We covered the incident response process and the steps taken to investigate and recover an infected Windows Active Directory system. We used PowerView and Event Viewer to investigate the actions taken by the attacker, such as users created or modified and group policy changes, and other event details such as date and time. This was part of the TryHackMe Recovering Active Directory room.
Full writeup and room questions can be found here.
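The Event Viewer part of that investigation can also be scripted. The following is an added example, not taken from the room or the video: it builds a timeline of account, group membership and directory object changes from a domain controller's Security log. The event IDs are the standard Windows auditing IDs; the 7-day window and the variable names are assumptions.

```powershell
# Added example: timeline of account, group and GPO changes from the Security log.
# Run in an elevated session on a domain controller. The 7-day window is an assumption.
$since = (Get-Date).AddDays(-7)

# Event ID -> meaning (standard Windows Security auditing IDs)
$ids = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4738 = 'User account changed'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
    5136 = 'Directory object modified'
}

$timeline = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = [int[]]@($ids.Keys)
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a lookup table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $isDsChange = $_.Id -eq 5136
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Action      = $ids[$_.Id]
            # Account that performed the change
            Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            # 5136 names its target by ObjectDN; account and group events use TargetUserName
            Target      = if ($isDsChange) { $data['ObjectDN'] } else { $data['TargetUserName'] }
            # For 5136: object class and changed attribute; for group events: the added member
            Detail      = if ($isDsChange) { '{0}: {1}' -f $data['ObjectClass'], $data['AttributeLDAPDisplayName'] }
                          else { $data['MemberName'] }
        }
    } | Sort-Object TimeCreated

# Full timeline, oldest first
$timeline | Format-Table -AutoSize

# Group Policy edits only: 5136 events on groupPolicyContainer objects
$timeline | Where-Object { $_.EventId -eq 5136 -and $_.Detail -like 'groupPolicyContainer:*' }
```

Event 5136 is only logged when Directory Service Changes auditing is enabled, and the account events depend on account management auditing, so an empty result does not by itself mean nothing was changed.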