Parse Transactional Registry logs in 010 Editor using this template: https://gist.github.com/williballenthin/eeeb2796c112b9b12f09af782e7b91fb

Windows Scheduled Tasks uses the Transactional Registry to record tasks, so you can feasibly recover deleted tasks.

Used this to find APT28 lateral movement last week.