Sum UAL
What Is?
Forensic Value:
File Location:
Parse Data:
Considerations:
DC vs Desktop:
A user logs into the DC and a user logs into a workstation. The UAL is from the DC.

Secretsdump and LLMNR poisoning:
These techniques are NOT captured in the UAL.
Wmiexec IS captured:
If wmiexec is used against the DC, it is captured as SMB from a loopback address.

Example:
Analysis Tips:
Anti-Forensics:
Deleting databases
Disabling databases