Hi, I remember seeing a bashrc configuration a long time ago that allows one to log all the commands issued and lets the admin see what an attacker is doing. Is this possible in Windows? How else can we observe what an attacker is doing, other than to check if our defenses are functional?
Do I need to run Wireshark using a router/switch mirror/SPAN machine? Or is it OK to run Wireshark on the affected/attacked machine?
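The Windows counterpart of the bashrc command-logging trick, as an added example that is not part of the question above: the built-in auditing switches that record every process launch with its command line (Security event 4688) and every PowerShell script block that runs (event 4104), followed by a query that reads them back. It assumes an elevated PowerShell on a standalone host; on domain members these same settings are normally pushed by Group Policy.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.

# 1. Process Creation auditing (Event ID 4688 in the Security log), with the full
#    command line included in each event.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. PowerShell script block logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational): the closest equivalent to logging
#    every shell command from ~/.bashrc.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 3. Review: the last 50 process launches, with who started them, from which
#    parent, and with what command line.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['SubjectUserName']
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']
        }
    } | Format-Table -AutoSize

# 4. The most recent PowerShell script blocks that were executed
#    (Properties[2] of a 4104 event is the ScriptBlockText field).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 20 |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

Because an attacker with admin rights on the affected machine can clear or stop these logs, forward them off the host (Windows Event Forwarding or a SIEM agent) rather than reading them only locally, for the same reason that a SPAN port or TAP gives a more trustworthy packet capture than Wireshark on the compromised box itself.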