Digital forensics and incident response

The KPMG Cyber Response Services team is dedicated to helping clients respond to cyber incidents. In a recent investigation, our team identified a potentially new Microsoft Windows’ artifact. We are excited to share this knowledge and research to advance the incident response community investigations against advanced attackers.

The Microsoft User Access Logs (UAL) is a feature that has existed for some time. The UAL can be found on Windows Servers (2012 and up) and is a local data aggregation feature, recording client usage by role and product on each system providing the resource.

According to Microsoft’s documentation¹ these logs will:

• Keep a tally of user requests for local servers, physical or virtual
• Keep a tally of user requests for local software products on these servers
• Pull statistics from Hyper-V, regarding high and low periods of demand for resources
• Pull UAL data from remote servers

In addition to recording user access requests and server statistics, referring again to Microsoft’s documentation, this UAL feature categorizes data from the following roles and services:

• Active Directory Certificate Services (AD CS)
• Active Directory Rights Management Services (AD RMS)
• BranchCache
• Domain Name System (DNS)
• Dynamic Host Configuration Protocol (DHCP)
• Fax Server
• File Services
• File Transfer Protocol (FTP) Server
• Hyper-V
• Web Server (IIS)
• Microsoft Message Queue (MSMQ) Services
• Network Policy and Access Services
• Print and Document Services
• Routing and Remote Access Service (RRAS)
• Windows Deployment Services (WDS)
• Windows Server Update Services (WSUS)

When available, these UAL databases are stored at “[root]\Windows\System32\LogFiles\SUM”. Here, you will find at least two, and potentially 3 or 4, extensible storage engine (ESE) databases with a “mdb” file extension.

The SystemIdentity.mdb, contains at least three tables of interest, aside from other ESE related tables:

• CHAINED_DATABASES – shows additional UAL databases that the system is keeping track of, per year
• ROLE_IDS – list of the roles and services that have been accessed on the system and map to the chained databases
• SYSTEM_IDENTITY – contains some server and OS information

Figure 1 below is from the SystemIdentity.mdb and displays the ROLE_IDS table with role names and GUIDs, as well as names and GUIDs for products accessed.

Figure 2 below is the CHAINED_DATABASES table and displays the year each chained database is associated with.

The Current.mdb database records up to a 24-hour period of data, then transfers that data to the current year chained database. A chained database will be in use for an entire year and only contain data for that year. Thus, there would be an entire database for 2020 and a separate database for 2021. The previous year databases are kept for two years. Thus, since we are in 2021 now, you may see a chained database from both 2019 and 2020, if the service was active that long. In summary, you can possibly see between two and three years of data, with the 2019 and 2020 archives, plus the current databases for 2021. Once 2022 hits, the 2019 database will likely be overwritten. 

Note: As of this writing, it is unknown if these databases would be part of a volume shadow copy.

• The Current.mdb and chained databases, named like “{GUID}.mdb” have a few tables of interest:
  • CLIENTS – This table contains many fields of interest:
  • AuthenticatedUserName – Authenticated user or system associated with the access
  • TotalAccesses – Tally of the authenticated accesses
  • InsertDate) – First Authenticated access (UTC), recorded for the role, for that year; since the time of earliest database creation
  • LastAccess – Last Authenticated access (UTC), recorded for the role, for that year, at the time of last file modification
  • RoleGUID – Defined in SystemIdentifier.mdb, the role of the related entry
  • TenantIdentifier – GUID for a tenant client of an installed role or product, related to the entry, if applicable
  • Address – IP or MAC address of the client device used to access a role or service. (IPv6 local-link addresses are present and can be converted to associated device MAC address)
  • Day### – Value here represents the number of Authenticated Accesses that occurred for that entry on the respective of the year. Limited to 65,535 per day.
• DNS – Collection of DNS data, including hostnames, IP addresses, and last seen timestamp
• ROLE_ACCESS – Related to RoleGuid values
• VIRTUALMACHINES – (have not seen this populated yet, but possibly Hyper-V related)

Figure 3 shows an example of a portion CLIENTS table, with 2019 data

Figure 4 is an example of the Day columns within the CLIENTS table.

The KPMG Cyber Response Services team utilizes User Access Logs to timeline unauthorized accesses by advanced threat actors and discover malicious activity. 

Brian Moran of BriMor Labs has created a Python UAL parser named KStrike, which is available at the link here.

These logs² can also be used by systems administrators or security professionals for querying and monitoring activity on the devices where this service is available. There are many PowerShell cmdlets for this purpose.

About KPMG Cyber Response Services

KPMG LLP is the U.S. member firm of KPMG International Cooperative. Member firms employ over 2,500 cyber professionals around the globe who are available to help you with your cyber needs. Many of these professionals are leaders in the cyber community, helping to develop the tools and methodologies used to combat cyber-crime on a daily basis.

Our professionals have experience working on a variety of cybercrimes, including insider threats, data breaches, hacktivism, and advanced persistent threat-style intrusions by highly motivated adversaries. Our services include a variety of pre-breach strategy and investigation offerings to support your needs.

KPMG has an automated forensic collection, analysis, and reporting engine, KPMG Digital Responder) that significantly enhances investigation quality while reducing labor hours.

For more information about KPMG’s Cyber Response Services or interested in DFIR career opportunities at KPMG please contact Kim Casey.