Note:I translated Japanese into English using Google Translate.Thank you, Google. There is a great article called “Windows Server Data Dedupliction and Forensic Analysis”.If you are interested in the Dedupliction feature, I recommend that …

Note:I translated Japanese into English using Google Translate.Thank you, Google. "Microsoft-Windows-Terminal Services-RDPClient / Operational" may record information to help you track Lateral Movement. Destination computer name / IP addre…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Windows Defender Remote Credential Guard is available for Windows 10 and Windows Server 2016.Is there any way to check if Remote Credential Guard was used wi…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Change the ACL of the object on AD and check ADTimline. Use AD ACL Scanner as a tool to check the ACL of AD objects. AD Timeline-FIRST TC Page 22 has an entr…

Note:I translated Japanese into English using Google Translate.Thank you, Google. If NLA(Network Level Authentication) is enabled for RDP connection, event ID 4624 logon type 3 will be recorded in the security log. Is there a way to determ…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Windows 10: ID 1149 is recorded when Alice's account is successfully logged on via RDP. Windows 10: If you specify the RestrictedAdmin option, the u…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Check when the ID 4648 occurs. Runas,Overpass-the-Hash,NET USE,Task Scheduler(schtasks),PsExec,WMIC,PowerShell,Remote Desktop(mstsc) If authenticati…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Grant the access right of "AdminSDHolder" to Bob account, using DCshadow.The nTSecurityDescriptor of "AdminSDHolder" is recorded in the ADTimeline. …

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Delete the Bob account. I can check the change of isDeleted on the ADTimeline. Activate the AD recycle bin and delete the Bob account. The changing …

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I added the Bob account to the "Domain Admins" group and deleted it from the group. You can check this operation with ADTimeline. Run DCsync with Al…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I created an Alice account, added it to the Domain admins group, and confirmed it on the timeline. Next, I created a Bob account and logged on to th…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I added PC 1 to the example domain, but I could not find it on ADTimeline timeline. I created an Alice account and added it to the Domain Admins gro…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: I got some comments on Twitter about the previous contents. So I did a simple test using DCshadow. Updates of SIDHistory etc. are explained in detai…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Active Directory accounts have "When-Created" and "When-Changed" attributes. I am checking when those attributes are updated. However, I just starte…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Did you read "Daily Blog # 602: Solution Saturday 1/19/19"?, I read it and tested it on RDP connection. I ran the program via RDP and looked up the …

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: "Last Run Time" is displayed in the GUI of Task Scheduler, this value is saved in the registry. Several timestamps are stored in the "Dynamicinfo" v…