Wimdows 5 - author: deltabluejay - forensics

WriteUp: Hadarios, Eliot, Rubisk and tinderbox.

In the Sysmon logs, we find a registry modification event which indicates a modification of the Sticky Keys registry entry to spawn cmd.exe, and the flag is in the comment.

We used the following command first to find it: Get-WinEvent | Where-Object { $_.Message -like "*byuctf*" }
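As an added example of a defender-side query (not the write-up's own command), the following narrows the search to Sysmon registry value-set events and decodes their fields instead of string-matching the whole message. The Sysmon log name, Event ID 13 and the sethc.exe Image File Execution Options path are assumptions drawn from the well-known Sticky Keys technique, not values taken from this page.

```powershell
# Added example, not part of the original write-up.
# Assumptions: Sysmon is installed with its default log name, registry "value set"
# events are logged as Sysmon Event ID 13, and Sticky Keys abuse sets a Debugger value
# under the Image File Execution Options key for sethc.exe.
$filter = @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 13   # Sysmon RegistryEvent (Value Set)
}
# For an exported .evtx file, replace LogName with: Path = 'C:\path\to\sysmon.evtx'

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Sysmon stores each field as a <Data Name="..."> element in the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            Image        = $data['Image']         # process that wrote the value
            TargetObject = $data['TargetObject']  # registry path that was written
            Details      = $data['Details']       # new value data (e.g. a debugger command line)
        }
    } |
    Where-Object {
        # Flag writes to the sethc.exe IFEO key, or any value whose data launches cmd.exe
        $_.TargetObject -like '*Image File Execution Options\sethc.exe*' -or
        $_.Details -like '*cmd.exe*'
    } |
    Format-List
```

The Details field is where a planted debugger command line (and, in this challenge, the commented flag) would appear.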