CtrlK

Sum UAL

How to Leverage User Access Logging for Forensic Investigationscrowdstrike.com

Windows User Access Logs (UAL)Medium

What Is?

Forensic Value:

File Location:

Parse Data:

Considerations:

DC vs Desktop:

User logs into DC and user logs into workstation. UAL from DC.

Secretsdump and LLMMNR poisoning:

These techniques are NOT captured in the UAL.

Wmiexec IS captured:

If wmiexec is used against the DC it is captured as SMB from a loop back address.

Example:

Analysis Tips:

Anti-Forensics:

Deleting databases
Disabling databases

PreviousEvidence of Execution NextOffice Apps Forensics

Last updated 10 months ago