The first technique in the article discusses how to retrieve the PowerShell history for every user account via the 'ConsoleHost_History file' (typically enabled on Windows 10 endpoints) 2/6
The second leverages @EricRZimmerman's PECmd tool to examine Prefetch, an application caching system that we can use to evidence execution 3/6
The third technique levearges another @EricRZimmerman tool to parse Shimcache, originally designed to look for interoperability issues between Win versions and applications 4/6
The fourth technique leverages @velocidex / @scudette's Velociraptor tool to take an archeological dive into the USN Journal, which tracks changes to files and diretcories and more 5/6
@davisrichardg / @13CubedDFIR's videos were incredibly insightful when drafting this article, as they helped me concisely explain the mechanics behind these DFIR techniques.