DFIR Tip: windows server user access logging (sum)-"User Access Logging (UAL)" forensics
Mohammed AlAqeel
Subject Matter Expert in Cyber Defense solutions | Digital Forensic Incident Response|SecOps| Cyber Threat Intelligence| Threat Detection and Response |GCFA | GCFE| GCTI| eCMAP| OSCP| OSINT/SOCMINT | IT and OT.
During my previous compromised assessment engagement, I have been working on new artifacts, specifically when you have Windows Server 2012 and above in the CA scope, and how I add to my collection scope. I have read the blog from the kpmg forensics team. below in Reference the link to the blog.
User Access Logging (UAL), a newer forensic artifact on Windows Server operating system,that offers a wealth of data to support forensic investigations. UAL has proven beneficial to help correlate an account and the source IP address with actions performed remotely on systems.
What Is user access logging?
UAL is a feature included by default in server editions of Microsoft Windows, starting with Server 2012. As defined by Microsoft, UAL is a feature that “logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.”
The value of looking and analyzing this artifact during investigation :-
The UAL records user access to various services running on a Windows Server. The access is logged to databases on disk that contain information on the type of service accessed, the user account that performed the access and the source IP address from which the access occurred. One key element of UAL is that each record is based on the combination of username, source IP, and service accessed, ,so it’s good for identifying anomalous or rare access to a system.
And the good thing about this artifact is that “UAL makes a copy of the active database file, current.mdb, to a file named GUID.mdb every 24 hours. On the first day of the year, UAL will create a new GUID.mdb. The old GUID.mdb is retained as an archive. After two years, the original GUID.mdb will be overwritten.”
Where to Find UAL Data:-
UAL database files are stored under the directory C:\Windows\System32\LogFiles\Sum. Inside this directory, you’ll find up to five Extensible Storage Engine (ESE) database files with.mdb extensions.
The files will include:
1- Systemidentity.mdb (database containing information about the server, including a map of RoleGuid values to Role names
2- Current.mdb (UAL database — current year; active copy)
3- <GUID>.mdb (UAL database — current year)<GUID>.mdb (UAL database — previous year)<GUID>.mdb (UAL database — two years prior)
领英推荐
scenario/example of attack :-
Note: There are a lot of attacks that we can discover by analyzing this artifact.
for example The attacker used PsExec to execute the malicious file on a specific time and date .. so through analysis of host artifacts. , event logs have been rolled and were not forwarded elsewhere. Let us try to understand which user account executed PsExec targeting the infected machine and from which system the activity originated.
so After parsing the UAL CLIENTS table (from the date of the executed database file),?the first thing that immediately jumps out is the row related to the account used to do this attack that has a Last Access value matching precisely the time of PsExec usage identified via other artifacts. This record’s IP address value, means the activity originated from a device with this IP. Also, we note the total access value and more, such as below :-
1. Tracking User Activity: UAL meticulously logs every instance of user access to various services and roles on a Windows Server. This meticulous record-keeping empowers investigators to identify:
? Unauthorized access: If a user attempts to access a service or role beyond their authorized scope, UAL logs this activity, alerting investigators to potential security breaches.
? Unusual patterns: UAL helps identify deviations from typical user behavior. For instance, an administrator logging in from an unfamiliar location at an odd hour might warrant investigation.
2. Temporal Analysis: UAL provides crucial timestamps for each logged event. This enables investigators to:
? Construct a timeline: By piecing together timestamps, investigators can establish a chronological sequence of events during an incident. This timeline is vital for understanding the attack's progression and identifying potential connections between events.
? Correlate with other events: Timestamps from UAL logs can be correlated with timestamps from other sources, such as network traffic logs or security event logs, to gain a more comprehensive picture of the overall incident.
UAL Analysis Tools:
1. On live systems, analysts can access UAL data via PowerShell cmdlets or WMI. 2. In image analysis, UAL databases can be parsed with any tool that supports parsing ESE databases.
3. Eric Zimmerman’s and Brian Moran’s tools, SumECmd and KStrike, are to be used for parsing UAL data .
References links :-
Note : And I believe this artifact or feature was added in sans FOR 508 for the new version and the value of information that helps DFIR team during the investigation or with compromise assessment engagement.