Operator On The Wire
BLUE TEAM / THREAT HUNT / WINDOWS

Hunt Matrix

| Category | Technique | Primary Artifact | First Check | Critical Signal | Immediate Pivot | Typical Abuse / Context |
|---|---|---|---|---|---|---|
| Accounts | New Local User | Security | Event ID 4720 | New user created unexpectedly | Group membership, logon activity, profile creation | Persistence / rogue account |
| Accounts | Account Enabled | Security | Event ID 4722 | Previously disabled account enabled | Logon events, actor account, target purpose | Reactivated foothold |
| Accounts | Password Reset | Security | Event ID 4724 | Password reset by another account | 4624 / 4672 around same actor | ForceChangePassword / takeover |
| Accounts | Account Deleted | Security | Event ID 4726 | User removed unexpectedly | Prior 4720/4722/4724 chain | Cleanup / evidence destruction |
| Authentication | Successful Logon | Security | Event ID 4624 | Suspicious LogonType, account, source | 4672, 4648, 4688, workstation | Lateral movement / foothold |
| Authentication | Failed Logon | Security | Event ID 4625 | Burst failures across users or hosts | Source IP, usernames, 4771/4776 | Password spraying / brute force |
| Authentication | Explicit Credentials | Security | Event ID 4648 | Alternate creds used | 4624 target logon, 4688 parent process | RunAs / PsExec / remote exec |
| Authentication | Special Privileges Assigned | Security | Event ID 4672 | Admin-equivalent session established | 4624 logon pair, 4688 child processes | Privileged foothold |
| Authentication | Logoff | Security | Event IDs 4634 / 4647 | Session boundaries | Paired 4624, child process timeline | Investigation scoping |
| Authentication | NTLM Authentication | Security | Event ID 4776 | NTLM validation where Kerberos expected | 4624 LogonType, source host, target account | PtH / relay / legacy auth abuse |
| Authentication | Kerberos TGT Request | Security | Event ID 4768 | Unusual source, volume, or account | 4769, 4771, workstation, IP | Kerberos baseline / OPTH |
| Authentication | Kerberos Service Ticket | Security | Event ID 4769 | High-volume SPN requests or rare service access | SPN name, encryption type, source, account | Kerberoasting / ticket abuse |
| Authentication | Kerberos Renewal | Security | Event ID 4770 | Long-running session / renewal anomalies | Prior 4768/4769, host activity | Persistence / long sessions |
| Authentication | Kerberos Pre-Auth Failure | Security | Event ID 4771 | Many failures across users | Source IP, account selection, timing | Password spray / guessing |
| Authentication | Kerberos TGT Failure | Security | Event ID 4772 | Abnormal TGT failure pattern | Account, host, adjacent 4771/4768 | Kerberos abuse / failure analysis |
| Credentials | LSASS Handle Access | Sysmon | Event ID 10 | Process opening lsass.exe with suspicious access | Sysmon 1 parent/child, signer, user | Mimikatz / credential dumping |
| Credentials | LSASS Process Creation Context | Sysmon / Security | Event ID 1 / 4688 | dumper / comsvcs / rundll32 / procdump near LSASS | Command line, signed status, temp paths | Credential dumping staging |
| Credentials | SAM Hive Access | Security | Event ID 4663 | Access to \Windows\System32\config\SAM | Process, account, nearby 4688 | SAM dumping |
| Credentials | SECURITY Hive Access | Security | Event ID 4663 | Access to SECURITY hive | Actor, process, adjacent file copies | LSA secrets extraction |
| Credentials | SYSTEM Hive Access | Security | Event ID 4663 | SYSTEM hive access with SAM/SECURITY | Copy location, archive staging | Offline credential extraction |
| Credentials | NTDS / Replication Rights Abuse | Security | Event ID 4662 | Replication-related object access | Subject user, rights GUIDs, DC context | DCSync / NTDS replication |
| Credentials | NTDS File Access | Security / File Logs | 4663 or file telemetry | ntds.dit touched or copied | VSS activity, temp copies, archive creation | NTDS dump |
| Credentials | Vault / Browser Secret Collection | Sysmon / File / Browser logs | 1 / file touches | Browsers, vault paths, sqlite access | Archive creation, temp staging | Credential theft / data collection |
| Enumeration | Local Account Enumeration | 4688 / Sysmon 1 / PowerShell 4104 | net user, whoami, wmic useraccount, Get-LocalUser | Enumeration immediately after foothold | 4624, 4672, later privilege abuse | Discovery |
| Enumeration | Group Enumeration | 4688 / 4104 | net localgroup, Get-LocalGroupMember, whoami /groups | Privilege-focused enumeration | 4672, later 7045 / 4698 / 5136 | Privilege planning |
| Enumeration | Domain User Enumeration | Security 4662 / 4104 / LDAP | LDAP queries for users/groups | High-volume domain discovery | SPN / trust / ACL follow-up | AD recon |
| Enumeration | Share Enumeration | Security | Event IDs 5140 / 5145 | Many shares accessed without normal workflow | Source host, account, target server | SMB recon / lateral planning |
| Enumeration | SPN Enumeration | Security / 4104 | 4662 or LDAP query telemetry | servicePrincipalName discovery | Subsequent 4769 spikes | Kerberoasting prep |
| Enumeration | Trust Enumeration | Security / 4104 | 4662 / PowerShell telemetry | trustedDomain queries | Cross-domain auth events | Trust mapping |
| Enumeration | DNS Enumeration | DNS logs / 4104 / 4688 | zone transfer, many lookups, nslookup, Resolve-DnsName | Rare zone queries or broad lookup burst | Source host, later network movement | Infra discovery |
| Enumeration | BloodHound / SharpHound Collection | Sysmon / 4688 / 4104 | Sysmon 1 or 4688 | SharpHound execution or zip staging | LDAP volume, temp archives, outbound copy | Graph recon |
| Execution | Process Creation | Security / Sysmon | 4688 / 1 | Suspicious parent-child or command line | Network connections, signer, path | General execution anchor |
| Execution | PowerShell Execution | PowerShell | 4103 / 4104 | Encoded, obfuscated, download cradle, AD recon | 4688, Sysmon 1, network, AMSI gaps | Script-based intrusion |
| Execution | CMD Abuse | 4688 / Sysmon 1 | cmd.exe /c | Short one-liners launching LOLBins or scripts | Parent process, child process, temp files | Staging / execution |
| Execution | WMI Execution | Sysmon / Security / WMI | Sysmon 1, WMI logs | wmiprvse.exe spawning shell / script | 4624 source host, remote account, children | WMIExec / lateral exec |
| Execution | WinRM Remote Shell | WinRM | Event ID 91 | Remote shell established | 4624, PowerShell 4104, source IP | Evil-WinRM / admin shell |
| Execution | PsExec Service Execution | Security / System | 7045 / 7036 | PSEXESVC or odd remote service | 4624, service binary path, ADMIN$ access | PsExec |
| Execution | SMBExec / Service Drop | Security / System | 7045 / 7036 | Random-named service installed remotely | 5140/5145, copied batch / exe, actor logon | Impacket SMBExec |
| Execution | DCOMExec | Sysmon / 4688 | Sysmon 1 | dllhost.exe spawning shell or script | 4624, COM CLSID context, source | DCOM-based lateral exec |
| Execution | Rundll32 Abuse | Sysmon / 4688 | 1 / 4688 | suspicious DLL path, javascript, export abuse | DLL file path, signer, network | LOLBin execution |
| Execution | Regsvr32 Abuse | Sysmon / 4688 | 1 / 4688 | /s /n /u /i: or remote scriptlet | Network, scriptlet URL, parent | LOLBin / Squiblydoo |
| Execution | Mshta Abuse | Sysmon / 4688 | 1 / 4688 | remote HTA / inline JS/VBS | Network, child powershell/cmd | LOLBin execution |
| Execution | InstallUtil Abuse | Sysmon / 4688 | 1 / 4688 | untrusted assembly launched with InstallUtil | File path, signer, parent | LOLBin execution |
| Execution | Regasm / Regsvcs Abuse | Sysmon / 4688 | 1 / 4688 | unmanaged registration of suspicious assembly | File path, persistence changes | LOLBin execution |
| Execution | Odbcconf Abuse | Sysmon / 4688 | 1 / 4688 | odbcconf.exe spawning payload | Parent, registry, child process | LOLBin execution |
| Execution | Cscript / Wscript Abuse | Sysmon / 4688 | 1 / 4688 | script host launching encoded or temp scripts | Script path, MOTW, parent | Script execution |
| Execution | Office Child Process | Sysmon / 4688 | 1 / 4688 | Office spawning shell / script / LOLBin | Command line, document source, MOTW | Macro / phishing execution |
| Execution | Browser Child Process | Sysmon / 4688 | 1 / 4688 | browser spawning powershell, mshta, cmd | Download path, MOTW, user | Browser exploit / click-through |
| Execution | Scheduled Task Execution | Security / Task Scheduler | 4698 / 4702 / Operational | suspicious task action path or creator | 4624 actor, file path, persistence chain | Task-based execution |
| Staging | Temp Payload Drop | Sysmon / File telemetry | 11 / file logs | Executable/script in Temp, ProgramData, AppData | Prefetch, Amcache, 4688 | Staging |
| Staging | Archive Creation | 4688 / File logs | 4688 or file telemetry | 7z/rar/zip created near sensitive files | 5145, HTTP upload, temp paths | Staging / exfil prep |
| Staging | ADS Usage | Sysmon / file / cmdline | Sysmon 1 / file logs | alternate data stream write / execute | Parent, hidden execution, path | Concealment / staging |
| Staging | Download Cradle | PowerShell / Sysmon | 4104 / Sysmon 1 | IEX, DownloadString, WebClient, Invoke-WebRequest | Network, child payload, temp file | Staging / memory load |
| Staging | BITS Abuse | BITS logs / Sysmon / 4688 | BITS operational + process | suspicious BITS job to external source | Downloaded file, job persistence | Staging / persistence |
| Staging | Certutil Download / Decode | Sysmon / 4688 | 1 / 4688 | certutil -urlcache, -decode | File output, later execution | LOLBin staging |
| Staging | Copy to ADMIN$ / IPC$ | 5140 / 5145 | Share access | Remote copy preceding service/task creation | 7045 / 4698 / 4624 | Lateral staging |
| Persistence | Run Keys | Sysmon / Registry / Security | Sysmon 12/13/14 or registry logs | HKCU/HKLM Run modified | Target binary, signer, user logon | User/system persistence |
| Persistence | Startup Folder | File telemetry | file create in Startup path | executable/link/script dropped | User profile, recent execution | User persistence |
| Persistence | Service Install | Security / System | 7045 / 7036 | New service created with suspicious binary | File path, signer, actor, 4624 | Persistence / remote exec |
| Persistence | Scheduled Task Create / Modify | Security / Task Scheduler | 4698 / 4702 | hidden task, odd action, encoded command | Creator account, path, repetition | Persistence |
| Persistence | WMI Subscription | WMI-Activity / Sysmon / PowerShell | WMI logs / 4104 | Event filter / consumer / binding creation | PowerShell, repository artifacts | Fileless persistence |
| Persistence | AppInit / IFEO / SilentProcessExit | Registry | Registry telemetry | debugger / monitor process added | Parent-child chain, target image | Execution hijack |
| Persistence | COM Hijack | Registry / Sysmon | registry mods / 1 | CLSID points to rogue DLL | Load path, target process | Hijack persistence |
| Persistence | LNK Persistence | File telemetry / 4688 | file create + later process | suspicious shortcut in Startup / Public | Target binary, MOTW, recent docs | Persistence / lure |
| Persistence | Print Processor / Port Monitor | Registry / 7045 / DLL loads | registry/service telemetry | new print DLL / driver path | DLL path, signer, spoolsv loads | Privileged persistence |
| Persistence | SSP / LSA Package | Registry / 4688 / service | registry value change | auth package modified | reboot/logon sequence, lsass load | Credential interception persistence |
| Privilege Escalation | UAC Bypass | Sysmon / 4688 / Registry | 1 / registry changes | auto-elevate LOLBin with child payload | Integrity level jump, HKCU hijack | Local priv esc |
| Privilege Escalation | SeDebug / Sensitive Privilege Use | 4672 / 4688 / Sysmon 10 | | privilege session + LSASS/process access | same logon session, parent chain | Credential dumping / token abuse |
| Privilege Escalation | Token Manipulation / Impersonation | 4688 / Sysmon / 4624 | unusual token context / process lineage | child as SYSTEM after user process | source logon, services, handles | Token abuse |
| Privilege Escalation | Service BinPath / Config Abuse | Service registry / 7040 / 7045 | | service path change to attacker binary | actor account, restart event | Service abuse |
| Privilege Escalation | DLL Search Order Hijack | Sysmon 7 / file create | | unsigned DLL in app dir loaded by high-priv process | image load, path, signer | Priv esc / persistence |
| Privilege Escalation | Unquoted Service Path | Service config / 4688 | | binary created in exploitable path | service start, process creation | Priv esc |
| Privilege Escalation | AlwaysInstallElevated | Registry / MSI logs | | policy enabled + msiexec execution | parent process, package source | MSI priv esc |
| Network | Inbound SMB Access | Security | 5140 / 5145 | unusual ADMIN$, C$, IPC$ access | 4624 source, copied files, 7045 | Lateral movement |
| Network | Outbound Connection | Sysmon | Event ID 3 | suspicious destination, rare port, parent process | DNS, process creation, user | C2 / staging / exfil |
| Network | Non-Standard Port Listener | Sysmon / netstat / EDR | process + port telemetry | unexpected service or user process listening | binary path, signer, task/service | C2 / tunnel |
| Network | RDP Logon | Security / TerminalServices | 4624 LogonType 10 + TS logs | unusual source or account | 4672, clipboard/drive use, follow-on exec | Interactive lateral movement |
| Network | WinRM Session | WinRM / 4624 | 91 + 4624 | remote management where unusual | PowerShell, source IP, parent chain | Lateral movement |
| Network | DNS Query Abuse | DNS / Sysmon 22 / ETW | | rare domain, TXT bursts, beacon cadence | process, destination, timing | DNS C2 / staging |
| Network | Proxy / Tunneling | Sysmon 3 / process logs | | long-lived SSH/chisel/ncat-like pattern | child process, listening ports, remote endpoint | Pivot / tunnel |
| Parent-Child | Office → Script Host | Sysmon 1 | Office parent of wscript/cscript/powershell | macro-driven execution | document path, user, MOTW | Phishing |
| Parent-Child | Browser → LOLBin | Sysmon 1 | browser spawns mshta/rundll32/powershell | download/drive-by chain | file path, URL, network | User execution |
| Parent-Child | wmiprvse → Shell | Sysmon 1 | wmiprvse spawning cmd/powershell | remote WMI execution | 4624 source, account | WMI lateral exec |
| Parent-Child | dllhost → Shell | Sysmon 1 | dllhost child cmd/powershell | DCOM abuse | remote source, CLSID | DCOM lateral exec |
| Parent-Child | services.exe → Odd Binary | Sysmon 1 | | service launching unusual payload | 7045/7036, binary path | service execution / persistence |
| Parent-Child | taskeng/taskhostw → Payload | Sysmon 1 | | task engine launching suspicious binary | 4698/4702, task XML | Task persistence |
| Parent-Child | winword/excel → cmd/powershell | Sysmon 1 | | direct macro shell launch | document source, child chain | Malicious Office document |
| Parent-Child | explorer → LOLBin from Temp | Sysmon 1 | | user-click execution from temp/downloads | MOTW, file hash, recent docs | User execution |
| Evasion | Event Log Cleared | Security / System | 1102 / 104 | log cleared | actor account, adjacent activity | Cover tracks |
| Evasion | Timestomp | Sysmon / MFT / file metadata | file time anomalies | ctime/mtime mismatch or backdated PE | creation path, Prefetch/Amcache mismatch | Anti-forensics |
| Evasion | Prefetch Missing but Execution Evidence Present | Prefetch / Amcache / 4688 | expected PF absent | Amcache/4688/Sysmon prove run but PF absent | service / one-shot / cleanup | Evasion / unusual execution context |
| Evasion | Amcache / Shimcache Mismatch | Amcache / Shimcache / Prefetch | artifact disagreement | one artifact proves presence not execution / vice versa | timeline, path, compile time | Anti-forensics / uncertainty handling |
| Evasion | Security Tool Disable | 4688 / service / registry | | sc stop, tamper settings, policy disable | actor, child actions, subsequent payload | Defense evasion |
| Evasion | Script Block Logging Disabled | 4104 gaps / registry / GPO | | expected PowerShell telemetry missing | registry/GPO changes, module logs | Evasion |
| Evasion | History / Recent Items Cleanup | user artifacts / 4688 | | MRU gaps, deleted LNKs, cleanup commands | shellbags, jumplists, recycle bin | Cover tracks |
| Exfiltration | SMB Copy Out | 5145 / 3 / file logs | | bulk file access then remote share writes | source process, archive creation, target share | Exfil / staging |
| Exfiltration | HTTP Upload / Web Exfil | Sysmon 3 / proxy logs / 4104 | | upload to rare external domain or endpoint | process, archive, command line | Exfiltration |
| Exfiltration | Cloud Sync / WebDAV Abuse | process / network / file logs | | rclone, OneDrive abuse, WebDAV mapping | file set, auth, rare destinations | Data theft |
| Exfiltration | Archive + Delete | file logs / 4688 | | archive created then source deleted / moved | process, destination, timing | Exfil prep + cleanup |
| Impact | Shadow Copy Delete | 4688 / VSS logs | | vssadmin delete shadows, wmic shadowcopy delete | actor, ransomware indicators, file encryption | Ransomware prep |
| Impact | Backup Disable / Recovery Inhibit | 4688 / service / registry | | wbadmin / bcdedit / recovery changes | shadow delete, service stops | Destructive prep |
| Impact | Mass File Rename / Encrypt | file telemetry / Sysmon / EDR | | high-volume file modifications | process, extension pattern, notes | Ransomware / destruction |
| Impact | Logon Script / GPO Impact Abuse | 5136 / file logs / 4104 | | broad script deployment or malicious GPO push | changed GPO, SYSVOL writes, affected hosts | Domain-wide impact |
| AD Bridge | LDAP Object Read Burst | Security | 4662 | broad object access from unusual host | actor, process, later AD abuse | AD recon |
| AD Bridge | AD Object Modified | Security | 5136 | ACL / attribute change | actor, object DN, follow-up auth | ACL abuse / RBCD / shadow creds |
| AD Bridge | Object Created / Deleted | Security | 5137 / 5141 | rogue objects or cleanup | actor, object DN, later auth/persistence | DCShadow / GPO / cleanup |
| AD Bridge | Group Membership Change | Security | 4728 / 4732 / 4756 | privileged group addition | actor, new privileges, later logons | Priv esc / persistence |
| AD Bridge | Certificate Issued / Approved | Security | 4886 / 4887 | unusual cert enrollment | template, requester, SAN, later auth | ADCS abuse |
| AD Bridge | Coerced Authentication | Security | 4624 / 4776 / 4769 | machine auth to odd host / relay chain | source, relay target, service | PrinterBug / PetitPotam / relay |
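The Parent-Child rows of the matrix as runnable detection logic: an added example, not code from Operator On The Wire, that matches Sysmon Event ID 1 parent/child image pairs against those rows and then does the row's Immediate Pivot to the Security 4624 that created the session, joined on logon ID. The record field names, the sample events and the Temp/Downloads path pattern are this example's assumptions.

```python
# Added example (not from the Operator On The Wire page): Parent-Child rows of the
# matrix over Sysmon Event ID 1 records, pivoting each hit to its Security 4624.
# Records are dicts shaped like an EVTX-to-JSON export; field names are assumptions.
import re

SHELLS = r"\\(wscript|cscript|powershell|pwsh|cmd)\.exe$"
LOLBINS = r"\\(mshta|rundll32|regsvr32|powershell|cmd)\.exe$"

# (parent image pattern, child image pattern, matrix row), applied to lowercased
# full image paths. The temp/downloads path pattern is this example's assumption.
LINEAGE_RULES = [
    (r"\\(winword|excel|powerpnt|outlook)\.exe$", SHELLS, "Office -> Script Host"),
    (r"\\(chrome|msedge|firefox|iexplore)\.exe$", LOLBINS, "Browser -> LOLBin"),
    (r"\\wmiprvse\.exe$", SHELLS, "wmiprvse -> Shell"),
    (r"\\dllhost\.exe$", SHELLS, "dllhost -> Shell"),
    (r"\\explorer\.exe$", r"\\(temp|downloads)\\[^\\]+\.exe$", "explorer -> LOLBin from Temp"),
]

# Constructed sample data: three suspicious lineages, one benign one, and the 4624s
# that created the logon sessions the child processes run under.
SYSMON = [
    {"EventID": 1, "ProcessId": 4120, "LogonId": "0x1A2B3", "ParentImage":
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessId": 5208, "LogonId": "0x7C9F0", "ParentImage":
     r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessId": 6004, "LogonId": "0x1A2B3", "ParentImage":
     r"C:\Windows\explorer.exe", "Image": r"C:\Users\jdoe\Downloads\invoice.exe"},
    {"EventID": 1, "ProcessId": 7001, "LogonId": "0x3E7", "ParentImage":
     r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe"},
]
SECURITY = [
    {"EventID": 4624, "TargetLogonId": "0x7C9F0", "TargetUserName": "svc_ops",
     "LogonType": 3, "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "TargetLogonId": "0x1A2B3", "TargetUserName": "jdoe",
     "LogonType": 2, "IpAddress": "-"},
]

def lineage_hits(sysmon_events, security_events):
    """Return (ProcessId, matrix row, logon account, source IP) for each Sysmon 1
    record whose ParentImage/Image pair matches a Parent-Child row. The logon
    fields come from the 4624 whose TargetLogonId equals the Sysmon LogonId."""
    logons = {e["TargetLogonId"]: e for e in security_events if e["EventID"] == 4624}
    hits = []
    for e in sysmon_events:
        if e.get("EventID") != 1:
            continue
        parent, child = e["ParentImage"].lower(), e["Image"].lower()
        for parent_re, child_re, row in LINEAGE_RULES:
            if re.search(parent_re, parent) and re.search(child_re, child):
                logon = logons.get(e["LogonId"], {})
                hits.append((e["ProcessId"], row, logon.get("TargetUserName", "?"),
                             logon.get("IpAddress", "?")))
    return hits
```

The wmiprvse hit resolves to a LogonType 3 session from 10.0.0.77, which is the "4624 source, account" pivot the matrix calls for; the benign services.exe → svchost.exe record produces no hit.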

Highest Value Windows First Checks Under Pressure

1. Security 4624 / 4625 / 4648 / 4672 around the suspected time window

2. Sysmon 1 and 3 for process + network pairing

3. Sysmon 10 for LSASS / process access

4. Security 4698 and System 7045 for service/task-based persistence or lateral exec

5. PowerShell 4104 for script content

6. Security 5140 / 5145 for SMB movement and file access

7. WinRM 91 and WMI-related process lineage

8. Prefetch + Amcache + Shimcache for execution corroboration

9. Run keys, services, scheduled tasks, WMI subscription artifacts for persistence

10. Temp / ProgramData / AppData payload paths and signer / hash / compile time review
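The first check above (Security 4624 / 4625 / 4672 around a time window) carried out in code: an added example, not from this page, that pairs 4624 with 4672 by logon ID to surface remote logons that were immediately privileged, and counts distinct accounts in 4625 failures per source IP to surface burst failures across users. Record field names and the sample events are constructed assumptions.

```python
# Added example (not from the Operator On The Wire page): the first check above,
# Security 4624 / 4625 / 4672 around a time window, as two correlations. Records
# are dicts shaped like an EVTX-to-JSON export; field names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a network logon that immediately gains admin privileges
# (4624 paired with 4672 on the same logon ID), an interactive console logon,
# and a burst of 4625 failures across twelve accounts from one source IP.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T09:00:00", "TargetUserName": "svc_backup",
     "TargetLogonId": "0x3E7A1", "LogonType": 3, "IpAddress": "10.0.0.77", "Computer": "FS01"},
    {"EventID": 4672, "Time": "2024-05-01T09:00:00", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x3E7A1", "Computer": "FS01"},
    {"EventID": 4624, "Time": "2024-05-01T09:05:00", "TargetUserName": "jdoe",
     "TargetLogonId": "0x41B00", "LogonType": 2, "IpAddress": "-", "Computer": "WS01"},
] + [
    {"EventID": 4625, "Time": f"2024-05-01T09:10:{i:02d}", "TargetUserName": f"user{i:02d}",
     "IpAddress": "10.0.0.77", "Computer": "DC01"}
    for i in range(12)
]

REMOTE_LOGON_TYPES = {3, 10}  # network and RemoteInteractive (RDP)

def privileged_remote_logons(events):
    """4624 -> 4672 pivot: a 4672's SubjectLogonId is the TargetLogonId of the
    4624 that created the session. Returns (user, host, source IP, LogonType)
    for remote logons that were immediately privileged."""
    privileged = {e["SubjectLogonId"] for e in events if e["EventID"] == 4672}
    return [(e["TargetUserName"], e["Computer"], e["IpAddress"], e["LogonType"])
            for e in events
            if e["EventID"] == 4624 and e["LogonType"] in REMOTE_LOGON_TYPES
            and e["TargetLogonId"] in privileged]

def spray_sources(events, window_minutes=5, min_users=10):
    """Burst failures across users: a source IP whose 4625s name at least
    min_users distinct accounts inside any window_minutes window. Returns
    {ip: distinct users in the first window that crossed the threshold}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append((datetime.fromisoformat(e["Time"]), e["TargetUserName"]))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= timedelta(minutes=window_minutes)}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged
```

The same source IP shows up in both results, which is the kind of actor-centred pivot the matrix's Failed Logon and Special Privileges rows point at.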

Highest Value Windows Artifact Families

| Artifact Family | Why It Wins |
|---|---|
| Security Log | Authentication, privilege, service, task, account changes |
| Sysmon | Process, network, image loads, file time changes, process access |
| PowerShell Logs | High-fidelity script content and recon / cradle detection |
| Task Scheduler Operational | Task persistence and task-triggered execution |
| Services / SCM | Remote exec and persistence via service install or path abuse |
| Registry | Run keys, IFEO, AppInit, COM hijack, policy tampering |
| Prefetch | Program execution corroboration |
| Amcache | Program presence and execution-related metadata |
| Shimcache | Program presence / historical execution context clues |
| Jump Lists / Recent Files / LNK | User execution context and file interaction |
| File System Metadata / MFT / USN | Timeline truth, staging, tampering, mass change analysis |
| WMI Repository / WMI-Activity | Fileless persistence and remote execution context |
| DNS / Proxy / Firewall / Netflow | C2, exfiltration, staging, rare destination validation |
| WinRM / TerminalServices | Interactive or remote admin shell context |
| AD Security Logs | Domain auth, directory reads, object changes, privilege escalation |

Windows Panic Openers by Suspicion

| Suspicion | Open First |
|---|---|
| Someone logged in remotely | 4624, 4672, 4648, WinRM/RDP logs |
| Lateral movement suspected | 4624, 5140, 7045, 4698, Sysmon 1/3 |
| Credential dumping suspected | Sysmon 10, 4688, 4663 on SAM/SECURITY/SYSTEM |
| PowerShell abuse suspected | 4104, 4103, 4688, Sysmon 1/3 |
| Remote exec suspected | 7045, 4698, 91, wmiprvse/dllhost parent-child |
| Persistence suspected | Run keys, tasks, services, WMI subscription, startup folder |
| Ransomware / destructive behavior | vssadmin/wmic/bcdedit, service stops, mass file modifications |
| Fileless / stealth execution suspected | WMI, PowerShell, deleted binaries, script logs, in-memory loaders |
| AD abuse suspected | 4662, 5136, 4728, 4768, 4769, 4886/4887 |