AWELA — Advanced Windows Event Log Analysis Field Manual

AWELA

Advanced Windows Event Log Analysis

Field Manual — Triage, Investigation & Detection Reference

by: Steven Stone, RedSheep Security

First Edition — 2026

Copyright & Legal

AWELA: Advanced Windows Event Log Analysis Field Manual
First Edition, 2026

No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.

For permission requests, contact:
contact@redsheepsec.com

Disclaimer: This field manual is provided for educational and professional reference purposes only. The information contained herein is provided "as-is" without warranty of any kind, express or implied. The author and publisher assume no responsibility for errors, omissions, or damages resulting from the use of the information contained within. The detection queries, techniques, and procedures described are intended for authorized security operations, threat hunting, incident response, and defensive cybersecurity purposes only. Always ensure you have proper authorization before conducting any security testing or investigation activities. This publication does not constitute legal, professional, or compliance advice. Every environment is different. The queries in this book follow the Splunk Common Information Model (CIM) as closely as possible and the underlying logic is sound, but field names and index references may need to be adjusted to match your environment's specific configuration.

Trademarks: Splunk, MITRE ATT&CK, Cobalt Strike, Windows, Sysmon, and all other product names referenced herein are trademarks of their respective owners. Their use in this publication is for identification and reference purposes only and does not imply endorsement.

Version: 1.0
Published: 2026
Website: redsheepsec.com

How to Use This Manual

AWELA is a field reference — not a textbook. It's designed to be opened during an active investigation, hunt, or detection build, not read cover to cover.

Structure

Parts I–III: Investigation workflow — playbooks, pivot maps, triage checklists, baselines, attack detection. Start here during an active investigation.
Part IV: Foundations — ETW architecture and log integrity. Read once to understand the telemetry layer.
Parts V–IX: Event log reference — Security, System, PowerShell, Application, and Sysmon event IDs with deep dives. Flip to these when you need field definitions, detection queries, or hunt techniques for a specific event.

Conventions

SPL Queries: All detection queries are written in Splunk SPL. Adapt for Elastic KQL, Microsoft Sentinel KQL, or other SIEMs as needed. Field names follow CIM conventions where possible.
CRITICAL: Drop everything. Active breach indicators requiring immediate response.
HIGH: Investigate within 1 hour. Confirmed or likely malicious activity.
MEDIUM: Investigate same shift. Suspicious but context-dependent.
LOW: Review next business day. Low confidence or policy-level.

Assumptions

You have access to a SIEM with Windows event log ingestion
Sysmon is deployed (many detections require it — sections note when Sysmon is required vs optional)
Windows audit policies are configured to generate the referenced events (especially command-line logging for 4688)
You are authorized to perform the described security operations in your environment

Feedback & Corrections

Found an error? Have a detection query that should be included? Contact contact@redsheepsec.com.

Part I — Investigation & Triage Framework

1. Triage Priority Matrix 2. Log Source Decision Tree 3. Pivot Field Maps 4. Investigation Timeline Reconstruction 5. Playbook: Compromised Account 6. Playbook: Malware Execution 7. Playbook: Lateral Movement 8. Playbook: Credential Dumping 9. Playbook: Ransomware Precursors 10. Playbook: Data Staging & Exfiltration 11. Playbook: Insider Threat 12. Common False Positive Guide 13. MITRE ATT&CK Event Mapping 14. Quick Triage Checklists

Part II — Process & System Baselines

15. Windows Process Baseline 16. Suspicious Parent-Child Relationships 17. LOLBins Detection Reference 18. Dangerous Privileges Reference 19. Beaconing Interval Reference

Part III — Advanced Attack Detection

20. Token Manipulation & Privilege Escalation 21. .NET Assembly / Execute-Assembly Detection 22. Service Abuse Detection 23. COM Object Hijacking 24. DPAPI Backup Key Hunting 25. WMI Persistence Forensics 26. BITS Abuse Detection 27. Active Directory Attack Patterns 28. Scheduled Task Forensics — Beyond Event 4698 29. Incident Severity Matrix 30. Registry Persistence — Top Keys 31. ShimDB Persistence 32. Code Signing Forensics 33. WEF Architecture & Blind Spot Detection 34. Sigma-to-SPL Translation Reference 35. AMSI Content & Tool Identification

Part IV — Foundations

36. ETW (Event Tracing for Windows) 37. EVTX Integrity & Log Manipulation Detection

Part V — Windows Security Event Log

38. Authentication Events (4624, 4625) 39. Logon Events Deep Dive (4624/4625) 40. Account Management Events 41. Kerberos Events 42. Kerberos Deep Dive 43. Object Access & Audit Events 44. Event 4662 — GUID Decoding 45. Policy, System & Process Events 46. Event 4688 Deep Dive — Hunting Without Sysmon 47. Scheduled Task XML Dissection (Event 4698) 48. Share & Network Events 49. Event 5145 Deep Dive — Lateral Movement at File Level 50. Directory Service Events 51. Certificate Services & GPO Events

Part VI — Windows System Event Log

52. Core System Events 53. NTLM Operational Log 54. Print Service & PrintNightmare

Part VII — PowerShell Event Log

55. PowerShell Operational Events 56. PowerShell Logging Deep Dive 57. AMSI Bypass Detection

Part VIII — Application & Operational Logs

58. Application Error & Installer Events 59. Windows Defender Events 60. Task Scheduler Operational Events 61. WMI Events 62. BITS Client Events 63. Remote Desktop Events 64. Windows Firewall Events 65. AppLocker Events 66. DNS Client Events

Part IX — Sysmon Event Log

67. Sysmon Complete Event ID Reference 68. Event 10 — LSASS Credential Theft Detection 69. Event 1 — Advanced Process Analysis 70. Event 7 — DLL Side-Loading & BYOVD 71. Event 22 — Per-Process DNS Hunting 72. Event 25 — Process Tampering 73. Event 3 — Network Connection Hunting 74. Events 17/18 — Named Pipes 75. Event 15 — Alternate Data Streams 76. Cross-Event Correlation Patterns 77. Sysmon Configuration Best Practices

PART I — INVESTIGATION & TRIAGE FRAMEWORK

1. Triage Priority Matrix

Priority is based on event combinations, not individual events. Work top to bottom.

P1 — Drop Everything (Active Breach Indicators)

Signal Combination	What It Means	First Action
Event 10 (LSASS) + GrantedAccess 0x143A/0x1038 + CallTrace UNKNOWN	In-memory credential dumping (Mimikatz/shellcode)	Isolate host, preserve memory
Event 4662 (DCSync GUIDs) from non-DC source	Domain credential extraction in progress	Disable source account, isolate host
Event 5145 (drsuapi pipe) from workstation	DCSync at network level	Block source IP at firewall
Event 25 (ProcessTampering) + Event 3 (external connection)	Hollowed process calling out to C2	Isolate host, capture PCAP
Event 4688/Sysmon 1: vssadmin delete shadows + bcdedit recoveryenabled no	Ransomware detonation imminent	Isolate host AND check lateral spread
Event 1102 (audit log cleared) + Event 7045 (new service) within 5 min	Active attacker covering tracks while persisting	Isolate host, pull backup logs from SIEM

P2 — Investigate Within 1 Hour

Signal Combination	What It Means	First Action
Event 4624 Type 3 (NTLM) to multiple hosts from single source in <15 min	Lateral movement spray (PtH)	Identify source, check for 4648
Event 7045 (new service) with ImagePath containing cmd/powershell/temp path	Persistence via malicious service	Identify service binary, check parent
Event 5001 (Defender disabled) + Event 4688 (process from temp dir)	Attacker disabling AV before payload	Check what ran after Defender disabled
Event 4698 (sched task) with Hidden=true or RegistrationTrigger	Covert persistence or immediate execution	Parse TaskContent XML for payload
Sysmon 8 (CreateRemoteThread) into svchost/explorer/lsass	Process injection	Check source process, look for Event 3
Event 4769 with RC4 (0x17) — 5+ unique SPNs from one source in 5 min	Active Kerberoasting	Identify source account, check if compromised

P3 — Investigate Same Shift

Signal Combination	What It Means	First Action
Event 4720 (user created) by non-admin or outside change window	Possible backdoor account	Verify with account owner/change ticket
Event 4728/4732/4756 (group membership change) to admin groups	Privilege escalation or admin change	Verify with IAM team
Sysmon 6 (driver load) unsigned or from user-writable path	Possible BYOVD	Hash check against LOLDrivers
Event 4104 with download cradle patterns (IEX + IWR/Net.WebClient)	PowerShell downloading and executing	Check URL reputation, examine full script
Event 5145 mass samr/lsarpc/srvsvc from single source	AD enumeration (BloodHound-like)	Identify source account, check legitimacy
Sysmon 3 from LOLBin to external IP (certutil, mshta, rundll32)	Living-off-the-land download	Check destination IP/domain reputation

P4 — Review Next Business Day

Signal	What It Means	Action
Single Event 4625 from known IP range	Likely mistyped password	Only investigate if pattern emerges
Event 7040 (service start type changed) for known software	Software update changed service config	Verify against patch schedule
Event 4104 with Get-ADUser/Get-Process (no download/exec)	Admin recon or scripted inventory	Verify with user
Sysmon 22 (DNS) from browser to rare domain	User browsing, possibly risky site	Check domain reputation

2. Log Source Decision Tree

Check log sources in this order based on investigation type.

Investigation Type	Check First	Check Second	Check Third	Supporting
Account Compromise	Security (4624/4625/4648)	Security (4768/4769/4771)	Sysmon 1 (what ran under the account)	NTLM log (8001-8004), Security (4720/4728)
Malware Execution	Sysmon 1 (process tree)	Sysmon 7 (DLL loads), 11 (file drops)	Sysmon 3/22 (network/DNS)	Defender (1116/1117), AppLocker (8004)
Lateral Movement	Security (4624 Type 3/10, 5145)	Sysmon 17/18 (named pipes)	Security 4697 / System 7045	Sysmon 3, RDP logs (21-25)
Credential Theft	Sysmon 10 (LSASS access)	Security (4662 DCSync, 4768/4769)	Sysmon 1 (dumping tools)	Security (4672 SeDebugPrivilege)
Persistence	Sysmon 13 (registry), 12 (key create)	Security 4698 sched task / System 7045 service	Sysmon 19-21 (WMI)	Task Scheduler (106/140), Sysmon 6 (drivers)
Defense Evasion	Defender (5001/5007), Sysmon 4/16	Security (1102/4719 log clear/audit change)	Sysmon 25 (process tampering)	Sysmon 2 (timestomping), PS 4104 (AMSI bypass)
Data Exfiltration	Sysmon 3 (outbound connections)	Sysmon 11 (archive creation)	Sysmon 1 (rar/7z/zip commands)	BITS (3/4/59), Sysmon 15 (ADS)
Insider Threat	Security (5145 file share access)	Print Service (307), USB (6416)	Sysmon 11 (file staging)	RDP (21-25), Security (4663 object access)

3. Pivot Field Maps

Chain events using shared fields. Find something suspicious → pivot to the next event.

Authentication Chain

From Event	Pivot Field	To Event	What You Learn
4768 (TGT Request)	`TargetUserName + IpAddress + time`	4624 (Logon Success)	Which logon session came from this TGT
4624 (Logon)	`TargetLogonId`	4688 (Process Created)	Every process the user ran in this session
4624 (Logon)	`TargetLogonId`	5140/5145 (Share Access)	What shares/files the session accessed
4624 (Logon)	`TargetLogonId`	4634 (Logoff)	Session duration
4624 (Logon)	`IpAddress`	4625 (Logon Failure)	Failed attempts from same source
4624 (Logon)	`TargetUserName + IpAddress`	4769 (TGS Request)	What services the user requested tickets for
4625 (Failure)	`IpAddress + time window`	4624 (Success)	Did brute force eventually succeed?

Process Chain

From Event	Pivot Field	To Event	What You Learn
Sysmon 1 (ProcessCreate)	`ProcessId`	Sysmon 3 (NetworkConnect)	What network connections this process made
Sysmon 1 (ProcessCreate)	`ProcessId`	Sysmon 7 (ImageLoad)	What DLLs this process loaded
Sysmon 1 (ProcessCreate)	`ProcessId → SourceProcessId`	Sysmon 10 (ProcessAccess)	What other processes this one opened
Sysmon 1 (ProcessCreate)	`ProcessId`	Sysmon 11 (FileCreate)	What files this process dropped
Sysmon 1 (ProcessCreate)	`ProcessId`	Sysmon 12/13 (Registry)	What registry changes this process made
Sysmon 1 (ProcessCreate)	`ProcessId`	Sysmon 22 (DNSEvent)	What domains this process resolved
Sysmon 1 (ProcessCreate)	`ParentProcessId`	Sysmon 1 (parent)	What launched this process (walk up the tree)
Sysmon 1 (ProcessCreate)	`LogonId`	4624 (Logon)	Which logon session owns this process

Network Chain

From Event	Pivot Field	To Event	What You Learn
Sysmon 22 (DNS Query)	`QueryName → resolved IP`	Sysmon 3 (NetworkConnect)	Which process connected after resolving
Sysmon 3 (NetworkConnect)	`DestinationIp`	Threat Intel Lookup	IP reputation, known C2
Sysmon 3 (NetworkConnect)	`ProcessId`	Sysmon 1 (ProcessCreate)	What process made this connection
5145 (Share Access)	`IpAddress`	4624 (Logon) on source	Who was logged in on the source machine

Persistence Chain

From Event	Pivot Field	To Event	What You Learn
Sysmon 13 (Registry Set)	`Image (ProcessId)`	Sysmon 1 (ProcessCreate)	What process wrote the registry key
7045 (Service Install)	`ImagePath`	Sysmon 1 (matching Image)	When the service binary actually ran
4698 (Sched Task)	`TaskContent → Command`	Sysmon 1 (matching Image/CLI)	When the task payload executed
Sysmon 19-21 (WMI)	`Consumer details`	Sysmon 1 (triggered process)	What the WMI subscription launched

4. Investigation Timeline Reconstruction

Build a chronological event chain from anchor to full scope.

Step 1: Identify Your Anchor Event

Start with the anchor event. Extract these fields:

Anchor Type	Key Fields to Extract
Alert on a user	`TargetUserName`, `TargetLogonId`, `IpAddress`
Alert on a process	`ProcessId`, `Image`, `ParentProcessId`, `LogonId`
Alert on a host	`Computer`, time window
Alert on an IP	`IpAddress` / `DestinationIp`, time window

Step 2: Expand Backward (How Did We Get Here?)

# From a suspicious process — walk up the process tree
index=sysmon EventCode=1 Computer="HOST" ProcessId="SUSPECT_PID"
| table _time, Image, CommandLine, ParentImage, ParentProcessId, LogonId, User

# Then find the parent
index=sysmon EventCode=1 Computer="HOST" ProcessId="PARENT_PID"
| table _time, Image, CommandLine, ParentImage, ParentProcessId

# From a LogonId — find the original logon
index=wineventlog EventCode=4624 Computer="HOST" TargetLogonId="0xABC123"
| table _time, TargetUserName, LogonType, IpAddress, AuthenticationPackageName, WorkstationName

Step 3: Expand Forward (What Happened Next?)

# All activity in a logon session
index=wineventlog (TargetLogonId="0xABC123" OR SubjectLogonId="0xABC123") Computer="HOST"
| sort _time
| table _time, EventCode, TargetUserName, SubjectUserName

# All processes spawned by a parent
index=sysmon EventCode=1 Computer="HOST" ParentProcessId="SUSPECT_PID"
| sort _time
| table _time, Image, CommandLine, ProcessId

# All network connections from a process
index=sysmon EventCode=3 Computer="HOST" ProcessId="SUSPECT_PID"
| table _time, DestinationIp, DestinationPort, Initiated

Step 4: Build the Unified Timeline

# Full session reconstruction: logon → activity → logoff
index=wineventlog Computer="HOST"
  (EventCode IN (4624,4634,4672,4688,4698,5140,5145,1102)
   AND (TargetLogonId="0xABC123" OR SubjectLogonId="0xABC123"))
  OR EventCode=7045
# NOTE: 7045 (System log) has no LogonId — included unfiltered, correlate by time
| append
  [search index=sysmon Computer="HOST" LogonId="0xABC123"
   EventCode IN (1,3,7,10,11,13,22)]
| sort _time
| eval event_type=case(
    EventCode=4624, "LOGON",
    EventCode=4634, "LOGOFF",
    EventCode=4688 OR EventCode=1, "PROCESS",
    EventCode=3, "NETWORK",
    EventCode=5140 OR EventCode=5145, "SHARE_ACCESS",
    EventCode=10, "PROCESS_ACCESS",
    EventCode=13, "REGISTRY",
    EventCode=22, "DNS",
    EventCode=7045, "SERVICE_INSTALL",
    EventCode=4698, "SCHED_TASK",
    1=1, "OTHER"
  )
| eval Image=coalesce(Image, NewProcessName)
| table _time, event_type, EventCode, Image, CommandLine, TargetImage,
    DestinationIp, ShareName, RelativeTargetName, TargetObject, QueryName

Step 5: Expand to Other Hosts

# If lateral movement detected — find where they went
index=wineventlog EventCode=4624 LogonType IN (3,10) IpAddress="SOURCE_IP"
| stats count, values(LogonType) as logon_types, earliest(_time) as first_seen, latest(_time) as last_seen by Computer, TargetUserName
| sort first_seen

# Then repeat Steps 2-4 on each target host

5. Playbook: Compromised Account

Trigger: Suspicious logon activity, impossible travel, credential leak notification

Phase 1: Scope the Compromise (15 min)

# 1. Find all logon activity for this account (last 7 days)
index=wineventlog EventCode=4624 TargetUserName="SUSPECT_USER"
| stats count by Computer, LogonType, IpAddress, AuthenticationPackageName
| sort - count

# 2. Check for logon failures preceding success (brute force?)
index=wineventlog EventCode IN (4624,4625) TargetUserName="SUSPECT_USER"
| sort _time | table _time, EventCode, IpAddress, LogonType, Status, SubStatus

# 3. Check for explicit credential use (RunAs, credential theft)
index=wineventlog EventCode=4648 SubjectUserName="SUSPECT_USER"
| table _time, TargetUserName, TargetServerName, ProcessName

# 4. Check for Kerberos anomalies
index=wineventlog EventCode IN (4768,4769) TargetUserName="SUSPECT_USER"
| table _time, EventCode, IpAddress, TicketEncryptionType, ServiceName, Status

Phase 2: Assess Impact (30 min)

# 5. What did they access? (shares, files)
index=wineventlog EventCode IN (5140,5145) SubjectUserName="SUSPECT_USER"
| stats count values(RelativeTargetName) as files by ShareName, Computer
| sort - count

# 6. What processes did they run?
index=sysmon EventCode=1 User="*\\SUSPECT_USER"
| table _time, Computer, Image, CommandLine, ParentImage
| sort _time

