search

Sum UAL

LogoHow to Leverage User Access Logging for Forensic InvestigationsCrowdStrike.comchevron-right
LogoWindows User Access Logs (UAL)Mediumchevron-right

hashtag

hashtag
What Is?

hashtag
Forensic Value:

hashtag
File Location:

hashtag
Parse Data:

hashtag
Considerations:

hashtag
DC vs Desktop:

User logs into DC and user logs into workstation. UAL from DC.

Administrator=DC and subaru=desktop

hashtag
Secretsdump and LLMMNR poisoning:

These techniques are NOT captured in the UAL.

hashtag
Wmiexec IS captured:

If wmiexec is used against the DC it is captured as SMB from a loop back address.

hashtag
Example:

hashtag
Analysis Tips:

hashtag
Anti-Forensics:

  • Deleting databases

  • Disabling databases

PreviousEvidence of ExecutionNextOffice Apps Forensics

Last updated