Download and unzip the file and check the hint:
Hint: Our CEO's computer was compromised in a phishing attack. The attackers took care to clear the PowerShell logs, so we don't know what they executed. Can you help us?
Files: 325 files/folders
We need to look through these evtx files for PowerShell events, and those live in the PowerShell Operational.evtx file.
Invoke-Mimikatz in the very first event!?! Looking at the event IDs, we need to filter out all of the 40962, 40961, 53504 and 4100 events. We do that with the - (minus) exclusion in the ID filter:
-40962, -40961, -53504, -4100
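The same exclusion filter applied outside the viewer, as an added example that is not part of the original write-up: a small Python script that reads records exported from the PowerShell Operational log as XML (the shape produced by wevtutil qe /f:xml or python-evtx), drops the four noisy IDs above and returns what is left, so the 4104 script block entries stand out. The sample records are constructed for the example and carry far fewer fields than a real export.

```python
import xml.etree.ElementTree as ET

# Event IDs the write-up excludes as noise in the PowerShell Operational log.
NOISE_IDS = {40962, 40961, 53504, 4100}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not from the challenge) in the XML layout that
# wevtutil / python-evtx emit; a real export has many more System fields.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>40962</EventID></System>
  <EventData><Data Name="param1">PowerShell console is ready</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID></System>
  <EventData><Data Name="ScriptBlockText">Invoke-Mimikatz</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4100</EventID></System>
  <EventData><Data Name="ContextInfo">Severity = Warning</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID></System>
  <EventData><Data Name="ScriptBlockText">Get-Process</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return (event_id, {data_name: value}) for every <Event> in log order."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((eid, data))
    return events


def surviving_events(xml_text, noise=NOISE_IDS):
    """Apply the write-up's filter: keep records whose ID is not in the noise set."""
    return [(eid, d) for eid, d in parse_events(xml_text) if eid not in noise]


def first_script_block(xml_text):
    """ScriptBlockText of the first 4104 record left after filtering, or None."""
    for eid, d in surviving_events(xml_text):
        if eid == 4104 and "ScriptBlockText" in d:
            return d["ScriptBlockText"]
    return None


if __name__ == "__main__":
    for eid, d in surviving_events(SAMPLE_XML):
        print(eid, d.get("ScriptBlockText", d))
```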
Challenge was easier than expected.