SOC OperationsIncident ResponseWindows ForensicsLinux ForensicsKQL Investigations
Edit

Account Usage Investigation Workflow & Cheatsheet

Windows Enterprise DFIR - SOC Analyst Reference

🎯 Investigation Objectives

When investigating account usage, determine:

  • WHO: Which accounts were used (local vs domain)

  • WHEN: Timeline of authentication events

  • WHERE: Source and destination systems

  • HOW: Authentication method and logon type

  • WHAT: Actions performed and resources accessed

  • WHY: Legitimate business need or suspicious activity

📋 Quick Reference: Critical Event IDs

Authentication Events (Security.evtx)

Event ID
Description
Protocol
Priority

4624

Successful Logon

Both

🔴 Critical

4625

Failed Logon

Both

🔴 Critical

4776

Credential Validation

NTLM

🟠 High

4768

TGT Granted

Kerberos

🟠 High

4769

Service Ticket Requested

Kerberos

🟡 Medium

4771

Pre-auth Failed

Kerberos

🔴 Critical

4634/4647

Logoff

Both

🟢 Low

4648

Explicit Credentials (runas)

Both

🔴 Critical

4672

Admin Rights Logon

Both

🔴 Critical

4778

RDP Session Reconnect

N/A

🟠 High

4779

RDP Session Disconnect

N/A

🟡 Medium

4720

Account Created

N/A

🔴 Critical

4697

Service Installed

N/A

🔴 Critical

Service Events (System.evtx)

Event ID
Description
Priority

7045

Service Installed

🔴 Critical

7034

Service Crashed

🟠 High

7036

Service Start/Stop

🟡 Medium

7040

Service Startup Changed

🟠 High

🔍 Investigation Workflow

Phase 1: Initial Triage (First 15 Minutes)

Step 1.1: Identify the Scope

Questions to Answer:
□ What is the alert/indicator that triggered investigation?
□ Which user account(s) are involved?
□ Which system(s) are affected (workstation vs server vs DC)?
□ What is the suspected timeframe?
□ Is this a single incident or part of a campaign?

Step 1.2: Quick Account Profiling

# Check if account is local or domain
net user <username> /domain
net user <username>

# Get account details
Get-ADUser <username> -Properties *

# Check current active sessions
query user
qwinsta

# List local administrators
net localgroup administrators

Document:

  • Account type (Local/Domain/Cloud)

  • Account status (Active/Disabled/Locked)

  • Group memberships

  • Account age and last password change

Phase 2: Authentication Analysis (30 Minutes)

Step 2.1: Collect Authentication Events

On Workstation (Local Auth):

# Export Security log for analysis
wevtutil epl Security C:\Temp\Security_<hostname>.evtx

# Query specific events
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4624,4625,4648,4672,4776
    StartTime=(Get-Date).AddDays(-7)
} | Where-Object {$_.Properties[5].Value -eq '<username>'}

On Domain Controller (Domain Auth):

# Query Kerberos events
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4768,4769,4771,4776
    StartTime=(Get-Date).AddDays(-7)
} | Where-Object {$_.Properties[0].Value -eq '<username>'}

Step 2.2: Analyse Logon Types

Logon Type Decision Tree:

Type 2  → Console/Physical → Is this expected location?
Type 3  → Network → From which system? SMB, file shares
Type 7  → Unlock/Reconnect → Gap in activity?
Type 8  → Cleartext (!)→ Investigate immediately (insecure)
Type 9  → RunAs → What was executed? By whom?
Type 10 → RDP → From where? During business hours?
Type 11 → Cached → System offline? VPN connected?

Red Flags:

  • Type 8 (cleartext credentials)

  • Type 10 from unusual IPs/countries

  • Type 3 during off-hours to sensitive servers

  • Multiple Type 4625 (failed logons) followed by Type 4624 (brute force)

  • Type 9 with service accounts

Phase 3: Timeline Construction (45 Minutes)

Step 3.1: Build Authentication Timeline

PowerShell Timeline Script:

# Create timeline of all authentication events
$Events = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4624,4625,4648,4672,4776,4768,4769,4771,4778,4779
    StartTime=(Get-Date).AddDays(-7)
}

$Events | ForEach-Object {
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        EventID = $_.Id
        Username = $_.Properties[5].Value
        LogonType = $_.Properties[8].Value
        SourceIP = $_.Properties[18].Value
        Workstation = $_.Properties[11].Value
    }
} | Sort-Object TimeCreated | Export-Csv C:\Temp\auth_timeline.csv -NoTypeInformation

Step 3.2: Correlate with Other Activity

Check for:

□ Process execution (4688 events)
□ File access (4663 events)
□ Network connections (Firewall logs)
□ Service installations (7045, 4697)
□ Scheduled task creation (4698)
□ Registry modifications (NTUSER.DAT, SAM)
□ RDP Bitmap Cache artifacts

