Sign In
In this module

IR1.9 Native Windows IR — When You Have Nothing but the OS

90-120 minutes · Module 1 · Free
Operational Objective
The Zero-Tool Problem: it is 02:00, the alert has fired, and the compromised system is a legacy server where KAPE cannot be deployed (no USB access, execution policy blocks unknown binaries, change management prevents installing software during business hours), Velociraptor is not installed, and the only access is an RDP session with a local admin account. You have nothing but the operating system itself. Windows ships with every capability needed to collect volatile evidence, assess the current state of compromise, identify persistence mechanisms, and execute initial containment — if you know which commands to run and what the output means. Native Windows IR is the discipline of investigating and responding using only built-in tools and commands, requiring no downloads, no installations, and no third-party software.
Deliverable: A comprehensive library of native Windows commands for evidence collection across four evidence categories (processes, network, persistence, event logs), annotated with interpretation guidance and evidence significance, combined into a production-ready collection script (Collect-Native.ps1) for immediate deployment on any Windows system from Server 2012 R2 through Windows 11.
⏱ Estimated completion: 25 minutes

Native Windows IR — When You Have Nothing but the OS

When the forensic tools are not available yet

You are on a call with a panicking sysadmin. A server is behaving strangely and they think it is compromised. You need them to capture volatile data — running processes, network connections, logged-in users — before anyone reboots the system. They do not have KAPE. They do not have EZTools. They have a command prompt and PowerShell. What do you tell them to run? Native Windows commands are the fallback when proper forensic tools have not been deployed yet — and knowing them means you can guide a non-forensic responder through critical evidence capture over the phone.

Every forensic tool in this course — KAPE, EZTools, Velociraptor, Volatility 3 — is superior to native Windows commands for its specific purpose. KAPE's two-pass collection with raw disk access captures locked files that native commands cannot touch. EZTools parse binary artifacts into structured timeline data that native commands cannot produce. Velociraptor provides enterprise-scale hunting that native commands cannot replicate. Volatility 3 analyzes memory structures that native commands cannot access.

# NATIVE: Complete process inventory with command lines and parent relationships
# This is the native equivalent of Volatility PsList + CmdLine + PsTree
$processes = Get-CimInstance Win32_Process | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)" -ErrorAction SilentlyContinue
    $owner = try { $_.GetOwner() } catch { $null }
    [PSCustomObject]@{
        PID           = $_.ProcessId
        Name          = $_.Name
        PPID          = $_.ParentProcessId
        ParentName    = if ($parent) { $parent.Name } else { "N/A (exited)" }
        CommandLine   = $_.CommandLine
        ExecutablePath = $_.ExecutablePath
        Owner         = if ($owner) { "$($owner.Domain)\$($owner.User)" } else { "N/A" }
        CreationDate  = $_.CreationDate
        SessionId     = $_.SessionId
        HandleCount   = $_.HandleCount
        ThreadCount   = $_.ThreadCount
        WorkingSetMB  = [math]::Round($_.WorkingSetSize / 1MB, 1)
    }
}
$processes | Export-Csv "C:\IR\Evidence\processes_native.csv" -NoTypeInformation
$processes | Sort-Object CreationDate -Descending | Format-Table PID, Name, PPID, ParentName, CreationDate -AutoSize | Out-String | Write-Host
# CMD FALLBACK (if PowerShell is restricted or unavailable):
tasklist /v /fo csv > C:\IR\Evidence\tasklist.csv
wmic process get processid,parentprocessid,name,commandline,executablepath,creationdate /format:csv > C:\IR\Evidence\wmic_processes.csv
# NATIVE: Active network connections mapped to owning process
# Equivalent of Volatility NetScan + Velociraptor connections artifact
$connections = Get-NetTCPConnection |
    Where-Object { $_.State -eq 'Established' -or $_.State -eq 'Listen' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
    @{N='ProcessName'; E={(Get-Process -Id $_.OwningProcess -EA 0).ProcessName}},
    @{N='PID'; E={$_.OwningProcess}},
    @{N='ProcessPath'; E={(Get-Process -Id $_.OwningProcess -EA 0).Path}},
    CreationTime
$connections | Export-Csv "C:\IR\Evidence\connections_native.csv" -NoTypeInformation

