This Windows security triage playbook gives a repeatable PowerShell-driven workflow for first-response investigation. It is optimized for fast signal extraction in the first 30–60 minutes of an incident.
Phase 1: Scope and initial indicators
- Identify affected hosts, users, and time window
- Confirm whether activity is isolated or lateral
- Preserve key logs before rotating/overwriting
Phase 2: Authentication triage
# failed logons
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-6)} |
Select TimeCreated, MachineName, Message
# privileged logons
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=(Get-Date).AddHours(-6)} |
Select TimeCreated, Message
# account lockouts
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=(Get-Date).AddHours(-6)} |
Select TimeCreated, MessagePhase 3: Execution and persistence triage
# process creation events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-6)} |
Select TimeCreated, Message
# service installation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697; StartTime=(Get-Date).AddDays(-1)} |
Select TimeCreated, Message
# startup tasks overview
Get-ScheduledTask | Select TaskName,TaskPath,StatePhase 4: Host exposure checks
# active listening ports
Get-NetTCPConnection -State Listen | Sort-Object LocalPort |
Select LocalAddress,LocalPort,OwningProcess
# running processes with path
Get-Process | Select Name,Id,Path | Sort NamePhase 5: Privilege and policy changes
# group membership changes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728; StartTime=(Get-Date).AddDays(-1)} |
Select TimeCreated, Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=(Get-Date).AddDays(-1)} |
Select TimeCreated, Message
# audit policy changes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719; StartTime=(Get-Date).AddDays(-1)} |
Select TimeCreated, MessagePhase 6: Evidence packaging
- Export findings to CSV/text with timestamps
- Record hypothesis and confidence level per finding
- Escalate to containment if compromise likelihood is high
Containment triggers
- Confirmed malicious process + suspicious network behavior
- Unauthorized privileged group changes
- Rapid multi-host failed logon activity
This playbook keeps Windows triage fast, structured, and defensible under incident pressure.
