Windows User Access Logs (UAL)

Windows Server Artefact

Overview

User Access Logging (UAL) is a feature in Windows Server that aggregates client usage data by role on a local server. The DFIR team at KPMG released a great blog post which spotlights User Access Logs by delving into the different components that make up the database.

Artefact Features

Applicable OS: Windows Server 2012+
Requirements: Enabled by default on supported OS
Evidence of: Lateral Movement - User/IP requests to a server (per day)
Location:

  • C:\Windows\System32\LogFiles\SUM\Current.mdb
  • C:\Windows\System32\LogFiles\SUM\SystemIdentity.mdb
  • C:\Windows\System32\LogFiles\SUM\<GUID>.mdb

Format: ESE Databases
Current Parsing Tools: SumECmd.exe (see Parsing and Analysis below)

Retention: 2–3 years. Current.mdb contains the most recent 24 hours (by default) and is then moved into the database for the current year, which is named with a unique GUID. The previous two years are retained in separate databases as well.

If an attacker has cleared all logs from the environment and there is no centralised logging, UAL could be a valuable resource used in investigations.

Acquisition

These databases are locked by the OS while the host is running, so when conducting live response you will need a tool that performs a low-level copy, such as RawCopy.

RawCopy.exe /FileNamePath:c:\Windows\System32\LogFiles\Sum\Current.mdb /Outpath:c:\Dev\Sum\

A tool like Velociraptor will also allow you to copy the files of a live system.

Repairing the Databases

If you attempt to run SumECmd.exe, depending on how you acquired the files, you may get an error stating that the databases need to be repaired. Using esentutl.exe, you can repair the *.mdb files:

esentutl.exe /p Current.mdb
esentutl.exe /p SystemIdentity.mdb
esentutl.exe /p "{<GUID>}.mdb"

Here is an example of the repair command on SystemIdentity.mdb:

Parsing and Analysis

Once you have valid ESE databases, you can point SumECmd.exe to the directory where you have your files.

SumECmd.exe -d C:\Location\of\Sumfiles\ --csv C:\Output\Directory

The output should provide a number of CSV exports for review.

The <date>_SumECmd_DETAIL_ClientDetailed_Output.csv contains something like the following, which maps user activity to first and last access times and a role description.
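The acquisition, repair and parsing steps above chained into one live-response script, as an added example that is not from the original post. It assumes the paths to RawCopy.exe and SumECmd.exe (passed as parameters), keeps an untouched, hashed copy of every database before esentutl is allowed to modify a working copy, and only runs the lossy /p repair on databases whose header (esentutl /mh) does not report a clean shutdown.

```powershell
# Added example (not part of the original post): collect, hash, repair and parse
# the UAL databases from a live Windows Server. Tool paths are assumptions.
function Invoke-UalCollection {
    [CmdletBinding()]
    param(
        [string]$RawCopy = 'C:\Tools\RawCopy.exe',    # assumed location of RawCopy.exe
        [string]$SumECmd = 'C:\Tools\SumECmd.exe',    # assumed location of SumECmd.exe
        [string]$OutDir  = 'C:\Dev\Sum',
        [string]$SumDir  = "$env:SystemRoot\System32\LogFiles\SUM"
    )
    $raw  = Join-Path $OutDir 'raw'       # evidence copies, never modified
    $work = Join-Path $OutDir 'repaired'  # working copies that esentutl may change
    $csv  = Join-Path $OutDir 'csv'
    foreach ($d in $raw, $work, $csv) {
        New-Item -ItemType Directory -Path $d -Force | Out-Null
    }

    # 1. Low-level copy of every *.mdb; the OS keeps them locked while it is running
    foreach ($f in Get-ChildItem -Path $SumDir -Filter '*.mdb') {
        & $RawCopy "/FileNamePath:$($f.FullName)" "/Outpath:$raw\"
    }

    # 2. Hash the raw copies before anything touches them
    Get-ChildItem -Path $raw -Filter '*.mdb' |
        Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $OutDir 'raw_hashes.csv') -NoTypeInformation

    # 3. Repair working copies only. esentutl /mh dumps the header, including the
    #    "State:" line; a database copied from a live host is usually "Dirty Shutdown".
    Copy-Item -Path (Join-Path $raw '*.mdb') -Destination $work
    foreach ($f in Get-ChildItem -Path $work -Filter '*.mdb') {
        $state = (& esentutl.exe /mh $f.FullName | Select-String 'State:').Line
        Write-Verbose "$($f.Name): $state"
        if ($state -notmatch 'Clean Shutdown') {
            # /p prompts for confirmation; it rebuilds the database and may discard pages
            & esentutl.exe /p $f.FullName
        }
    }

    # 4. Parse the repaired set into CSVs for review
    & $SumECmd -d $work --csv $csv
    Get-ChildItem -Path $csv -Filter '*.csv'
}

# Usage (run from an elevated PowerShell session on the server being triaged):
# Invoke-UalCollection -RawCopy 'D:\IR\RawCopy.exe' -SumECmd 'D:\IR\SumECmd.exe' -OutDir 'D:\IR\Sum' -Verbose
```

Keeping the raw directory separate matters because esentutl /p rewrites the file in place; the hashes recorded in step 2 are what you refer to in the evidence log, not the repaired copies that SumECmd reads.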

NOTE: It is not documented or tested on what specific activities qualify an entry to be recorded for each Microsoft role.

Another option for live response is to query the system directly using WMI or PowerShell.

WMI example:

Gwmi -Namespace "root\AccessLogging" -query "SELECT * FROM MsftUal_DeviceAccess WHERE LastSeen >='1/01/2013' and LastSeen <='3/31/2013'"

PowerShell cmdlets:

Get-UalUserAccess
Get-UalDailyUserAccess

Example of Get-UalDailyUserAccess:
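A way to turn the raw cmdlet output into something reviewable for the lateral-movement question above, as an added example rather than the post's own code: it summarises Get-UalDailyUserAccess per user/IP pair over an investigation window and flags pairs whose earliest FirstSeen in Get-UalUserAccess falls inside that window, i.e. clients the server had never recorded before. The property names used (Username, IPAddress, RoleName, AccessDate, AccessCount, FirstSeen) are assumed from the UserAccessLogging cmdlet output and should be checked against `Get-UalUserAccess | Get-Member` on the host.

```powershell
# Added example (not from the original post): per-client summary of UAL data
# from the live cmdlets, flagging clients first seen inside the window.
# Property names are assumptions about the cmdlet output; verify with Get-Member.
function Get-UalClientSummary {
    param(
        [datetime]$Start = (Get-Date).AddDays(-30),
        [datetime]$End   = (Get-Date)
    )
    # Daily rows inside the window: one row per user/IP/role/day
    $daily = Get-UalDailyUserAccess |
        Where-Object { $_.AccessDate -ge $Start -and $_.AccessDate -le $End }

    # Lifetime rows carry the earliest timestamp the server has for each user/IP/role;
    # collapse them to the earliest FirstSeen per user/IP pair
    $firstSeen = @{}
    foreach ($r in Get-UalUserAccess) {
        $k = "$($r.Username)|$($r.IPAddress)"
        if (-not $firstSeen.ContainsKey($k) -or $r.FirstSeen -lt $firstSeen[$k]) {
            $firstSeen[$k] = $r.FirstSeen
        }
    }

    $daily | Group-Object Username, IPAddress | ForEach-Object {
        $u = $_.Group[0].Username
        $ip = $_.Group[0].IPAddress
        $k = "$u|$ip"
        [pscustomobject]@{
            Username      = $u
            IPAddress     = $ip
            Roles         = ($_.Group.RoleName | Sort-Object -Unique) -join ';'
            ActiveDays    = ($_.Group.AccessDate | Sort-Object -Unique).Count
            Accesses      = ($_.Group | Measure-Object AccessCount -Sum).Sum
            FirstSeenEver = $firstSeen[$k]
            NewInWindow   = ($firstSeen[$k] -ge $Start)   # no history before the window
        }
    } | Sort-Object NewInWindow, Accesses -Descending
}

# Usage: clients that appeared for the first time in the last 14 days, most active first
# Get-UalClientSummary -Start (Get-Date).AddDays(-14) | Where-Object NewInWindow | Format-Table -AutoSize
```

Because UAL is per server, run this on each server of interest and compare the NewInWindow rows across hosts; a single workstation IP appearing as new on several servers on the same day is the pattern worth pulling other logs for.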

If you are testing, you can decrease the polling time from the default 24 hours (for example two minutes):

reg.exe ADD HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\Sum /v PollingInterval /t REG_DWORD /d 120000 /F

I’m looking forward to seeing how the DFIR community uses this artefact, as it appears to have a wealth of historical knowledge.

Thanks,
Zach
