EventFinder2
Finds event logs between two time points. Useful for helpdesk/support/malware analysis.
You might want to start by using something to build a timeline around the hour that you have to look at. You can use this to extract ALL evtx logs from that timeframe and put them in temporal order. If you aren't used to digging through these though, you're going to find a lot of things that look suspicious, but aren't. You'll have to do some baselining for what is in your environment. https://github.com/BeanBagKing/EventFinder2
In the future, capture memory first. Everything else won't just disappear; memory is gone once you shut the machine down though. Also, look at increasing the logging on your systems. Use sysmon / https://github.com/SwiftOnSecurity/sysmon-config, enable firewall logging, enable command line logging, etc. I'll try to do a post on baseline logging; keep an eye on nullsec.us for the next article.
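The "extract every evtx log between two time points and put it in temporal order" step, written out as an added PowerShell example. This is not EventFinder2's code and not part of the original comment; the evidence folder, output path and the one-hour window are assumed values, and it assumes the .evtx files were copied off the machine (or are read in place on it) with Get-WinEvent available.

```powershell
# Added example (not EventFinder2's own code): build a single timeline from every
# exported .evtx file whose events fall between two time points.
# Assumptions: logs sit under C:\evidence\evtx\ (example path), output CSV path is an example.
function Get-EventTimeline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $EvtxFolder,   # folder holding *.evtx files
        [Parameter(Mandatory)] [datetime] $Start,        # window start, local time
        [Parameter(Mandatory)] [datetime] $End,          # window end, local time
        [string] $OutCsv                                 # optional CSV for the timeline
    )

    # Every exported log, including ones in subfolders (Security, System, Sysmon/Operational, ...).
    $files = Get-ChildItem -Path $EvtxFolder -Filter *.evtx -File -Recurse

    $events = foreach ($f in $files) {
        $logFile = $f.Name
        # StartTime/EndTime are applied by the event log provider, so only events inside the
        # window are materialised. A log with no matching events raises a "No events were found"
        # error, which is noise for this purpose, hence -ErrorAction SilentlyContinue.
        Get-WinEvent -FilterHashtable @{ Path = $f.FullName; StartTime = $Start; EndTime = $End } `
                     -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'TimeUtc'; e = { $_.TimeCreated.ToUniversalTime() } },
                          @{ n = 'LogFile'; e = { $logFile } },
                          Id, ProviderName, RecordId, MachineName,
                          @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
    }

    # Temporal order across all logs; RecordId breaks ties for events logged in the same instant.
    $timeline = $events | Sort-Object TimeUtc, LogFile, RecordId

    if ($OutCsv) {
        $timeline | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
    }
    return $timeline
}

# Usage: the hour the ticket points at, given in local time (Get-WinEvent compares against
# TimeCreated in local time, so the window is passed as local time and normalised to UTC on output).
$tl = Get-EventTimeline -EvtxFolder 'C:\evidence\evtx' `
                        -Start (Get-Date '2024-03-05 14:00') `
                        -End   (Get-Date '2024-03-05 15:00') `
                        -OutCsv 'C:\evidence\timeline.csv'

# First pass at baselining: which (log, event id) pairs dominate the window. Anything that is
# both rare here and absent from a quiet hour on a comparable machine is worth reading first.
$tl | Group-Object LogFile, Id | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Two things to know when running this against logs copied off another machine: the Message column is rendered from the provider's message resources, so on an analysis box without that provider installed it can come back empty (Id, ProviderName and RecordId are still reliable for sorting and for looking the event up), and the timestamps are written out in UTC so the CSV can be lined up against memory-analysis or network evidence that is also in UTC.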