# 7. Did they create persistence?
# NOTE: 7045 (System log) does not record installing user; correlate with 4697 or Sysmon 1 for attribution
index=wineventlog (EventCode IN (4698,4720) SubjectUserName="SUSPECT_USER") OR (EventCode=7045)
| table _time, EventCode, Computer, TaskName, ServiceName, TargetUserName, ImagePath

# 8. Did they move laterally?
index=wineventlog EventCode=4624 LogonType IN (3,10) TargetUserName="SUSPECT_USER"
| stats count by Computer, IpAddress, LogonType | sort - count

Phase 3: Contain & Remediate

Reset password + revoke all Kerberos tickets (klist purge or reset krbtgt if domain-wide)
Disable account if confirmed compromised
Check for new accounts created (4720) by this user
Check for group membership changes (4728/4732/4756) by this user
Review all hosts where LogonType 3/10 was observed

6. Playbook: Malware Execution

Trigger: AV alert, suspicious process, EDR detection

Phase 1: Build the Process Tree (10 min)

# 1. Find the suspicious process and its full chain
index=sysmon EventCode=1 Computer="HOST" Image="*\\SUSPECT.exe"
| table _time, ProcessId, Image, CommandLine, ParentImage, ParentProcessId, User, Hashes, LogonId

# 2. Walk up: What launched it?
index=sysmon EventCode=1 Computer="HOST" ProcessId="PARENT_PID"
| table _time, Image, CommandLine, ParentImage, ParentProcessId
# Repeat until you reach explorer.exe, services.exe, or the initial vector

# 3. Walk down: What did it spawn?
index=sysmon EventCode=1 Computer="HOST" ParentProcessId="SUSPECT_PID"
| sort _time | table _time, Image, CommandLine, ProcessId

Phase 2: Assess Behavior (15 min)

# 4. Network connections (C2?)
index=sysmon EventCode=3 Computer="HOST" ProcessId="SUSPECT_PID"
| table _time, DestinationIp, DestinationPort, DestinationHostname

# 5. DNS queries (what did it resolve?)
index=sysmon EventCode=22 Computer="HOST" ProcessId="SUSPECT_PID"
| table _time, QueryName, QueryResults

# 6. Files dropped
index=sysmon EventCode=11 Computer="HOST" ProcessId="SUSPECT_PID"
| table _time, TargetFilename, Hashes

# 7. Registry changes (persistence?)
index=sysmon EventCode IN (12,13) Computer="HOST" ProcessId="SUSPECT_PID"
| table _time, EventCode, TargetObject, Details

# 8. Did it access LSASS? (credential theft)
index=sysmon EventCode=10 Computer="HOST" SourceProcessId="SUSPECT_PID" TargetImage="*\\lsass.exe"
| table _time, GrantedAccess, CallTrace

Phase 3: Scope & Contain

# 9. Check hash across environment (did it spread?)
index=sysmon EventCode=1 Hashes="*SUSPECT_HASH*"
| stats count by Computer | sort - count

# 10. Check if the same C2 IPs appear elsewhere
index=sysmon EventCode=3 DestinationIp="C2_IP"
| stats count by Computer, Image | sort - count

7. Playbook: Lateral Movement

Trigger: Type 3 logon from unexpected source, PsExec/WMI alerts, named pipe detection

Phase 1: Confirm & Identify Source (10 min)

# 1. On the TARGET host — find the inbound logon
index=wineventlog EventCode=4624 Computer="TARGET" LogonType IN (3,10)
  earliest=-1h
| where NOT match(IpAddress, "known_admin_subnet")
| table _time, TargetUserName, IpAddress, WorkstationName, LogonType,
    AuthenticationPackageName, TargetLogonId

# 2. What happened immediately after logon?
# NOTE: 7045 has no SubjectLogonId — search separately or correlate by time
index=wineventlog Computer="TARGET" SubjectLogonId="LOGON_ID"
  EventCode IN (4688,5140,5145,4698)
| sort _time
| table _time, EventCode, NewProcessName, CommandLine, ShareName, RelativeTargetName

# 3. Check for service install or sched task (PsExec signature)
index=wineventlog Computer="TARGET" EventCode IN (7045,4697)
  earliest=-1h
| eval account=coalesce(AccountName, ServiceAccount)
| table _time, EventCode, ServiceName, ImagePath, ServiceFileName, account

Phase 2: Investigate the Source Host (15 min)

# 4. What was happening on the SOURCE at the time?
index=sysmon EventCode=1 Computer="SOURCE" earliest=-30m@m latest=+30m@m
| table _time, Image, CommandLine, User, ParentImage | sort _time

# 5. How did the SOURCE get compromised? (look for inbound lateral movement)
index=wineventlog EventCode=4624 Computer="SOURCE" LogonType IN (3,10)
  earliest=-24h
| table _time, TargetUserName, IpAddress, LogonType | sort _time

# 6. Check for credential dumping on SOURCE
index=sysmon EventCode=10 Computer="SOURCE" TargetImage="*\\lsass.exe"
  earliest=-24h
| table _time, SourceImage, GrantedAccess, CallTrace

Phase 3: Map the Full Lateral Path

# 7. Find ALL hosts this account touched
index=wineventlog EventCode=4624 TargetUserName="SUSPECT_USER" LogonType IN (3,10)
| stats earliest(_time) as first_seen latest(_time) as last_seen count
  by Computer, IpAddress
| sort first_seen

8. Playbook: Credential Dumping

Trigger: Sysmon Event 10 alert on LSASS, 4662 DCSync alert, suspicious 4672

Phase 1: Confirm the Dump (5 min)

# 1. Examine the LSASS access event
index=sysmon EventCode=10 Computer="HOST" TargetImage="*\\lsass.exe"
  earliest=-1h
| table _time, SourceImage, SourceProcessId, GrantedAccess, CallTrace

# 2. Is CallTrace showing UNKNOWN (shellcode)?
#    Is GrantedAccess 0x143A/0x1038/0x1FFFFF?
#    Is SourceImage from a temp/user directory?
#    If YES to any → confirmed credential dump. Go to Phase 2.

# 3. Check the source process
index=sysmon EventCode=1 Computer="HOST" ProcessId="SOURCE_PID"
| table _time, Image, CommandLine, ParentImage, User, Hashes

Phase 2: Assess Blast Radius (15 min)

# 4. What accounts were logged in at the time? (all are potentially compromised)
index=wineventlog EventCode=4624 Computer="HOST"
  earliest=-24h latest=+0h
| dedup TargetUserName
| table TargetUserName, LogonType, IpAddress
# ALL of these accounts should be considered compromised

# 5. Check for DCSync (domain-wide escalation)
index=wineventlog EventCode=4662
| where match(Properties, "1131f6aa|1131f6ad|89e95b76")
| where NOT match(SubjectUserName, "\$$")
| table _time, SubjectUserName, Computer

# 6. Check for Pass-the-Hash activity (using stolen hashes)
index=wineventlog EventCode=4624 LogonType=3 AuthenticationPackageName="NTLM"
  TargetUserName IN ("COMPROMISED_USER1","COMPROMISED_USER2")
  earliest=-1h
| table _time, Computer, IpAddress, TargetUserName

Phase 3: Contain

Reset passwords for ALL accounts that had active sessions on the compromised host
If DCSync confirmed: reset krbtgt password TWICE (with 12hr gap)
If service accounts compromised: rotate all service account passwords
Monitor for new logons from previously compromised accounts

9. Playbook: Ransomware Precursors

Trigger: Shadow copy deletion, mass file rename, bcdedit recovery disable

Phase 1: Confirm & Isolate IMMEDIATELY (5 min)

# 1. Confirm ransomware precursors
index=sysmon EventCode=1 Computer="HOST"
| where match(CommandLine, "(?i)vssadmin.*delete|wmic.*shadowcopy.*delete|bcdedit.*recoveryenabled.*no|wbadmin.*delete.*catalog")
| table _time, Image, CommandLine, User, ParentImage

# IF CONFIRMED: ISOLATE THE HOST FROM NETWORK IMMEDIATELY

# 2. Check for encryption activity (mass file operations)
index=sysmon EventCode=11 Computer="HOST" earliest=-30m
| stats count by TargetFilename
| rex field=TargetFilename "(?<ext>\.[^.]+)$"
| stats count by ext | sort - count
# Look for unusual extensions (.encrypted, .locked, .crypt, ransom notes)

Phase 2: Scope the Spread (10 min)

# 3. Did the ransomware spread? Check same indicators on other hosts
index=sysmon EventCode=1
| where match(CommandLine, "(?i)vssadmin.*delete|wmic.*shadowcopy.*delete")
| stats count by Computer | sort - count

# 4. Check lateral movement FROM the infected host
index=wineventlog EventCode=4624 LogonType=3 IpAddress="INFECTED_HOST_IP"
| stats count by Computer, TargetUserName | sort - count

# 5. Check for the deployment mechanism
index=sysmon EventCode=1 Computer="HOST" earliest=-2h
| where match(ParentImage, "(?i)psexec|wmic|powershell|cmd")
| table _time, ParentImage, Image, CommandLine | sort _time

Phase 3: Immediate Actions

Isolate ALL confirmed and suspected hosts
Disable the compromised account(s) domain-wide
Check for Group Policy modification (ransomware deployed via GPO?)
Preserve evidence: memory dump before reboot
Check backup integrity BEFORE attempting restoration

10. Playbook: Data Staging & Exfiltration

Trigger: Large outbound transfers, archive tools on sensitive systems, BITS jobs to external

Phase 1: Identify Staging Activity (15 min)

# 1. Archive tool usage
index=sysmon EventCode=1 Computer="HOST"
| where match(Image, "(?i)rar|7z|zip|tar") OR match(CommandLine, "(?i)Compress-Archive|makecab")
| table _time, User, Image, CommandLine, ParentImage

# 2. Large files created (staging archives)
index=sysmon EventCode=11 Computer="HOST"
| where match(TargetFilename, "(?i)\\.rar$|\\.7z$|\\.zip$|\\.tar$|\\.gz$")
| table _time, Image, TargetFilename

# 3. Sensitive file access
index=wineventlog EventCode=5145 SubjectUserName="SUSPECT"
| where match(RelativeTargetName, "(?i)confidential|sensitive|finance|hr|legal|password|secret")
| table _time, Computer, ShareName, RelativeTargetName

Phase 2: Identify Exfil Channel (15 min)

# 4. Unusual outbound connections from staging host
index=sysmon EventCode=3 Computer="HOST" Initiated=true
| where NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
| stats count as connections values(DestinationPort) as ports by Image, DestinationIp
| sort - connections

# 5. BITS transfers (common exfil mechanism)
index=wineventlog source="*BITS*" EventCode IN (3,4,59) Computer="HOST"
| table _time, EventCode, Computer

# 6. DNS exfil check (high volume of DNS queries from single process)
index=sysmon EventCode=22 Computer="HOST"
| stats count dc(QueryName) as unique_domains by Image
| where unique_domains > 100 | sort - unique_domains

11. Playbook: Insider Threat

Trigger: HR referral, abnormal access patterns, departing employee monitoring

# 1. Off-hours activity
index=wineventlog EventCode IN (4624,4688,5145) (TargetUserName="SUSPECT" OR SubjectUserName="SUSPECT")
| eval hour=tonumber(strftime(_time, "%H"))
| where hour >= 20 OR hour <= 5
| stats count by EventCode, hour, Computer | sort hour

# 2. Print volume (data exfil via paper)
index=wineventlog source="*PrintService*" EventCode=307
# NOTE: param2 = user who printed, param1 = document name
| where match(param2, "(?i)SUSPECT")
| stats count by param2, param1, Computer | sort - count

# 3. USB device connections
index=wineventlog EventCode=6416 Computer="SUSPECTS_WORKSTATION"
| table _time, SubjectUserName, DeviceDescription, ClassName

# 4. Abnormal share access patterns
index=wineventlog EventCode=5145 SubjectUserName="SUSPECT"
| stats count dc(RelativeTargetName) as unique_files by ShareName, Computer
| sort - unique_files

# 5. Email attachment volume (if Exchange/O365 logs available)
# Check for large attachment sends, forwarding rules, mailbox exports

# 6. Cloud upload activity (if proxy/CASB logs available)
# Check for uploads to personal cloud storage (Dropbox, GDrive, OneDrive personal)

12. Common False Positive Guide

Known-good patterns. Verify before closing — don't burn hours on these.

Event 10 (LSASS ProcessAccess) — Known Good

SourceImage	GrantedAccess	Why It's Normal
`MsMpEng.exe` (Defender)	Various	Defender scans all processes including LSASS
`MpCmdRun.exe`	Various	Defender command-line scan
`csrss.exe`	0x1000	Normal subsystem interaction
`wininit.exe`	0x1000	Session 0 initialization
`svchost.exe`	0x1000	Service host querying LSASS
`WerFault.exe`	0x1FFFFF	Windows Error Reporting crash dump (full access is expected)
`taskhostw.exe`	0x1000	Scheduled task host
Any EDR agent (CrowdStrike, SentinelOne, etc.)	Various	EDR monitoring LSASS is their job

Still Investigate If

Even "known good" processes are suspicious if: GrantedAccess is 0x143A from a non-security product, CallTrace contains UNKNOWN, or the process path doesn't match expected location.

Event 4624 (Logon) — Known Good

Pattern	Why It Fires	When to Still Investigate
Type 3 from DCs to each other	Normal AD replication	Only if from unexpected IP or account
NTLM from legacy printers/scanners	Old devices can't do Kerberos	If the printer IP is spoofed or unexpected
Type 5 (Service) for known service accounts	Services starting normally	If the service account logs on interactively (Type 2/10)
Type 7 (Unlock) during business hours	Users unlocking screens	Only if off-hours or from unexpected location
ANONYMOUS LOGON Type 3	NULL session for share enumeration (can be normal in some environments)	If volume is high or from external IPs
Machine accounts (ending in $) Type 3	Normal machine-to-machine auth	Only if from unexpected source

Event 7045 (New Service) — Known Good

ServiceName Pattern	Why It Fires
Windows Update services	Windows patches install services
Software deployment (SCCM, Intune, PDQ)	Management tools install/update services
`MsMpEng`, `Sense`, `CSFalcon`	Security product updates
Print spooler related	Printer driver installs

Red flags even in "known" services: ImagePath pointing to \Temp\, \Users\, or containing cmd.exe /c, powershell -enc, or pipe characters.

Event 4688/Sysmon 1 (Process Creation) — Known Good

Pattern	Why	Suspicious If
svchost.exe spawned by services.exe	Normal service hosting	Spawned by anything else
conhost.exe spawned by any console app	Console host for CLI tools	Spawned without a console parent
WerFault.exe after app crash	Windows Error Reporting	If it makes network connections
SearchIndexer.exe, SearchProtocolHost.exe	Windows Search indexing	If loading unusual DLLs
WMIPRVSE.exe spawning from svchost	WMI provider host	If spawning cmd/powershell children

Event 4698 (Scheduled Task) — Known Good

Pattern	Why
Tasks created by `SYSTEM` with paths under `C:\Windows\`	OS maintenance tasks
Tasks from SCCM/Intune (`ccmexec`, `Microsoft Intune`)	Management platform operations
Tasks referencing `UpdateOrchestrator`, `WindowsUpdate`	Patch management

Sysmon Event 3 (NetworkConnect) — Noisy but Normal

Process	Destination	Normal?
svchost.exe	Microsoft IPs on 80/443	Yes — Windows Update, telemetry
OneDrive.exe, Teams.exe	Microsoft 365 IPs	Yes
MsMpEng.exe	Microsoft IPs	Yes — definition updates, cloud protection
LSASS.exe	DCs on 88/389/636	Yes — Kerberos and LDAP to domain controllers

13. MITRE ATT&CK Event Mapping

Event IDs mapped to ATT&CK techniques by tactic.

Initial Access (TA0001)

Technique	Detection Events	Key Indicator
T1078 Valid Accounts	4624, 4625, 4648	Logon from unusual IP/time/location
T1566 Phishing	Sysmon 1 (Office → child process), 4104	winword.exe spawning cmd/powershell

Execution (TA0002)

Technique	Detection Events	Key Indicator
T1059.001 PowerShell	4104, 4103, 800, Sysmon 1	Encoded commands, download cradles, AMSI bypass
T1059.003 Windows Command Shell	Sysmon 1, 4688	cmd.exe from unusual parent
T1047 WMI	5861, Sysmon 1 (wmiprvse → child), Sysmon 19-21	WMI spawning processes, persistent subscriptions
T1053.005 Scheduled Task	4698, Task Scheduler 106/200, Sysmon 1	Task with hidden/immediate/SYSTEM attributes
T1569.002 Service Execution	7045, 4697, Sysmon 1	New service with suspicious ImagePath

Persistence (TA0003)

Technique	Detection Events	Key Indicator
T1547.001 Registry Run Keys	Sysmon 13	Value set under `\Run\` or `\RunOnce\`
T1543.003 Windows Service	7045, 4697, Sysmon 13	New service pointing to non-standard path
T1053.005 Scheduled Task	4698, Task Scheduler 106	BootTrigger/LogonTrigger with unusual command
T1546.003 WMI Event Sub	Sysmon 19/20/21, 5861	Permanent WMI consumer created
T1546.015 COM Hijacking	Sysmon 12 (HKCU CLSID InprocServer32)	User-level COM registration
T1547.004 Winlogon Helper	Sysmon 13	Winlogon\Shell or Userinit modified

Privilege Escalation (TA0004)

Technique	Detection Events	Key Indicator
T1134 Access Token Manipulation	4672, 4688 (TokenElevationType), 4696	SeDebugPrivilege for non-admin, %%1936 for regular user
T1068 Exploitation for Privesc	4688 (MandatoryLabel jump), Sysmon 1	Medium → System integrity jump without UAC

Defense Evasion (TA0005)

Technique	Detection Events	Key Indicator
T1562.001 Disable Security Tools	Defender 5001/5007, Sysmon 4/16	RT protection disabled, exclusions added, Sysmon stopped
T1070.001 Clear Windows Event Logs	1102, 104	Log cleared, especially Security log
T1070.006 Timestomp	Sysmon 2, 4616	File creation time modified (Sysmon 2) or system clock changed (4616)
T1036 Masquerading	Sysmon 1 (OriginalFileName mismatch)	OriginalFileName != actual filename
T1055 Process Injection	Sysmon 8, 10, 25	CreateRemoteThread, LSASS access, process tampering
T1574.002 DLL Side-Loading	Sysmon 7	Unsigned DLL loaded by signed exe from non-standard path

Credential Access (TA0006)

Technique	Detection Events	Key Indicator
T1003.001 LSASS Memory	Sysmon 10	GrantedAccess 0x143A/0x1038, CallTrace UNKNOWN
T1003.006 DCSync	4662 (replication GUIDs), 5145 (drsuapi)	Non-DC requesting replication rights
T1558.003 Kerberoasting	4769 (RC4, mass SPNs)	Multiple TGS requests with 0x17 encryption
T1558.004 AS-REP Roasting	4768 (PreAuthType=0)	TGT without pre-authentication
T1110 Brute Force	4625 (mass failures), 4771	Multiple failures then success, spray patterns

Discovery (TA0007)

Technique	Detection Events	Key Indicator
T1087 Account Discovery	4662, 5145 (samr pipe), 4104 (Get-ADUser)	Mass samr queries, AD enumeration scripts
T1018 Remote System Discovery	Sysmon 1 (net.exe, nltest, dsquery)	Network/domain enumeration commands
T1135 Network Share Discovery	5145 (srvsvc pipe), Sysmon 1 (net share)	Mass share enumeration

Lateral Movement (TA0008)

Technique	Detection Events	Key Indicator
T1021.002 SMB/Windows Admin Shares	5140, 5145, 4624 Type 3	ADMIN$/C$ access + exe drop + svcctl pipe
T1021.001 Remote Desktop	4624 Type 10, RDP 21/22/25	RDP from unexpected source
T1021.006 Windows Remote Mgmt	4624 Type 3, Sysmon 1 (wsmprovhost)	WinRM session from workstation to workstation
T1550.002 Pass the Hash	4624 (Type 3 + NTLM + unusual source)	NTLM logon from workstation to multiple targets
T1550.003 Pass the Ticket	4769 without preceding 4768	Service ticket without TGT request

Exfiltration (TA0010)

Technique	Detection Events	Key Indicator
T1041 Exfil Over C2	Sysmon 3 (large outbound)	Unusual process with sustained external connection
T1048 Exfil Over Alternative Protocol	Sysmon 3/22 (DNS, ICMP)	High DNS query volume, unusual protocols
T1567 Exfil to Cloud Storage	Sysmon 3/22 (cloud storage domains)	Non-browser uploading to Dropbox/GDrive/OneDrive
T1560 Archive Collected Data	Sysmon 1 (rar/7z), Sysmon 11	Archive tool usage followed by network transfer

14. Quick Triage Checklists

Work top to bottom. Check the box, move on.

