This Windows security triage playbook gives a repeatable PowerShell-driven workflow for first-response investigation. It is optimized for fast signal extraction in the first 30–60 minutes of an incident.
Phase 1: Scope and initial indicators
- Identify affected hosts, users, and time window (the queries below default to the last 6 hours or 24 hours; widen them to cover the window you identified)
- Confirm whether activity is isolated or lateral: the same account, source address, or tool showing up on more than one host
- Preserve key logs (Security, System, PowerShell Operational) before they roll over; export the .evtx files rather than relying on the live log, which keeps rotating while you work
Phase 2: Authentication triage
# All Security-log queries below read the local log and need an elevated session (or Event Log Readers membership).
# Get-WinEvent throws "No events were found" when the filter matches nothing; that is not an error condition here.
# failed logons (4625): the Message text carries account, logon type, source address and NTSTATUS failure code
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-6)} |
Select TimeCreated, MachineName, Message
# privileged logons (4672): written for every logon that holds sensitive privileges, SYSTEM and service
# accounts included, so expect noise; focus on human accounts and on logons at unusual times
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=(Get-Date).AddHours(-6)} |
Select TimeCreated, Message
# account lockouts (4740): in a domain these are recorded on the domain controller (PDC emulator),
# not on the workstation where the bad attempts happened; run this on the DC or add -ComputerName
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; StartTime=(Get-Date).AddHours(-6)} |
Select TimeCreated, Message
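Raw 4625 messages are hard to eyeball in volume. The following is an added example, not code from the original playbook: it parses each event's XML by field name (which avoids depending on Properties[] index positions), then groups the records to separate a password spray (one source address, many distinct accounts) from a brute force (one account, many attempts). The thresholds, the sample events and the host name WS01.corp.example are constructed for illustration.

```powershell
# Added example: structured 4625 triage. Thresholds (5 accounts per source, 10 attempts per
# account) are assumptions to tune for the environment.

function ConvertFrom-FailedLogon {
    # Accepts EventRecord objects from Get-WinEvent or raw event XML strings (used by the offline sample).
    param([Parameter(ValueFromPipeline, Mandatory)] $Event)
    process {
        $xml  = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Computer    = $xml.Event.System.Computer
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = [int]$data.LogonType      # 2 interactive, 3 network, 10 RDP
            SourceIp    = $data.IpAddress
            Status      = $data.Status              # 0xC000006D bad credentials, 0xC0000234 locked out
            SubStatus   = $data.SubStatus           # 0xC0000064 unknown user, 0xC000006A bad password
        }
    }
}

function Get-FailedLogonSummary {
    param([Parameter(Mandatory)] [object[]] $Records,
          [int] $SprayAccountThreshold = 5,     # distinct accounts tried from one source
          [int] $BruteForceThreshold   = 10)    # attempts against one account
    # Password spray: one source, many accounts, usually one or two attempts each
    foreach ($g in $Records | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } | Group-Object SourceIp) {
        $accounts = @($g.Group.Account | Sort-Object -Unique)
        if ($accounts.Count -ge $SprayAccountThreshold) {
            $times = $g.Group.TimeCreated | Sort-Object
            [pscustomobject]@{ Pattern = 'PasswordSpray'; Key = $g.Name; Attempts = $g.Count
                               Detail  = "$($accounts.Count) accounts between $($times[0]) and $($times[-1])" }
        }
    }
    # Brute force: one account, many attempts, from one or a few sources
    foreach ($g in $Records | Group-Object Account) {
        if ($g.Count -ge $BruteForceThreshold) {
            [pscustomobject]@{ Pattern = 'BruteForce'; Key = $g.Name; Attempts = $g.Count
                               Detail  = 'sources: ' + (@($g.Group.SourceIp | Sort-Object -Unique) -join ', ') }
        }
    }
}

# Constructed sample events standing in for Get-WinEvent output (not real log data)
function New-SampleFailedLogonXml {
    param($Time, $User, $Ip, $LogonType = 3, $SubStatus = '0xC000006A')
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="$Time"/><Computer>WS01.corp.example</Computer></System><EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data><Data Name="Status">0xC000006D</Data><Data Name="SubStatus">$SubStatus</Data><Data Name="LogonType">$LogonType</Data><Data Name="IpAddress">$Ip</Data></EventData></Event>
"@
}
$sample = @()
$i = 0
foreach ($u in 'alice','bob','carol','dave','erin','frank') {        # one source walking through accounts
    $sample += New-SampleFailedLogonXml -Time ('2024-05-01T10:00:{0:00}.0000000Z' -f $i) -User $u -Ip '203.0.113.9' -SubStatus '0xC0000064'
    $i++
}
foreach ($n in 1..12) {                                             # one account hammered from one source
    $sample += New-SampleFailedLogonXml -Time ('2024-05-01T10:05:{0:00}.0000000Z' -f $n) -User 'svc-backup' -Ip '10.0.0.5'
}
$sample += New-SampleFailedLogonXml -Time '2024-05-01T10:10:00.0000000Z' -User 'grace' -Ip '10.0.0.7' -LogonType 2   # a lone typo

$records = $sample | ConvertFrom-FailedLogon
Get-FailedLogonSummary -Records $records | Format-Table -AutoSize
# Live use in an elevated shell:
# $records = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-6)} | ConvertFrom-FailedLogon
```

On the sample the summary reports one PasswordSpray row for 203.0.113.9 (6 accounts) and one BruteForce row for CORP\svc-backup (12 attempts); the single failure for grace stays below both thresholds. The SubStatus column is worth keeping in the records: a spray that returns mostly 0xC0000064 (unknown user) is someone guessing names from outside, while 0xC000006A against real accounts means the attacker already has a valid user list.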
Phase 3: Execution and persistence triage
# process creation events (4688): present only if "Audit Process Creation" is enabled, and the command line
# appears only if "Include command line in process creation events" is also on; otherwise you get the image
# path and parent process but not the arguments
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-6)} |
Select TimeCreated, Message
# service installation (4697 in the Security log; the System log records the same installs as 7045 from
# Service Control Manager, which is the one to check when Security auditing of this category is off)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697; StartTime=(Get-Date).AddDays(-1)} |
Select TimeCreated, Message
# scheduled tasks: TaskName and State say little on their own, so show what each task actually runs
Get-ScheduledTask | Select TaskName,TaskPath,State,@{n='Execute';e={$_.Actions.Execute}},@{n='Arguments';e={$_.Actions.Arguments}}
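Listing tasks and services is only half the step; the other half is deciding which entries deserve a look. The block below is an added example, not part of the original playbook: it applies a small set of heuristics (binary in a user-writable directory, script or LOLBin host, encoded PowerShell, download cradle, unquoted service path) to each persistence entry, with a live collector that walks Get-ScheduledTask actions and Win32_Service binaries. The heuristic list and the sample rows are constructed assumptions; the base64 blob in the sample is a placeholder, not a real payload.

```powershell
# Added example: flag persistence entries worth a second look. Heuristics are illustrative, not exhaustive.

function Test-SuspiciousCommand {
    # Returns the reasons a task action or service binary looks suspicious (empty array = nothing noted)
    param([Parameter(Mandatory)] [string] $Execute,
          [string] $Arguments = '',
          [ValidateSet('Task','Service')] [string] $Kind = 'Task')
    $reasons = [System.Collections.Generic.List[string]]::new()
    $exe = $Execute.Trim('"')
    $cmd = "$Execute $Arguments"
    if ($exe -match '\\(Users|Temp|AppData|ProgramData|Public)\\|\\Windows\\Temp\\') {
        $reasons.Add('binary in user-writable location')
    }
    if ($exe -match '(^|\\)(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?$') {
        $reasons.Add('script/LOLBin host')
    }
    if ($Arguments -match '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') {
        $reasons.Add('encoded PowerShell command')
    }
    if ($cmd -match 'https?://|downloadstring|downloadfile|invoke-expression|\biex\b|bitsadmin|certutil') {
        $reasons.Add('download/execute cradle')
    }
    # Classic unquoted service path: the binary portion (up to .exe) contains spaces and is not quoted
    if ($Kind -eq 'Service' -and $Execute -notmatch '^"' -and $Execute -match '^(.*?\.exe)' -and $Matches[1] -match '\s') {
        $reasons.Add('unquoted service path containing spaces')
    }
    ,$reasons.ToArray()
}

function Get-PersistenceCandidate {
    # Live collection: one row per scheduled-task action and per service binary, keeping only flagged rows
    $rows = [System.Collections.Generic.List[object]]::new()
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }          # COM-handler actions carry no Execute
            $r = Test-SuspiciousCommand -Execute $a.Execute -Arguments ([string]$a.Arguments) -Kind Task
            $rows.Add([pscustomobject]@{ Kind='Task'; Name=($t.TaskPath + $t.TaskName); State=$t.State
                                         Execute=$a.Execute; Arguments=$a.Arguments; Reasons=($r -join '; ') })
        }
    }
    foreach ($s in Get-CimInstance Win32_Service) {
        if (-not $s.PathName) { continue }
        $r = Test-SuspiciousCommand -Execute $s.PathName -Kind Service
        $rows.Add([pscustomobject]@{ Kind='Service'; Name=$s.Name; State=$s.State
                                     Execute=$s.PathName; Arguments=''; Reasons=($r -join '; ') })
    }
    $rows | Where-Object Reasons
}

# Constructed sample rows standing in for live task and service output (not from a real host)
$samples = @(
    @{ Kind='Task';    Execute='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Arguments='-NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    @{ Kind='Task';    Execute='C:\Users\Public\update.exe'; Arguments='' }
    @{ Kind='Service'; Execute='C:\Program Files\Vendor App\svc.exe -k netsvcs' }
    @{ Kind='Service'; Execute='"C:\Program Files\Windows Defender\MsMpEng.exe"' }
    @{ Kind='Task';    Execute='%windir%\system32\sc.exe'; Arguments='start w32time task_started' }   # benign built-in action
)
foreach ($s in $samples) {
    $r = Test-SuspiciousCommand @s
    '{0,-8} {1,-60} {2}' -f $s.Kind, $s.Execute, $(if ($r.Count) { $r -join '; ' } else { 'no indicator' })
}
# Live: Get-PersistenceCandidate | Format-Table -AutoSize
```

The sample output flags the first row twice (script host plus encoded command), the second for its user-writable location, the third as an unquoted service path, and leaves the quoted Defender binary and the built-in w32time action clean. A flagged row is a lead, not a verdict: confirm it with the file's hash, signature and creation time, and with the matching 4698 (task created) or 4697/7045 (service installed) event.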
Phase 4: Host exposure checks
# active listening ports: OwningProcess is a PID, so resolve it against Get-Process to see which binary owns the socket
Get-NetTCPConnection -State Listen | Sort-Object LocalPort |
Select LocalAddress,LocalPort,OwningProcess
# running processes with path: Path comes back empty for processes the shell cannot open (other sessions,
# protected processes, PID 4 System), so run elevated before treating an empty Path as suspicious
Get-Process | Select Name,Id,Path | Sort Name
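The two listings above are most useful joined: a socket is only interesting once you know which binary owns it and where that binary lives. The block below is an added example, not part of the original playbook: it joins connection rows to a process table by PID and attaches reasons (binary outside the Windows or Program Files trees, wildcard listener on an unexpected port, script host with an established connection to a public address). The expected-port list, the trusted-directory pattern and the sample rows are constructed assumptions; tune them to the host's role.

```powershell
# Added example: join sockets to owning processes and flag the combinations worth a look.

function Test-PrivateAddress {
    # RFC 1918, loopback and link-local for IPv4; loopback, ULA and link-local for IPv6. Everything else is "public".
    param([string] $Address)
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|f[cd][0-9a-f]{2}:|fe80:)'
}

function Get-ConnectionReport {
    param([Parameter(Mandatory)] [object[]] $Connections,   # LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
          [Parameter(Mandatory)] [object[]] $Processes,     # Id, Name, Path (Get-Process output or equivalent)
          [int[]] $ExpectedListenPorts = @(135, 139, 445, 3389, 5985, 5986))   # assumption: typical domain workstation
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.Id] = $p }
    $scriptHosts = 'powershell','pwsh','cmd','wscript','cscript','mshta','rundll32','regsvr32'
    foreach ($c in $Connections) {
        $p = $byPid[[int]$c.OwningProcess]
        $name = if ($p) { $p.Name } else { '?' }
        $path = if ($p) { $p.Path } else { $null }
        $reasons = @()
        if (-not $p) { $reasons += 'owning process not found (exited, or PID reused)' }
        elseif ($p.Name -eq 'System') { }                   # PID 4: kernel-mode listeners (SMB, HTTP.sys) have no path
        elseif (-not $p.Path) { $reasons += 'process path not readable (run elevated)' }
        elseif ($p.Path -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\') { $reasons += 'binary outside Windows/Program Files' }
        if ($c.State -eq 'Listen' -and $c.LocalAddress -in '0.0.0.0','::' -and $c.LocalPort -notin $ExpectedListenPorts) {
            $reasons += 'listening on all interfaces on an unexpected port'
        }
        if ($c.State -eq 'Established' -and $p -and $p.Name -in $scriptHosts -and -not (Test-PrivateAddress $c.RemoteAddress)) {
            $reasons += 'script host connected to a public address'
        }
        [pscustomobject]@{
            State     = $c.State
            Local     = "$($c.LocalAddress):$($c.LocalPort)"
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            ProcessId = $c.OwningProcess
            Process   = $name
            Path      = $path
            Reasons   = $reasons -join '; '
        }
    }
}

# Constructed sample standing in for Get-Process and Get-NetTCPConnection output (not from a real host)
$procs = @(
    [pscustomobject]@{ Id=4;    Name='System';     Path=$null }
    [pscustomobject]@{ Id=812;  Name='svchost';    Path='C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Id=4412; Name='powershell'; Path='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    [pscustomobject]@{ Id=5120; Name='updater';    Path='C:\Users\Public\updater.exe' }
)
$conns = @(
    [pscustomobject]@{ LocalAddress='0.0.0.0';   LocalPort=445;   RemoteAddress='0.0.0.0';       RemotePort=0;   State='Listen';      OwningProcess=4 }
    [pscustomobject]@{ LocalAddress='0.0.0.0';   LocalPort=5985;  RemoteAddress='0.0.0.0';       RemotePort=0;   State='Listen';      OwningProcess=812 }
    [pscustomobject]@{ LocalAddress='0.0.0.0';   LocalPort=4444;  RemoteAddress='0.0.0.0';       RemotePort=0;   State='Listen';      OwningProcess=5120 }
    [pscustomobject]@{ LocalAddress='10.0.0.12'; LocalPort=51233; RemoteAddress='203.0.113.44';  RemotePort=443; State='Established'; OwningProcess=4412 }
    [pscustomobject]@{ LocalAddress='10.0.0.12'; LocalPort=51240; RemoteAddress='10.0.0.2';      RemotePort=445; State='Established'; OwningProcess=4 }
)
Get-ConnectionReport -Connections $conns -Processes $procs | Where-Object Reasons | Format-Table -AutoSize
# Live (elevated): Get-ConnectionReport -Connections (Get-NetTCPConnection -State Listen,Established) -Processes (Get-Process) | Where-Object Reasons
```

On the sample only two rows survive the filter: the updater.exe listener on 4444 (user-writable path plus unexpected wildcard port) and the powershell.exe session to 203.0.113.44:443. The SMB listener owned by PID 4 and the svchost WinRM listener are silent, which is the point of the join: port lists alone make every host look noisy.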
Phase 5: Privilege and policy changes
# group membership changes: 4728 = member added to a global security group (domain, logged on the DC),
# 4732 = member added to a local security group such as Administrators (logged on that host); both name
# the member that was added, the group, and the account that made the change
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728; StartTime=(Get-Date).AddDays(-1)} |
Select TimeCreated, Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=(Get-Date).AddDays(-1)} |
Select TimeCreated, Message
# audit policy changes (4719): an attacker switching auditing off shows up here; if the log is suspiciously
# short, also look for 1102 (audit log cleared), which survives the clearing
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719; StartTime=(Get-Date).AddDays(-1)} |
Select TimeCreated, Message
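Event-based checks only show changes the log still holds. A membership snapshot taken at the start of triage and diffed against later snapshots catches additions regardless of auditing state, and gives the "Unauthorized privileged group changes" containment trigger something concrete to compare against. The block below is an added example, not part of the original playbook: it snapshots a set of privileged local groups, saves the snapshot as JSON, and reports who was added to or removed from each group. The group list and the sample snapshots are constructed assumptions; Get-LocalGroupMember needs the LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example: baseline and diff privileged local group membership.

$PrivilegedLocalGroups = @('Administrators', 'Remote Desktop Users', 'Remote Management Users', 'Backup Operators')   # assumption

function Get-PrivilegedGroupSnapshot {
    # Live snapshot: group name -> sorted list of member names
    $snap = @{}
    foreach ($g in $PrivilegedLocalGroups) {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object Name
        $snap[$g] = @($members | Sort-Object -Unique)
    }
    $snap
}

function Save-GroupSnapshot {
    param([Parameter(Mandatory)] [hashtable] $Snapshot, [Parameter(Mandatory)] [string] $Path)
    $Snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

function Import-GroupSnapshot {
    param([Parameter(Mandatory)] [string] $Path)
    $obj  = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $snap = @{}
    foreach ($p in $obj.PSObject.Properties) { $snap[$p.Name] = @($p.Value) }
    $snap
}

function Compare-GroupSnapshot {
    # One row per group whose membership differs, listing members added and removed since the baseline
    param([Parameter(Mandatory)] [hashtable] $Baseline, [Parameter(Mandatory)] [hashtable] $Current)
    $groups = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($g in $groups) {
        $before  = @($Baseline[$g])
        $after   = @($Current[$g])
        $added   = @($after  | Where-Object { $_ -notin $before })
        $removed = @($before | Where-Object { $_ -notin $after })
        if ($added.Count -or $removed.Count) {
            [pscustomobject]@{ Group = $g; Added = ($added -join ', '); Removed = ($removed -join ', ') }
        }
    }
}

# Constructed sample snapshots (not from a real host): a new local admin and a new RDP user appeared
$baseline = @{
    'Administrators'          = @('CORP\Domain Admins', 'WS01\Administrator')
    'Remote Desktop Users'    = @('CORP\Helpdesk')
    'Remote Management Users' = @()
    'Backup Operators'        = @()
}
$current = @{
    'Administrators'          = @('CORP\Domain Admins', 'WS01\Administrator', 'WS01\svc-update')
    'Remote Desktop Users'    = @('CORP\Helpdesk', 'CORP\jsmith')
    'Remote Management Users' = @()
    'Backup Operators'        = @()
}
Compare-GroupSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize

# Live: take the baseline once at the start of triage, then diff whenever you revisit the host
# Save-GroupSnapshot -Snapshot (Get-PrivilegedGroupSnapshot) -Path "$env:TEMP\groups-baseline.json"
# Compare-GroupSnapshot -Baseline (Import-GroupSnapshot "$env:TEMP\groups-baseline.json") -Current (Get-PrivilegedGroupSnapshot)
```

The sample diff reports WS01\svc-update added to Administrators and CORP\jsmith added to Remote Desktop Users. Each added member should then be matched to a 4732 event (who made the change, from which logon session); an addition with no corresponding event means either auditing was off or the log was cleared, which is itself a finding.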
Phase 6: Evidence packaging
- Export findings to CSV/text with UTC timestamps and the host they came from
- Record the hypothesis and a confidence level (low/medium/high) per finding, together with the evidence it rests on
- Escalate to containment if compromise likelihood is high
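A triage record is only defensible if someone else can reproduce it and can show it was not altered afterwards. The block below is an added example, not part of the original playbook: it creates a per-host case folder, exports the raw .evtx files named in Phase 1 (so later analysis does not depend on a log that is still rotating), appends findings with their own UTC timestamp, hypothesis and confidence level, and finishes with a SHA-256 manifest that can be re-checked later. The folder location under $env:TEMP, the log list and the sample finding are constructed assumptions; wevtutil is only invoked when it is present, and exporting Security needs an elevated shell.

```powershell
# Added example: reproducible, tamper-evident evidence packaging for the triage session.

function New-TriageCase {
    # Creates <Root>\<hostname>-<UTC stamp>\ and returns its path
    param([string] $Root = (Join-Path $env:TEMP 'triage'))   # assumption: local scratch location
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $dir   = Join-Path $Root "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $dir
}

function Export-TriageEventLogs {
    # Phase 1 preservation: copy the raw logs before they roll over (Security requires elevation)
    param([Parameter(Mandatory)] [string] $CaseDir,
          [string[]] $Logs = @('Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational'))
    if (-not (Get-Command wevtutil.exe -ErrorAction SilentlyContinue)) { return }   # not on Windows
    foreach ($log in $Logs) {
        $file = Join-Path $CaseDir (($log -replace '[\\/]', '_') + '.evtx')
        & wevtutil.exe epl $log $file
    }
}

function Add-TriageFinding {
    # Appends one finding; each row carries its own UTC timestamp, host, phase, hypothesis and confidence
    param(
        [Parameter(Mandatory)] [string] $CaseDir,
        [Parameter(Mandatory)] [string] $Phase,
        [Parameter(Mandatory)] [string] $Observation,
        [Parameter(Mandatory)] [string] $Hypothesis,
        [Parameter(Mandatory)] [ValidateSet('Low', 'Medium', 'High')] [string] $Confidence,
        [string] $EvidenceRef = ''          # file or event reference the finding rests on
    )
    $row = [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Host         = $env:COMPUTERNAME
        Phase        = $Phase
        Observation  = $Observation
        Hypothesis   = $Hypothesis
        Confidence   = $Confidence
        EvidenceRef  = $EvidenceRef
    }
    $row | Export-Csv -Path (Join-Path $CaseDir 'findings.csv') -Append -NoTypeInformation
    $row
}

function Write-EvidenceManifest {
    # SHA-256 of every file in the case folder, written last so it covers the findings file too
    param([Parameter(Mandatory)] [string] $CaseDir)
    $manifest = Join-Path $CaseDir 'MANIFEST.sha256'
    Get-ChildItem -Path $CaseDir -File | Where-Object Name -ne 'MANIFEST.sha256' |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { '{0}  {1}' -f $_.Hash, (Split-Path $_.Path -Leaf) } |
        Set-Content -Path $manifest -Encoding ascii
    $manifest
}

function Test-EvidenceManifest {
    # Returns the names of files whose current hash no longer matches the manifest (nothing = intact)
    param([Parameter(Mandatory)] [string] $CaseDir)
    foreach ($line in Get-Content (Join-Path $CaseDir 'MANIFEST.sha256') | Where-Object { $_ }) {
        $hash, $name = $line -split '\s+', 2
        $actual = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $CaseDir $name)).Hash
        if ($actual -ne $hash) { $name }
    }
}

# Usage on the triaged host; the finding below is a constructed illustration, not a real result
$case = New-TriageCase
Export-TriageEventLogs -CaseDir $case
Add-TriageFinding -CaseDir $case -Phase 'Phase 2' `
    -Observation '12 failed logons for CORP\svc-backup from 10.0.0.5 within 5 minutes' `
    -Hypothesis 'Brute force against a service account' -Confidence Medium -EvidenceRef 'Security.evtx' | Out-Null
Write-EvidenceManifest -CaseDir $case
Test-EvidenceManifest -CaseDir $case     # prints nothing while every file still matches the manifest
"Case folder: $case"
```

Hand the whole folder to the next responder together with the manifest; anyone can re-run Test-EvidenceManifest to show the exports and findings are the ones produced during triage. Keep the hypothesis and confidence columns honest as the picture changes: append a new row with the revised assessment rather than editing an old one, so the findings file itself records how the conclusion evolved.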
Containment triggers
- Confirmed malicious process + suspicious network behavior
- Unauthorized privileged group changes
- Rapid multi-host failed logon activity
This playbook keeps Windows triage fast, structured, and defensible under incident pressure.