File activity timeline with PowerShell
_______________________________________________________________________________

Time window:

Get-ChildItem -Path C:\Users -Recurse -Filter "*.*" -Force | Where-Object { $_.CreationTime -ge "06/26/2022 14:00" -and $_.CreationTime -le "06/26/2022 19:30" } | Select-Object FullName,CreationTime | Out-GridView

Get-ChildItem -Path C:\ProgramData -Recurse -Filter "*.*" -Force | Where-Object { $_.CreationTime -ge "06/26/2022 14:00" -and $_.CreationTime -le "06/26/2022 19:30" } | Select-Object FullName,CreationTime | Out-GridView

Point in time (everything created after the given date):

Get-ChildItem -Path C:\ -Recurse -Filter "*.*" -Force | Where-Object { $_.CreationTime -gt "06/26/2022" } | Select-Object FullName,CreationTime | Out-GridView

Zimmerman Tools (EZ Tools)
_______________________________________________________________________________

Prefetch reader:

D:\eztools\PECmd.exe -f "C:\Windows\Prefetch\SCHTASKS.EXE-5CA45734.pf" | Out-GridView

Live forensics problem: the last-access timestamp shows the most recent access, not the attack.

D:\eztools\PECmd.exe -f "C:\windows\prefetch\POWERSHELL.EXE-920BBA2A.pf" | Out-GridView

PowerForensics module
_______________________________________________________________________________

Install-Module -Name PowerForensics
Get-ForensicTimeline -VolumeName C: | Out-GridView

WMI commands
_______________________________________________________________________________

Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

Examine C:\Windows\System32\wbem\Repository\OBJECTS.DATA
_______________________________________________________________________________

editor.exe C:\Windows\System32\wbem\Repository\OBJECTS.DATA
Search for "Powershell"

Decoding Base64-encoded PowerShell commands
_______________________________________________________________________________

[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("SQB......=="));

Locations of artifacts
_______________________________________________________________________________

C:\ProgramData\autobackup.bat
C:\Windows\System32\Tasks\autobackup
C:\windows\prefetch\SCHTASKS.EXE-5CA45734.pf
C:\windows\prefetch\POWERSHELL.EXE-920BBA2A.pf
C:\Users\Nutzer1\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\Users\Nutzer1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autobackup.bat
C:\Windows\System32\wbem\Repository\OBJECTS.DATA
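The file-timeline section above runs one Get-ChildItem per root and only looks at CreationTime. The following function is an added example, not part of the original cheat sheet: it walks several roots in one pass, emits one row per timestamp (creation and last write) that falls inside the window, and exports the result as CSV so it can be merged with other timelines. The roots, the window and the output path are constructed sample values.

```powershell
# Added example (not from the original cheat sheet): creation/last-write timeline
# across several roots for one time window, exported as CSV.
function Get-FileTimeline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [datetime] $Start,
        [datetime] $End = (Get-Date)
    )

    foreach ($root in $Path) {
        # -Force includes hidden and system files. Access-denied errors on
        # protected profile folders are suppressed instead of aborting the run.
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # One row per timestamp kind, so creation and last write can be
                # sorted on a single Timestamp column. LastAccessTime is deliberately
                # not used: enumerating and opening files on a live system changes it.
                foreach ($kind in 'CreationTime', 'LastWriteTime') {
                    $ts = $_.$kind
                    if ($ts -ge $Start -and $ts -le $End) {
                        [pscustomobject]@{
                            Timestamp = $ts
                            Event     = $kind
                            FullName  = $_.FullName
                            Length    = $_.Length
                        }
                    }
                }
            }
    }
}

# Sample invocation with the window from the cheat sheet (constructed roots and output path).
# ISO-style date strings avoid the month/day ambiguity of "06/26/2022" on non-US systems.
$timeline = Get-FileTimeline -Path 'C:\Users', 'C:\ProgramData', 'C:\Windows\System32\Tasks' `
                             -Start '2022-06-26 14:00' -End '2022-06-26 19:30' |
            Sort-Object Timestamp

$timeline | Export-Csv -Path "$env:TEMP\file-timeline.csv" -NoTypeInformation
$timeline | Out-GridView -Title 'File timeline'
```

A CSV keyed on Timestamp/Event can be combined directly with the PECmd and Get-ForensicTimeline output from the other sections; keeping the Event column makes it visible whether a hit is a file that was created in the window or an existing file that was modified in it.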
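The three Get-WMIObject calls in the WMI section and the one-line Base64 decoder above are usually used together: a binding points at a filter and a consumer, and a CommandLineEventConsumer often carries an encoded PowerShell payload. The script below is an added example, not part of the original cheat sheet. It joins each binding to its filter and consumer in one row and decodes any -EncodedCommand blob found in the consumer's command line. It uses Get-CimInstance (the modern equivalent of Get-WMIObject); the regex, the helper names and the sample command line are constructed for this example.

```powershell
# Added example (not from the original cheat sheet): one row per WMI event
# subscription, with encoded PowerShell payloads decoded.
function ConvertFrom-EncodedPowerShell {
    param([Parameter(Mandatory)] [string] $Base64)
    # -EncodedCommand payloads are UTF-16LE, hence Unicode rather than UTF8.
    [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Base64))
}

function Get-EncodedCommandsFromText {
    param([string] $Text)
    # Constructed pattern: -e / -enc / -EncodedCommand followed by a Base64 blob.
    $pattern = '(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        ConvertFrom-EncodedPowerShell -Base64 $m.Groups[1].Value
    }
}

function Get-WmiSubscriptionReport {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns derived classes too

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Filter and Consumer are reference properties; match them on class and key (Name).
        $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $consumer = $consumers | Where-Object {
            $_.Name -eq $b.Consumer.Name -and
            $_.CimClass.CimClassName -eq $b.Consumer.CimClass.CimClassName
        }

        # Only CommandLineEventConsumer has CommandLineTemplate; $null otherwise.
        $cmd = $consumer.CommandLineTemplate
        [pscustomobject]@{
            FilterName    = $filter.Name
            Query         = $filter.Query
            ConsumerClass = $consumer.CimClass.CimClassName
            ConsumerName  = $consumer.Name
            CommandLine   = $cmd
            Decoded       = if ($cmd) { (Get-EncodedCommandsFromText -Text $cmd) -join "`n" } else { $null }
        }
    }
}

# Constructed sample: a command line in the shape a consumer template would have,
# used here only to exercise the decoder offline.
$sampleEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host hello'))
Get-EncodedCommandsFromText -Text "powershell.exe -NoP -W Hidden -enc $sampleEncoded"

# Live enumeration of the subscription namespace on this host.
Get-WmiSubscriptionReport | Out-GridView -Title 'WMI event subscriptions'
```

The live query and the string search in OBJECTS.DATA from the section above complement each other: the query shows what the WMI service currently reports, while the on-disk repository is where the same filters and consumers are persisted and can be searched without relying on the running service.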