Checklist: Suspicious Logon

[ ] Identify the logon: EventCode=4624, note TargetUserName, LogonType, IpAddress, TargetLogonId
[ ] Check LogonType: Type 3 (network) or 10 (RDP) from unexpected source?
[ ] Check AuthenticationPackageName: NTLM where Kerberos expected?
[ ] Check IpAddress: Known asset? Expected subnet? VPN or external?
[ ] Check time: Business hours? Expected for this user?
[ ] Check for preceding 4625 failures from same IP (brute force?)
[ ] Pivot on TargetLogonId: What did this session do? (4688, 5140, 5145)
[ ] Pivot on IpAddress: Any other accounts from this source?
[ ] Check source host: Was it recently compromised?
[ ] VERDICT: Legitimate / Suspicious / Confirmed Malicious
[ ] ACTIONS: Document / Escalate / Contain

Checklist: Suspicious Process

[ ] Identify process: Sysmon 1, note Image, CommandLine, ParentImage, ProcessId, User
[ ] Check parent: Is this parent-child relationship normal? (e.g., winword → cmd = BAD)
[ ] Check path: Is the executable running from expected location?
[ ] Check command line: Encoded? Unusually long? Contains URLs or UNC paths?
[ ] Check OriginalFileName: Does it match the actual filename? (masquerading?)
[ ] Check Hashes: Run through VT/threat intel
[ ] Check children: Did this process spawn anything? (Sysmon 1, ParentProcessId=this PID)
[ ] Check network: Did this process connect out? (Sysmon 3, ProcessId=this PID)
[ ] Check file drops: Did this process create files? (Sysmon 11, ProcessId=this PID)
[ ] Check registry: Did this process modify persistence keys? (Sysmon 13)
[ ] Check LSASS: Did this process access LSASS? (Sysmon 10)
[ ] VERDICT: Legitimate / Suspicious / Malicious
[ ] ACTIONS: Document / Kill process / Isolate host / Scope to other hosts via hash

Checklist: New Service / Scheduled Task

[ ] Identify: Event 7045/4697 (service) or 4698 (task). Note name, path/command, account
[ ] Check ImagePath/Command: Points to Windows/Program Files (normal) or Temp/Users (suspicious)?
[ ] Check for obfuscation: Does the path contain cmd /c, powershell -enc, pipe characters?
[ ] Check the account: LocalSystem for a non-Microsoft service? Non-admin creating the task?
[ ] Check the creator: Who/what created it? (SubjectUserName for 4697/4698; 7045 does NOT record creator — correlate with Sysmon 1 or Security 4697)
[ ] For tasks: Is it Hidden? RegistrationTrigger (immediate)? BootTrigger/LogonTrigger?
[ ] Check timing: Was this during a change window? Does a change ticket exist?
[ ] Check the binary: Hash lookup, signature check, file path analysis
[ ] Check if the service/task already executed (Task Scheduler 200, Sysmon 1 matching command)
[ ] VERDICT: Legitimate / Suspicious / Malicious
[ ] ACTIONS: Document / Disable service/task / Investigate binary / Scope

Checklist: LSASS Access Alert

[ ] Identify: Sysmon 10, note SourceImage, GrantedAccess, CallTrace
[ ] Check SourceImage: Is it a known security product? (see False Positive Guide)
[ ] Check GrantedAccess: 0x1000/0x0400 = likely benign. 0x143A/0x1038/0x1FFFFF = investigate
[ ] Check CallTrace: Contains "UNKNOWN"? → HIGH CONFIDENCE MALICIOUS (injected code)
[ ] Check CallTrace: Contains comsvcs.dll? → MiniDump technique
[ ] Check CallTrace: Contains dbghelp.dll? → Debug/dump technique
[ ] If suspicious: Examine the source process (Sysmon 1, same ProcessId)
[ ] Check source process parent chain (walk up the tree)
[ ] Check source process network activity (Sysmon 3)
[ ] Determine accounts at risk: All sessions active on this host at time of dump
[ ] VERDICT: False Positive / Confirmed Credential Dump
[ ] ACTIONS: If confirmed → isolate host, reset ALL active session passwords, check for lateral movement

PART II — PROCESS & SYSTEM BASELINES

15. Windows Process Baseline

Know normal to find evil. If any of these deviate, investigate immediately.

Process	Expected Parent	Count	Expected Path	Expected User
System	None (PID 4)	1	N/A	SYSTEM
smss.exe	System	1 (master)	%systemroot%\System32\	SYSTEM
csrss.exe	smss.exe (shown as none)	2+ (per session)	%systemroot%\System32\	SYSTEM
wininit.exe	smss.exe (shown as none)	1	%systemroot%\System32\	SYSTEM
winlogon.exe	smss.exe (shown as none)	1+ (per session)	%systemroot%\System32\	SYSTEM
services.exe	wininit.exe	1	%systemroot%\System32\	SYSTEM
lsass.exe	wininit.exe	1 (EXACTLY)	%systemroot%\System32\	SYSTEM
svchost.exe	services.exe	Many	%systemroot%\System32\	SYSTEM/SERVICE/NETWORK SERVICE
explorer.exe	userinit.exe (shown as none)	1 per user	%systemroot%\	Logged-in user
taskhostw.exe	svchost.exe	1+	%systemroot%\System32\	User/SYSTEM
RuntimeBroker.exe	svchost.exe	1+	%systemroot%\System32\	User

Critical Alerts

lsass.exe with parent other than wininit.exe = credential theft or rootkit
Multiple lsass.exe instances = investigate immediately
services.exe with wrong parent = rootkit/bootkit
svchost.exe NOT spawned by services.exe = masquerading
svchost.exe running from path other than System32 = masquerading
svchost.exe running as a user account = investigate

Windows Boot Process Chain

UEFI/BIOS → bootmgr → winload.exe → ntoskrnl.exe
  → smss.exe (Session Manager)
    → csrss.exe (Session 0) + wininit.exe
      wininit.exe → services.exe → svchost.exe (many)
                  → lsass.exe (EXACTLY ONE)
    → csrss.exe (Session 1) + winlogon.exe
      winlogon.exe → userinit.exe → explorer.exe

Any deviation from this tree = suspicious.

svchost.exe Service Groups

Group	Services	User
`-k netsvcs`	Many (largest group)	SYSTEM
`-k LocalService`	Various local services	LOCAL SERVICE
`-k NetworkService`	DNS client, etc.	NETWORK SERVICE
`-k DcomLaunch`	DCOM, RPC	SYSTEM
`-k LocalServiceNoNetwork`	Audio endpoint builder, etc.	LOCAL SERVICE
`-k UnistackSvcGroup`	Modern app services	User

16. Suspicious Parent-Child Relationships

Critical — Almost Always Malicious

winword.exe  → cmd.exe → powershell.exe    (macro execution)
winword.exe  → powershell.exe (direct)         (macro execution)
excel.exe    → cmd.exe / powershell.exe / mshta (macro execution)
outlook.exe  → powershell.exe                   (email-based attack)
w3wp.exe     → cmd.exe                          (web shell)
sqlservr.exe → cmd.exe / powershell.exe          (SQL injection)
wmiprvse.exe → powershell.exe                   (WMI lateral movement)
wsmprovhost.exe → powershell.exe                (WinRM lateral movement)

Suspicious — Investigate Arguments

explorer.exe   → cmd.exe → powershell.exe  (check args for -enc, downloads)
svchost.exe    → cmd.exe                       (possible injection into svchost)
services.exe   → cmd.exe                       (service executing shell)
taskhostw.exe  → suspicious child               (scheduled task abuse)
rundll32.exe   → cmd.exe / powershell.exe       (LOLBin chaining)
mshta.exe      → cmd.exe / powershell.exe       (HTA-based attack)
cscript/wscript → cmd.exe / powershell.exe      (script-based attack)
regsvr32.exe   → cmd.exe                        (Squiblydoo / AppLocker bypass)

Expected — Usually Benign

services.exe  → svchost.exe       svchost.exe  → WerFault.exe
explorer.exe  → [user apps]       userinit.exe → explorer.exe
smss.exe      → csrss.exe         wininit.exe  → services.exe
wininit.exe   → lsass.exe         winlogon.exe → userinit.exe

17. LOLBins Detection Reference

Living Off the Land Binaries — legitimate Windows tools abused by attackers.

Binary	Legitimate Use	Abuse Pattern	Detection Events
`certutil.exe`	Certificate management	`-urlcache -f` download, `-decode` base64	Sysmon 1 + 3
`mshta.exe`	HTML Applications	Remote HTA execution via URL	Sysmon 1 + 3
`regsvr32.exe`	Register COM DLLs	`/s /n /u /i:http://` (Squiblydoo)	Sysmon 1 + 3
`rundll32.exe`	Run DLL functions	Arbitrary DLL/shellcode execution	Sysmon 1 + 7
`bitsadmin.exe`	BITS transfers	Silent file download	Sysmon 1 + 3
`msiexec.exe`	Install MSI packages	Remote MSI payloads	Sysmon 1 + 3
`wmic.exe`	WMI command line	Process creation, remote exec	Sysmon 1 + 3
`cmstp.exe`	Connection Manager	UAC bypass via INF file	Sysmon 1 + 13
`esentutl.exe`	ESE database utility	Copy locked files (ntds.dit)	Sysmon 1
`msbuild.exe`	Build .NET projects	Inline C# task execution	Sysmon 1
`installutil.exe`	.NET installer	Code exec via Uninstall method	Sysmon 1
`forfiles.exe`	Batch file processing	Execution proxy	Sysmon 1
`pcalua.exe`	Program Compat Assistant	Execution proxy	Sysmon 1
`bash.exe / wsl.exe`	Windows Subsystem for Linux	Linux commands on Windows	Sysmon 1

Detection approach for all LOLBins:
  1. Unusual parent process (who launched it?)
  2. Unusual command-line arguments (what's it doing?)
  3. Network connections (shouldn't phone home)
  4. File writes to unusual locations (dropping payloads?)
  5. Execution from non-standard paths (masquerading?)

SPL (LOLBins with network connections):
  index=sysmon EventCode=3
  | where match(Image, "(?i)\\\\(certutil|mshta|regsvr32|rundll32|bitsadmin|msiexec|wmic|cmstp|msbuild|installutil)\\.exe$")
  | where NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
  | table _time, Computer, Image, DestinationIp, DestinationPort, User

18. Dangerous Privileges Reference

Hunt via Event 4672 (Special Privileges Assigned). Non-SYSTEM accounts with these = investigate.

Privilege	What It Allows	Risk	Attack Use
SeDebugPrivilege	Debug any process	CRITICAL	LSASS access, process injection
SeImpersonatePrivilege	Impersonate tokens	CRITICAL	Potato exploits (Juicy/Sweet/God)
SeTcbPrivilege	Act as part of OS	CRITICAL	Full system access
SeCreateTokenPrivilege	Create tokens	CRITICAL	Forge arbitrary tokens
SeLoadDriverPrivilege	Load kernel drivers	CRITICAL	BYOVD attacks
SeBackupPrivilege	Read any file	HIGH	SAM/NTDS.dit access
SeRestorePrivilege	Write any file	HIGH	DLL hijacking, file replacement
SeTakeOwnershipPrivilege	Take ownership of objects	HIGH	Permission manipulation
SeAssignPrimaryTokenPrivilege	Assign process token	HIGH	Token manipulation
SeEnableDelegationPrivilege	Trust for delegation	HIGH	Kerberos delegation abuse

# Track dangerous privilege usage (non-system accounts)
index=wineventlog EventCode=4672
| where match(PrivilegeList, "SeDebugPrivilege|SeImpersonatePrivilege|SeBackupPrivilege|SeRestorePrivilege|SeTcbPrivilege|SeLoadDriverPrivilege|SeCreateTokenPrivilege")
| where NOT match(SubjectUserName, "(?i)SYSTEM|LOCAL SERVICE|NETWORK SERVICE|DWM-|UMFD-")
| where NOT match(SubjectUserName, "\$$")
| stats count values(PrivilegeList) as privileges by SubjectUserName, Computer
| sort - count

19. Beaconing Interval Reference

Interval	Common Tool	Detection Difficulty
0s (continuous)	Meterpreter (default)	Easy — very noisy
5-30s	Default Cobalt Strike	Easy — regular intervals visible
60s	Various "low and slow"	Medium — need frequency analysis
300s (5m)	Mature C2 operations	Hard — blends with normal polling
900s (15m)	Advanced persistent actors	Hard — blends with normal traffic
3600s (1h)	Long-haul persistence	Very hard — need long baselines
Random/large jitter	Advanced actors	Very hard — need statistical analysis

# Beaconing detection via Sysmon Event 3
index=sysmon EventCode=3 Initiated=true
| where NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
| bin _time span=5m
| stats count by Image, DestinationIp, DestinationPort, _time, Computer
| streamstats current=f last(_time) as prev_time by Image, DestinationIp, Computer
| eval delta=_time-prev_time
| stats avg(delta) as avg_int, stdev(delta) as stdev_int, count
  by Image, DestinationIp, DestinationPort, Computer
| where count > 20 AND stdev_int < (avg_int * 0.2)
| eval jitter_pct=round((stdev_int/avg_int)*100,2)
| sort jitter_pct

PART III — ADVANCED ATTACK DETECTION

20. Token Manipulation & Privilege Escalation

Token Theft (T1134.001)

Attack: Open high-privilege process → duplicate token → apply to attacker process
Target: winlogon.exe, lsass.exe, services.exe (requires SeDebugPrivilege)

Detection:
  Sysmon Event 10: ProcessAccess targeting winlogon/lsass/services
  Security Event 4696: Primary token assigned to process
  Security Event 4672: SeDebugPrivilege used (prerequisite)

Token Impersonation — Potato Exploits

Juicy/Sweet/Rotten/God Potato abuse SeImpersonatePrivilege
to escalate from service account → SYSTEM.

Detection:
  index=wineventlog EventCode=4672
  | where match(PrivilegeList, "SeImpersonatePrivilege")
  | where NOT match(SubjectUserName, "(?i)SYSTEM|LOCAL SERVICE|NETWORK SERVICE")
  | table _time, Computer, SubjectUserName, PrivilegeList

Make Token (Cobalt Strike)

Creates new logon session with stolen creds. Generates 4624 LogonType=9.

  index=wineventlog EventCode=4624 LogonType=9
  | where NOT match(TargetUserName, "(?i)SYSTEM|DWM-|UMFD-")
  | table _time, Computer, TargetUserName, SubjectUserName, IpAddress

Parent PID Spoofing

Process appears to have a legitimate parent but was actually spawned by attacker.
Detection: Cross-reference Sysmon Event 1 creation times.
  If "parent" started AFTER "child" → spoofed PPID.
ETW: Microsoft-Windows-Kernel-Process catches REAL parent even when PID is spoofed.

21. .NET Assembly / Execute-Assembly Detection

C# attack tools (Rubeus, SharpHound, Seatbelt, Certify, SharpDPAPI) require the .NET CLR. Detect via Sysmon Event 7.

