joachimmetz
commented
8 years ago - [x] script to read eventlogs and message strings directly from images
- extract script
- [ ] script to analyze logon/logoff (e.g. event id 4624)
- http://social.technet.microsoft.com/wiki/contents/articles/17055.event-ids-when-a-new-user-account-is-created-on-active-directory.aspx
- add Registry key access (id 4663)
- [ ] script to analyze process start/stop