UAL

Shows potential lateral movement to servers with UAL logging (all servers).

How to Leverage User Access Logging for Forensic Investigationscrowdstrike.com

File Location:

C:\Windows\System32\LogFiles\Sum

Parsing Data

#Parse DB directory
SumECmd.exe -d F:\Tools\Investigation\logs\ --csv F:\Tools\Investigation\logs\logs1

#repair dirty DB files
esentutl.exe /p Current.mdb
esentutl.exe /p SystemIdentity.mdb
esentutl.exe /p GUID.mdb

Considerations

Detail_Clients_Output

Sever of the UAL logs will be server the clients are connecting to.
Artifact will show lateral movement of known compromised account.
Shows list of authenticated user names and what they auth'd to.
Shows total accesses and last accessed by user and Role GUID.
Source IP addresses and client names.

Anti-Forensics

Delete logs
Logs last for to 3 years

PreviousNetwork Logs NextPage 1

Last updated 9 months ago