CLR DLLs to Monitor

DLL	Purpose
`clr.dll`	Main CLR runtime
`clrjit.dll`	JIT compiler
`mscoree.dll`	CLR startup shim
`System.Management.Automation.dll`	PowerShell engine

# Non-.NET process loading CLR (high-fidelity detection)
index=sysmon EventCode=7 (ImageLoaded="*\\clr.dll" OR ImageLoaded="*\\clrjit.dll")
| where NOT match(Image, "(?i)powershell|pwsh|csc\\.exe|msbuild\\.exe|w3wp\\.exe|dotnet\\.exe|mmc\\.exe|devenv\\.exe|sqlservr|dns\\.exe|wsmprovhost")
| where NOT match(Image, "(?i)\\\\Microsoft\\\\|\\\\Windows\\\\Microsoft\\.NET|Visual Studio|JetBrains")
| table _time, Computer, Image, ImageLoaded, User

# Classic execute-assembly pattern (rundll32/dllhost loading CLR)
index=sysmon EventCode=7
  (ImageLoaded="*\\clr.dll" OR ImageLoaded="*\\clrjit.dll" OR ImageLoaded="*\\mscoree.dll")
  Image IN ("*\\rundll32.exe", "*\\dllhost.exe", "*\\gpupdate.exe",
            "*\\msiexec.exe", "*\\searchprotocolhost.exe", "*\\svchost.exe")
| table _time, Computer, Image, ImageLoaded, User

# PowerShell engine in non-PowerShell process (unmanaged PS / CLM bypass)
index=sysmon EventCode=7 ImageLoaded="*\\System.Management.Automation.dll"
| where NOT match(Image, "(?i)powershell|pwsh|wsmprovhost|svchost|ConfigRemoting")
| table _time, Computer, Image, ImageLoaded, User

22. Service Abuse Detection

Attack Tool Service Patterns

Tool	Service Name	ImagePath Pattern
PsExec	PSEXESVC (or random)	`%SystemRoot%\PSEXESVC.exe`
Impacket smbexec	Random (e.g., "BToBTo")	`%COMSPEC% /Q /c echo ... ^> \\127.0.0.1\C$\...`
Cobalt Strike	Random 7-16 chars	`%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc ...`

# Comprehensive suspicious service detection (Event 7045)
index=wineventlog EventCode=7045
| eval suspicious=case(
    match(ImagePath, "(?i)cmd\\.exe|powershell|%COMSPEC%"), "CMD_IN_PATH",
    match(ImagePath, "(?i)\\\\Users\\\\|\\\\Temp\\\\|\\\\tmp\\\\|\\\\Downloads\\\\"), "USER_PATH",
    match(ImagePath, "(?i)-enc|-encoded|base64|hidden"), "ENCODED",
    match(ImagePath, "(?i)\\\\\\\\[0-9]|\\\\\\\\[a-zA-Z]"), "UNC_PATH",
    match(ImagePath, "(?i)rundll32|regsvr32|mshta"), "LOLBIN_SERVICE",
    NOT match(ImagePath, "^\"") AND match(ImagePath, " ") AND NOT match(ImagePath, "(?i)Windows|Program Files"), "UNQUOTED_PATH",
    len(ServiceName) < 4 OR match(ServiceName, "^[a-zA-Z]{7,16}$"), "RANDOM_NAME",
    1=1, "REVIEW"
  )
| where suspicious!="REVIEW"
| table _time, Computer, ServiceName, ImagePath, AccountName, suspicious | sort suspicious

# Unquoted service path (privilege escalation vector)
index=wineventlog EventCode=7045
| where NOT match(ImagePath, "^\"") AND match(ImagePath, " ")
  AND NOT match(ImagePath, "^C:\\\\Windows")
| table _time, Computer, ServiceName, ImagePath

# ServiceDll hijacking (Sysmon 13)
index=sysmon EventCode=13
| where match(TargetObject, "(?i)\\\\Services\\\\.*\\\\Parameters\\\\ServiceDll")
| table _time, Computer, Image, TargetObject, Details

23. COM Object Hijacking

No admin required. HKCU checked before HKLM. Attacker creates HKCU CLSID entry → their DLL loads instead.

Why It's Stealthy

No new process, no service, no scheduled task, no Run key. DLL loads into existing process when COM object is called. Most tools don't monitor HKCU CLSID changes.

Commonly Hijacked CLSIDs

CLSID	Loaded By	Notes
`{BCDE0395-E52F-...}`	Many audio apps	MMDeviceEnumerator — very frequent trigger
`{42aedc87-2188-...}`	explorer.exe	Triggers at user logon — classic persistence
`{fbeb8a05-beee-...}`	explorer.exe	ShellFolder
`{0A29FF9E-7F9C-...}`	eventvwr.exe	UAC bypass — eventvwr auto-elevates

# HKCU CLSID InprocServer32 creation (the attack itself)
index=sysmon EventCode IN (12, 13)
| where match(TargetObject, "(?i)HKU\\\\.*\\\\Classes\\\\CLSID\\\\.*\\\\InprocServer32")
  OR match(TargetObject, "(?i)HKCU\\\\.*\\\\Classes\\\\CLSID\\\\.*\\\\InprocServer32")
| where NOT match(Image, "(?i)msiexec|TiWorker|setup|install|update|DismHost|svchost")
| table _time, Computer, Image, TargetObject, Details

# DLL loaded from user path via COM (the result)
index=sysmon EventCode=7
| where match(ImageLoaded, "(?i)\\\\Users\\\\|\\\\Temp\\\\|\\\\AppData\\\\")
| where match(Image, "(?i)explorer\\.exe|svchost\\.exe|mmc\\.exe|eventvwr\\.exe")
| table _time, Computer, Image, ImageLoaded, Signed

24. DPAPI Backup Key Hunting

Domain Backup Key = master key to ALL DPAPI-protected secrets across the domain. Extractable by Domain Admins.

What It Unlocks

Secret	Where
Browser passwords	Chrome, Edge, Firefox
Credential Manager	Windows Vault
WiFi passwords	WLAN profiles
RDP credentials	Saved RDP sessions
Certificate private keys	User/machine cert store
EFS encryption keys	Encrypted files

# Detect backup key extraction (Event 4662 targeting LSA secrets)
index=wineventlog EventCode=4662
| where match(Properties, "(?i)BCKUPKEY|currentValue")
| table _time, SubjectUserName, Computer, ObjectName, Properties

# Sysmon: Tools extracting backup key
index=sysmon EventCode=1
| where match(CommandLine, "(?i)backupkeys|lsadump::backupkeys|dpapi\\.py.*backupkey")
| table _time, Computer, User, Image, CommandLine

25. WMI Persistence Forensics

Fileless persistence via WMI event subscriptions. Survives reboots with no files on disk.

WMI Subscription Components

Component	Sysmon Event	What It Does
__EventFilter	Event 19	WHEN to trigger (timer, logon, process start)
__EventConsumer	Event 20	WHAT to execute (CommandLine, ActiveScript, PowerShell)
__FilterToConsumerBinding	Event 21	Links filter to consumer (activates the subscription)

# All three must exist for a working subscription
# Sysmon 19/20/21 fire when each is created

# WMI persistent subscriptions (Sysmon)
index=sysmon EventCode IN (19, 20, 21)
| table _time, Computer, EventCode, Operation, User, Name, Query, Destination

# WMI-Activity operational log
index=wineventlog source="*WMI-Activity*" EventCode=5861
| table _time, Computer, Message

# WMI consumers executing suspicious commands
index=sysmon EventCode=20
| where match(Destination, "(?i)powershell|cmd|script|encoded|http|rundll32")
| table _time, Computer, Name, Destination

26. BITS Abuse Detection

Background Intelligent Transfer Service — used for downloads, exfil, and persistence.

Event	Source	Meaning
3	BITS-Client	Job created
4	BITS-Client	Transfer completed
59	BITS-Client	Started transferring
60	BITS-Client	Stopped transferring

# BITS persistence via NotifyCmdLine (runs command after transfer)
index=sysmon EventCode=1 Image="*\\bitsadmin.exe"
| where match(CommandLine, "(?i)SetNotifyCmdLine|/transfer.*http|addfile.*http")
| table _time, Computer, User, CommandLine

# BITS-Client events
index=wineventlog source="*BITS*" EventCode IN (3,4,59)
| table _time, Computer, EventCode, Message

27. Active Directory Attack Patterns

Kerberos Attacks Summary

Attack	Detection Event	Key Indicator
Kerberoasting	4769	RC4 (0x17) encryption + multiple SPNs from one source
AS-REP Roasting	4768	PreAuthType=0 (no pre-authentication)
Golden Ticket	4769 without 4768	TGS without preceding TGT request
Silver Ticket	4624 without 4769	Logon without TGS on DC (forged locally)
Overpass-the-Hash	4768	TGT with RC4 encryption from unexpected source
Pass-the-Ticket	4769 from different IP than 4768	TGT obtained on one host, used on another
Skeleton Key	Sysmon 7 (lsass loading DLL)	lsass.exe loading unexpected DLL
DCShadow	4742 + 5137	Computer account promoted to DC, new AD object
Diamond Ticket	Very hard	Modified legitimate TGT — requires decryption analysis

AD Persistence Mechanisms

Technique	Detection	Key Indicator
AdminSDHolder	5136 (AD object modified)	ACL on AdminSDHolder container changed
GPO Abuse	5136 (gPLink/gPCFileSysPath)	GPO linked to OU or GPO content modified
SID History Injection	4765	SID history added to account
Machine Account Quota	4741	Non-admin creating computer accounts (RBCD setup)
Certificate Template Abuse	4899	Template modified for ESC1-ESC8
Rogue DC	4742	Computer account modified with DC attributes

AD Enumeration Detection

# BloodHound-style LDAP enumeration
# High volume of LDAP queries for users, groups, computers, SPNs
index=wineventlog EventCode=4662
| where match(Properties, "bf967aba|bf967a86|bf967a9c")
| bin _time span=5m
| stats count dc(ObjectName) as objects by SubjectUserName, _time
| where objects > 50

# Sensitive LDAP query patterns
# (userAccountControl:1.2.840.113556.1.4.803:=4194304) = DONT_REQ_PREAUTH (AS-REP roastable)
# (servicePrincipalName=*) = Kerberoastable accounts
# (adminCount=1) = Admin accounts
# (msDS-AllowedToDelegateTo=*) = Delegation-enabled accounts

28. Scheduled Task Forensics — Beyond Event 4698

Task Scheduler artifacts exist in multiple locations. Cross-reference for complete coverage.

Artifact	Location	Survives Log Clearing?
Task XML files	`C:\Windows\System32\Tasks\`	Yes
Security events	Events 4698-4702	No (if cleared)
Scheduler operational log	Events 106, 140, 141, 200, 201	No (if cleared)
Registry (TaskCache)	`HKLM\SOFTWARE\Microsoft\Windows NT\...\Schedule\TaskCache`	Yes
Legacy AT tasks	`C:\Windows\Tasks\*.job`	Yes

Hidden Task Discovery

# Compare tasks on disk vs visible via schtasks
# Hidden tasks exist on disk but don't show in Task Scheduler UI

# Event 200 (Action Started) shows the ACTUAL command executed
# This is more reliable than 4698's TaskContent XML for confirming execution
index=wineventlog source="*TaskScheduler*" EventCode=200
| table _time, Computer, TaskName, ActionName, Message

29. Incident Severity Matrix

Severity	Criteria	Response Time	Examples
CRITICAL	Active data breach, ransomware, APT confirmed	< 15 min	DCSync, ransomware precursors, LSASS dump + lateral movement
HIGH	Confirmed lateral movement, credential theft, active C2	< 1 hour	PtH spray, new malicious service, C2 beacon confirmed
MEDIUM	Suspicious activity, possible recon, single-host indicator	< 4 hours	BloodHound enumeration, suspicious PowerShell, single AV alert
LOW	Policy violation, low-confidence alert	< 24 hours	Failed logon spike, USB device, off-hours admin access

30. Registry Persistence — Top Keys

Monitor via Sysmon Event 12 (key create/delete) and 13 (value set).

Persistence Keys

#	Key	What It Does
1	`HKLM\...\CurrentVersion\Run`	Programs run at every logon (all users)
2	`HKCU\...\CurrentVersion\Run`	Programs run at logon (current user)
3	`HKLM\...\CurrentVersion\RunOnce`	Run once then delete (all users)
4	`HKLM\...\Winlogon\Shell`	Default: explorer.exe. Replace = boot persistence
5	`HKLM\...\Winlogon\Userinit`	Default: userinit.exe. Append = logon persistence
6	`HKLM\...\Image File Execution Options\*\Debugger`	Runs instead of named exe = hijack any process
7	`HKLM\SYSTEM\...\Services\*\ImagePath`	Service binary path. Start=2 = auto-start
8	`HKLM\...\Windows\AppInit_DLLs`	DLL injected into every user32.dll process
9	`HKLM\SYSTEM\...\Control\Session Manager\BootExecute`	Runs before Windows fully starts
10	`HKCU\...\Classes\CLSID\*\InprocServer32`	COM hijacking (no admin needed)
11	`HKLM\...\Control\Lsa\Security Packages`	SSP injection into lsass.exe at boot
12	`HKLM\...\Print\Monitors\*\Driver`	DLL loaded by spoolsv.exe (SYSTEM)

Defense Evasion Keys

Key	Abuse
`HKLM\...\Windows Defender\DisableAntiSpyware`	Defender disabled via registry
`HKLM\...\Windows Defender\Exclusions\Paths`	Attacker adds malware path to exclusions
`HKLM\...\Policies\System\EnableLUA`	0 = UAC disabled
`HKLM\...\PowerShell\EnableScriptBlockLogging`	Attacker disables PS logging

# Comprehensive registry persistence sweep (Sysmon 12/13)
index=sysmon EventCode IN (12, 13)
| where match(TargetObject, "(?i)\\\\Run\\\\|\\\\RunOnce\\\\|\\\\Winlogon\\\\(Shell|Userinit)|Image File Execution Options.*Debugger|AppInit_DLLs|\\\\Print\\\\Monitors.*Driver|\\\\Lsa\\\\(Security|Authentication) Packages|\\\\Classes\\\\CLSID.*InprocServer32|BootExecute")
| table _time, Computer, EventCode, Image, TargetObject, Details | sort - _time

31. ShimDB Persistence

Application Compatibility shims inject DLLs or redirect execution. No Run keys, no services, no tasks — invisible to most tools.

Technique	How It Works
InjectDLL	.sdb specifies DLL → target app runs → DLL loads automatically
RedirectEXE	.sdb redirects one exe to another → user runs notepad → malware runs

Locations:
  C:\Windows\AppPatch\Custom\*.sdb
  C:\Windows\AppPatch\Custom\Custom64\*.sdb
  HKLM\...\AppCompatFlags\Custom
  HKLM\...\AppCompatFlags\InstalledSDB

# sdbinst.exe execution (shim installation)
index=sysmon EventCode=1 Image="*\\sdbinst.exe"
| table _time, Computer, User, CommandLine

# New .sdb files
index=sysmon EventCode=11
| where match(TargetFilename, "(?i)\\\\AppPatch\\\\Custom.*\\.sdb")
| table _time, Computer, Image, TargetFilename

# AppCompatFlags registry changes
index=sysmon EventCode IN (12, 13)
| where match(TargetObject, "(?i)AppCompatFlags\\\\(Custom|InstalledSDB)")
| table _time, Computer, Image, TargetObject, Details

32. Code Signing Forensics

Signature Status	Meaning	Hunt Value
Valid	Unmodified since signing	Normal (but stolen certs exist)
Invalid / HashMismatch	File tampered after signing	Investigate immediately
Expired	Certificate expired	May be old legitimate or lazy attacker
Revoked	Certificate revoked (compromised)	Known-compromised publisher
NotSigned	Never signed	Context-dependent

Known Stolen Certificate Campaigns

Stuxnet:            Stolen Realtek + JMicron certs
Duqu:               Stolen C-Media cert
Flame:              Forged Microsoft cert (MD5 collision)
ShadowPad/CCleaner: Legitimate Piriform/Avast cert (supply chain)
NVIDIA leak:        Stolen NVIDIA certs used to sign malware
Various ransomware: Purchased or stolen EV certificates

# Modules loaded with invalid/expired/revoked signatures (Event 7, not Event 1)
index=sysmon EventCode=7
| where SignatureStatus IN ("Expired", "Revoked", "Invalid", "Error")
| table _time, Computer, Image, ImageLoaded, SignatureStatus, Signature

# Unsigned drivers (BYOVD indicator)
index=sysmon EventCode=6
| where Signed="false" OR SignatureStatus!="Valid"
| table _time, Computer, ImageLoaded, Signed, Signature, Hashes

# Certificate serial number as IOC (find other files from same stolen cert)
# PowerShell:
Get-AuthenticodeSignature C:\path\to\file.exe
# Then search: Get-ChildItem -Recurse *.exe | Where { (Get-AuthenticodeSignature $_).SignerCertificate.SerialNumber -eq "TARGET_SERIAL" }

33. WEF Architecture & Blind Spot Detection

If attackers disable WEF, your SIEM goes blind for that host.

How Attackers Disable Forwarding

Technique	Command	Detection
Stop WinRM	`net stop WinRM`	Event 7036 (WinRM stopped)
Disable subscription	`wecutil ss Name /e:false`	Sysmon 1 (wecutil.exe)
Block WinRM ports	`netsh ... block 5985,5986`	Firewall Event 2004
Shrink log size	`wevtutil sl Security /ms:1048576`	Sysmon 1 (wevtutil.exe)
Modify GPO	GPO change for WEF	Event 5136

# Detect hosts that stopped forwarding (blind spot detection)
index=wineventlog
| stats latest(_time) as last_event by Computer
| eval hours_since = round((now() - last_event) / 3600, 1)
| where hours_since > 4
| sort - hours_since
| table Computer, hours_since, last_event

# WinRM service stopped
index=wineventlog EventCode=7036
| where match(Message, "(?i)Windows Remote Management.*stopped")
| table _time, Computer, Message

# WEF manipulation tools
index=sysmon EventCode=1 Image IN ("*\\wecutil.exe", "*\\wevtutil.exe")
| where match(CommandLine, "(?i)/e:false|ds |sl.*ms:")
| table _time, Computer, User, CommandLine

34. Sigma-to-SPL Translation Reference

Convert community Sigma rules to production SPL queries.

Modifier Translation

Sigma Modifier	SPL Equivalent
`\|endswith`	`field="*value"`
`\|startswith`	`field="value*"`
`\|contains`	`field="value"`
`\|contains\|all`	`field="val1" field="val2"` (AND)
`\|re`	`match(field, "regex")`
`\|cidr`	`cidrmatch("10.0.0.0/8", field)`
`\|windash`	`field="/c" OR field="-c"`

Logsource Mapping

Sigma Category	SPL Index / Filter
`process_creation`	`index=sysmon EventCode=1` OR `index=wineventlog EventCode=4688`
`registry_set`	`index=sysmon EventCode=13`
`file_event`	`index=sysmon EventCode=11`
`network_connection`	`index=sysmon EventCode=3`
`image_load`	`index=sysmon EventCode=7`
`process_access`	`index=sysmon EventCode=10`
`dns_query`	`index=sysmon EventCode=22`
`driver_load`	`index=sysmon EventCode=6`
`create_remote_thread`	`index=sysmon EventCode=8`
`wmi_event`	`index=sysmon EventCode IN (19,20,21)`
`ps_script`	`index=wineventlog EventCode=4104`
`windows / security`	`index=wineventlog source="WinEventLog:Security"`
`windows / system`	`index=wineventlog source="WinEventLog:System"`

# Automated conversion
sigma convert -t splunk -p sysmon rules/credential_access/mimikatz.yml

35. AMSI Content & Tool Identification

Windows Defender Events 1116/1117 contain the actual threat name — use it to identify attacker tools.

