I Tracked an Attacker Who Typed 'ls' on a Windows Server
The attacker scanned a Joomla website with 17,547 requests, brute-forced the admin panel with 412 passwords in under two seconds, uploaded an encrypted PHP backdoor, got a shell, and typed ls.
On a Wi
splunk-threat-hunt.hashnode.dev, 3 min read