
A script to hunt for the simplest indicator that RCE was conducted via the Set-OABVirtualDirectory cmdlet. This is basic, but it should give you a good view of whether you have had someone SSRF to ECP and then hit the Set-OABVirtualAddress endpoint.

This is all use at your own risk - if you have a pwn3d system with a webshell and this doesn't line up, please let me know. I have tested this theory on a live system that had RCE as well as in the lab with a honeypot.