Threat Name Decoding

Defender threat names follow a pattern:
  [Type]:[Platform]/[Family].[Variant]![Suffix]

Examples:
  HackTool:Win32/Mimikatz.D        = Mimikatz
  HackTool:Win64/Rubeus.A          = Rubeus (Kerberos attacks)
  HackTool:MSIL/SharpHound.A       = SharpHound (BloodHound collector)
  Trojan:Win32/CobaltStrike.B!dha  = Cobalt Strike beacon
  HackTool:Win32/Certify.A         = Certify (AD CS attacks)
  Behavior:Win32/Invoke-Mimikatz.A = PowerShell Mimikatz

Type prefixes: HackTool = offensive tool, Trojan = malware, Behavior = behavioral detection
Platform: Win32/Win64 = native, MSIL = .NET/C#

# Extract tool names from Defender detections
index=wineventlog source="*Windows Defender*" EventCode IN (1116, 1117)
| rex field=Message "Threat Name:\s*(?<threat_name>[^\n]+)"
| eval tool=case(
    match(threat_name, "(?i)Mimikatz"), "MIMIKATZ",
    match(threat_name, "(?i)CobaltStrike|Beacon"), "COBALT_STRIKE",
    match(threat_name, "(?i)Rubeus"), "RUBEUS",
    match(threat_name, "(?i)SharpHound|BloodHound"), "BLOODHOUND",
    match(threat_name, "(?i)Certify"), "CERTIFY_ADCS",
    match(threat_name, "(?i)Seatbelt"), "SEATBELT",
    match(threat_name, "(?i)SharpDPAPI"), "SHARPDPAPI",
    1=1, threat_name
  )
| table _time, Computer, tool, threat_name, EventCode
| sort - _time

# Track attacker response to detection (did they disable Defender after?)
index=wineventlog source="*Windows Defender*" EventCode IN (1116, 5001, 5007) Computer="HOST"
| sort _time
| table _time, EventCode, Message
# Pattern: 1116 (detected) → 5001 (disabled) or 5007 (exclusion added) = attacker adapting

PART IV — FOUNDATIONS

36. ETW (Event Tracing for Windows)

ETW is the underlying telemetry framework. Sysmon, Security logs, and EDR all consume ETW. Understanding it gives access to the raw source.

Architecture

Provider → Session → Consumer

Provider:   Generates events (kernel, applications, services)
Session:    Collects events from one or more providers
Consumer:   Processes/records events (SIEM, EDR, custom tools)

Key ETW Providers for Security

Provider	GUID	Events	Value
Kernel-Process	`{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}`	Process creation, termination, image load	Raw process telemetry (before Sysmon filtering)
Kernel-File	`{EDD08927-9CC4-4E65-B970-C2560FB5C289}`	File create, delete, rename, read, write	File system activity at kernel level
Kernel-Registry	`{70EB4F03-C1DE-4F73-A051-33D13D5413BD}`	Registry key/value operations	Registry changes before Sysmon filtering
Kernel-Network	`{7DD42A49-5329-4832-8DFD-43D979153A88}`	TCP/UDP connections, DNS queries	Network connections at kernel level
DNS-Client	`{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}`	DNS query/response	Process-level DNS resolution
DotNETRuntime	`{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}`	.NET assembly loading, JIT compilation	Detect .NET-based attacks (Cobalt Strike, PowerShell)
LDAP-Client	`{099614A5-5DD7-4788-8BC9-E29F43DB28FC}`	LDAP queries	AD enumeration detection
WinINet	`{43D1A55C-76D6-4F7E-995C-64C711E5CAFE}`	HTTP/HTTPS connections	Process-level HTTP activity
Security-Auditing	`{54849625-5478-4994-A5BA-3E3B0328C30D}`	All Windows Security events	The provider behind the Security event log

Using ETW for Advanced Detection

# List all active ETW sessions
logman query -ets

# Create a custom ETW session for hunting
logman create trace SecurityHunt -ets -p Microsoft-Windows-Kernel-Process -o C:\hunt\trace.etl

# Start/stop the trace
logman start SecurityHunt -ets
logman stop SecurityHunt -ets

# Convert ETL to readable format
tracerpt C:\hunt\trace.etl -o C:\hunt\output.csv -of CSV

# Real-time ETW monitoring with SilkETW
SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -ot file -p C:\hunt\dotnet.json

ETW-Based Detection Bypasses (What Attackers Do)

Technique	Method	Detection
Patching EtwEventWrite	Patches ntdll.dll in user-mode to return immediately	Monitor for ntdll.dll memory modifications
Removing ETW providers	`logman update trace -ets -p {GUID} -disable`	Monitor for ETW session modifications
Kernel-level tampering	Patching kernel ETW functions	Kernel integrity monitoring
TLS callback abuse	Modify ETW thread callbacks	Very difficult — requires kernel monitoring

# Hunt for ETW tampering
# Suspicious process access with write permissions (potential ntdll patching)
index=sysmon EventCode=10 GrantedAccess IN ("0x1FFFFF","0x1F3FFF","0x001F0FFF")
| where NOT match(SourceImage, "(?i)csrss\\.exe|smss\\.exe|services\\.exe|MsMpEng\\.exe|lsass\\.exe|svchost\\.exe")
| where NOT match(TargetImage, "(?i)\\\\lsass\\.exe")
| table _time, Computer, SourceImage, TargetImage, GrantedAccess

# ETW session modifications
index=sysmon EventCode=1 Image="*\\logman.exe"
| where match(CommandLine, "(?i)update|delete|stop") AND match(CommandLine, "(?i)trace|ets|session")
| table _time, Computer, User, CommandLine

37. EVTX Integrity & Log Manipulation Detection

Sophisticated attackers selectively delete events, not just clear logs.

How EVTX Files Work

.evtx files contain records with sequential Record IDs: 1, 2, 3, 4, 5, 6, 7...
If an attacker deletes records 4 and 5:  1, 2, 3, [GAP], 6, 7...
The gap in Record IDs = evidence of manipulation.

Detection Methods

Method	Technique	Notes
Record ID Gaps	Check for non-sequential Record IDs	Most reliable for selective deletion
File Size vs Count	File size larger than expected for record count	Slack space contains remnants
Timestamp Gaps	No events during a period on a busy system	Context-dependent
Event 1102	Security Audit Log Cleared	Obvious — attackers who selectively delete don't trigger this
Event 104 (System)	Any event log was cleared	Catches non-Security log clears
Service Tampering	Event log service stopped (7036)	No new events while stopped
Sysmon Continuity	Gap in Sysmon events	Sysmon stopped or logs deleted

PowerShell Record ID Gap Detection

$events = Get-WinEvent -Path Security.evtx -Oldest
$prev = 0
foreach ($event in $events) {
    if ($event.RecordId - $prev > 1 -and $prev -gt 0) {
        Write-Host "GAP: Records $prev to $($event.RecordId) missing ($($event.RecordId - $prev - 1) events)"
    }
    $prev = $event.RecordId
}

SPL Detection Queries

# Log cleared events
index=wineventlog EventCode=1102
| table _time, Computer, SubjectUserName

# System log - any log cleared
index=wineventlog source="WinEventLog:System" EventCode=104
| table _time, Computer, Message

# Event log service stopped
index=wineventlog EventCode=7036
| where match(Message, "(?i)Windows Event Log.*stopped")
| table _time, Computer, Message

# Sysmon continuity check (gap = suspicious)
index=sysmon Computer="HOST"
| bin _time span=5m
| timechart span=5m count
| where count < 5

EVTX Analysis Tools

Tool	Purpose
EvtxECmd (Eric Zimmerman)	Full EVTX parsing with timeline output
Chainsaw (WithSecure)	Fast Windows event log hunting with Sigma rules
Hayabusa	Fast forensic timeline from EVTX files
LogParser	Microsoft's SQL-like log query tool

PART V — WINDOWS SECURITY EVENT LOG

38. Authentication Events (4624, 4625)

Event ID	Name	Hunt Value	Key Fields
4624	Logon Success	Lateral movement, account abuse	TargetUserName, LogonType, IpAddress, WorkstationName
4625	Logon Failure	Brute force, password spray	TargetUserName, LogonType, IpAddress, Status, SubStatus
4626	User/Device Claims Info	Claims-based access	Subject, DeviceClaims
4627	Group Membership Info	Group tracking	SubjectUserName, GroupMembership
4634	Logoff	Session duration	TargetUserName, LogonType
4647	User-Initiated Logoff	User session tracking	TargetUserName
4648	Logon Using Explicit Creds	RunAs, credential use	SubjectUserName, TargetUserName, TargetServerName
4649	Replay Attack Detected	Kerberos replay	TargetUserName, KeyType
4672	Special Privileges Assigned	Privilege escalation	SubjectUserName, PrivilegeList
4675	SIDs Were Filtered	SID filtering	TargetUserName

4625 Failure Status/SubStatus Codes

Note: Splunk stores these in lowercase (e.g., 0xc000006d). Use lower(Status) or match case when searching.

Status	SubStatus	Meaning
0xC000006A	—	Wrong password
0xC0000064	—	User does not exist
0xC000006D	0xC000006A	Bad password
0xC000006D	0xC0000064	Bad username
0xC000006F	—	Logon outside allowed hours
0xC0000070	—	Logon from unauthorized workstation
0xC0000071	—	Expired password
0xC0000072	—	Account disabled
0xC000015B	—	User not granted logon type
0xC0000192	—	NetLogon service not started
0xC0000193	—	Account expired
0xC0000224	—	Password must change at next logon
0xC0000234	—	Account locked out
0xC0000413	—	Machine account auth failure

Logon Type Reference

Type	Name	When Generated	Hunt Significance
2	Interactive	Console logon, RunAs	Normal for workstations; suspicious for servers
3	Network	SMB, net use, remote mgmt	Lateral movement indicator (PsExec, WMI)
4	Batch	Scheduled task execution	Persistence mechanism
5	Service	Service startup	Service account abuse
7	Unlock	Screen unlock	Normal, but timing can matter
8	NetworkCleartext	IIS basic auth	Credentials in clear — security issue
9	NewCredentials	RunAs /netonly	Credential use without interactive logon
10	RemoteInteractive	RDP, Terminal Services	Lateral movement (very common)
11	CachedInteractive	Offline domain cred logon	DC connectivity issues or isolation
12	CachedRemoteInteractive	Cached RDP	Similar to Type 11 for RDP
13	CachedUnlock	Cached creds unlock	DC unreachable during unlock

39. Logon Events Deep Dive (4624/4625)

Most analysts use 30% of Event 4624. These are the fields they miss.

The Full 4624 Field Set

Field	Description	Hunt Use
`SubjectUserSid`	SID of the requesting account	Identify the "asker"
`TargetLogonId`	Logon session ID (hex)	Track ALL activity in this session
`AuthenticationPackageName`	Kerberos / NTLM / Negotiate	Protocol fingerprinting
`LogonGuid`	Links to Kerberos TGS (4769)	Correlate logon to Kerberos service tickets
`LmPackageName`	NTLM V1 / NTLM V2	NTLMv1 should not exist
`KeyLength`	Encryption key length	Pass-the-Hash detection (128=NTLMv2, 0=Kerberos/NULL, 56=NTLMv1)
`ImpersonationLevel`	Impersonation granted	Token manipulation
`ElevatedToken`	%%1842=Yes, %%1843=No	Admin session tracking
`RestrictedAdminMode`	RDP Restricted Admin	RDP security posture
`TargetLinkedLogonId`	Links standard + elevated sessions	UAC split token tracking
`TargetOutboundUserName`	Outbound identity (Type 9)	NewCredentials identity

AuthenticationPackageName — Protocol Fingerprinting

Value	Protocol	Significance
`Kerberos`	Kerberos authentication	Modern, preferred — most domain logons
`NTLM`	NTLM authentication	Legacy, weaker, attack vector (PtH, relay)
`Negotiate`	Tried Kerberos, fell back	Possible Kerberos config issue
`MICROSOFT_AUTHENTICATION_PACKAGE_V1_0`	MSV1_0 (local account)	Unusual for domain accounts
`CloudAP`	Azure AD / Entra ID	Cloud authentication
`Schannel`	Certificate-based (TLS)	Client cert auth

Pass-the-Hash Detection via KeyLength

# Detect potential Pass-the-Hash
index=wineventlog EventCode=4624 LogonType=3
  AuthenticationPackageName="NTLM" LogonProcessName="NtLmSsp"
| where TargetUserName!="ANONYMOUS LOGON" AND NOT match(TargetUserName, "\$$")
| stats count dc(Computer) as unique_targets values(Computer) as targets
  by TargetUserName, IpAddress, WorkstationName, KeyLength
| where unique_targets > 2
| sort - unique_targets

# NTLMv1 usage (should be ZERO)
index=wineventlog EventCode=4624 AuthenticationPackageName="NTLM"
| where LmPackageName="NTLM V1" OR KeyLength=56
| stats count by TargetUserName, IpAddress, Computer, LmPackageName

TargetLogonId — Session Tracking

# Everything a user did in one session
index=wineventlog (EventCode=4624 OR EventCode=4634 OR EventCode=4672 OR
  EventCode=4688 OR EventCode=5140 OR EventCode=5145)
  (TargetLogonId="0x12345678" OR SubjectLogonId="0x12345678")
| sort _time
| table _time, EventCode, Computer, TargetUserName, SubjectUserName

# Cross-reference with Sysmon (LogonId links process execution to logon session)
index=sysmon EventCode=1 LogonId="0x12345678"
| table _time, Computer, Image, CommandLine, ParentImage | sort _time

Event 4625 — Failure Analysis Patterns

# Password Spray Detection
index=wineventlog EventCode=4625 Status="0xc000006d" SubStatus="0xc000006a"
| bin _time span=15m
| stats count dc(TargetUserName) as unique_users values(TargetUserName) as users
  by IpAddress, _time
| where unique_users > 10

# User Enumeration (SubStatus=0xC0000064 = user does not exist)
index=wineventlog EventCode=4625 SubStatus="0xc0000064"
| stats count dc(TargetUserName) as tried_names by IpAddress
| where tried_names > 10

# Brute Force Success (multiple failures then success)
index=wineventlog EventCode IN (4625, 4624)
| sort _time
| transaction TargetUserName IpAddress maxspan=30m
  startswith=(EventCode=4625) endswith=(EventCode=4624)
| where eventcount > 5
| table TargetUserName, IpAddress, eventcount, duration

40. Account Management Events

Event ID	Name	Hunt Value	Key Fields
4720	User Account Created	Backdoor accounts	TargetUserName, SubjectUserName
4722	User Account Enabled	Dormant account activation	TargetUserName
4723	Password Change Attempt (by user)	Account manipulation	TargetUserName
4724	Password Reset Attempt (by admin)	Account takeover	TargetUserName, SubjectUserName
4725	User Account Disabled	Cleanup or denial of service	TargetUserName
4726	User Account Deleted	Cleanup	TargetUserName
4728	Member Added to Global Security Group	Privilege escalation	MemberName, TargetUserName
4732	Member Added to Local Security Group	Local admin add	MemberName, TargetUserName
4738	User Account Changed	Account manipulation	TargetUserName, changed attributes
4740	User Account Locked Out	Brute force indicator	TargetUserName, SubjectUserName
4741	Computer Account Created	New domain join	TargetUserName
4756	Member Added to Universal Security Group	Enterprise admin add	MemberName, TargetUserName
4767	User Account Unlocked	Post-lockout activity	TargetUserName, SubjectUserName

41. Kerberos Events

Event ID	Name	Hunt Value	Key Fields
4768	Kerberos TGT Requested (AS-REQ)	AS-REP Roasting, auth tracking	TargetUserName, IpAddress, TicketEncryptionType, Status
4769	Kerberos Service Ticket (TGS-REQ)	Kerberoasting, service access	ServiceName, TargetUserName, IpAddress, TicketEncryptionType
4770	Kerberos Service Ticket Renewed	Ticket management	TargetUserName, ServiceName
4771	Kerberos Pre-Auth Failed	Password spraying	TargetUserName, IpAddress, Status
4773	Kerberos Service Ticket Failed	Auth failures (never generated — use 4769 with non-zero Status instead)	TargetUserName, ServiceName

Kerberos Encryption Types

Value	Algorithm	Hunt Significance
0x1	DES-CBC-CRC	Weak/legacy — should not be in use
0x3	DES-CBC-MD5	Weak/legacy — should not be in use
0x11	AES128-CTS-HMAC-SHA1-96	Normal — modern
0x12	AES256-CTS-HMAC-SHA1-96	Normal — modern, preferred
0x17	RC4-HMAC	Kerberoasting indicator — downgraded encryption
0x18	RC4-HMAC-EXP	Weak — export grade

4768 Kerberos Status Codes

Status	Meaning	Hunt Value
0x0	Success	Normal
0x6	Client not found	Enumeration attempt
0x7	Server not found	Misconfiguration or enumeration
0xC	Policy rejects request	Time sync or policy violation
0x12	Client credentials revoked	Account disabled/locked/expired
0x18	Pre-auth data invalid	Wrong password (AS-REQ)
0x25	Clock skew too great	Time sync issue or Golden Ticket

42. Kerberos Deep Dive

Event 4768 (AS-REQ) — TGT Request Analysis

TicketOptions Bitmask

Bit	Flag	Notes
0x40000000	Forwardable	Can be used for delegation
0x20000000	Forwarded	Has been forwarded
0x10000000	Proxiable	Can be used as proxy
0x08000000	Proxy	Proxy ticket requested
0x00800000	Renewable	Can be renewed
0x00010000	Canonicalize	Request principal name canonicalization
0x00000010	Name-canonicalize	Canonicalize server name

Common values: 0x40810010 = normal workstation TGT. 0x50800000 = Forwardable + Proxiable + Renewable (delegation-capable TGT — investigate if from unexpected account). 0x60810010 = forwarded TGT (Kerberos delegation).

