Using logs to do detective work and trace an attacker's actions.
<aside> 💡 Logs store everything; here we are working with PowerShell Transcription logs, which store both the commands entered and their output.
</aside>
<aside> 💡 Capturing these logs can be enabled through Group Policy or through the Windows Registry.
</aside>
<aside> 💡 The Windows Registry is a large database of OS settings and configuration, organized into hives, with each hive containing keys and values.
</aside>
*net user <name> <password> /add* creates a new user in Windows.
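As an added example (not part of the original notes), the script below parses a constructed PowerShell transcript of the kind described above and flags the user-creation command so an investigator can place it on a timeline; the transcript text, user and host names are made up for the example, and the transcript layout assumes invocation headers were enabled when transcription was configured.

```python
import re
from datetime import datetime

# Constructed sample transcript with invocation headers enabled (not taken from the page).
SAMPLE_TRANSCRIPT = """**********************
Windows PowerShell transcript start
Start time: 20240301101500
Username: WORKSTATION\\jdoe
Machine: WORKSTATION (Microsoft Windows NT 10.0.19045.0)
Process ID: 4120
**********************
Command start time: 20240301101512
**********************
PS C:\\Users\\jdoe> whoami
workstation\\jdoe
**********************
Command start time: 20240301101530
**********************
PS C:\\Users\\jdoe> net user svc_backup P@ssw0rd123 /add
The command completed successfully.
**********************
Windows PowerShell transcript end
End time: 20240301101600
**********************
"""
# Session metadata from the transcript header.
HEADER_RE = re.compile(r"^(Username|Machine|Process ID): (.*)$", re.M)
# Each invocation header is followed by a separator line, then the prompt and command.
CMD_RE = re.compile(r"^Command start time: (\d{14})\n\*+\nPS [^>]*> (.*)$", re.M)
# Command patterns worth flagging when reconstructing an intruder's timeline.
SUSPICIOUS = [("user-creation", re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/add\b", re.I))]

def parse_transcript(text):
    # One dict per command: when it ran, who ran it, on which host, and the command line.
    meta = dict(HEADER_RE.findall(text))
    return [{"time": datetime.strptime(stamp, "%Y%m%d%H%M%S"),
             "user": meta.get("Username"),
             "host": meta.get("Machine", "").split(" ")[0],
             "command": cmd.strip()}
            for stamp, cmd in CMD_RE.findall(text)]

def flag_suspicious(commands):
    # Keep only the commands matching a SUSPICIOUS pattern, tagged with the reason.
    return [dict(entry, reason=label) for entry in commands
            for label, pattern in SUSPICIOUS if pattern.search(entry["command"])]

if __name__ == "__main__":
    for hit in flag_suspicious(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(f"{hit['time']} {hit['user']}@{hit['host']}: {hit['command']} [{hit['reason']}]")
```

Point `parse_transcript` at the contents of a real transcript file from the configured output directory to get the same timeline for an actual session.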
<aside> 💡 Shellbags - Logs that keep track of when a user moved or resized a folder window. They track folder settings, so Windows "remembers" the preferences when that window is opened again.
</aside>
Questions :-
1st, RDP into the Windows VM
2nd, 3rd, 4th, 10th, 11th, read the transcription logs carefully
5th, decode the certificate and open it in ShellBagsExplorer
6th, 7th, 8th, 9th, 12th, fairly easy and require OSINT