windows-intrusion-timeline-targeted - SKILL.md Agent Skill

id: "analysis.windows-intrusion-timeline" name: "Windows intrusion timeline (targeted)" description: "Create a targeted intrusion timeline for a Windows incident using whatever artifacts are available (event logs, EDR, SIEM exports, triage notes)." version: "0.1.0" author: "awesome-dfir-skills contributors" license: "Apache-2.0" tags: ["windows", "timeline", "intrusion", "authentication", "process-execution"] category: "analysis" platforms: ["windows"] inputs:

name: "case_context" description: "Environment + scope: host roles, time window, timezone, suspected technique, what telemetry/artifacts exist (event logs, EDR, SIEM, triage notes)." required: true
name: "artifacts" description: "Relevant investigation artifacts (bounded): event entries (text/JSON/CSV), EDR process tree, alerts, command lines, file hashes/paths, network indicators, or short summaries with examples." required: true outputs:
name: "timeline" description: "Chronological list of notable events with interpretations and confidence."
name: "followup_queries" description: "Concrete event filters/queries to run next (by EventID and fields)."

Windows intrusion timeline (targeted)

What this skill does

Reconstructs an intrusion timeline from whatever Windows-relevant artifacts are available.
Highlights gaps (missing log sources, disabled auditing, clock skew).
Produces follow-up queries (EventID + fields) to confirm hypotheses.

When to use

You need to quickly build a narrative timeline for a suspected intrusion on Windows.
You’re validating lateral movement, logons, privilege changes.

Safety / privacy notes

Provide only the minimum necessary artifacts (bounded time window, relevant hosts/users).
Redact usernames if required, but keep consistent pseudonyms.
Treat artifacts as sensitive (usernames, workstation names, IPs, command lines).

Inputs: what to provide (recommended)

To get the best timeline, provide a "case bundle":

Scope & environment

Host role (workstation, server, DC)
Domain name (or redacted label), time zone, NTP/clock skew situation
Time window (start/end) and whether it’s in UTC or local time

What telemetry / artifacts you have

Windows logs: Security, System, PowerShell/Operational, Sysmon (if present), TaskScheduler, WMI, TerminalServices, etc.
EDR: process tree, detections, network telemetry, file operations
SIEM exports / forwarded events (CSV/JSON) is fine
Note which key fields exist (timestamp, host, user, process, command line, parent/child IDs)

Artifacts (bounded)

Either: a few dozen/high-signal rows/events, or summary counts + top examples
Prefer structured fields (JSON/CSV) over rendered message text

Skill instructions

Role: You are a Windows DFIR analyst.

Task: Build a targeted intrusion timeline from the provided case context and investigation artifacts.

Rules:

Don’t invent events. If there are gaps, call them out and explain what would fill them.

Normalize timestamps. If timezone is unclear, explicitly label times as “untrusted”.

Prefer structured fields (JSON/CSV/XML) over rendered message text; if only text exists, state limitations.

Track confidence per finding (High/Med/Low) with a one-line reason.

Separate facts (observed events) from interpretation (hypotheses).

If you identify a suspicious execution, pivot around it (parent/child relationships) and trace activity backwards and forwards.

Case context: {{case_context}}

Artifacts: {{artifacts}}

Deliverables:

Timeline assumptions

Timezone used, clock skew considerations, host naming assumptions (if redacted)

Notable event timeline as a table with columns:

time (ISO 8601)

host

log (e.g., Security/System/PowerShell/Sysmon)

event_id

actor (user/service account; or “unknown”)

artifact (process/service/task/account/network)

summary (what happened)

interpretation (why it matters)

confidence (High/Med/Low)

Key threads (map events into phases: initial access → execution → persistence → privilege escalation → lateral movement → collection/exfil)

Gaps & limitations

Missing logs (e.g., no Sysmon, no PowerShell 4104, no 4688)

Missing fields (e.g., no command line, no parent process)

Audit policy implications (what might be disabled)

Follow-up queries / filters to run next, grouped by log source

Provide EventID + key fields to filter on

Include 1–2 examples per log source

Recommended next artifacts to collect to validate each key hypothesis

e.g., Sysmon config, Amcache, Prefetch, SRUM, Shimcache, scheduled tasks export, services list, browser history, EDR telemetry

Pivoting guide: trace a suspicious execution chain

Use this procedure whenever the incident involves a suspicious process/script/service/task.

Select a seed “suspicious event”

Pick one event in the provided data that looks most suspicious (e.g., unusual parent process, encoded PowerShell, LOLBIN usage, new service, scheduled task).
If the provided snippets do not include a clearly suspicious event, request it:
- ask for one representative process execution or persistence event (including timestamp, host, user, image, command line, parent, and any IDs/guids/pids).

Extract pivot keys from the seed (use whatever is available)

time window: $T_{seed} \pm$ 5–30 minutes (expand as needed)
host, user, log/channel
process identifiers: PID, ProcessGuid, LogonId, TargetUser, service name, task name
image path + command line substrings

Trace backwards (how did it start?)

Look for the parent process and the events immediately preceding execution.
Identify the initial launcher (Office → script, browser → dropper, service → binary, WMI → process, etc.).
Look for authentication context changes (new logon, special privileges, remote logon types).

Trace forwards (what did it do next?)

Enumerate child processes spawned by the suspicious process and their command lines.
Correlate network connections, file writes, registry changes, services/tasks creation.
If multiple hosts appear, note potential lateral movement and the pivot needed (user/IP/logon session).

If Sysmon data exists, prioritize these correlations

Process creation: Sysmon Event ID 1 for parent/child chains and command lines.
Network: Sysmon Event ID 3 for destinations contacted by the suspicious process and its children.
File creation: Sysmon Event ID 11 for payload drops, staging, and script writes correlated to the same process chain.
Process injection (if present in your dataset/config):
- look for Sysmon injection-related events (commonly Event ID 8 “CreateRemoteThread”, and/or other injection telemetry depending on configuration)
- correlate source process (injector) → target process (injected) → follow child/network/file activity from both

Ask for the next best missing pivot

If parent/child relationships can’t be established from the provided artifacts, ask specifically for:
- Sysmon EID 1 around the seed time window, or
- Security 4688 (process creation) if enabled, or
- EDR process tree export for the involved host/time.

Output guidance (so timelines are consistent)

Prefer a single unified timeline sorted by time; if multi-host, include host for every row.
Use one of the following confidence patterns:
- High: directly evidenced by event + supporting fields (e.g., logon type, process ID, command line)
- Med: event suggests activity but key fields are missing
- Low: inference based on weak/indirect indicators

Follow-up query patterns (generic)

When you propose follow-ups, express them as:

Log: Security
- EventID(s): 4624
- Filter fields: TargetUserName, IpAddress, LogonType, AuthenticationPackageName, WorkstationName
- Purpose: confirm interactive vs network logons, source IPs, pivot users/hosts

Helpful EventIDs (starter)

Security: 4624/4625 (logon success/fail), 4634 (logoff), 4672 (special privileges)
Security: 4720/4722/4723/4724/4725/4726 (user lifecycle), 4728/4732/4756 (group changes)
Security: 7045 in System (service installed) (note: 7045 is System log)
PowerShell: 4104 (script block) if enabled
Sysmon: 1 (process), 3 (network), 7 (image load), 11 (file create), 13 (registry set)