PreAuthType

Value	Meaning	Hunt Value
0	No pre-authentication	AS-REP Roasting vulnerable!
2	PA-ENC-TIMESTAMP	Standard (encrypted timestamp)
15	PA-PK-AS-REQ	Certificate/smartcard authentication

Kerberos Attack Detection Queries

# Kerberoasting (mass TGS requests with RC4)
index=wineventlog EventCode=4769 TicketEncryptionType="0x17"
| where ServiceName!="krbtgt" AND NOT match(ServiceName, "\$$")
| bin _time span=5m
| stats count dc(ServiceName) as unique_spns values(ServiceName) as services
  by TargetUserName, IpAddress, _time
| where unique_spns > 3

# AS-REP Roasting
index=wineventlog EventCode=4768 PreAuthType="0" Status="0x0"
| stats count by TargetUserName, IpAddress, TicketEncryptionType

# Golden Ticket indicators (TGS without recent TGT)
index=wineventlog EventCode=4769
| eval key=TargetUserName."-".IpAddress
| join type=left key
  [search index=wineventlog EventCode=4768 Status="0x0"
   | eval key=TargetUserName."-".IpAddress
   | stats max(_time) as last_tgt by key]
| eval time_since_tgt = _time - last_tgt
| where isnull(last_tgt) OR time_since_tgt > 43200
| table _time, TargetUserName, ServiceName, IpAddress, time_since_tgt

# Clock skew (possible Golden Ticket)
index=wineventlog EventCode=4768 Status="0x25"
| stats count by IpAddress, TargetUserName

4768 → 4769 → 4624 Correlation Chain

Anomaly Detection in the Chain

TGT with RC4 (0x17) → Overpass-the-Hash
TGS without TGT → Golden Ticket or Pass-the-Ticket
TGT from one IP, TGS from another → Ticket theft
TGT for non-existent user → Enumeration or forged ticket
Very long time between TGT and TGS → Ticket export/reimport

43. Object Access & Audit Events

Event ID	Name	Hunt Value	Key Fields
4656	Handle to Object Requested	SAM/SYSTEM/SECURITY hive access	ObjectName, ObjectType, AccessMask
4657	Registry Value Modified	Persistence, config changes	ObjectName, ObjectValueName, NewValue
4660	Object Deleted	Anti-forensics	ObjectName
4662	Operation on AD Object	DCSync detection	Properties (GUIDs), SubjectUserName
4663	Object Access Attempted	File access auditing	ObjectName, AccessMask, ProcessName
4670	Permissions Changed	ACL manipulation	ObjectName, SubjectUserName

4662 Key GUIDs for DCSync

DS-Replication-Get-Changes:          {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
DS-Replication-Get-Changes-All:      {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
DS-Replication-Get-Changes-In-Filtered-Set: {89e95b76-444d-4c62-991a-0facbeda640c}

44. Event 4662 — GUID Decoding

Critical GUIDs for Detection

GUID	Maps To	Hunt Use
`{1131f6aa-...}`	DS-Replication-Get-Changes	DCSync detection
`{1131f6ad-...}`	DS-Replication-Get-Changes-All	DCSync detection
`{89e95b76-...}`	DS-Replication-Get-Changes-In-Filtered-Set	DCSync detection
`{4c164200-...}`	User-Account-Control	Account property manipulation (e.g., disable pre-auth)
`{91e647de-...}`	Private-Information (CONFIDENTIAL)	Confidential attribute access
`{f30e3bc2-...}`	GPC-File-Sys-Path	GPO access/modification
`{00299570-...}`	Reset-Password	Password reset by non-admin
`{f3a64788-...}`	servicePrincipalName	SPN modification (Kerberoasting setup)
`{bf967aba-...}`	User object class	AD enumeration
`{bf967a86-...}`	Computer object class	AD enumeration

# DCSync detection — the definitive query
index=wineventlog EventCode=4662
| where match(Properties,
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c")
| where NOT match(SubjectUserName, "\$$")
| table _time, SubjectUserName, SubjectDomainName, ObjectName

# SPN modification (Kerberoasting setup)
# NOTE: %%14674 = Object Access (includes reads); triage for write operations
index=wineventlog EventCode=4662
| where match(Properties, "f3a64788-5306-11d1-a9c5-0000f80367c1")
| where OperationType="%%14674"
| table _time, SubjectUserName, ObjectName

# Mass AD enumeration (BloodHound)
index=wineventlog EventCode=4662
| where match(Properties, "bf967aba-0de6-11d0-a285-00aa003049e2|bf967a86-0de6-11d0-a285-00aa003049e2")
| bin _time span=5m
| stats count dc(ObjectName) as unique_objects by SubjectUserName, _time
| where unique_objects > 50

45. Policy, System & Process Events

Event ID	Name	Hunt Value	Key Fields
1100	Event Logging Service Shutdown	Anti-forensics	—
1102	Security Audit Log Cleared	Anti-forensics	SubjectUserName
4616	System Time Changed	Timestomping	SubjectUserName, PreviousTime, NewTime
4688	Process Created	Process execution tracking	NewProcessName, CommandLine, ParentProcessName
4689	Process Exited	Process lifecycle	ProcessName
4690	Duplicate Handle	Token manipulation	SourceProcessId, TargetProcessId
4692-4695	DPAPI Operations	Credential access	SubjectUserName
4696	Primary Token Assigned	Token manipulation	SubjectUserName, NewProcessName
4697	Service Installed	Persistence	ServiceName, ServiceFileName, ServiceAccount
4698	Scheduled Task Created	Persistence	TaskName, TaskContent (XML)
4699-4702	Scheduled Task Modified/Deleted/Enabled/Disabled	Task lifecycle	TaskName
4703	Token Right Adjusted	Privilege manipulation	ProcessName, EnabledPrivilegeList
4719	System Audit Policy Changed	Audit evasion	SubjectUserName, CategoryId

46. Event 4688 Deep Dive — Hunting Without Sysmon

Prerequisite: Enable Command Line Logging

GPO: Computer Config → Admin Templates → System → Audit Process Creation → "Include command line in process creation events" = Enabled

Registry: HKLM\SOFTWARE\...\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled = 1

Without this setting, 4688 is nearly useless.

Hidden Fields Most Analysts Miss

TokenElevationType

Value	Type	Meaning	Hunt Value
%%1936	Type 1: Full token	Full admin privileges	If a regular user has Type 1, investigate
%%1937	Type 2: Elevated	UAC elevation occurred	Expected for admin tasks
%%1938	Type 3: Limited	Standard user rights	Normal — most common

MandatoryLabel (Integrity Level)

Value	Level	SID	When
%%4096	Untrusted	S-1-16-0	Almost never seen
%%4097	Low	S-1-16-4096	Protected Mode IE, sandboxed
%%4098	Medium	S-1-16-8192	Standard user processes
%%4099	Medium Plus	S-1-16-8448	Slightly elevated (rare)
%%4100	High	S-1-16-12288	Admin/elevated processes
%%4101	System	S-1-16-16384	SYSTEM-level processes

4688 Hunt Queries (Sysmon-Free Environment)

# Suspicious parent-child (Office spawning shells)
index=wineventlog EventCode=4688
| where match(ParentProcessName, "(?i)\\\\(winword|excel|powerpnt|outlook)\\.exe$")
  AND match(NewProcessName, "(?i)\\\\(cmd|powershell|mshta|wscript|cscript|certutil|regsvr32|rundll32)\\.exe$")
| table _time, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine

# Encoded PowerShell
index=wineventlog EventCode=4688 NewProcessName="*\\powershell.exe"
  (CommandLine="*-enc*" OR CommandLine="*-EncodedCommand*")
| table _time, Computer, SubjectUserName, CommandLine

# Processes from temp/user directories
index=wineventlog EventCode=4688
| where match(NewProcessName, "(?i)\\\\(Temp|tmp|Downloads|AppData)\\\\") AND match(NewProcessName, "\\.exe$")
| table _time, Computer, SubjectUserName, NewProcessName, CommandLine

# Shadow copy deletion (pre-ransomware)
index=wineventlog EventCode=4688
  ((NewProcessName="*\\vssadmin.exe" CommandLine="*delete*shadows*")
   OR (NewProcessName="*\\wmic.exe" CommandLine="*shadowcopy*delete*")
   OR (NewProcessName="*\\bcdedit.exe" CommandLine="*recoveryenabled*no*"))
| table _time, Computer, SubjectUserName, NewProcessName, CommandLine

# Privilege escalation — Full token for non-admin
index=wineventlog EventCode=4688 TokenElevationType="%%1936"
| where NOT match(SubjectUserName, "(?i)SYSTEM|LOCAL SERVICE|NETWORK SERVICE|DWM-|UMFD-")
| where NOT match(SubjectUserName, "\$$")
| stats count by SubjectUserName, Computer, NewProcessName

47. Scheduled Task XML Dissection (Event 4698)

Task XML Structure

<Task>
  <RegistrationInfo>   — Who created it, when, description
  <Triggers>           — WHEN it runs (boot, logon, time, event)
  <Principals>         — WHO it runs as (user, privilege level)
  <Settings>           — Execution settings (hidden, run if missed)
  <Actions>            — WHAT it does (execute command)
</Task>

Key Indicators

<Hidden>true</Hidden> — Task hidden from Task Scheduler UI
RegistrationTrigger — Runs immediately upon creation (attacker wants instant execution)
RunLevel=HighestAvailable + UserId=S-1-5-18 — SYSTEM-level persistence
BootTrigger / LogonTrigger — Persistence across reboots

# Parse Command from TaskContent XML
index=wineventlog EventCode=4698
| rex field=TaskContent "<Command>(?<task_command>[^<]+)</Command>"
| rex field=TaskContent "<Arguments>(?<task_args>[^<]+)</Arguments>"
| rex field=TaskContent "<UserId>(?<task_user>[^<]+)</UserId>"
| table _time, Computer, SubjectUserName, TaskName, task_command, task_args, task_user

# Hidden tasks
index=wineventlog EventCode=4698
| where match(TaskContent, "<Hidden>true</Hidden>")
| rex field=TaskContent "<Command>(?<cmd>[^<]+)</Command>"
| table _time, Computer, SubjectUserName, TaskName, cmd

# Tasks with RegistrationTrigger (immediate execution)
index=wineventlog EventCode=4698
| where match(TaskContent, "RegistrationTrigger")
| rex field=TaskContent "<Command>(?<cmd>[^<]+)</Command>"
| table _time, Computer, SubjectUserName, TaskName, cmd

# SYSTEM tasks from non-standard paths
index=wineventlog EventCode=4698
| rex field=TaskContent "<Command>(?<cmd>[^<]+)</Command>"
| rex field=TaskContent "<UserId>(?<uid>[^<]+)</UserId>"
| where (uid="S-1-5-18" OR match(uid, "(?i)SYSTEM"))
  AND NOT match(cmd, "(?i)C:\\\\Windows\\\\|C:\\\\Program Files")
| table _time, Computer, TaskName, cmd, uid

48. Share & Network Events

Event ID	Name	Hunt Value	Key Fields
5140	Network Share Accessed	Lateral movement	ShareName, IpAddress, SubjectUserName
5142	Network Share Created	New share creation	ShareName
5145	Network Share Object Checked	Detailed share access	ShareName, RelativeTargetName, AccessMask
5156	WFP Connection Allowed	Network connection tracking	Application, SourceAddress, DestAddress, Ports
5157	WFP Connection Blocked	Blocked connections	Application, SourceAddress, DestAddress

5145 Access Mask Values

Mask	Meaning
0x1	ReadData / ListDirectory
0x2	WriteData / AddFile
0x4	AppendData / AddSubdirectory
0x20	Execute / Traverse
0x10000	Delete
0x20000	ReadControl (read ACL)
0x40000	WriteDACL (modify permissions!)
0x80000	WriteOwner (take ownership!)

49. Event 5145 Deep Dive — Lateral Movement at File Level

ShareName & RelativeTargetName Patterns

ShareName	RelativeTargetName	Indicates
\\*\ADMIN$	PSEXESVC.exe	PsExec dropping service binary
\\*\IPC$	svcctl	Service Control Manager pipe (PsExec, smbexec)
\\*\IPC$	samr	SAM Remote pipe (BloodHound, enumeration)
\\*\IPC$	lsarpc	LSA Remote pipe (enumeration, DCSync prep)
\\*\IPC$	drsuapi	DRS pipe (DCSync!)
\\*\IPC$	atsvc	Task Scheduler pipe (atexec)
\\*\IPC$	RemCom_communicaton	Impacket RemCom pipe
\\*\IPC$	spoolss	Print Spooler (PrintNightmare)
\\*\SYSVOL	Groups.xml	GPP password hunting

# Comprehensive lateral movement detection via 5145
index=wineventlog EventCode=5145
| eval risk=case(
    match(RelativeTargetName, "(?i)PSEXESVC|RemCom"), "CRITICAL-psexec",
    match(RelativeTargetName, "drsuapi"), "CRITICAL-dcsync",
    RelativeTargetName="svcctl" AND match(ShareName, "\\\\IPC\\$"), "HIGH-service_control",
    RelativeTargetName="atsvc", "HIGH-sched_task",
    match(RelativeTargetName, "(?i)\\.exe$") AND AccessMask="0x2", "HIGH-exe_drop",
    match(ShareName, "\\\\ADMIN\\$") AND AccessMask="0x2", "HIGH-admin_write",
    match(ShareName, "\\\\C\\$"), "MEDIUM-c_drive_access",
    match(RelativeTargetName, "samr|lsarpc|srvsvc"), "MEDIUM-enumeration",
    1=1, "LOW"
  )
| where risk!="LOW"
| table _time, Computer, IpAddress, SubjectUserName, ShareName, RelativeTargetName, risk
| sort risk

50. Directory Service Events

Event ID	Name	Hunt Value	Key Fields
4661	Handle to AD Object Requested	AD enumeration	ObjectType, ObjectName
4662	Operation on AD Object	DCSync, AD manipulation	Properties, ObjectName
5136	Directory Service Object Modified	GPO changes, AD modifications	ObjectDN, AttributeLDAPDisplayName
5137	Directory Service Object Created	New AD objects	ObjectDN
5138	Directory Service Object Undeleted	Deleted object recovery	ObjectDN
5141	Directory Service Object Deleted	AD object deletion	ObjectDN

51. Certificate Services & GPO Events

Event ID	Name	Hunt Value
4886	Certificate requested	Certificate request tracking
4887	Certificate issued	Check SAN for impersonation
4888	Certificate request denied	Failed attack attempt
4899	Certificate template updated	ESC4 attack (template modification)
4739	Domain Policy Changed	Domain-level policy modification

# GPO Modification Hunting
index=wineventlog EventCode=5136
| where match(ObjectDN, "(?i)groupPolicyContainer") OR match(AttributeLDAPDisplayName, "(?i)gPCFileSysPath|gPLink")
| table _time, SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue

PART VI — WINDOWS SYSTEM EVENT LOG

52. Core System Events

Event ID	Source	Name	Hunt Value
1	Kernel-General	Time Changed	Timestomping at kernel level
6	FilterManager	FS Filter Load	Filter driver (rootkit detection)
12	Kernel-General	System Start	Boot tracking
13	Kernel-General	System Shutdown	Shutdown tracking
16	Kernel-Boot	Boot Type (Normal/Safe)	Boot mode detection
41	Kernel-Power	Unexpected Shutdown	Crash or forced shutdown
104	Eventlog	Event Log Cleared	Anti-forensics
7000	SCM	Service Failed to Start	Service issues
7034	SCM	Service Crashed Unexpectedly	Exploitation/instability
7040	SCM	Service Start Type Changed	Persistence (disabled to auto)
7045	SCM	New Service Installed	Persistence — critical event

Event 7045 Hunting

High Priority Indicators:
  - ImagePath contains cmd.exe, powershell.exe, or encoded commands
  - ImagePath points to temp directories or user profiles
  - ImagePath contains pipe (|) or redirection (>)
  - Service name is random-looking or very short
  - Account is LocalSystem for a non-Microsoft service
  - ImagePath uses UNC path (\\server\share)

  NOTE: Event 7045 (System log) uses "ImagePath" field.
        Event 4697 (Security log) uses "ServiceFileName" field.

SPL:
  index=wineventlog source="WinEventLog:System" EventCode=7045
  | where NOT match(ImagePath, "(?i)C:\\\\Windows\\\\|C:\\\\Program Files")
  | table _time, Computer, ServiceName, ImagePath, ServiceType, AccountName

Additional System Events

Event ID	Source	Name	Hunt Value
1074	User32	Shutdown/Restart Initiated	Who shut it down?
1033/1034	MsiInstaller	Product install/removal	Software tracking
11707/11708	MsiInstaller	Install success/failure	Package tracking

53. NTLM Operational Log

Event ID	Name	Hunt Value
8001	NTLM client blocked audit	NTLM usage tracking
8002	NTLM server blocked audit	NTLM usage on servers
8003	NTLM auth from domain controller	DC NTLM usage
8004	NTLM auth to domain controller	Client-to-DC NTLM — investigate

Why Track NTLM?

NTLM is legacy and weaker than Kerberos. Pass-the-Hash and NTLM relay attacks exploit NTLM. Any NTLM to a DC from a workstation = investigate.

# NTLM field names vary by Splunk TA; 8004 has DomainName, UserName, Workstation
index=wineventlog source="*NTLM*" EventCode IN (8001,8002,8003,8004)
| stats count by EventCode, Computer, DomainName, UserName | sort - count

54. Print Service & PrintNightmare

Event ID	Name	Hunt Value
307	Document printed	Insider threat — print volume
316	Printer driver installed	PrintNightmare exploitation
808	Spooler failed to load driver	Exploitation attempt
842	New printer driver installed	Remote driver installation

# PrintNightmare Detection
# Field names depend on Splunk TA — check Message field if DriverName/UserName are blank
index=wineventlog source="*PrintService*" EventCode IN (316, 808, 842)
| table _time, Computer, param1, param2, Message

# Also via Sysmon
index=sysmon EventCode=11 TargetFilename="*\\spool\\drivers\\*"
| where NOT match(Image, "(?i)spoolsv\\.exe")
| table _time, Computer, Image, TargetFilename

PART VII — POWERSHELL EVENT LOG

55. PowerShell Operational Events

Event ID	Name	Description	Hunt Value
4103	Module Logging	Pipeline execution details with parameters	Command execution + parameter values
4104	Script Block Logging	Full script content	Most valuable for hunting
4105/4106	Script Block Start/Stop	Execution lifecycle	Execution tracking
40961/40962	PS Console Starting/Ready	Session lifecycle	Session tracking
800	Pipeline Execution	Classic PS logging	HostApplication shows what launched PS

Script Block Logging (4104) — Suspicious Pattern Hunting

# Download cradles
index=wineventlog EventCode=4104 ScriptBlockText="*DownloadString*"
  OR ScriptBlockText="*DownloadFile*" OR ScriptBlockText="*Invoke-WebRequest*"
  OR ScriptBlockText="*Net.WebClient*" OR ScriptBlockText="*Start-BitsTransfer*"

# Credential access
index=wineventlog EventCode=4104 ScriptBlockText="*Invoke-Mimikatz*"
  OR ScriptBlockText="*sekurlsa*" OR ScriptBlockText="*kerberos::*"
  OR ScriptBlockText="*lsadump*" OR ScriptBlockText="*token::elevate*"

# Evasion (AMSI bypass)
index=wineventlog EventCode=4104 ScriptBlockText="*AmsiUtils*"
  OR ScriptBlockText="*amsiInitFailed*" OR ScriptBlockText="*AmsiScanBuffer*"
  OR ScriptBlockText="*VirtualAlloc*" OR ScriptBlockText="*-ExecutionPolicy Bypass*"

# Encoding/obfuscation
index=wineventlog EventCode=4104 ScriptBlockText="*FromBase64String*"
  OR ScriptBlockText="*ToBase64String*" OR ScriptBlockText="*DeflateStream*"
  OR ScriptBlockText="*GzipStream*"

# Lateral movement
index=wineventlog EventCode=4104 ScriptBlockText="*Invoke-Command*"
  OR ScriptBlockText="*Enter-PSSession*" OR ScriptBlockText="*Invoke-WmiMethod*"

# Persistence
index=wineventlog EventCode=4104 ScriptBlockText="*Register-ScheduledTask*"
  OR ScriptBlockText="*New-Service*" OR ScriptBlockText="*Set-ItemProperty*HKLM*Run*"

PowerShell Severity Classification

Level	Patterns
CRITICAL	Invoke-Mimikatz, sekurlsa::, Invoke-DllInjection, Invoke-Shellcode, AmsiUtils, amsiInitFailed, token::elevate, privilege::debug
HIGH	Download + Execute chains (IWR + IEX), Base64 + execution, VirtualAlloc + CreateThread (shellcode), -WindowStyle Hidden -ExecutionPolicy Bypass
MEDIUM	Invoke-Command to remote hosts, Get-ADUser large queries, Registry Run key mods, Service creation
LOW	Standard admin tasks (Get-Process, Get-Service), file operations, network testing

56. PowerShell Logging Deep Dive

4104 vs 4103 vs 800 — What Each Captures

Event	Source Log	Captures	Best For	Misses
4104	PS/Operational	Full script text (ScriptBlockText)	Seeing exactly what code ran	Runtime variable values
4103	PS/Operational	Pipeline execution with parameter values	What variables resolved to	Custom functions, .NET calls
800	Windows PowerShell (classic)	Pipeline summary, HostApplication	Quick overview, unusual PS launchers	Script internals

Recommendation: Enable ALL THREE. 4104 gives you the code. 4103 gives you what the code did with what values. 800 gives you the execution context.