# NATIVE: DNS cache — recently resolved domains (C2 indicator)
# DNS cache entries persist for minutes after the connection closes
# Even if netstat shows no active C2 connection, the DNS resolution
# for the C2 domain may still be cached here
Get-DnsClientCache | Select-Object Entry, RecordName, RecordType, Data, TimeToLive, Section |
    Export-Csv "C:\IR\Evidence\dns_cache_native.csv" -NoTypeInformation

# NATIVE: ARP table — MAC-to-IP mappings for the local network
# Reveals which hosts this system has communicated with recently
Get-NetNeighbor | Where-Object { $_.State -ne 'Unreachable' } |
    Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias |
    Export-Csv "C:\IR\Evidence\arp_native.csv" -NoTypeInformation

# NATIVE: Network shares — check for attacker-created shares
Get-SmbShare | Select-Object Name, Path, Description, CurrentUsers |
    Export-Csv "C:\IR\Evidence\shares_native.csv" -NoTypeInformation

# NATIVE: Active SMB sessions — who is connected to this system
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, NumOpens |
    Export-Csv "C:\IR\Evidence\smb_sessions_native.csv" -NoTypeInformation

# NATIVE: Open files on shares — what remote users are accessing
Get-SmbOpenFile -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, Path |
    Export-Csv "C:\IR\Evidence\smb_openfiles_native.csv" -NoTypeInformation

# NATIVE: Listening ports — what services are exposed
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
    @{N='Process'; E={(Get-Process -Id $_.OwningProcess -EA 0).ProcessName}} |
    Sort-Object LocalPort |
    Export-Csv "C:\IR\Evidence\listening_ports_native.csv" -NoTypeInformation

# NATIVE: Firewall rules — check for attacker modifications
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile, LocalPort, RemoteAddress |
    Export-Csv "C:\IR\Evidence\firewall_inbound_native.csv" -NoTypeInformation
# NATIVE: Scheduled tasks — most common persistence mechanism (T1053.005)
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $info = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        TaskName    = $_.TaskName
        TaskPath    = $_.TaskPath
        State       = $_.State
        Actions     = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "
        Triggers    = ($_.Triggers | ForEach-Object { $_.GetType().Name }) -join "; "
        RunAs       = $_.Principal.UserId
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
    }
}
$tasks | Export-Csv "C:\IR\Evidence\schtasks_native.csv" -NoTypeInformation

# NATIVE: Services — service persistence (T1543.003)
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, PathName, StartName, Description |
    Export-Csv "C:\IR\Evidence\services_native.csv" -NoTypeInformation

# NATIVE: Registry Run keys — autostart persistence (T1547.001)
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
)
$runResults = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        $props.PSObject.Properties |
            Where-Object { $_.Name -notin @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') } |
            ForEach-Object {
                [PSCustomObject]@{ Key = $key; Name = $_.Name; Value = $_.Value }
            }
    }
}
$runResults | Export-Csv "C:\IR\Evidence\run_keys_native.csv" -NoTypeInformation

# NATIVE: Startup folder contents
$startupPaths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$startupFiles = foreach ($p in $startupPaths) {
    Get-ChildItem $p -ErrorAction SilentlyContinue |
        Select-Object Name, FullName, CreationTime, LastWriteTime, Length
}
$startupFiles | Export-Csv "C:\IR\Evidence\startup_folders_native.csv" -NoTypeInformation

# NATIVE: Local user accounts — check for attacker-created accounts (T1136.001)
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordExpires,
    Description, SID, @{N='PasswordNeverExpires'; E={$_.PasswordNeverExpires}} |
    Export-Csv "C:\IR\Evidence\local_users_native.csv" -NoTypeInformation

# NATIVE: Local admin group — unauthorized privilege escalation
Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource |
    Export-Csv "C:\IR\Evidence\local_admins_native.csv" -NoTypeInformation

# NATIVE: WMI event subscriptions — advanced persistence (T1546.003)
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -ErrorAction SilentlyContinue |
    Select-Object Name, Query, QueryLanguage |
    Export-Csv "C:\IR\Evidence\wmi_filters_native.csv" -NoTypeInformation
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, CommandLineTemplate, ExecutablePath |
    Export-Csv "C:\IR\Evidence\wmi_consumers_native.csv" -NoTypeInformation
# NATIVE: High-value event IDs — the events that matter for IR
# Each query targets a specific investigation question

