Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Windows 10: ID 1149 is recorded when Alice's account is successfully logged on via RDP. Windows 10: If you specify the RestrictedAdmin option, the u…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Check when the ID 4648 occurs. Runas,Overpass-the-Hash,NET USE,Task Scheduler(schtasks),PsExec,WMIC,PowerShell,Remote Desktop(mstsc) If authenticati…

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Grant the access right of "AdminSDHolder" to Bob account, using DCshadow.The nTSecurityDescriptor of "AdminSDHolder" is recorded in the ADTimeline. …

Note:I translated Japanese into English using Google Translate.Thank you, Google. Summary: Delete the Bob account. I can check the change of isDeleted on the ADTimeline. Activate the AD recycle bin and delete the Bob account. The changing …