ScriptBlockId — Reassembling Fragmented Scripts

Attackers Exploit Script Fragmentation

Large scripts are split across multiple 4104 events. If a keyword like "DownloadString" spans two message parts, a single-event search will MISS it.

# Reassemble fragmented scripts
index=wineventlog EventCode=4104
| sort ScriptBlockId, MessageNumber
| stats list(ScriptBlockText) as parts values(MessageTotal) as total by ScriptBlockId, Computer
| eval full_script=mvjoin(parts, "")
| where match(full_script, "(?i)DownloadString|Invoke-Expression|FromBase64|Invoke-Mimikatz|AmsiUtils")
| table Computer, ScriptBlockId, total, full_script

Key Insight: -EncodedCommand

Event 4104 captures the DECODED script, not the Base64 blob. Sysmon Event 1 captures the original -enc command line. Use both: 4104 for decoded content, Sysmon 1 for the original command.

57. AMSI Bypass Detection

# Direct AMSI bypass strings
index=wineventlog EventCode=4104
| where match(ScriptBlockText, "(?i)AmsiUtils|amsiInitFailed|AmsiScanBuffer|AmsiOpenSession|amsi\\.dll")
| table _time, Computer, ScriptBlockText

# Reflection-based AMSI bypass
index=wineventlog EventCode=4104
| where match(ScriptBlockText, "(?i)\\[Reflection\\.Assembly\\]|DynamicMethod|Runtime\\.InteropServices")
  AND match(ScriptBlockText, "(?i)Amsi|Marshal")
| table _time, Computer, ScriptBlockText

# Non-PowerShell loading PS engine (unmanaged PS — bypasses CLM entirely)
index=sysmon EventCode=7 ImageLoaded="*\\System.Management.Automation.dll"
| where NOT match(Image, "(?i)powershell|pwsh|wsmprovhost|svchost|mmc")
| table _time, Computer, Image, ImageLoaded

# CLM bypass via PowerShell v2
index=sysmon EventCode=1 Image="*\\powershell.exe"
| where match(CommandLine, "(?i)-version\\s+2|-v\\s+2")
| table _time, Computer, User, CommandLine

PART VIII — APPLICATION & OPERATIONAL LOGS

58. Application Error & Installer Events

Event ID	Source	Name	Hunt Value
1000	Application Error	Application crash	Exploitation indicator
1001	Windows Error Reporting	Crash details	Exploitation details (faulting module)
1002	Application Hang	Application hung	DoS or exploitation
1033/1034	MsiInstaller	MSI install/removal completed	Software tracking
11707/11708	MsiInstaller	Install success/failure	Package tracking

59. Windows Defender Events

Event ID	Name	Hunt Value
1006	Malware Detected	Known malware found
1007	Malware Action Taken	Remediation action
1008	Malware Action Failed	Failed remediation — investigate!
1009	Restore from Quarantine	Restored malicious file
1013	Malware History Deleted	Anti-forensics
1116	Threat Detected	Real-time detection
1117	Action on Threat	Block/quarantine action
5001	Real-time Protection Disabled	Defense evasion!
5004	Real-time Protection Config Changed	Settings manipulation
5007	Configuration Changed	Exclusion added, settings modified
5010/5012	Scanning Disabled	Reduced protection

# Detect Defender being disabled or tampered
index=wineventlog source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"
  EventCode IN (5001, 5004, 5007, 5010, 5012, 1013)
| table _time, Computer, EventCode, Message

# Detect exclusion additions
index=wineventlog source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" EventCode=5007
| search Message="*Exclusion*"
| table _time, Computer, Message

60. Task Scheduler Operational Events

Event ID	Name	Hunt Value
100	Task Started	Execution tracking
106	Task Registered	New task — persistence
107	Task Triggered	Task fired on trigger
118	Triggered by Computer Startup	Boot persistence
119	Triggered by Logon	Logon persistence
140	Task Updated	Modification
141	Task Removed	Cleanup
200	Action Started	Shows actual command executed
201	Action Completed	Execution finished

61. WMI Events

Event ID	Name	Hunt Value
5857	WMI Provider Loaded	Provider activity
5858	WMI Query Error	Failed operations
5860	WMI Temporary Event Created	Event subscription
5861	WMI Permanent Event Created	Persistent event subscription — investigate!

62. BITS Client Events

Event ID	Name	Hunt Value
3	BITS Job Created	New transfer — download/exfil
4	BITS Job Transferred	Transfer completed
59	BITS Started Transferring	Active transfer
61	BITS Error	Transfer failure

63. Remote Desktop Events

TerminalServices-LocalSessionManager/Operational

Event ID	Name	Hunt Value
21	Session Logon Succeeded	RDP logon success
22	Shell Start Notification	RDP shell started
23	Session Logoff Succeeded	RDP logoff
24	Session Disconnected	RDP disconnect
25	Session Reconnected	RDP reconnect

TerminalServices-RDPClient/Operational

Event ID	Name	Hunt Value
1024	RDP Connecting	Connection attempt
1025	RDP Connected	Connection established
1026	RDP Disconnected	Disconnected

64. Windows Firewall Events

Event ID	Name	Hunt Value
2003	Firewall Profile Changed	Profile/settings change
2004	Firewall Rule Added	New rule — possible opening
2005	Firewall Rule Modified	Rule change
2006	Firewall Rule Deleted	Rule removed
2033	All Rules Deleted	Complete rule wipe — evasion

65. AppLocker Events

Event ID	Name	Log	Hunt Value
8002	Exe/DLL was allowed	EXE and DLL	Allowed execution
8003	Exe/DLL would have been blocked	EXE and DLL	Audit mode bypass
8004	Exe/DLL was blocked	EXE and DLL	Blocked execution
8005	Script/MSI was allowed	Script and MSI	Allowed script
8006	Script/MSI would have been blocked	Script and MSI	Audit mode bypass
8007	Script/MSI was blocked	Script and MSI	Blocked script

66. DNS Client Events

Event ID	Name	Hunt Value
3006	DNS Query Completed (by type)	DNS resolution tracking
3008	DNS Query Completed	Query result
3020	DNS Response Received	Response data

PART IX — SYSMON EVENT LOG

67. Sysmon Complete Event ID Reference

ID	Name	Description	Hunt Value
1	ProcessCreate	Process creation with full command line	Core hunting event
2	FileCreateTime	File creation timestamp changed	Timestomping detection
3	NetworkConnect	TCP/UDP connection detected	Process network activity
4	Sysmon State Change	Sysmon started/stopped	Anti-forensics if stopped
5	ProcessTerminate	Process terminated	Lifecycle tracking
6	DriverLoad	Driver loaded into kernel	Rootkit/BYOVD detection
7	ImageLoad	Module (DLL) loaded	DLL side-loading, injection
8	CreateRemoteThread	Thread in remote process	Process injection
9	RawAccessRead	Raw disk access	MBR read, forensic tool
10	ProcessAccess	Process handle opened	Credential dumping (LSASS)
11	FileCreate	File created/overwritten	Dropped files, staging
12	RegistryEvent (Create/Delete)	Registry key created/deleted	Persistence
13	RegistryEvent (ValueSet)	Registry value set	Persistence
14	RegistryEvent (Rename)	Registry key/value renamed	Evasion
15	FileCreateStreamHash	Alternate Data Stream created	ADS hiding data
16	Sysmon Config Change	Configuration modified	Anti-forensics
17	PipeEvent (Created)	Named pipe created	C2 communication
18	PipeEvent (Connected)	Named pipe connected	Lateral movement
19	WmiEvent (Filter)	WMI filter registered	Persistence
20	WmiEvent (Consumer)	WMI consumer registered	Persistence
21	WmiEvent (Binding)	Filter-consumer bound	Persistence
22	DNSEvent (Query)	DNS query by process	Process-level DNS
23	FileDelete (Archived)	File deleted (copy kept)	Anti-forensics
24	ClipboardChange	Clipboard changed	Data theft
25	ProcessTampering	Process image modified	Hollowing/herpaderping
26	FileDeleteDetected	File deleted (logged only)	Deletion tracking
27	FileBlockExecutable	Executable blocked	Blocked exec tracking
28	FileBlockShredding	File shredding blocked	Anti-forensics prevention
29	FileExecutableDetected	Executable dropped	New executable tracking
255	Error	Sysmon error	Health monitoring

68. Event 10 — LSASS Credential Theft Detection

GrantedAccess Values for LSASS

Value	Meaning	Threat Level
0x0010	PROCESS_VM_READ	LOW
0x0400	PROCESS_QUERY_INFORMATION	LOW
0x1000	PROCESS_QUERY_LIMITED_INFORMATION	LOW
0x1010	QUERY_LIMITED + VM_READ	HIGH possible cred dump
0x1038	QUERY_LIMITED + VM_WRITE + VM_READ + VM_OPERATION	CRITICAL credential dump
0x1438	QUERY_LIMITED + QUERY_INFO + VM_OPERATION + VM_READ + VM_WRITE	CRITICAL modified Mimikatz
0x143A	QUERY_LIMITED + QUERY_INFO + CREATE_THREAD + VM_OPS + VM_RW	CRITICAL Mimikatz signature
0x0810	SUSPEND_RESUME + VM_READ	HIGH nanodump, custom dumpers
0x1FFFFF	PROCESS_ALL_ACCESS	CRITICAL full access

CallTrace Field — Most Underused Field in Sysmon

CallTrace shows HOW the handle was opened

The magic keyword is UNKNOWN — this indicates unbacked memory (code not loaded from disk = injected/shellcode).

# Normal (AV checking LSASS):
C:\Windows\SYSTEM32\ntdll.dll+12345|C:\Windows\System32\KERNELBASE.dll+6789|
C:\Program Files\Windows Defender\MsMpEng.exe+abc

# Mimikatz sekurlsa::logonpasswords:
C:\Windows\SYSTEM32\ntdll.dll+9c5a4|C:\Windows\System32\KERNELBASE.dll+2cd86|
UNKNOWN(00000000XXXXXXXX)              ← UNBACKED MEMORY = shellcode/injected

# Procdump:
...|C:\Windows\System32\dbghelp.dll+xxx|C:\SysinternalsSuite\procdump64.exe+xxx

# comsvcs.dll MiniDump:
...|C:\Windows\System32\comsvcs.dll+xxx|C:\Windows\System32\rundll32.exe+xxx

Comprehensive LSASS Detection with Risk Scoring

index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
| where NOT SourceImage IN (
    "C:\\Windows\\system32\\csrss.exe",
    "C:\\Windows\\system32\\wininit.exe",
    "C:\\Windows\\system32\\WerFault.exe",
    "C:\\Windows\\system32\\svchost.exe",
    "C:\\Windows\\system32\\lsass.exe"
  )
| where NOT match(SourceImage, "(?i)MsMpEng\\.exe|MpCmdRun\\.exe|MsSense\\.exe")
| eval risk=case(
    match(CallTrace, "UNKNOWN"), "CRITICAL-shellcode",
    GrantedAccess="0x1FFFFF", "CRITICAL-full_access",
    GrantedAccess="0x143a" OR GrantedAccess="0x143A", "CRITICAL-mimikatz",
    GrantedAccess="0x1438", "CRITICAL-credential_dump",
    GrantedAccess="0x1038", "HIGH-memory_rw",
    GrantedAccess="0x1010", "HIGH-memory_read",
    GrantedAccess="0x0810", "HIGH-suspend_read",
    match(CallTrace, "dbghelp|dbgcore"), "HIGH-debugger",
    match(CallTrace, "comsvcs"), "HIGH-minidump",
    GrantedAccess="0x1410", "MEDIUM-query_read",
    GrantedAccess="0x0040", "MEDIUM-dup_handle",
    1=1, "LOW-other"
  )
| where NOT risk="LOW-other"
| table _time, Computer, SourceImage, GrantedAccess, risk, CallTrace
| sort risk

Beyond LSASS — Other Event 10 Targets

Target	Why	Attack
`csrss.exe`	Handles process/thread creation	Injecting = kernel-adjacent access
`winlogon.exe`	Secure logon, credential provider	Token theft, credential interception
`services.exe`	Service Control Manager	Service manipulation, privesc

69. Event 1 — Advanced Process Analysis

# Command line length analysis (long = encoded/obfuscated)
index=sysmon EventCode=1
| eval cmd_len=len(CommandLine)
| where cmd_len > 500
| table _time, Computer, User, Image, cmd_len, CommandLine | sort - cmd_len

# OriginalFileName vs IMAGE (masquerading detection)
index=sysmon EventCode=1
| where isnotnull(OriginalFileName) AND OriginalFileName!=""
| eval image_name=replace(Image, ".*\\\\", "")
| eval orig_lower=lower(OriginalFileName), image_lower=lower(image_name)
| where orig_lower != image_lower
| table _time, Computer, Image, OriginalFileName, CommandLine

# Processes from temp/user directories
index=sysmon EventCode=1
| where match(CurrentDirectory, "(?i)\\\\Temp\\\\|\\\\tmp\\\\|\\\\Downloads\\\\|\\\\AppData\\\\Local\\\\Temp")
| table _time, Computer, User, Image, CurrentDirectory, CommandLine

# Rare process hashes (long-tail analysis)
index=sysmon EventCode=1
| stats count dc(Computer) as host_count by Hashes, Image
| where host_count < 3 AND count < 5
| sort count | head 50

70. Event 7 — DLL Side-Loading & BYOVD

DLL Side-Loading Detection

# Unsigned DLLs loaded by signed executables
index=sysmon EventCode=7 Signed="false" SignatureStatus!="Valid"
| where match(Image, "(?i)C:\\\\Program Files|C:\\\\Windows")
| where NOT match(ImageLoaded, "(?i)C:\\\\Windows\\\\|C:\\\\Program Files\\\\")
| stats count by Image, ImageLoaded, Signed | sort count

Common Side-Loading Pairs

Legitimate EXE	Hijacked DLL
OneDrive.exe	version.dll, secur32.dll
Teams.exe	Various (Electron app)
bginfo.exe	Various (SysInternals)
msbuild.exe	version.dll
Narrator.exe	MSTTSLocEnUS.DLL (UAC bypass)

Event 6 (DriverLoad) — BYOVD Detection

# Unsigned drivers
index=sysmon EventCode=6 Signed="false"
| table _time, Computer, ImageLoaded, Hashes, Signed

# Drivers from user-writable paths
index=sysmon EventCode=6
| where match(ImageLoaded, "(?i)\\\\Users\\\\|\\\\Temp\\\\|\\\\Downloads\\\\|\\\\AppData\\\\")
| table _time, Computer, ImageLoaded, Hashes, Signed

# Known vulnerable driver names
index=sysmon EventCode=6
| where match(ImageLoaded, "(?i)RTCore64\\.sys|gdrv\\.sys|dbutil_2_3\\.sys|cpuz141\\.sys|iqvw64e\\.sys|mhyprot2\\.sys|kprocesshacker\\.sys|procexp152\\.sys")
| table _time, Computer, ImageLoaded, Hashes, Signed

Resource: LOLDrivers Project (loldrivers.io) — known-vulnerable driver hash list.

71. Event 22 — Per-Process DNS Hunting

# Rare DNS queries (long-tail analysis)
index=sysmon EventCode=22
| stats count dc(Computer) as hosts by QueryName, Image
| where hosts < 3 AND count < 5 | sort count | head 50

# Non-browser processes making external DNS queries
index=sysmon EventCode=22
| where NOT match(Image, "(?i)chrome|firefox|edge|msedge|teams|outlook|svchost")
| where NOT match(QueryName, "(?i)\\.microsoft\\.com|\\.windows\\.com|\\.office\\.com")
| stats count by Image, QueryName | sort count | head 100

# rundll32 making DNS queries (almost always suspicious)
index=sysmon EventCode=22 Image="*\\rundll32.exe"
| table _time, Computer, Image, QueryName, QueryResults

# DGA detection via high unique domain count
index=sysmon EventCode=22
| eval domain_parts=split(QueryName, ".") | eval sld=mvindex(domain_parts, -2) | eval sld_len=len(sld)
| where sld_len > 10
| stats dc(QueryName) as unique_domains count by Image, Computer
| where unique_domains > 20 | sort - unique_domains

72. Event 25 — Process Tampering

Technique	MITRE	How It Works
Process Hollowing	T1055.012	Create suspended process → unmap original → map malicious code → resume
Process Herpaderping	—	Create file with malware → create process → modify file on disk → close
Process Ghosting	—	Create temp file → mark for deletion → write payload → create section → delete file

# ALL process tampering events
index=sysmon EventCode=25
| table _time, Computer, Image, Type, User | sort - _time

# Correlate tampering with subsequent activity
index=sysmon EventCode=25
| rename Computer as host, ProcessId as tampered_pid
| join type=left host tampered_pid
  [search index=sysmon (EventCode=3 OR EventCode=1)
   | rename Computer as host, ProcessId as tampered_pid
   | table _time, host, tampered_pid, Image, DestinationIp, CommandLine]
| table _time, host, Image, Type, DestinationIp, CommandLine

73. Event 3 — Network Connection Hunting

# LOLBins making outbound connections
index=sysmon EventCode=3
| where match(Image, "(?i)\\\\(certutil|mshta|regsvr32|rundll32|bitsadmin|msiexec|wmic|cmstp|msbuild|powershell|cmd)\\.exe$")
| where NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
| table _time, Computer, Image, DestinationIp, DestinationPort, User

# Svchost to unusual ports (injection indicator)
index=sysmon EventCode=3 Image="*\\svchost.exe" Initiated=true
| where DestinationPort NOT IN (80, 443, 53, 123, 389, 636, 445, 135, 88, 5985, 5986)
| where NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
| stats count by DestinationIp, DestinationPort | sort count

# Process-level beaconing detection
index=sysmon EventCode=3 Initiated=true
| where NOT match(DestinationIp, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)")
| bin _time span=5m
| stats count by Image, DestinationIp, DestinationPort, _time, Computer
| streamstats current=f last(_time) as prev_time by Image, DestinationIp, Computer
| eval delta=_time-prev_time
| stats avg(delta) as avg_interval, stdev(delta) as stdev_interval, count
  by Image, DestinationIp, DestinationPort, Computer
| where count > 20 AND stdev_interval < (avg_interval * 0.2)
| eval jitter_pct=round((stdev_interval/avg_interval)*100,2)
| sort jitter_pct

74. Events 17/18 — Named Pipes

Event 17 = Pipe CREATED. Event 18 = Pipe CONNECTED. Not logged by default — requires Sysmon.

