local",
  "actor": {
    "username": "jsmith",
    "domain": "CORP",
    "is_admin": false,
    "privilege_level": "standard"
  },
  "target": {
    "username": null,
    "group": "Domain Admins",
    "service_spn": "MSSQLSvc/db01.corp.local",
    "host": "DC01"
  },
  "logon": {
    "type": 3,
    "type_name": "Network",
    "auth_package": "NTLM"
  },
  "kerberos": {
    "ticket_type": "ST",
    "encryption_type": "RC4",
    "encryption_code": "0x17",
    "service_name": "MSSQLSvc/db01.corp.local"
  },
  "raw_payload": {}
}
```

# Quick Start

## 1. Install Dependencies

```bash
pip install -r requirements.txt
```

## 2. Configure

```bash
cp brain/.env.example brain/.env
# Set DOMAIN_CONTROLLER_IP and DOMAIN_CONTROLLER_NAME
```

## 3. Start the Brain

```bash
cd brain
python main.py
```

## 4. Start the Collector (Windows only - requires admin)

```powershell
cd collector
python collector.py
```

Or use the PowerShell fallback:

```powershell
.\powershell\export_events.ps1
```

# The Four Detection Engines

# 5W+H Investigation Engine

Every detection is transformed into:

# SIEMulate Privilege Handshake

```json
{
  "actor": "jsmith",
  "is_admin": true,
  "privilege_level": "domain_admin",
  "critical_groups": ["Domain Admins"],
  "detection_type": "AD-002",
  "risk_score": 9.2
}
```

SIEMulate uses this to instantly upgrade any existing alert involving that account to a Critical Isolation Event, regardless of what the original alert severity was. A low-priority brute force alert becomes a CRITICAL chain the moment AD-Audit confirms the account holds domain-wide keys.
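
As an added example that is not part of this repository, the following hypothetical Python normaliser maps the two raw events quoted earlier (4769 and 4728, using their Windows EventData field names) onto the universal schema and derives the SIEMulate handshake when the added member lands in a critical group. The CRITICAL_GROUPS list, the constructed sample events, and the detection type and risk score passed in are assumptions.

```python
import uuid
from datetime import datetime, timezone

# TicketEncryptionType codes logged in Event 4769; 0x17 is RC4-HMAC, the weak type.
ENCRYPTION_TYPES = {"0x17": "RC4", "0x11": "AES128", "0x12": "AES256"}
# Groups whose membership marks an account as domain-admin level (assumed list).
CRITICAL_GROUPS = {"Domain Admins", "Enterprise Admins"}

def _cn(name):  # 'CN=jsmith,CN=Users,...' or 'jsmith@CORP.LOCAL' -> 'jsmith'
    return name.split(",")[0].removeprefix("CN=").split("@")[0]

def normalise(raw, observed_at):
    """Map a raw Windows event (dict of EventData fields) onto the universal schema."""
    event_id = str(raw["EventID"])
    stamp = observed_at.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    spn, enc = raw.get("ServiceName"), raw.get("TicketEncryptionType")
    if event_id == "4769":   # the requesting account is TargetUserName in 4769
        actor, member, group = _cn(raw["TargetUserName"]), None, None
    else:                    # 4728: Subject performs the add, MemberName is the account added
        actor, member, group = raw["SubjectUserName"], _cn(raw["MemberName"]), raw["TargetUserName"]
    return {
        "event_id_win": event_id,
        "event_uuid": str(uuid.uuid4()),
        "timestamp": stamp,                                  # UTC is mandatory everywhere
        "source_host": raw.get("Computer", ""),
        "domain": raw.get("Domain", ""),
        "actor": {"username": actor, "domain": raw.get("SubjectDomainName") or raw.get("TargetDomainName", ""),
                  "is_admin": False, "privilege_level": "standard"},
        "target": {"username": member, "group": group, "service_spn": spn, "host": raw.get("TargetHost")},
        "logon": {"type": raw.get("LogonType"), "type_name": None, "auth_package": None},
        "kerberos": {"ticket_type": "ST" if event_id == "4769" else None, "service_name": spn,
                     "encryption_type": ENCRYPTION_TYPES.get(enc), "encryption_code": enc},
        "raw_payload": raw,
    }

def privilege_handshake(event, detection_type, risk_score):
    """Build the SIEMulate handshake when a member is added to a critical group, else None."""
    group, member = event["target"]["group"], event["target"]["username"]
    if event["event_id_win"] != "4728" or group not in CRITICAL_GROUPS:
        return None
    return {"actor": member, "is_admin": True, "privilege_level": "domain_admin",
            "critical_groups": [group], "detection_type": detection_type, "risk_score": risk_score}

# Constructed sample events mirroring the two raw log lines shown in this README.
OBSERVED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_4769 = {"EventID": 4769, "Computer": "DC01", "Domain": "corp.local", "TargetDomainName": "CORP.LOCAL",
               "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "MSSQLSvc/db01.corp.local", "TicketEncryptionType": "0x17"}
SAMPLE_4728 = {"EventID": 4728, "Computer": "DC01", "Domain": "corp.local", "SubjectUserName": "Administrator",
               "SubjectDomainName": "CORP", "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=local", "TargetUserName": "Domain Admins"}
```

The 4769 event alone yields no handshake; only the 4728 event, whose added member ends up in Domain Admins, produces the enrichment record.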
# Domain State Snapshot

On every group change event it:

# Entity Intelligence

* authentication timeline
* group membership history
* Kerberos ticket request history
* privilege level classification
* risk score with time decay
* behavior flags (kerberoasting_target, acl_drift, lateral_movement, domain_dominance)

# AI Layer (Optional)

AI is NOT required. When enabled it acts as:

It can:

* explain Kerberoasting in plain English for junior analysts
* summarise privilege escalation chains
* generate incident reports
* suggest remediation steps

Supported providers:

* Local LLMs (Ollama / llama.cpp)
* OpenAI, Gemini, Groq
* Disabled mode (fully offline)

# NetRaptor Ecosystem

It feeds privileged identity context to:

* **SIEMulate** - detection intelligence engine (port 8002)
* **TalonResponse** - incident response terminal

And receives behavioral context from:

* **LogClaw** - authentication log events (port 8000)
* **PacketStrike** - network behavior context (port 8001)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Part of the NetRaptor ecosystem.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

# Hard Constraints

* Collector performs ingestion only - no analysis
* Brain performs all intelligence - no collection
* ZeroMQ is the transport layer between them
* UTC is mandatory everywhere
* Events must remain schema-compliant
* Domain snapshot diffs are immutable - deletions are flagged, not erased

# Legal Notice

Only use it on Active Directory environments you own or are explicitly authorized to monitor. Unauthorized access to Windows Event Logs or Active Directory structures may be illegal in your jurisdiction. The author accepts no liability for misuse.