Phase 4: Deep Dive Analysis (1-2 Hours)

Step 4.1: RDP Investigation

If Type 10 logons detected:

# Query RDP-specific events
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4778,4779
    StartTime=(Get-Date).AddDays(-7)
}

# Check Terminal Services logs
Get-WinEvent -FilterHashtable @{
    LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    ID=21,22,23,24,25
    StartTime=(Get-Date).AddDays(-7)
}

Artifact Collection:

Location: %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache
Action: Collect BMC files for bitmap analysis
Tools: bmc-tools.py, bitmapcacheviewer.exe

Analysis:
□ What was visible on screen during RDP session?
□ Does it match expected business activity?
□ Any sensitive data visible?
□ Screenshots of malicious tools?

Step 4.2: Registry Analysis

SAM Hive Analysis:

# Export SAM hive (requires SYSTEM privileges)
reg save HKLM\SAM C:\Temp\SAM.hive

# Offline analysis with RegRipper
rr.exe -r SAM.hive -f sam > sam_analysis.txt

Look for:

  • Last login timestamps

  • Password last set dates

  • Login counts (high counts = automation/service account)

  • Failed login attempts

  • Cloud account indicators (InternetUserName value)

  • Unusual RIDs or account creation times

NTUSER.DAT Analysis:

# For each user profile
Get-ChildItem C:\Users\*/NTUSER.DAT | ForEach-Object {
    RECmd.exe --f $_.FullName --csv C:\Temp\Registry_Analysis\
}

Check for:

  • Recent documents accessed

  • Typed URLs (web activity)

  • UserAssist (program execution)

  • Run/RunOnce keys (persistence)

  • MRU lists (recently used files)

  • WordWheelQuery (search terms)

Step 4.3: Service Analysis

Query Service Events:

# System log service events
Get-WinEvent -FilterHashtable @{
    LogName='System'
    ID=7034,7035,7036,7040,7045
    StartTime=(Get-Date).AddDays(-7)
}

# Security log service events (if auditing enabled)
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4697
    StartTime=(Get-Date).AddDays(-7)
}

Red Flags:

  • Services installed during suspicious logon timeframe

  • Service names with random characters

  • Services running from temp directories

  • Services with unusual account contexts

  • Services that crash immediately after suspicious activity

Step 4.4: User Access Logging (Server Only)

For Windows Server 2012+:

# Analyse UAL database
SumECmd.exe -d "C:\Windows\System32\LogFiles\Sum" --csv C:\Temp\UAL_Analysis\

Extract:

  • Source IP addresses

  • Accessed services

  • Access timestamps

  • Total access counts

  • Authentication types

  • User accounts used

Phase 5: Pattern Analysis (30 Minutes)

Step 5.1: Identify Anomalies

Statistical Analysis:

Baseline Questions:
□ What are normal logon hours for this account?
□ What are typical source IPs/systems?
□ What is normal logon type distribution?
□ What is average failed logon rate?
□ What systems does this account normally access?

Anomaly Detection:
□ Logons during unusual hours (nights/weekends)
□ Logons from unexpected geographic locations
□ Impossible travel (multiple locations, short timeframe)
□ Sudden spike in failed logons
□ New systems accessed
□ Changed logon type patterns
□ Access to sensitive systems without business justification

Step 5.2: Check for Attack Indicators

Common Attack Patterns:

Attack Type
Indicators

Password Spray

Multiple accounts, few failed attempts each, Type 3

Brute Force

Single account, many 4625 events, then 4624

Pass-the-Hash

Type 3 logons, NTLM auth, no Type 2 on source

Pass-the-Ticket

Kerberos auth without initial 4768, unusual SPNs

Golden Ticket

Long ticket lifetimes, unusual encryption types

Lateral Movement

Type 3 chain across multiple systems

Privilege Escalation

4672 events, Type 9 logons, new admin access

Persistence

Service installs (7045), scheduled tasks, Run keys

RDP Hijacking

4778 without preceding 4624, session transfers

Phase 6: Lateral Movement Tracking (1 Hour)

Step 6.1: Map Authentication Chain

Build Network Map:

Workstation A → Server B → Server C → Domain Controller

For each hop:
1. Identify source system (from 4624 fields)
2. Identify destination system (log location)
3. Document authentication method (NTLM vs Kerberos)
4. Note logon type used
5. Record timestamp
6. Check for service/process spawned

PowerShell Lateral Movement Detector:

