Sum UAL

What Is?

Forensic Value:

File Location:

Parse Data:

Considerations:

DC vs Desktop:

User logs into DC and user logs into workstation. UAL from DC.

Administrator=DC and subaru=desktop

Secretsdump and LLMNR poisoning:

These techniques are NOT captured in the UAL.

Wmiexec IS captured:

If wmiexec is used against the DC, it is captured as SMB access from a loopback address.
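An added defender-side example, not part of the original page: it takes rows as a UAL parser would export from the CLIENTS table to CSV (the column names, role names and sample values are assumptions for this example) and flags File Server (SMB) entries whose client address is loopback, the artifact the wmiexec pattern above leaves because its command output is redirected through the local ADMIN$ share.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the shape a UAL parser exports from the CLIENTS
# table; column names, role names and values are assumptions for this example.
SAMPLE_UAL_CSV = """\
RoleName,Address,Username,InsertDate,LastAccess,TotalAccesses
File Server,10.0.0.25,CORP\\wkstn-user,2024-03-01 09:12:44,2024-03-01 17:40:10,41
File Server,127.0.0.1,CORP\\Administrator,2024-03-02 02:13:05,2024-03-02 02:13:07,3
Active Directory Domain Services,10.0.0.25,CORP\\wkstn-user,2024-03-01 09:12:40,2024-03-01 09:12:40,1
File Server,::1,CORP\\Administrator,2024-03-02 02:15:30,2024-03-02 02:15:31,1
File Server,fe80::1,CORP\\svc-backup,2024-03-02 03:00:00,2024-03-02 03:00:05,2
"""


def is_loopback(address: str) -> bool:
    """True for 127.0.0.0/8 or ::1; malformed or empty addresses are never loopback."""
    try:
        return ipaddress.ip_address(address.strip()).is_loopback
    except ValueError:
        return False


def find_loopback_smb_access(csv_text: str, smb_role: str = "File Server") -> list[dict]:
    """Return CLIENTS rows where the SMB (File Server) role was reached from loopback.

    Link-local, private and public client addresses are normal remote SMB use and
    are left alone; only loopback sources are surfaced for review.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        row for row in reader
        if row["RoleName"] == smb_role and is_loopback(row["Address"])
    ]


def summarize(hits: list[dict]) -> list[str]:
    """One review line per hit: when, who, from which address, how many accesses."""
    return [
        f"{h['LastAccess']} {h['Username']} via {h['Address']} ({h['TotalAccesses']} accesses)"
        for h in hits
    ]


if __name__ == "__main__":
    for line in summarize(find_loopback_smb_access(SAMPLE_UAL_CSV)):
        print(line)
```

A loopback File Server entry is a lead, not proof of wmiexec: corroborate it with the host's event logs and the UAL entries for the same account and day before drawing a conclusion.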

Example:

Analysis Tips:

Anti-Forensics:

  • Deleting databases

  • Disabling databases
