- Home
- Skills
- Tsale
- Awesome Dfir Skills
- Windows Intrusion Timeline
windows-intrusion-timeline_skill
- Python
250
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill tsale/awesome-dfir-skills --skill windows-intrusion-timeline- skill.md8.5 KB
Overview
This skill builds a targeted intrusion timeline for Windows incidents by ingesting available artifacts (event logs, EDR exports, SIEM CSVs, and triage notes). It reconstructs observed actions, highlights gaps and uncertainty, and produces concrete follow-up queries to confirm hypotheses. Outputs separate facts from interpretation and assigns confidence to each finding.
How this skill works
I parse structured telemetry (Security, Sysmon, PowerShell, System, TaskScheduler, EDR process trees) and normalize timestamps. I select a suspicious seed event when present, pivot on process/Logon/Network identifiers, and trace backward/forward to map parent/child activity across hosts. For each row I record the observed fields, interpretive hypothesis, and a High/Med/Low confidence justification, and I call out missing logs or fields that would improve certainty.
When to use it
- You need a succinct incident narrative from limited Windows telemetry to brief stakeholders.
- Validating lateral movement, abnormal logons, or suspicious process chains across hosts.
- Prioritizing collection of missing artifacts (Sysmon, PowerShell script blocks, EDR process trees).
- Generating targeted SIEM/EDR queries to confirm key hypotheses quickly.
Best practices
- Provide a bounded time window and relevant hosts/users to reduce noise and protect privacy.
- Supply structured exports (CSV/JSON) with timestamp, host, user, process, parent IDs, and command line where possible.
- Mark timezone and any known clock skew; label untrusted timestamps explicitly.
- If you redact usernames, use consistent pseudonyms so chains remain traceable.
- When a suspicious execution is found, include ±30 minutes of surrounding logs and any EDR process tree.
Example use cases
- Pivot from a Sysmon EID 1 process creation that runs encoded PowerShell to find drop and C2 connections.
- Correlate Security 4624 logons with task scheduler events to detect lateral execution via scheduled tasks.
- Map privilege escalation by linking 4672 events, service creation (System 7045), and new scheduled tasks.
- Rapidly produce follow-up EventID filters for the SOC to run in the SIEM and confirm host compromise.
FAQ
You can still get a useful targeted timeline, but I will flag gaps and request specific pivot artifacts (e.g., Sysmon EID 1 around the suspicious time or EDR process tree) to raise confidence.
How do you handle timezone uncertainty?
I normalize to the provided timezone and explicitly mark times as 'untrusted' when timezone or clock skew is unknown, and I recommend verifying NTP/clock settings.