# Identify Type 3 logon chains
$SourceSystems = @()
$Timeline = @()

Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4624
    StartTime=(Get-Date).AddHours(-24)
} | Where-Object {
    $_.Properties[8].Value -eq 3  # Type 3 logons
} | ForEach-Object {
    $Timeline += [PSCustomObject]@{
        Time = $_.TimeCreated
        TargetUser = $_.Properties[5].Value
        TargetSystem = $env:COMPUTERNAME
        SourceIP = $_.Properties[18].Value
        SourceHost = $_.Properties[11].Value
    }
}

# Analyze for pivot patterns
$Timeline | Group-Object SourceIP | 
    Where-Object {$_.Count -gt 5} |
    Select-Object Name, Count, @{N='Targets';E={$_.Group.TargetSystem | Select-Object -Unique}}

Step 6.2: Correlate with Process Execution

Check what was executed after authentication:

# Get process creation events near logon time
$LogonTime = Get-Date "2025-11-29 14:30:00"

Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=4688
    StartTime=$LogonTime.AddMinutes(-1)
    EndTime=$LogonTime.AddMinutes(5)
}

Red Flags:

  • PowerShell execution immediately after Type 3 logon

  • cmd.exe with suspicious command lines

  • psexec, wmic, mmc, sc.exe usage

  • Mimikatz or other credential dumping tools

  • Remote management tools (TeamViewer, AnyDesk)

🛠️ Tool Quick Reference

Built-in Windows Tools

# Query specific user logons
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} | 
    Where-Object {$_.Properties[5].Value -eq 'username'}

# Export event log
wevtutil epl Security backup.evtx

# Query remote system
Get-WinEvent -ComputerName SERVER01 -FilterHashtable @{LogName='Security';ID=4624}

# Real-time monitoring
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624,4625} -MaxEvents 10

# Net commands
net user username /domain
net localgroup administrators
net accounts /domain
net session
net use

Registry Analysis Tools

# RegRipper
rr.exe -r NTUSER.DAT -f ntuser > output.txt
rr.exe -r SAM -f sam > sam_output.txt

# RECmd (Eric Zimmerman)
RECmd.exe --f "C:\Users\user\NTUSER.DAT" --csv C:\Output\
RECmd.exe --f "SAM.hive" --sk Users --recover false

# RegistryExplorer.exe (GUI - load hive and browse)

RDP Artifact Analysis

# BMC Tools
python bmc-tools.py -s C:\Cache\Cache0001.bin -d output_folder
bitmapcacheviewer.exe  # GUI tool

# Check RDP connections history
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"

UAL Analysis (Server)

# SumECmd
SumECmd.exe -d "C:\Windows\System32\LogFiles\Sum" --csv C:\Output\

# KStrike
python KStrike.py -d Sum_folder -o output.csv

SAM Analysis

# samparser
python samparser.py SAM.hive > output.txt

# Extract password hashes (for cracking analysis)
secretsdump.py -sam SAM.hive -system SYSTEM.hive LOCAL

📊 Investigation Checklist

Initial Assessment

  • [ ] Identify affected account(s)

  • [ ] Determine account type (Local/Domain/Cloud)

  • [ ] Verify current account status

  • [ ] Establish investigation timeframe

  • [ ] Identify affected systems

Data Collection

  • [ ] Security.evtx from affected workstation

  • [ ] Security.evtx from Domain Controller

  • [ ] System.evtx from affected systems

  • [ ] Terminal Services logs (if RDP used)

  • [ ] SAM registry hive

  • [ ] NTUSER.DAT from user profile

  • [ ] RDP Bitmap Cache (if applicable)

  • [ ] UAL databases (if server)

  • [ ] Network traffic logs

  • [ ] EDR/AV logs

Authentication Analysis

  • [ ] Timeline of 4624/4625 events

  • [ ] Analyse logon types distribution

  • [ ] Identify source IPs/hostnames

  • [ ] Check for failed logon patterns

  • [ ] Verify authentication protocols used

  • [ ] Review explicit credential usage (4648)

  • [ ] Check for privilege escalation (4672)

Artifact Analysis

  • [ ] RDP session artifacts reviewed

  • [ ] Registry analysis completed

  • [ ] Service events examined

  • [ ] Process execution correlated

  • [ ] File access patterns checked

  • [ ] Network connections mapped

Lateral Movement

  • [ ] Authentication chain mapped

  • [ ] Pivot points identified

  • [ ] Affected systems documented

  • [ ] Attack timeline constructed

Pattern Analysis

  • [ ] Baseline behaviour established

  • [ ] Anomalies identified

  • [ ] Attack patterns matched

  • [ ] IOCs extracted

  • [ ] Risk assessment completed

Documentation

  • [ ] Timeline created

  • [ ] Evidence preserved

  • [ ] Screenshots captured

  • [ ] IOCs documented

  • [ ] Report prepared

🚨 Quick Win: High-Value Queries

Detect Potential Compromise

1. Find after-hours admin logons:

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4672} | 
    Where-Object {
        $_.TimeCreated.Hour -lt 6 -or $_.TimeCreated.Hour -gt 18
    }

