User Access Logging (UAL)


Last updated 1 year ago

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on artefacts.help.

Overview

Location: %SystemRoot%\System32\Logfiles\SUM\ folder.

Yields information related to user access and activity. On Domain Controllers, yields information on sessions opened on domain-joined computers (if the given DC was reached for authentication or Group Policy retrieval).

User Access Logging (UAL) is a feature introduced, and enabled by default, in Windows Server 2012 that consolidates data on client activity. Among other information, user access to specific Windows Server roles (such as Active Directory Domain Services on a Domain Controller) is logged by the UAL. The specific activity that triggers an entry to be logged for a given role is not documented.

The information is stored locally in up to five Extensible Storage Engine (ESE) database files (.mdb):

  • Current.mdb, which contains data for the last 24 hours.

  • Up to three <GUID>.mdb files, each containing data for an entire year (first to last day), going back two years. The data in the Current.mdb database is copied each day to the <GUID>.mdb database corresponding to the current year.

  • Systemidentity.mdb, which contains metadata on the local server, including a mapping between role GUIDs and role names.

Historical data going back to 2 years (2020 as of 2022) may thus be retrieved in the UAL database files.

Information of interest

The CLIENTS table of the aforementioned database files contains several pieces of information of interest:

  • Accessed Windows Server role GUID and description. Among others, the following roles can be encountered:

    • Active Directory Domain Services (GUID: ad495fc3-0eaa-413d-ba7d-8b13fa7ec598).

    • File Server (GUID: 10a9226f-50ee-49d8-a393-9a501d47ce04).

    • Active Directory Certificate Services (GUID: c50fcc83-bc8d-4df5-8a3d-89d7f80f074b).

  • The client domain and username.

  • Total number of accesses.

  • First, last, and daily access timestamps.

  • Client IPv4 or IPv6 address. On Domain Controllers, the hostname associated with the IP address at that time may be retrievable, as the machine accounts of domain-joined computers also authenticate against AD DS (and thus appear in the CLIENTS table as <HOSTNAME>$ entries from that IP address).

Each entry in the CLIENTS table is a unique combination of a Windows Server role, a client domain / username, and a source IP address.

The DNS table of the aforementioned database files contains information about DNS resolutions: hostname, associated IP address, and timestamp of the last resolution.
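As an added example (not code from InfoSec-Notes or from any UAL tool), the script below post-processes CLIENTS table rows once they have been exported, for instance as CSV by one of the parsers described under Parsing: it resolves the role GUIDs listed above, recovers hostnames from the machine-account entries of a Domain Controller, and lists the accounts first seen on or after a cutoff date. The CSV column names and the sample rows are constructed assumptions, to be mapped to the header the parser actually emits.

```python
import csv
from datetime import datetime

# Role GUIDs listed on this page, mapped to the role they describe.
ROLE_NAMES = {
    "ad495fc3-0eaa-413d-ba7d-8b13fa7ec598": "Active Directory Domain Services",
    "10a9226f-50ee-49d8-a393-9a501d47ce04": "File Server",
    "c50fcc83-bc8d-4df5-8a3d-89d7f80f074b": "Active Directory Certificate Services",
}

# Constructed sample export of a DC's CLIENTS table: one row per (role, user, source IP).
# Column names are an assumption; map them to the header your parser actually emits.
SAMPLE_CSV = """RoleGuid,User,Address,TotalAccesses,InsertDate
ad495fc3-0eaa-413d-ba7d-8b13fa7ec598,CORP\\alice,10.0.0.21,40,2022-03-01 08:02:11
ad495fc3-0eaa-413d-ba7d-8b13fa7ec598,CORP\\WS01$,10.0.0.21,55,2022-03-01 07:58:40
10a9226f-50ee-49d8-a393-9a501d47ce04,CORP\\alice,10.0.0.21,12,2022-03-02 09:10:00
ad495fc3-0eaa-413d-ba7d-8b13fa7ec598,CORP\\svc_backup,10.0.0.77,3,2022-03-15 02:14:09
ad495fc3-0eaa-413d-ba7d-8b13fa7ec598,CORP\\bob,10.0.0.77,2,2022-03-15 02:31:55
ad495fc3-0eaa-413d-ba7d-8b13fa7ec598,CORP\\bob,10.0.0.33,90,2022-01-10 08:00:00
"""


def parse_clients(text):
    """Turn exported rows into dicts with the role GUID resolved and the first-access time parsed."""
    rows = []
    for r in csv.DictReader(text.splitlines()):
        rows.append({
            "role": ROLE_NAMES.get(r["RoleGuid"].lower(), r["RoleGuid"]),
            "user": r["User"],
            "address": r["Address"],
            "total": int(r["TotalAccesses"]),
            "first": datetime.strptime(r["InsertDate"], "%Y-%m-%d %H:%M:%S"),
        })
    return rows


def address_to_hostnames(rows):
    """On a DC, machine accounts (NAME$) seen from an IP tell which host held that address."""
    hosts = {}
    for r in rows:
        if r["user"].endswith("$"):
            hosts.setdefault(r["address"], set()).add(r["user"].split("\\")[-1][:-1])
    return hosts


def first_seen_after(rows, cutoff):
    """Accounts whose earliest access to any role is on or after cutoff (e.g. a suspected intrusion date)."""
    first = {}
    for r in rows:
        first[r["user"]] = min(first.get(r["user"], r["first"]), r["first"])
    return sorted(user for user, ts in first.items() if ts >= cutoff)
```

Because each CLIENTS entry is unique per (role, user, IP), an account's real first appearance on the server is the minimum InsertDate across all of its entries, which is what first_seen_after computes.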

Parsing

Live forensics

The PowerShell cmdlets of the UserAccessLogging module can be used to retrieve UAL data on a live system:

# Enumerates the roles installed on the system.
Get-UalOverview

# Retrieves UAL data for user access (data stored in the CLIENTS table).
Get-UalUserAccess

# Retrieves UAL data for client access by device for a given service, ordered by date (data stored in the CLIENTS table).
# The cmdlet returns the date on which the client accessed the service and how many times it accessed the service during that day.
Get-UalDailyAccess

# Retrieves information on DNS resolutions (data stored in the DNS table).
Get-UalDns

Triaged UAL database files

A direct copy of the UAL database files is not possible as the files are locked due to continued access. The files should be copied through a volume shadow copy or using utilities implementing raw disk reads (such as Velociraptor or RawCopy).

# Example of low level file copy bypassing file locking using RawCopy.
RawCopy64.exe /FileNamePath:"<C:\Windows\System32\LogFiles\Sum\Current.mdb | UAL_DB_FILE>" /OutputPath:"<OUTPUT_DIRECTORY>"

As the copied databases will not be in a "clean state", the database files will have to be repaired. This can be accomplished using the esentutl utility:

# The following commands should be executed in the directory containing the UAL database files.
# /r replays the ESE transaction logs; its argument is the three-character base name of the
# log files present in the folder (Sum.log / Sum0000X.log for the UAL databases).
esentutl.exe /r sum /i

# Repairs the specified database once the logs have been replayed.
esentutl.exe /p <Current.mdb | UAL_DB_FILE>

Eric Zimmerman's SumECmd.exe tool or the KStrike Python script can be used to parse UAL database files:

# Parses the specified individual UAL database file.
KStrike.py <Current.mdb | UAL_DB_FILE>

# Parses the UAL database files (Current.mdb, SystemIdentity.mdb, etc.) in the specified directory.
# The results will be aggregated in single CSV files per category (client access, DNS requests, etc.).
SumECmd.exe --csv <CSV_DIRECTORY_OUTPUT> -d <DIRECTORY_WITH_UAL_DB_FILES>

References

https://advisory.kpmg.us/blog/2021/digital-forensics-incident-response.html

https://www.youtube.com/watch?v=rVHKXUXhhWA

https://docs.microsoft.com/en-us/windows-server/administration/user-access-logging/get-started-with-user-access-logging

https://www.crowdstrike.com/blog/user-access-logging-ual-overview/