We are going to assume that the hash for the Administrator account with SID 500 has been compromised and is being used as shown in the screenshot below:
It can also be observed that port 3389 is used for the payload, because TCP port 3389 outbound is open by default on Windows 7. With the above settings configured, the exploit is executed and successfully connects. Below are the event logs generated on Windows 7 when the above actions are taken.
Event ID 4776 is created and identifies the connecting computer. Monitoring this event for a non-standard workstation name in the "Source Workstation" field can help identify the intrusion.
Event ID 5145 identifies whether the authenticated account has the appropriate rights to add or write a file to the network share. Here the file "HoUGhAVh.exe" was written to the c:\windows directory.
Event ID 4688 identifies that a new process was created by the above executable saved in c:\windows. A further process is then created with rundll32.exe from c:\windows\system32. This event is also generated when a command shell is opened from meterpreter, and any commands executed inside that shell can likewise be observed through event ID 4688.
Event ID 4689 shows the exit of the process with the random executable name in the windows directory.
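The 4776 / 5145 / 4688 / 4689 chain described above can be correlated in a single pass over the Security log. The following is an added detection example, not part of the original post; the event records are constructed to mirror the fields discussed (the workstation name "KALI" and the known-workstation list are assumptions), and the detection keys on the one fact the text establishes: a binary written over an admin share straight into C:\Windows, then executed and exited.

```python
import re

# Constructed sample events modelled on the Security log fields discussed above
# (not real log extracts). Field names follow the Windows event XML EventData.
SAMPLE_EVENTS = [
    {"id": 4776, "TargetUserName": "Administrator", "Workstation": "KALI"},
    {"id": 5145, "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "HoUGhAVh.exe",
     "AccessMask": 0x12019F},
    {"id": 4688, "NewProcessName": r"C:\Windows\HoUGhAVh.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessName": r"C:\Windows\HoUGhAVh.exe"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\rundll32.exe"},
    {"id": 4689, "ProcessName": r"C:\Windows\HoUGhAVh.exe"},
]
KNOWN_WORKSTATIONS = {"WS01", "WS02"}  # assumed inventory of legitimate hosts

# A binary dropped directly into C:\Windows with a random 8-letter name
RANDOM_EXE = re.compile(r"^C:\\Windows\\[A-Za-z]{8}\.exe$", re.IGNORECASE)
FILE_WRITE_DATA = 0x2          # write bit inside the 5145 AccessMask
ADMIN_SHARES = ("ADMIN$", "C$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events, known_workstations):
    """Return one finding string per suspicious event, in log order."""
    findings = []
    dropped = set()  # executables seen being written over an admin share (5145)
    for e in events:
        if e["id"] == 4776 and e["Workstation"] not in known_workstations:
            findings.append(f"4776: {e['TargetUserName']} authenticated from unknown workstation {e['Workstation']}")
        elif e["id"] == 5145:
            share = basename(e["ShareName"]).upper()
            if share in ADMIN_SHARES and e["AccessMask"] & FILE_WRITE_DATA \
                    and e["RelativeTargetName"].lower().endswith(".exe"):
                dropped.add(e["RelativeTargetName"].lower())
                findings.append(f"5145: {e['RelativeTargetName']} written via {share}")
        elif e["id"] == 4688:
            new, parent = e["NewProcessName"], e["ParentProcessName"]
            if RANDOM_EXE.match(new) or basename(new) in dropped:
                findings.append(f"4688: dropped binary started: {new}")
            elif RANDOM_EXE.match(parent) or basename(parent) in dropped:
                findings.append(f"4688: {new} spawned by dropped binary {parent}")
        elif e["id"] == 4689 and basename(e["ProcessName"]) in dropped:
            findings.append(f"4689: dropped binary exited: {e['ProcessName']}")
    return findings

if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS, KNOWN_WORKSTATIONS):
        print(line)
```

The cmd.exe event is deliberately left unflagged here: once rundll32.exe is tied to the dropped binary, a real pipeline would carry that taint down to its children so the shell commands described above are attributed to the same intrusion.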