Using logs to perform detective work and trace an attacker’s actions.

<aside> 💡 Logs record almost everything that happens on a system. Here we are working with PowerShell Transcription logs, which store both the commands that were typed and the output they produced.

</aside>

<aside> 💡 Capture of these logs can be enabled either through Group Policy or directly in the Windows Registry (the Group Policy setting itself writes the corresponding registry values).

</aside>

<aside> 💡 The Windows Registry is a large database of OS settings and configuration, organised into hives, with each hive containing keys and values.

</aside>
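As an added example (not part of the original notes), this PowerShell snippet turns on transcription through the registry. The keys under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription` are the same ones that the Group Policy setting "Turn on PowerShell Transcription" (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell) writes; the output directory `C:\PSTranscripts` is an assumed path chosen for the demo.

```powershell
# Added example: enable PowerShell transcription via the registry.
# Run from an elevated PowerShell prompt. The output directory is an assumption;
# in practice choose a location that ordinary users cannot read or modify, or a
# UNC path on a central log collector, so an attacker cannot tamper with the logs.
$TranscriptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$OutputDir     = 'C:\PSTranscripts'   # assumed path for the example

if (-not (Test-Path $TranscriptKey)) {
    New-Item -Path $TranscriptKey -Force | Out-Null
}

# EnableTranscripting    = 1 -> every PowerShell session is transcribed
# EnableInvocationHeader = 1 -> each command is preceded by a "Command start time" header,
#                                which gives the timestamps needed to build a timeline
# OutputDirectory        -> where the per-session transcript files are written
New-ItemProperty -Path $TranscriptKey -Name 'EnableTranscripting'    -PropertyType DWord  -Value 1          -Force | Out-Null
New-ItemProperty -Path $TranscriptKey -Name 'EnableInvocationHeader' -PropertyType DWord  -Value 1          -Force | Out-Null
New-ItemProperty -Path $TranscriptKey -Name 'OutputDirectory'        -PropertyType String -Value $OutputDir -Force | Out-Null

if (-not (Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

# Verify the setting took effect; a value of 1 for EnableTranscripting means new
# PowerShell sessions on this host will be logged.
Get-ItemProperty -Path $TranscriptKey |
    Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory
```

Transcription only starts for sessions opened after the value is set, so an existing PowerShell window will not be captured until it is restarted. Transcripts include any credentials typed at the prompt, which is one more reason to restrict access to the output directory.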

`net user <name> <password> /add` creates a new local user in Windows. Seeing this command in a transcript is a strong indicator of an attacker establishing persistence.
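The transcript logs are plain text, so they can be searched for account-creation commands like the one above. The following is an added example, not part of the original notes: it parses the transcript format (session header, optional per-command "Command start time" headers, and `PS ...>` prompt lines) and reports any command that creates a user or changes group membership, together with the user, machine and time it was run. The transcript text embedded in `$Sample` is constructed for the demo, and `C:\PSTranscripts` is an assumed path.

```powershell
# Added example: hunt PowerShell transcript logs for local account manipulation.
# $Sample is a constructed transcript in the format PowerShell writes when
# EnableInvocationHeader is on; it is not a real log from the lab.
$Sample = @'
**********************
Windows PowerShell transcript start
Start time: 20240105101500
Username: WORKSTATION\alice
RunAs User: WORKSTATION\alice
Machine: WORKSTATION (Microsoft Windows NT 10.0.19045.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4120
**********************
**********************
Command start time: 20240105101530
**********************
PS C:\Users\alice> whoami
workstation\alice
**********************
Command start time: 20240105101612
**********************
PS C:\Users\alice> net user svc_update P@ssw0rd /add
The command completed successfully.
**********************
Command start time: 20240105101640
**********************
PS C:\Users\alice> net localgroup administrators svc_update /add
The command completed successfully.
**********************
Windows PowerShell transcript end
End time: 20240105101700
**********************
'@

# Commands a defender wants flagged: user creation, group changes, account enabling.
$SuspiciousPatterns = @(
    'net(1)?\s+user\s+\S+\s+\S+\s+/add',
    'net(1)?\s+localgroup\s+\S+\s+\S+\s+/add',
    'New-LocalUser',
    'Add-LocalGroupMember',
    'Enable-LocalUser'
)

function Get-TranscriptFindings {
    param([string[]]$Lines, [string]$Source = '<inline>')
    $user = $null; $machine = $null; $cmdTime = $null
    foreach ($line in $Lines) {
        # Session header fields: remembered so each finding carries context
        if ($line -match '^Username:\s*(.+)$')               { $user    = $Matches[1]; continue }
        if ($line -match '^Machine:\s*(.+)$')                { $machine = $Matches[1]; continue }
        # Invocation header: yyyyMMddHHmmss timestamp for the command that follows
        if ($line -match '^Command start time:\s*(\d{14})$') { $cmdTime = $Matches[1]; continue }
        # Prompt line: the text after "PS <path>> " is the command that was typed
        if ($line -match '^PS [^>]*>\s*(.+)$') {
            $cmd = $Matches[1]
            foreach ($pattern in $SuspiciousPatterns) {
                if ($cmd -match $pattern) {
                    [pscustomobject]@{
                        Time    = $cmdTime
                        User    = $user
                        Machine = $machine
                        Command = $cmd
                        Source  = $Source
                    }
                    break
                }
            }
        }
    }
}

# Run over the constructed sample: expect two findings (net user /add, net localgroup /add)
Get-TranscriptFindings -Lines ($Sample -split "`r?`n") | Format-Table -AutoSize

# Run over a real transcript directory (assumed path; transcripts are .txt files
# grouped in per-day subfolders, hence -Recurse)
$TranscriptRoot = 'C:\PSTranscripts'
if (Test-Path $TranscriptRoot) {
    Get-ChildItem -Path $TranscriptRoot -Recurse -Filter '*.txt' | ForEach-Object {
        Get-TranscriptFindings -Lines (Get-Content $_.FullName) -Source $_.FullName
    } | Format-Table -AutoSize
}
```

The `Command start time` header is only present when `EnableInvocationHeader` is set; without it the function still reports the command and user but the `Time` column stays empty, which is why that value is worth enabling alongside transcription itself.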

<aside> 💡 Shellbags are registry artifacts that record when a user opened, moved or resized a folder window in Explorer. They store folder view settings so Explorer “remembers” the preferences the next time that folder is opened, and as a side effect they leave a record of folders the user browsed, including ones on removable media or network shares that may no longer exist.

</aside>

Questions:

- 1st: RDP into the Windows VM.
- 2nd, 3rd, 4th, 10th, 11th: read the transcription logs carefully.
- 5th: decode the certificate and open it in ShellBagsExplorer.
- 6th, 7th, 8th, 9th, 12th: pretty easy, requires OSINT.