Triage | P1 | ~30 min

Bound the Investigation Timeframe

Establish the earliest known indicator of compromise (IOC) and the latest known malicious activity to define the investigation window. This prevents scope creep and focuses collection efforts on relevant evidence.

Actions

1. Query the SIEM for the earliest alert or IOC match and record its timestamp as T-start. Then search every other log source (EDR, firewall, proxy, authentication) for corroborating events within +/- 24 hours of that timestamp.

2. Pull an $MFT-based timeline with the PowerForensics module from an elevated PowerShell prompt, with `$tStart` and `$tEnd` set to the current window bounds as [datetime] values: `Get-ForensicTimeline -VolumeName C: | Where-Object { $_.Date -ge $tStart -and $_.Date -le $tEnd } | Export-Csv mft_timeline.csv -NoTypeInformation`. Compare the result against SIEM timestamps; NTFS timestamps can be stomped, so treat a disagreement as a finding rather than noise.

3. Run the Velociraptor hunt `Windows.Timeline.MFT` across suspected hosts to find clusters of file creation/modification that may push T-start earlier.

4. Cross-reference email gateway logs for the earliest delivery of the malicious payload, adding the known sender, subject or attachment hash to the search so the result is scoped to the campaign rather than every delivered message: `index=email sourcetype=proofpoint action=delivered | stats earliest(_time) as first_seen by sender, subject`.

5. Document the bounding timestamps in the incident ticket: T-start (earliest IOC), T-alert (first detection), T-now (current time) and the resulting investigation window, including the padding applied to T-start.

6. Parse the ShimCache (AppCompatCache) from the SYSTEM hive for historical evidence that may predate EDR deployment: `AppCompatCacheParser.exe -f SYSTEM --csv . --csvf shimcache.csv`. Entries are listed in cache order (most recently inserted or updated first), and the recorded timestamp is the file's last-modification time, not an execution time; on Windows 10 and later an entry does not by itself prove the file ran. Corroborate with Prefetch or AmCache before treating a ShimCache hit as execution, but do use its timestamps to push T-start back: they can point weeks before detection.

7. Parse AmCache.hve for install and first-seen timestamps that may move T-start earlier: `AmcacheParser.exe -f AmCache.hve --csv . --csvf amcache.csv`. The entry's key last-write time approximates when the file was first installed or first run. Cross-reference the recorded SHA-1 against known-malicious IOCs in VirusTotal/MISP, remembering that AmCache hashes only the first 31,457,280 bytes (30 MB) of a file, so the hash of a larger binary will not match a full-file hash.

8. Generate a Prefetch-based execution timeline: `PECmd.exe -d C:\Windows\Prefetch --csv . --csvf prefetch.csv`. From Windows 8 onward each .pf file stores the last eight run times (Windows 7 stores only the most recent), giving an execution timeline that survives event-log rotation. Prefetch is disabled by default on Windows Server, so an empty Prefetch directory there is not evidence of absence.

Queries

index=* (sourcetype=crowdstrike OR sourcetype=defender OR sourcetype=sysmon) earliest=-30d | stats earliest(_time) as first_seen latest(_time) as last_seen by src_ip, dest_ip, process_name | where first_seen < relative_time(now(), "-7d")
SecurityEvent | where TimeGenerated between (ago(30d) .. now()) | where EventID in (4624, 4625, 4648, 4672) | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Account, Computer, LogonType | order by FirstSeen asc
DeviceProcessEvents | where Timestamp > ago(30d) | where FileName in~ ("powershell.exe","cmd.exe","wscript.exe","mshta.exe","certutil.exe") | summarize EarliestExec=min(Timestamp), Count=count() by DeviceName, FileName, InitiatingProcessFileName | order by EarliestExec asc
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 earliest=-30d | stats earliest(_time) as first_logon latest(_time) as last_logon count by Account_Name, src_ip, Logon_Type, ComputerName | sort first_logon
index=wineventlog sourcetype=WinEventLog:Security EventCode IN (4624, 4625, 4648, 4672) earliest=-30d | stats earliest(_time) as first_seen latest(_time) as last_seen count by Account_Name, ComputerName, EventCode | sort first_seen

Notes

Always pad the investigation window by at least 48 hours before T-start -- attackers often perform reconnaissance days before the first detected IOC.

If log retention does not cover the full window, escalate immediately to preserve whatever remains and engage backup/archive recovery.

Use Chainsaw for rapid event log triage across large EVTX collections: `chainsaw hunt evtx_folder/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output chainsaw_results/`. This applies the Sigma rules under `sigma/` (the mapping file translates Sigma field names to EVTX fields) together with Chainsaw's own rules under `rules/`, and writes CSV results into the output directory. Sort the hits by timestamp and check whether any predate the current T-start.