2. Detect password spray attempts:

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} |
    Group-Object @{Expression={$_.Properties[19].Value}} |
    Where-Object {$_.Count -gt 5} |
    Select-Object Name, Count

3. Find Type 10 (RDP) logons from external IPs:

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} |
    Where-Object {
        $_.Properties[8].Value -eq 10 -and
        $_.Properties[18].Value -notlike "10.*" -and
        $_.Properties[18].Value -notlike "192.168.*"
    }

4. Identify explicit credential usage (runas):

Get-WinEvent -FilterHashtable @{LogName='Security';ID=4648} |
    Select-Object TimeCreated, 
        @{N='User';E={$_.Properties[1].Value}},
        @{N='TargetUser';E={$_.Properties[5].Value}},
        @{N='TargetServer';E={$_.Properties[8].Value}}

5. Find service installations during suspicious timeframe:

$SuspiciousTime = Get-Date "2025-11-29 14:00:00"
Get-WinEvent -FilterHashtable @{LogName='System';ID=7045} |
    Where-Object {
        $_.TimeCreated -ge $SuspiciousTime.AddMinutes(-10) -and
        $_.TimeCreated -le $SuspiciousTime.AddMinutes(10)
    }

🎓 Pro Tips

Efficiency Tips

  1. Use FilterHashtable instead of Where-Object for faster queries

  2. Narrow timeframes - don't query entire logs if you know the window

  3. Query remote systems in parallel using PowerShell jobs

  4. Export to CSV for analysis in Excel/Timeline Explorer

  5. Use date math: (Get-Date).AddDays(-7) for relative dates

Analysis Tips

  1. Start broad, then narrow - overview first, deep dive on anomalies

  2. Follow the data - let artifacts guide your investigation

  3. Trust but verify - logs can be cleared/modified

  4. Look for absence - missing logs are suspicious

  5. Context matters - one odd event might be normal, patterns aren't

Documentation Tips

  1. Screenshot everything - you may need it for reports

  2. Note your commands - reproducibility is critical

  3. Preserve original evidence - work on copies

  4. Chain of custody - document who, what, when, where

  5. Timeline format - use ISO 8601 (YYYY-MM-DD HH:MM:SS)

Common Pitfalls

  1. ❌ Only checking Security log (also check System, Application, specialised logs)

  2. ❌ Ignoring logon type (Type 3 vs Type 10 context is critical)

  3. ❌ Not checking Domain Controller (domain auth happens there)

  4. ❌ Forgetting about log rotation (events may be archived)

  5. ❌ Tunnel vision on one indicator (look for corroborating evidence)

📈 Escalation Criteria

Escalate Immediately If:

  • ✅ Admin account compromise confirmed

  • ✅ Domain Controller authentication anomalies

  • ✅ Evidence of credential dumping tools

  • ✅ Lateral movement to multiple critical systems

  • ✅ After-hours access to sensitive data repositories

  • ✅ Service account used interactively

  • ✅ Cloud admin account suspicious activity

  • ✅ Evidence of golden ticket or similar advanced attack

  • ✅ Data exfiltration indicators

  • ✅ Ransomware/malware execution correlated with logon

📚 Additional Resources

Microsoft Documentation

  • Windows Security Log Encyclopedia

  • Advanced Security Audit Policies

  • Account Logon Events Reference

Tools

  • Eric Zimmerman Tools Suite (KAPE, RECmd, Timeline Explorer)

  • Volatility Framework (memory analysis)

  • Chainsaw (Sigma rule detection for Windows Event Logs)

  • DeepBlueCLI (PowerShell threat hunting)

Training

  • SANS FOR500 (Windows Forensics)

  • SANS FOR508 (Advanced Incident Response)

  • MITRE ATT&CK Framework (Credential Access, Lateral Movement tactics)

📋 Report Template Structure

1. EXECUTIVE SUMMARY
   - Incident overview
   - Impact assessment
   - Key findings
   - Recommendations

2. INVESTIGATION DETAILS
   - Timeline of events
   - Affected accounts and systems
   - Attack methodology
   - Evidence summary

3. TECHNICAL ANALYSIS
   - Authentication events analysis
   - Artifact findings
   - Lateral movement map
   - IOCs

4. RECOMMENDATIONS
   - Immediate actions
   - Short-term remediation
   - Long-term improvements

5. APPENDICES
   - Raw event logs
   - Commands used
   - Tool outputs
   - Screenshots

Remember: The best investigation is methodical, documented, and reproducible. Take your time, be thorough, and let the evidence tell the story.

PreviousWindow Artifact AnalysisNextWindows Forensic Artifacts – Investigation Workflow & Cheatsheet

Last updated