Why Pipes Matter for Hunting

Reason	Detail
No files on disk	Pure IPC — no artifacts without Sysmon
Network capable	SMB pipes span machines (port 445)
Blends in	Legitimate Windows uses hundreds of pipes
C2 channel	Cobalt Strike SMB beacon, Meterpreter, etc.
Lateral movement	PsExec, smbexec, atexec all use pipes

Pipe Types

Type	Format	Use
Local	`\\.\pipe\PipeName`	Same-machine IPC. CS post-ex, credential relay.
Remote (SMB)	`\\TargetHost\pipe\PipeName`	Cross-machine over port 445. PsExec, WMI, DCE/RPC.

C2 Framework Pipes

Tool	Pipe Patterns	Notes
Cobalt Strike	`msagent_##`, `MSSE--server`, `postex_`, `postex_ssh_`, `status_`	Defaults — configurable via Malleable C2
Cobalt Strike (newer)	`mojo.`, `interprocess.`, `win_svc`	Chrome-mimicking and service pipes
Metasploit	`meterpreter`, `msf_`	Default Meterpreter pipes
Covenant	`gruntsvc`	Default Covenant C2
Various RATs	`DserNamePipe`, `SearchTextHarvester`	Generic malware pipes

Lateral Movement Pipes

Tool	Pipe	Behavior
PsExec	`PSEXESVC`	Drops service binary to ADMIN$ → creates service → communicates via pipe
Impacket RemCom	`RemCom_communicaton`	Similar to PsExec, open-source
CsExec	`csexec`	PsExec alternative
PAExec	`PAExec*`	PsExec alternative (open-source)
smbexec	`svcctl`	Service control pipe for remote service manipulation

Credential Attack Pipes

Pipe	Attack
`spoolss`	PrinterBug / SpoolSample coercion
`efsrpc`	PetitPotam NTLM coercion
`lsarpc`	LSA operations, DCSync preparation
`drsuapi`	Directory Replication — DCSync
`netdfs`	DFS coercion

Expected Windows Pipes (Know Normal to Find Evil)

ALWAYS PRESENT:
  lsass, ntsvcs, scerpc, browser, wkssvc, srvsvc, winreg,
  samr, netlogon, svcctl, atsvc, epmapper, spoolss,
  tapsrv, InitShutdown, protected_storage, ROUTER

KEY INSIGHT: When Event 18 shows Image="System" connecting to a pipe,
that is a REMOTE connection over SMB. Local pipe access shows the
actual process path.

Detection Queries

# Known malicious pipe names (comprehensive)
index=sysmon EventCode IN (17, 18)
| where match(PipeName, "(?i)\\\\msagent_|\\\\MSSE-.*-server|\\\\postex_|\\\\status_|\\\\mojo\\.|\\\\interprocess\\.|meterpreter|msf_|gruntsvc|\\\\RemCom_|DserNamePipe|SearchTextHarvester|csexec|PAExec|win_svc")
| table _time, Computer, EventCode, Image, PipeName

# Remote pipe connections (lateral movement indicator)
# Image="System" means connection came over SMB from another host
index=sysmon EventCode=18 Image="System"
| stats count by PipeName, Computer | sort - count

# Pipe creation by unusual processes
index=sysmon EventCode=17
| where NOT match(Image, "(?i)svchost|lsass|services|spoolsv|SearchIndexer|System|wininit|csrss|smss")
| stats count by Image, PipeName | sort count | head 30

# Rarest pipes (long-tail — your best hunting query)
index=sysmon EventCode=17
| stats count dc(Computer) as hosts by PipeName
| where hosts < 3 | sort count | head 30

# Risk-scored pipe detection
index=sysmon EventCode IN (17, 18)
| eval pipe_risk=case(
    match(PipeName, "(?i)\\\\msagent_|\\\\postex_|\\\\status_|\\\\MSSE-.*-server|\\\\mojo\\.|\\\\interprocess\\."), "CRITICAL-cobalt_strike",
    match(PipeName, "(?i)\\\\meterpreter|\\\\msf_"), "CRITICAL-metasploit",
    match(PipeName, "(?i)\\\\PSEXESVC"), "HIGH-psexec",
    match(PipeName, "(?i)\\\\RemCom_comm|\\\\csexec|\\\\PAExec"), "HIGH-lateral_move",
    match(PipeName, "(?i)\\\\gruntsvc|\\\\DserNamePipe|\\\\SearchTextHarvester|\\\\win_svc"), "HIGH-c2_framework",
    match(PipeName, "(?i)\\\\drsuapi") AND EventCode=18 AND Image="System", "CRITICAL-dcsync_pipe",
    1=1, "LOW"
  )
| where pipe_risk!="LOW"
| table _time, Computer, EventCode, Image, PipeName, pipe_risk | sort pipe_risk

Live System Pipe Enumeration

# PowerShell — list all active pipes
Get-ChildItem \\.\pipe\ | Select-Object Name
[System.IO.Directory]::GetFiles("\\\\.\\pipe\\") | ForEach-Object { Split-Path $_ -Leaf }

# Sysinternals
pipelist.exe

# Compare against known-good baseline → new pipes = investigate

75. Event 15 — Alternate Data Streams

# Files downloaded from internet (Zone.Identifier)
index=sysmon EventCode=15
| where match(TargetFilename, "Zone\\.Identifier")
| rex field=TargetFilename "(?<base_file>.+):Zone\\.Identifier"
| table _time, Computer, Image, base_file, Hash

# Suspicious ADS (non-Zone.Identifier = actually suspicious)
index=sysmon EventCode=15
| where NOT match(TargetFilename, "Zone\\.Identifier")
| table _time, Computer, Image, TargetFilename, Hash | sort - _time

76. Cross-Event Correlation Patterns

Pattern: Process Injection Chain

Event 1 (attacker process) → Event 8 (CreateRemoteThread) → Event 10 (ProcessAccess) → Event 3 (C2 connection)

index=sysmon EventCode IN (1, 8, 10, 3) Computer="TARGET_HOST"
| sort _time | table _time, EventCode, Image, TargetImage, SourceImage, DestinationIp, CommandLine

Pattern: Credential Dump → Lateral Movement

Event 10 (LSASS access) → Event 1 (recon) → Event 1 (lateral movement) → Event 3 (outbound)

index=sysmon Computer="SOURCE_HOST"
| where (EventCode=10 AND TargetImage="*\\lsass.exe")
  OR (EventCode=1 AND (Image="*\\net.exe" OR Image="*\\wmic.exe" OR Image="*\\psexec*"))
  OR (EventCode=3 AND match(Image, "(?i)wmic|psexec"))
| sort _time | table _time, EventCode, Image, TargetImage, CommandLine, DestinationIp

Pattern: Macro → Download → Execute → Persist

Event 1 (winword → cmd/ps) → Event 22 (DNS query) → Event 11 (file dropped) → Event 1 (payload run) → Event 13 (Run key)

index=sysmon Computer="TARGET_HOST"
| where (EventCode=1 AND ParentImage="*\\winword.exe")
  OR EventCode=22
  OR (EventCode=11 AND match(TargetFilename, "(?i)\\\\Temp\\\\|\\\\Downloads\\\\"))
  OR (EventCode=13 AND match(TargetObject, "\\\\Run\\\\"))
| sort _time | table _time, EventCode, Image, ParentImage, TargetFilename, TargetObject, QueryName, CommandLine

Pattern: BYOVD → EDR Kill

Event 6 (vulnerable driver loaded) → Event 1 (exploit tool) → Event 5 (EDR terminated)

index=sysmon Computer="TARGET_HOST"
| where (EventCode=6 AND Signed="true") OR EventCode=1 OR EventCode=5
| sort _time | table _time, EventCode, Image, ImageLoaded, ParentImage, Signed, Signature, CommandLine

77. Sysmon Configuration Best Practices

Golden Rules

Log everything, then exclude. Never start with include-only.
Never exclude: Events 1, 8, 10, 11, 13, 25
Be careful with Event 3: Exclude by process (chrome, edge), not destination.
Aggressive Event 7 exclusions: System32 DLLs, known signed DLLs.

Event Volume Estimation (per endpoint per day)

Event	Volume	Notes
Event 1 (Process)	500–5,000	Core — always log
Event 3 (Network)	10,000–100,000+	Needs filtering!
Event 7 (DLL Load)	10,000–50,000+	Needs filtering!
Event 10 (ProcessAccess)	100–1,000	Manageable
Event 11 (FileCreate)	1,000–10,000	Moderate
Event 13 (Registry)	500–5,000	Moderate
Event 22 (DNS)	5,000–50,000	Can be noisy
Total per endpoint	~30K–200K/day	Plan SIEM ingestion accordingly

Recommended Configs

Config	Source	Style
SwiftOnSecurity	sysmon-config	Starting point
Olaf Hartong	sysmon-modular	Modular
ION-Storm	sysmon-config	Verbose

# Install with config
sysmon64.exe -accepteula -i sysmonconfig.xml

# Update config (no reinstall)
sysmon64.exe -c sysmonconfig.xml

# Verify running
sc query Sysmon64

Appendix A — Critical Event ID Quick Reference

The most important event IDs for threat hunting and incident response.

ID	Source	Name	Why It Matters
1	Sysmon	ProcessCreate	Core hunting event — process trees, CLI args
3	Sysmon	NetworkConnect	Process-level network connections
6	Sysmon	DriverLoad	BYOVD / rootkit detection
7	Sysmon	ImageLoad	DLL side-loading, .NET CLR injection
8	Sysmon	CreateRemoteThread	Process injection
10	Sysmon	ProcessAccess	LSASS credential dumping
11	Sysmon	FileCreate	Dropped files, payload staging
13	Sysmon	RegistryEvent (ValueSet)	Persistence via registry
17/18	Sysmon	PipeEvent	C2 named pipes, lateral movement
22	Sysmon	DNSEvent	Per-process DNS resolution
25	Sysmon	ProcessTampering	Process hollowing / herpaderping
1102	Security	Audit Log Cleared	Anti-forensics
4624	Security	Logon Success	Lateral movement, account tracking
4625	Security	Logon Failure	Brute force, password spray
4648	Security	Explicit Credentials	RunAs, credential theft
4662	Security	AD Object Operation	DCSync detection
4672	Security	Special Privileges	Privilege escalation, SeDebugPrivilege
4688	Security	Process Created	Process tracking (without Sysmon)
4697	Security	Service Installed	Persistence
4698	Security	Scheduled Task Created	Persistence
4719	Security	Audit Policy Changed	Defense evasion
4720	Security	User Account Created	Backdoor accounts
4728	Security	Member Added to Group	Privilege escalation
4768	Security	Kerberos TGT (AS-REQ)	AS-REP Roasting
4769	Security	Kerberos TGS	Kerberoasting (RC4 0x17)
4771	Security	Kerberos Pre-Auth Fail	Password spraying
5140	Security	Share Accessed	Lateral movement
5145	Security	Share Object Checked	File-level lateral movement
104	System	Event Log Cleared	Anti-forensics
7045	System	New Service Installed	Persistence — critical event
4104	PowerShell	Script Block Logging	Full script content capture
5001	Defender	Real-time Protection Off	Defense evasion
5007	Defender	Config Changed	Exclusions added
1116	Defender	Threat Detected	Malware/tool identification
5861	WMI-Activity	Permanent Event Created	WMI persistence
21	TS-LocalSession	RDP Session Logon	RDP lateral movement
2004	Firewall	Rule Added	Firewall manipulation

Appendix B — Glossary

Term	Definition
ACL	Access Control List — permissions on an object
ADS	Alternate Data Stream — hidden NTFS file stream
AMSI	Antimalware Scan Interface — scans scripts before execution
AS-REP	Authentication Service Reply — Kerberos TGT response
AS-REQ	Authentication Service Request — Kerberos TGT request
BITS	Background Intelligent Transfer Service
BYOVD	Bring Your Own Vulnerable Driver
C2	Command and Control
CLM	Constrained Language Mode (PowerShell restriction)
CLR	Common Language Runtime (.NET execution engine)
COM	Component Object Model
CLSID	Class Identifier — unique ID for a COM object
DCSync	Attack that replicates AD credentials via DRS protocol
DGA	Domain Generation Algorithm
DPAPI	Data Protection API — encrypts user/system secrets
DRS	Directory Replication Service
EQL	Event Query Language (Elastic)
ETW	Event Tracing for Windows — kernel telemetry framework
EVTX	Windows Event Log file format
GPO	Group Policy Object
IPC$	Inter-Process Communication share (named pipe access)
JA3/JA3S	TLS Client/Server fingerprinting
JARM	Active TLS server fingerprinting
KQL	Kusto Query Language (Elastic KQL or Sentinel KQL)
LAPS	Local Administrator Password Solution
LOLBin	Living Off the Land Binary
LSASS	Local Security Authority Subsystem Service
MFT	Master File Table (NTFS)
NTLM	NT LAN Manager authentication protocol
PtH	Pass-the-Hash
PtT	Pass-the-Ticket
RBCD	Resource-Based Constrained Delegation
SDB	Shim Database (Application Compatibility)
Sigma	Open standard for SIEM detection rules
SPN	Service Principal Name (Kerberos)
SPL	Search Processing Language (Splunk)
SSP	Security Support Provider
TGS	Ticket Granting Service (Kerberos service ticket)
TGT	Ticket Granting Ticket (Kerberos initial ticket)
TTP	Tactics, Techniques, and Procedures
UAC	User Account Control
WEF	Windows Event Forwarding
WMI	Windows Management Instrumentation
WinRM	Windows Remote Management (WS-Management)

Dedication

To my homies in cell block 121B — you made coming into the office way better than it could've been.

To my wife Kekai — thanks for putting up with all my sh!t.

And to my kids, Kawai and Bishop — go to sleep, or I will read this entire book to you, word for word, from front to back; then we'll talk in depth about why every organization needs a threat intel capability.

I love all of you.

About the Author

Steven Stone is a Cyber Threat Intelligence analyst, Threat Hunter, and former Detection Engineer supporting government networks. With over 15 years of experience in DoD operations, he operates across the full spectrum of defensive cyber, from intelligence analysis and threat hunting to detection engineering and incident response.

Steven currently serves as a CTI analyst, where he builds and maintains threat hunting programs, develops detection content for enterprise SIEMs, tracks advanced threat actors, and leads intelligence-driven hunt operations. His daily work lives at the intersection of Splunk, Elastic, threat intelligence platforms, and the Windows event logs that this manual is built from.

He holds multiple industry certifications including the CISSP, CISM, several SANS certifications (GCTI, GCFA, GCIH, GCFE, GNFA), and CompTIA credentials (SecurityX/CASP+, CySA+, PenTest+, Security+). He also built and maintains redsheepsec.com, an intelligence sharing platform that tracks ransomware campaigns, emerging CVEs, and threat actor activity, and publishes intelligence reports and hunt guides on current and developing threats.

Contact

Email: contact@redsheepsec.com
Web: redsheepsec.com
LinkedIn: linkedin.com/in/steven-st0n3/

Sigma Modifier	SPL Equivalent
`\|endswith`	`field="*value"`
`\|startswith`	`field="value*"`
`\|contains`	`field="value"`
`\|contains\|all`	`field="val1" field="val2"` (AND)
`\|re`	`match(field, "regex")`
`\|cidr`	`cidrmatch("10.0.0.0/8", field)`
`\|windash`	`field="/c" OR field="-c"`

Copyright & Legal

How to Use This Manual

Structure

Conventions

Assumptions

Feedback & Corrections

Table of Contents

1. Triage Priority Matrix

P1 — Drop Everything (Active Breach Indicators)

P2 — Investigate Within 1 Hour

P3 — Investigate Same Shift

P4 — Review Next Business Day

2. Log Source Decision Tree

3. Pivot Field Maps

Authentication Chain

Process Chain

Network Chain

Persistence Chain

4. Investigation Timeline Reconstruction

Step 1: Identify Your Anchor Event

Step 2: Expand Backward (How Did We Get Here?)

Step 3: Expand Forward (What Happened Next?)

Step 4: Build the Unified Timeline

Step 5: Expand to Other Hosts

5. Playbook: Compromised Account

Phase 1: Scope the Compromise (15 min)

Phase 2: Assess Impact (30 min)

Phase 3: Contain & Remediate

6. Playbook: Malware Execution

Phase 1: Build the Process Tree (10 min)

Phase 2: Assess Behavior (15 min)

Phase 3: Scope & Contain

7. Playbook: Lateral Movement

Phase 1: Confirm & Identify Source (10 min)

Phase 2: Investigate the Source Host (15 min)

Phase 3: Map the Full Lateral Path

8. Playbook: Credential Dumping

Phase 1: Confirm the Dump (5 min)

Phase 2: Assess Blast Radius (15 min)

Phase 3: Contain

9. Playbook: Ransomware Precursors

Phase 1: Confirm & Isolate IMMEDIATELY (5 min)

Phase 2: Scope the Spread (10 min)

Phase 3: Immediate Actions

10. Playbook: Data Staging & Exfiltration

Phase 1: Identify Staging Activity (15 min)

Phase 2: Identify Exfil Channel (15 min)

11. Playbook: Insider Threat

12. Common False Positive Guide

Event 10 (LSASS ProcessAccess) — Known Good

Event 4624 (Logon) — Known Good

Event 7045 (New Service) — Known Good

Event 4688/Sysmon 1 (Process Creation) — Known Good

Event 4698 (Scheduled Task) — Known Good

Sysmon Event 3 (NetworkConnect) — Noisy but Normal

13. MITRE ATT&CK Event Mapping

Initial Access (TA0001)

Execution (TA0002)

Persistence (TA0003)

Privilege Escalation (TA0004)

Defense Evasion (TA0005)

Credential Access (TA0006)

Discovery (TA0007)

Lateral Movement (TA0008)

Exfiltration (TA0010)

14. Quick Triage Checklists

Checklist: Suspicious Logon

Checklist: Suspicious Process

Checklist: New Service / Scheduled Task

Checklist: LSASS Access Alert

15. Windows Process Baseline

Windows Boot Process Chain

svchost.exe Service Groups

16. Suspicious Parent-Child Relationships

Critical — Almost Always Malicious

Suspicious — Investigate Arguments

Expected — Usually Benign

17. LOLBins Detection Reference

18. Dangerous Privileges Reference

19. Beaconing Interval Reference