Insight

Digital forensics and incident response

A new type of User access log

Kevin Stokes

Sr Associate Advisory, Cyber Security Services, KPMG US

The KPMG Cyber Response Services team helps clients respond to cyber incidents. In a recent investigation, our team identified a Microsoft Windows artifact that appears to be new to the incident response community. We are sharing this research to help the community investigate advanced attackers.

Microsoft User Access Logging (UAL) is a feature that has existed for some time. It is present, and enabled by default, on Windows Server 2012 and later, and is a local data aggregation feature that records client usage by role and product on each server providing the resource.

According to Microsoft’s documentation¹, UAL will:

  • Keep a tally of user requests for local servers, physical or virtual
  • Keep a tally of user requests for local software products on these servers
  • Pull statistics from Hyper-V, regarding high and low periods of demand for resources
  • Pull UAL data from remote servers

Referring again to Microsoft’s documentation, UAL categorizes the data it records by the following roles and services:

  • Active Directory Certificate Services (AD CS)
  • Active Directory Rights Management Services (AD RMS)
  • BranchCache
  • Domain Name System (DNS)
  • Dynamic Host Configuration Protocol (DHCP)
  • Fax Server
  • File Services
  • File Transfer Protocol (FTP) Server
  • Hyper-V
  • Web Server (IIS)
  • Microsoft Message Queue (MSMQ) Services
  • Network Policy and Access Services
  • Print and Document Services
  • Routing and Remote Access Service (RRAS)
  • Windows Deployment Services (WDS)
  • Windows Server Update Services (WSUS)

When available, these UAL databases are stored at “[root]\Windows\System32\LogFiles\SUM”. Here, you will find at least two, and potentially three or four, Extensible Storage Engine (ESE) databases with an “.mdb” file extension. Despite the extension, these are ESE (JET Blue) databases, not Microsoft Access files, so they must be read with an ESE-aware parser.

SystemIdentity.mdb contains at least three tables of interest, aside from the ESE housekeeping tables:

  • CHAINED_DATABASES – lists the additional (per-year) UAL databases the system is keeping track of
  • ROLE_IDS – maps role GUIDs to the names of the roles and services that have been accessed on the system; the same GUIDs appear as RoleGuid values in the chained databases
  • SYSTEM_IDENTITY – contains some server and OS information

Figure 1 below is the ROLE_IDS table from SystemIdentity.mdb and displays role names with their GUIDs; the Product Name column holds the names of products accessed, where present.

Role Guid                              | Product Name | Role Name
---------------------------------------|--------------|------------------------------------------
{10A9226F-50EE-49D8-A393-9A501D47CE04} |              | File Server
{4116A14D-3840-4F42-A67F-F2F9FF46EB4C} |              | Windows Deployment Services
{48EED6B2-9CDC-4358-B5A5-8DEA3B2F3F6A} |              | DHCP Server
{7CC4B071-292C-4732-97A1-CF9A7301195D} |              | FAX Server
{7FB09BD3-7FE6-435E-8348-7D8AEFB6CEA3} |              | Print and Document Services
{910CBAF9-B612-4782-A21F-F7C75105434A} |              | BranchCache
{952285D9-EDB7-4B6B-9D85-0C09E3DA0BBD} |              | Remote Access
{B4CDD739-089C-417E-878D-855F90081BE7} |              | Active Directory Rights Management Service
{BBD85B29-9DCC-4FD9-865D-3846DCBA75C7} |              | Network Policy and Access Services
{C23F1C6A-30A8-41B6-BBF7-F266563DFCD6} |              | FTP Server
{C50FCC83-BC8D-4DF5-8A3D-89D7F80F074B} |              | Active Directory Certificate Services
{D6256CF7-98FB-4EB4-AA18-303F1DA1F770} |              | Web Server
{D8DC1C8E-EA13-49CE-9A68-C9DCA8DB8B33} |              | Windows Server Update Services


Figure 2 below is the CHAINED_DATABASES table and displays the year each chained database is associated with.

Year | File Name
-----|-------------------------------------------
2019 | {3BD85B29-9DCC-6FD9-865D-3826DCBA77C7}.mdb
2020 | {D13F1C9A-30A8-41B6-BBF7-F266573DFCD6}.mdb
2021 | {F59FCC83-BC8D-4DF5-8A3D-89A7180F174B}.mdb


Current.mdb records up to 24 hours of data and then transfers that data into the chained database for the current year. A chained database is in use for an entire calendar year and contains only that year’s data, so there is one database for 2020 and a separate one for 2021. Databases for previous years are retained for two years. Since this was written in 2021, you may see chained databases for both 2019 and 2020, if the service has been active that long. In summary, you can see between two and three years of data: the 2019 and 2020 archives plus the 2021 chained database and Current.mdb. Once 2022 arrives, the 2019 database will likely be removed.

Note: As of this writing, it is unknown whether these databases are captured in volume shadow copies.

Current.mdb and the chained databases, named like “{GUID}.mdb”, have a few tables of interest:

  • CLIENTS – this table contains many fields of interest:
    • AuthenticatedUserName – authenticated user or computer account associated with the access
    • TotalAccesses – tally of authenticated accesses for the entry
    • InsertDate – first authenticated access (UTC) recorded for this role and client in that year, i.e. since the database was created
    • LastAccess – last authenticated access (UTC) recorded for this role and client in that year, as of the last file modification
    • RoleGuid – GUID of the role for this entry, defined in the ROLE_IDS table of SystemIdentity.mdb
    • TenantIdentifier – GUID of a tenant client of an installed role or product related to the entry, if applicable
    • Address – IP or MAC address of the client device used to access the role or service. IPv6 link-local addresses are present; when the interface identifier is EUI-64 derived (ff:fe in the middle of the low 64 bits) it can be converted back to the device’s MAC address, but addresses with randomized interface identifiers (the Windows default) cannot be
    • Day### (Day1 through Day366) – number of authenticated accesses for the entry on that day of the year. Limited to 65,535 per day, so a day showing 65,535 may have seen more
  • DNS – collection of DNS data, including hostnames, IP addresses, and last-seen timestamp
  • ROLE_ACCESS – per-role records related to the RoleGuid values above
  • VIRTUALMACHINES – not yet observed populated, but possibly Hyper-V related
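As an added example (not code from the original post or from any published UAL parser), the following Python decodes the CLIENTS fields described above from values already exported out of the ESE tables: the raw Address bytes to a printable IPv4/IPv6 address, an EUI-64 link-local address back to a MAC where that is possible, and the populated Day columns into dated events with the 65,535 cap flagged. The dictionary column names, the 6-byte MAC case and the sample row are assumptions; the sample row is constructed to match the first Figure 3 row, with the per-day split invented.

```python
"""Decode exported UAL CLIENTS row values (added example, not the post's own code)."""
import ipaddress
from datetime import date, timedelta

DAY_CAP = 65535  # a DayN tally saturates at 65,535, as noted above


def decode_address(raw: bytes) -> str:
    """Render the raw Address bytes: 4 bytes = IPv4, 16 = IPv6, 6 = MAC.

    The 6-byte MAC case is an assumption for clients recorded by MAC; the
    4-byte case follows the hex values shown in Figure 3 (0aff6978 -> 10.255.105.120).
    """
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if len(raw) == 16:
        return str(ipaddress.IPv6Address(raw))
    if len(raw) == 6:
        return ":".join(f"{b:02x}" for b in raw)
    raise ValueError(f"unexpected Address length {len(raw)}")


def mac_from_link_local(addr: str):
    """Recover the MAC from an fe80::/64 address.

    Only possible when the interface identifier is EUI-64 derived, i.e. the low
    64 bits are <mac[0:3]> ff fe <mac[3:6]> with the universal/local bit flipped.
    Windows randomizes interface identifiers by default, so such clients return None.
    """
    ip = ipaddress.IPv6Address(addr)
    b = ip.packed
    if not ip.is_link_local or b[11] != 0xFF or b[12] != 0xFE:
        return None
    mac = bytearray(b[8:11] + b[13:16])
    mac[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in mac)


def day_column_date(year: int, day_number: int) -> date:
    """Map a DayN column (Day1 .. Day366) to a calendar date in the database's year."""
    if not 1 <= day_number <= 366:
        raise ValueError("DayN columns run from Day1 to Day366")
    d = date(year, 1, 1) + timedelta(days=day_number - 1)
    if d.year != year:
        raise ValueError(f"Day366 does not exist in {year} (not a leap year)")
    return d


def daily_events(year: int, row: dict) -> list:
    """Expand one CLIENTS row into sorted (date, user, address, count, saturated) tuples.

    Empty Day columns are skipped; 'saturated' marks days at the 65,535 cap, where
    the true count may be higher. A populated Day366 in a non-leap year is dropped
    rather than misdated.
    """
    user = row["AuthenticatedUserName"]
    address = decode_address(row["Address"])
    events = []
    for n in range(1, 367):
        count = row.get(f"Day{n}")
        if not count:
            continue
        try:
            day = day_column_date(year, n)
        except ValueError:
            continue
        events.append((day, user, address, count, count >= DAY_CAP))
    return sorted(events)


# Constructed sample modelled on the first Figure 3 row (User3, Address 0aff6978,
# 67 total accesses); the per-day split below is invented for the example.
SAMPLE_ROW_2019 = {
    "RoleGuid": "10A9226F-50EE-49D8-A393-9A501D47CE04",  # File Server (Figure 1)
    "AuthenticatedUserName": "User3",
    "Address": bytes.fromhex("0aff6978"),
    "TotalAccesses": 67,
    "Day15": 3,    # 2019-01-15, the InsertDate shown in Figure 3
    "Day100": 40,  # 2019-04-10
    "Day260": 24,  # 2019-09-17, the LastAccess shown in Figure 3
}


if __name__ == "__main__":
    for day, user, address, count, saturated in daily_events(2019, SAMPLE_ROW_2019):
        flag = " (saturated, true count may be higher)" if saturated else ""
        print(f"{day} {user:<8} {address:<16} {count}{flag}")
    print("EUI-64 link-local:", mac_from_link_local("fe80::211:22ff:fe33:4455"))
    print("randomized IID:   ", mac_from_link_local("fe80::1c2d:3e4f:5a6b:7c8d"))
```

Run against a CSV export of the CLIENTS table, one row per call, this turns the flat per-day tallies into events that can be merged with other timeline sources; the saturation flag matters when counting file-server hits from a noisy client, and the None return from mac_from_link_local tells you the link-local address cannot be tied to hardware.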

Figure 3 shows an example of a portion of the CLIENTS table, with 2019 data. The Converted Address column is the analyst’s decoding of the hex Address value and is not stored in the table.

RoleGuid                             | Tenant ID | Total Accesses | Insert Date         | Last Access         | Address  | Converted Address | Authenticated UserName
-------------------------------------|-----------|----------------|---------------------|---------------------|----------|-------------------|-----------------------
10A9226F-50EE-49D8-A393-9A501D47CE04 | 00000000  | 67             | 2019-01-15 16:53:02 | 2019-09-17 13:41:02 | 0aff6978 | 10.255.105.120    | User3
10A9226F-50EE-49D8-A393-9A501D47CE04 | 00000000  | 54             | 2019-02-12 11:45:42 | 2019-12-06 14:37:49 | 0aff3532 | 10.255.53.50      | User2
10A9226F-50EE-49D8-A393-9A501D47CE04 | 00000000  | 43             | 2019-04-06 06:01:06 | 2019-12-26 22:36:17 | 0aff0078 | 10.255.0.120      | User1
10A9226F-50EE-49D8-A393-9A501D47CE04 | 00000000  | 32             | 2019-07-08 03:25:47 | 2019-11-19 10:05:58 | 0aff939f | 10.255.147.159    | User4
10A9226F-50EE-49D8-A393-9A501D47CE04 | 00000000  | 11             | 2019-08-26 17:22:12 | 2019-12-18 10:25:11 | 0affd46a | 10.255.212.106    | User5


Figure 4 is an example of the Day columns within the CLIENTS table (the first twelve of Day1 through Day366, one row per CLIENTS entry). Empty cells are days with no recorded access for that entry.

Day 1  | Day 2 | Day 3 | Day 4 | Day 5 | Day 6 | Day 7 | Day 8 | Day 9 | Day 10 | Day 11 | Day 12
-------|-------|-------|-------|-------|-------|-------|-------|-------|--------|--------|-------
34670  | 34672 | 34674 | 34676 | 34678 | 34680 | 34682 | 34684 | 34686 | 34688  | 34690  |
355392 | 35394 | 35396 | 35398 | 35400 |       |       | 35402 | 35404 | 35406  | 35408  | 35410
32564  | 32566 | 32568 | 32570 | 32572 | 32574 | 32576 | 32578 | 32580 | 32582  | 32584  | 32586
       | 35154 | 35156 |       | 35158 |       |       | 35160 |       |        |        |
       | 32230 |       |       | 32232 |       |       |       |       |        |        |
       | 32106 |       |       | 32108 |       |       |       |       |        |        |
       |       |       |       | 32776 | 32778 | 32780 | 32782 | 32784 | 32786  | 32788  | 32790
       |       |       |       | 32370 | 32372 |       | 32374 |       |        |        |


The KPMG Cyber Response Services team uses User Access Logs to timeline unauthorized access by advanced threat actors and to discover malicious activity. Because each CLIENTS entry carries only a first-seen and a last-seen timestamp plus daily tallies, UAL shows which account reached which role from which address on which days; finer timing comes from correlating it with event logs and other artifacts.

Brian Moran of BriMor Labs has created a Python UAL parser named KStrike, which is publicly available on GitHub.

These logs² can also be queried live by systems administrators or security professionals to monitor activity on servers where the service is available, using the UserAccessLogging PowerShell module (for example, Get-UalOverview, Get-UalDailyAccess, Get-UalUserAccess and Get-UalDeviceAccess).

About KPMG Cyber Response Services

KPMG LLP is the U.S. member firm of KPMG International Cooperative. Member firms employ over 2,500 cyber professionals around the globe who are available to help you with your cyber needs. Many of these professionals are leaders in the cyber community, helping to develop the tools and methodologies used to combat cyber-crime on a daily basis.

Our professionals have experience working on a variety of cybercrimes, including insider threats, data breaches, hacktivism, and advanced persistent threat-style intrusions by highly motivated adversaries. Our services include a variety of pre-breach strategy and investigation offerings to support your needs.

KPMG has an automated forensic collection, analysis, and reporting engine, KPMG Digital Responder, that significantly enhances investigation quality while reducing labor hours.

For more information about KPMG’s Cyber Response Services, or if you are interested in DFIR career opportunities at KPMG, please contact Kim Casey.
