Active Directory Logs

Overview

Evidence: Active Directory Logs
Description: Collect Active Directory Logs
Category: Applications
Platform: windows
Short Name: adl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Active Directory keeps its database and transaction logs in the NTDS directory of each domain controller (by default %SystemRoot%\NTDS; the actual paths are recorded under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters). The database, ntds.dit, is an Extensible Storage Engine (ESE) file that holds the user accounts, groups, computers, group memberships, ACLs and organizational structure of the domain, together with the password hashes and Kerberos keys of every principal. The accompanying files are ESE transaction logs (edb.log and edbNNNNN.log), the checkpoint file edb.chk and reserve logs (edbres*.jrs); they are not Windows event logs. They record committed changes that have not yet been written into ntds.dit, so they can hold directory changes that are more recent than the database file itself.

Data Collected

This collector copies the raw files of the NTDS directory: the ntds.dit database, its ESE transaction logs and the checkpoint file. The files are collected as they are on disk and are not parsed by the collector, so extracting accounts, hashes or directory changes from them is done offline with dedicated tools.

Collection Method

This collector copies files from the Windows NTDS directory of the domain controller: the Active Directory database (ntds.dit) and the associated ESE transaction logs and checkpoint file. While the directory service is running, LSASS holds ntds.dit and the current log file open exclusively, so a live copy cannot be taken with a plain file copy; it has to come from a Volume Shadow Copy or a raw read of the volume. A copy taken from a running domain controller is usually in a "dirty shutdown" state and needs its transaction logs replayed before it parses cleanly, which is why the logs are collected alongside the database. Because the password hashes in ntds.dit are encrypted with a key derived from the boot key in the SYSTEM registry hive, the SYSTEM hive from the same domain controller is needed for any offline analysis of credentials.
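One way to perform the same collection by hand, shown here as an added example that is not the collector's own code: the script reads the database and log locations from the NTDS service parameters, copies each file through a Volume Shadow Copy with esentutl, saves the SYSTEM hive needed to decrypt the hashes offline, records the ESE header state of the copied database and writes a SHA-256 manifest. The output directory C:\Evidence\adl is an assumed value; run it from an elevated PowerShell session on the domain controller.

```powershell
# Added example, not the collector's own code. Copies the NTDS database and its
# ESE transaction logs from a running domain controller, plus the SYSTEM hive
# needed to decrypt the hashes offline, and writes a SHA-256 manifest.
# Run from an elevated prompt on the DC. $Destination is an assumed path.
param([string]$Destination = 'C:\Evidence\adl')

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# Locate the database and log directory from the DSA parameters rather than
# assuming the %SystemRoot%\NTDS default.
$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $ntds.'DSA Database file'
$logDir = $ntds.'Database log files path'

# esentutl /y copies a file; /vss makes it read from a volume shadow copy, so the
# copy succeeds even though LSASS holds ntds.dit and the current log open.
function Copy-FromShadow([string]$Source, [string]$Target) {
    & esentutl.exe /y $Source /vss /d $Target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "esentutl failed for $Source (exit $LASTEXITCODE)" }
}

Copy-FromShadow $dbFile (Join-Path $Destination 'ntds.dit')

# Transaction logs (edb.log, edbNNNNN.log), the checkpoint (edb.chk) and reserve
# logs (edbres*.jrs) hold changes not yet flushed to ntds.dit; without them an
# offline parse of the database may miss recent account changes.
Get-ChildItem -Path $logDir -File |
    Where-Object { $_.Name -match '^edb.*\.(log|chk|jrs)$' } |
    ForEach-Object { Copy-FromShadow $_.FullName (Join-Path $Destination $_.Name) }

# The boot key in the SYSTEM hive decrypts the password encryption key in
# ntds.dit; without it the hashes cannot be recovered offline.
& reg.exe save HKLM\SYSTEM (Join-Path $Destination 'SYSTEM') /y | Out-Null

# Record the ESE header state: "Clean Shutdown" means the copy is self-consistent,
# "Dirty Shutdown" means the logs must be replayed (esentutl /r) before parsing.
& esentutl.exe /mh (Join-Path $Destination 'ntds.dit') |
    Out-File (Join-Path $Destination 'ntds.dit.header.txt')

# Hash manifest for chain of custody.
Get-ChildItem -Path $Destination -File |
    Where-Object { $_.Name -ne 'manifest.sha256' } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "$($_.Hash)  $(Split-Path -Leaf $_.Path)" } |
    Set-Content (Join-Path $Destination 'manifest.sha256')
```

The esentutl /vss copy is the same technique attackers use to steal ntds.dit, so expect this script to trigger any endpoint or SIEM rule that watches for esentutl or shadow-copy access to the NTDS directory; run it through an approved incident-response channel and treat the output directory as a Tier 0 secret.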

Forensic Value

Active Directory data is essential for investigating credential theft, privilege escalation, unauthorized access, account manipulation and domain compromise. The database records every account, group membership, service principal name and ACL, along with timestamps such as pwdLastSet and lastLogonTimestamp, and the transaction logs capture the most recent changes, including ones an attacker may have made and then reverted. ntds.dit also holds the NT hashes and Kerberos keys of every domain principal, encrypted with a key derived from the boot key in the SYSTEM registry hive, so the SYSTEM hive from the same domain controller is needed to recover them offline. That makes the database a high-value target for attackers and the collected copy a Tier 0 secret: store it encrypted, restrict who can access it, and plan to rotate credentials (including the krbtgt account) if there is any chance it was exposed. The techniques used to copy a live ntds.dit (shadow copies, esentutl, ntdsutil) are the same ones attackers use, so the collection itself should be expected to show up in endpoint and SIEM detections.
