dissect.target.plugins.os.windows.ual

Module Contents

Classes

UalPlugin

Return all available User Access Log information.

Attributes

dissect.target.plugins.os.windows.ual.ClientAccessRecord
dissect.target.plugins.os.windows.ual.RoleAccessRecord
dissect.target.plugins.os.windows.ual.VirtualMachineRecord
dissect.target.plugins.os.windows.ual.DomainSeenRecord
dissect.target.plugins.os.windows.ual.SystemIdentityRecord
dissect.target.plugins.os.windows.ual.FIELD_NAME_MAP

class dissect.target.plugins.os.windows.ual.UalPlugin(target)

Bases: dissect.target.plugin.Plugin

Return all available User Access Log information.

User Access Logging (UAL) is a logging system that aggregates client usage data by role and products on a local server. It helps Windows server administrators to quantify requests from client computers for roles and services on a local server.

__namespace__ = 'ual'

Defines the plugin namespace.

LOG_DB_GLOB = 'sysvol/Windows/System32/LogFiles/Sum/*.mdb'
IDENTITY_DB_FILENAME = 'SystemIdentity.mdb'
IDENTITY_DB_PATH = 'sysvol/Windows/System32/LogFiles/Sum/SystemIdentity.mdb'
mdb_paths
role_guid_map
identity_db_parser = None

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

find_mdb_files() → list[pathlib.Path]

populate_role_guid_map() → None

read_table_records(table_name: str) → Iterator[tuple[pathlib.Path, dict[str, Any]]]

client_access() → Iterator[ClientAccessRecord]

Return client access data within the User Access Logs.

role_access() → Iterator[RoleAccessRecord]

Return role access data within the User Access Logs.

virtual_machines() → Iterator[VirtualMachineRecord]

Return virtual machine data within the User Access Logs.

domains_seen() → Iterator[DomainSeenRecord]

Return DNS data within the User Access Logs.

system_identities() → Iterator[SystemIdentityRecord]

Return system identity data within the User Access Logs.