# UAL

{% embed url="https://www.crowdstrike.com/blog/user-access-logging-ual-overview/" %}

File Location (the ESE databases `Current.mdb`, `SystemIdentity.mdb` and one GUID-named `.mdb` per archived year):

* C:\Windows\System32\LogFiles\Sum

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2Fv113ruiYZO1DnCpBYZo1%2Fimage.png?alt=media&#x26;token=3eebc7d3-6261-4077-b385-e2af6dad927f" alt=""><figcaption></figcaption></figure>

### Parsing Data

<pre class="language-powershell"><code class="lang-powershell"># Parse every .mdb in the directory with SumECmd and write one CSV per table to the --csv directory
SumECmd.exe -d F:\Tools\Investigation\logs\ --csv F:\Tools\Investigation\logs\logs1

# If SumECmd complains that a database is dirty (not cleanly shut down), repair it first.
# esentutl /p is a hard repair that can discard pages: run it on copies, never on the original evidence.
esentutl.exe /p Current.mdb
esentutl.exe /p SystemIdentity.mdb
esentutl.exe /p GUID.mdb    # one GUID-named .mdb per archived year; repeat for each
</code></pre>
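The two commands above as one collect-check-repair-parse pass, added here as an example; it is not code from the page or from SumECmd. All paths are assumptions to adjust, and the check it adds is `esentutl /mh`, which dumps the ESE header (including `State: Dirty Shutdown` / `State: Clean Shutdown`) so that only copies that actually need the lossy `/p` repair get it:

```powershell
# Added example, not from the original page: copy the UAL databases off an evidence
# volume, repair only the copies whose ESE header reports a dirty shutdown, then parse
# the directory with SumECmd. Every path below is an assumption; adjust to your case.
$Source  = 'E:\Windows\System32\LogFiles\Sum'   # assumed: mounted evidence volume (E:)
$Work    = 'F:\Tools\Investigation\logs'         # working copies; esentutl /p never touches $Source
$OutCsv  = Join-Path $Work 'logs1'
$SumECmd = 'F:\Tools\SumECmd.exe'                 # assumed location of SumECmd.exe

New-Item -ItemType Directory -Force -Path $Work, $OutCsv | Out-Null

# Copy Current.mdb, SystemIdentity.mdb and the GUID-named yearly databases, logging sizes
# and write times: a long-running server with no yearly databases is itself worth noting.
$dbs = Get-ChildItem -Path $Source -Filter '*.mdb'
foreach ($db in $dbs) {
    Copy-Item -Path $db.FullName -Destination $Work -Force
    '{0,-45} {1,12:N0} bytes  last written {2:u}' -f $db.Name, $db.Length, $db.LastWriteTimeUtc
}
$yearly = $dbs | Where-Object { $_.BaseName -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' }
if (-not $yearly) {
    Write-Warning 'No GUID-named yearly databases found; check whether prior-year data was removed.'
}

# Repair only what needs it. esentutl /mh prints the header; /p is a hard repair that can
# drop pages, so it stays confined to the working copies. Run this on a Windows host whose
# esentutl is the same or a newer version than the server that wrote the databases.
foreach ($db in Get-ChildItem -Path $Work -Filter '*.mdb') {
    $header = (& esentutl.exe /mh $db.FullName 2>&1) -join "`n"
    if ($header -match 'State:\s*Dirty Shutdown') {
        Write-Host "Dirty shutdown: repairing $($db.Name)"
        & esentutl.exe /p $db.FullName     # /p asks for interactive confirmation before repairing
        if ($LASTEXITCODE -ne 0) { Write-Warning "esentutl /p failed on $($db.Name) (exit $LASTEXITCODE)" }
    } else {
        Write-Host "Clean shutdown: $($db.Name)"
    }
}

# Parse the whole directory; SumECmd writes one CSV per table (Clients, Roles, DNS, ...) into --csv.
& $SumECmd -d $Work --csv $OutCsv
Get-ChildItem -Path $OutCsv -Filter '*.csv' | Select-Object Name, Length, LastWriteTime
```

Keeping the originals untouched matters because `/p` is not reversible: if the repair loses rows you can always go back to the pristine copy, but not if you repaired the evidence in place.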

### Considerations

**Detail\_Clients\_Output**

* UAL is written by the server side: the host whose Sum directory you parsed is the server the clients connected to, not the client itself.
* This makes the artifact useful for tracing lateral movement of a known compromised account: every server it authenticated to records the account, the source address and the role (service) used.
* Lists authenticated user names and what they authenticated to.
* Total accesses, the date the entry was first inserted and the last access time, per user and Role GUID (the GUID-to-role mapping lives in `SystemIdentity.mdb`).
* Source IP addresses and client (host) names.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FcFlRySah664Q2TP7ZhLG%2Fimage.png?alt=media&#x26;token=4dfd7ab7-6db6-48c0-8a0c-47400b0d4b76" alt=""><figcaption></figcaption></figure>
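An added example of the triage the bullets above describe, not code from the page or from SumECmd: take the Clients CSV, pull every row for a known compromised account, and separate the source addresses it was seen from before the incident window from the ones that first appear inside it. The column names (`AuthenticatedUserName`, `Address`, `ClientName`, `RoleDescription`, `TotalAccesses`, `InsertDate`, `LastAccess`) are an assumption modelled on the fields listed above; check the header of your own output and adjust. The rows are constructed for the example, as are the account name and incident date:

```powershell
# Added example, not from the original page: triage SumECmd's Clients CSV for one
# known compromised account. Column names are assumptions; verify against your header.
$Compromised   = 'CORP\jsmith'            # assumed: the account known to be compromised
$IncidentStart = [datetime]'2024-03-13'   # assumed: start of the incident window

# Constructed sample rows standing in for the real *_SumECmd_DETAIL_Clients_Output.csv.
# For a real case replace $rows with:
#   $rows = Import-Csv (Get-ChildItem 'F:\Tools\Investigation\logs\logs1' -Filter '*Clients*.csv' | Select-Object -First 1).FullName
$sample = @'
AuthenticatedUserName,Address,ClientName,RoleDescription,TotalAccesses,InsertDate,LastAccess
CORP\jsmith,10.10.5.21,WS-FIN-07,File Server,412,2024-01-03 08:12:00,2024-03-14 17:45:10
CORP\jsmith,10.10.9.77,,File Server,3,2024-03-14 02:11:32,2024-03-14 02:40:05
CORP\jsmith,10.10.9.77,,Remote Desktop Services,1,2024-03-14 02:12:10,2024-03-14 02:12:10
CORP\svc-backup,10.10.1.5,BK01,File Server,9000,2024-01-01 00:05:00,2024-03-15 00:05:00
'@
$rows = $sample | ConvertFrom-Csv

# Every entry for the account, with the counters and timestamps typed so they sort correctly.
# InsertDate is when the user/source/role entry was first created, i.e. first seen.
$hits = $rows | Where-Object { $_.AuthenticatedUserName -eq $Compromised } |
    Select-Object AuthenticatedUserName, Address, ClientName, RoleDescription,
        @{ n = 'TotalAccesses'; e = { [int]$_.TotalAccesses } },
        @{ n = 'FirstSeen';     e = { [datetime]$_.InsertDate } },
        @{ n = 'LastSeen';      e = { [datetime]$_.LastAccess } }

# Baseline = addresses the account used before the incident window; anything else is new.
$baseline = $hits | Where-Object { $_.FirstSeen -lt $IncidentStart } |
    Select-Object -ExpandProperty Address -Unique
$new = $hits | Where-Object { $_.FirstSeen -ge $IncidentStart -and $baseline -notcontains $_.Address }

"Known-good source addresses for ${Compromised}: $($baseline -join ', ')"
"New source addresses for $Compromised since $($IncidentStart.ToString('yyyy-MM-dd')):"
$new | Sort-Object FirstSeen |
    Format-Table Address, ClientName, RoleDescription, TotalAccesses, FirstSeen, LastSeen -AutoSize

# One line per source address: which roles it touched and when, for the timeline.
$hits | Group-Object Address | ForEach-Object {
    $sorted = $_.Group | Sort-Object FirstSeen
    [pscustomobject]@{
        Address   = $_.Name
        Roles     = ($_.Group.RoleDescription | Sort-Object -Unique) -join '; '
        Accesses  = ($_.Group | Measure-Object TotalAccesses -Sum).Sum
        FirstSeen = $sorted[0].FirstSeen
        LastSeen  = ($_.Group | Sort-Object LastSeen)[-1].LastSeen
    }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

On the constructed rows the only new address is `10.10.9.77`, with no client name, three file-server accesses and a single Remote Desktop Services hit at 02:12, which is the pattern to chase on that host next. Remember the file you are reading belongs to the server: to follow the account further you repeat this on the Sum directory of each host it reached.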

### Anti-Forensics

* Delete the `.mdb` files in the Sum directory. The service keeps them open, so the attacker typically has to stop the service or script the deletion for the next boot; a long-running server with no GUID-named yearly databases is itself a sign that something was removed.
* Logs are retained for up to 3 years (`Current.mdb` plus the archived yearly databases), so UAL often still holds activity that the Security event log rolled over long ago.
