Overview
LastLog-Audit is a zero-dependency Python parser for the binary
/var/log/lastlog database on Linux systems. It extracts the most recent
login timestamp, terminal, and originating host for every UID, enabling security
teams to identify stale accounts, detect credential abuse, and support forensic
triage during incident response.
Stale and dormant accounts are a persistent blind spot in enterprise environments. Adversaries routinely leverage forgotten local accounts for initial access (T1078) and persistence, knowing these credentials often escape rotation policies and active monitoring. LastLog-Audit makes this exposure immediately visible.
Quick Start
# Parse lastlog with usernames
$ sudo python3 LastLogAudit.py -u
# Parse wtmp (full login/logout history)
$ python3 LastLogAudit.py --wtmp /var/log/wtmp
# Parse auth.log (SSH successes/failures + sudo)
$ python3 LastLogAudit.py --auth-log /var/log/auth.log
# Cross-reference all 3 sources
$ python3 LastLogAudit.py -f /var/log/lastlog --wtmp /var/log/wtmp --auth-log /var/log/auth.log --correlate
Parameters
| Parameter | Description |
|---|---|
-f / --file | Path to lastlog binary (default: /var/log/lastlog) |
--wtmp | Parse wtmp binary for full login/logout history |
--auth-log | Parse auth.log for SSH events and sudo commands |
--correlate | Cross-reference lastlog + wtmp + auth.log (requires all three) |
-u / --include-username | Resolve UIDs to usernames (lastlog mode only) |
-d / --display | Output format: table or line |
-e / --export | Export to file |
-F / --export-format | csv or txt |
MITRE ATT&CK Mapping
| ID | Technique | Relevance |
|---|---|---|
T1078 |
Valid Accounts | Surfaces accounts with recent login activity indicating potential credential abuse. |
T1078.003 |
Local Accounts | Dormant local accounts with unexpected recent logins are high-fidelity indicators. |
T1136 |
Create Account | New UIDs with no lastlog record may indicate adversary-created accounts. |
T1070.006 |
Timestomp | Active accounts with zeroed lastlog records suggest evidence destruction. |
T1021 |
Remote Services | Hostname/IP fields reveal the origin of SSH and remote authentications. |
T1531 |
Account Access Removal | Missing records relative to a baseline may indicate passwd or lastlog tampering. |
Training Lab
9 pre-built lastlog scenarios in samples/ for hands-on forensic training.
Analyze offline without root access. Use as SOC analyst exercises, DFIR training, or CTF challenges.
| Scenario | Key Indicators | MITRE |
|---|---|---|
clean_server | Baseline: internal IPs, business hours | - |
compromised | Root from Tor exit, dormant account reactivated | T1078, T1021 |
timestomped | Root record zeroed, future timestamp | T1070.006 |
apt_cozy_bear | 9-month dwell, rotating C2, business hours | APT29 |
apt_lazarus | Rapid multi-account, single C2, NK hours | APT38 |
insider_threat | 2-3 AM access from home IP | Insider |
brute_force | 5 accounts + root, same IP, 13 minutes | T1110 |
supply_chain | CI/CD service accounts from GCP IPs | T1195 |
pentest_engagement | 10.10.14.x, methodical privesc chain | Red team |
# Analyze an APT29 scenario
$ python3 LastLogAudit.py --file samples/apt_cozy_bear.lastlog
[+] 7 login record(s) parsed
Terminal From Last Login
----------------------------------------------------------------
pts/0 10.0.1.50 2026-03-25 10:15:00
pts/3 193.29.56.122 2025-06-14 09:32:00
pts/3 91.219.236.18 2025-09-03 10:47:00
pts/3 5.45.65.52 2025-12-11 11:05:00
pts/3 45.133.1.71 2026-03-22 09:58:00
Forensic Learning Lab
Interactive training module: explore the binary structure of lastlog records at the byte level, compare the same compromise across all 3 log sources, and test your IOC detection skills.
Requirements
Python 3.7 or later. Standard library only, no external dependencies.
Read access to /var/log/lastlog (requires root or adm group membership).
License
Released under the GNU Affero General Public License v3.0.