UAL

Shows potential lateral movement to servers with UAL logging (all servers).

How to Leverage User Access Logging for Forensic InvestigationsCrowdStrike.com

File Location:

• C:\Windows\System32\LogFiles\Sum

Parsing Data

#Parse DB directory
SumECmd.exe -d F:\Tools\Investigation\logs\ --csv F:\Tools\Investigation\logs\logs1

#repair dirty DB files
esentutl.exe /p Current.mdb
esentutl.exe /p SystemIdentity.mdb
esentutl.exe /p GUID.mdb

Considerations

Detail_Clients_Output

• Sever of the UAL logs will be server the clients are connecting to.

• Artifact will show lateral movement of known compromised account.

• Shows list of authenticated user names and what they auth'd to.

• Shows total accesses and last accessed by user and Role GUID.

• Source IP addresses and client names.

Anti-Forensics

• Delete logs

• Logs last for to 3 years