Networking
- Networking
Windows
Linux
Enterprise Architecture
Mac
- Forensics
  - Page 3
Attacker Information
IR Playbook
- Activity from Unmanaged Host
- Recommendations
Reverse Engineering
- Python - Pyinstaller

Powered by GitBook

On this page

What Is?
Forensic Value:
File Location:
Parse Data:
Considerations:
Example:
Analysis Tips:
Anti-Forensics:

Windows

Forensics

Evidence of Execution

Sum UAL

PreviousEvidence of Execution NextOffice Apps Forensics

Last updated 3 months ago

What Is?

Forensic Value:

File Location:

Parse Data:

Considerations:

DC vs Desktop:

User logs into DC and user logs into workstation. UAL from DC.

Secretsdump and LLMMNR poisoning:

These techniques are NOT captured in the UAL.

Wmiexec IS captured:

If wmiexec is used against the DC it is captured as SMB from a loop back address.

Example:

Analysis Tips:

Anti-Forensics:

Deleting databases
Disabling databases

How to Leverage User Access Logging for Forensic Investigationscrowdstrike.com

Windows User Access Logs (UAL)Medium