# 4624 — Successful logons: who logged in, when, from where, how
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-7)} -MaxEvents 2000 -EA 0 |
    Select-Object TimeCreated,
    @{N='User'; E={$_.Properties[5].Value}},
    @{N='Domain'; E={$_.Properties[6].Value}},
    @{N='LogonType'; E={$_.Properties[8].Value}},
    @{N='LogonProcess'; E={$_.Properties[9].Value}},
    @{N='SourceIP'; E={$_.Properties[18].Value}},
    @{N='SourcePort'; E={$_.Properties[19].Value}} |
    Export-Csv "C:\IR\Evidence\logons_native.csv" -NoTypeInformation
# LogonType 2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock,
# 10=RemoteInteractive(RDP), 11=CachedInteractive

# 4625 — Failed logons: brute force, password spray, credential stuffing
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-7)} -MaxEvents 2000 -EA 0 |
    Select-Object TimeCreated,
    @{N='User'; E={$_.Properties[5].Value}},
    @{N='SourceIP'; E={$_.Properties[19].Value}},
    @{N='SubStatus'; E={$_.Properties[9].Value}} |
    Export-Csv "C:\IR\Evidence\failed_logons_native.csv" -NoTypeInformation

# 4688 — Process creation: what executed (requires audit policy)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1)} -MaxEvents 5000 -EA 0 |
    Select-Object TimeCreated,
    @{N='NewProcess'; E={$_.Properties[5].Value}},
    @{N='CommandLine'; E={$_.Properties[8].Value}},
    @{N='ParentProcess'; E={$_.Properties[13].Value}},
    @{N='User'; E={$_.Properties[1].Value}} |
    Export-Csv "C:\IR\Evidence\process_creation_native.csv" -NoTypeInformation

# 7045 — Service installed: persistence detection
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} -MaxEvents 200 -EA 0 |
    Select-Object TimeCreated,
    @{N='ServiceName'; E={$_.Properties[0].Value}},
    @{N='ImagePath'; E={$_.Properties[1].Value}},
    @{N='ServiceType'; E={$_.Properties[2].Value}},
    @{N='StartType'; E={$_.Properties[3].Value}},
    @{N='AccountName'; E={$_.Properties[4].Value}} |
    Export-Csv "C:\IR\Evidence\service_installs_native.csv" -NoTypeInformation

# 4104 — PowerShell ScriptBlock logging: attacker commands
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 1000 -EA 0 |
    Select-Object TimeCreated,
    @{N='ScriptBlock'; E={$_.Properties[2].Value}},
    @{N='Path'; E={$_.Properties[4].Value}} |
    Export-Csv "C:\IR\Evidence\powershell_scripts_native.csv" -NoTypeInformation

# 1102 — Audit log cleared: anti-forensics indicator
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 50 -EA 0 |
    Select-Object TimeCreated, @{N='ClearedBy'; E={$_.Properties[1].Value}} |
    Export-Csv "C:\IR\Evidence\log_cleared_native.csv" -NoTypeInformation

# CRITICAL BRIDGE: Export raw .evtx files for EvtxECmd analysis
# This is the most important native command for connecting to the
# dedicated tool pipeline — wevtutil exports the binary .evtx files
# that EvtxECmd can parse with 700+ maps on the forensic workstation
$logsToExport = @(
    'Security', 'System', 'Application',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-Windows Defender/Operational'
)
foreach ($log in $logsToExport) {
    $safeName = $log -replace '[/\\ ]', '_'
    wevtutil epl $log "C:\IR\Evidence\${safeName}.evtx" 2>$null
    if ($?) { Write-Host "  Exported: $log" -ForegroundColor Green }
}
# Collect-Native.ps1 — Native IR collection requiring zero tool installation
# Include in the jump bag alongside KAPE and Velociraptor collector
# Usage: .\Collect-Native.ps1 -OutputDir "C:\IR\Evidence\NativeCollection"

param([string]$OutputDir = "C:\IR\Evidence\Native_$(hostname)_$(Get-Date -Format 'yyyyMMdd_HHmm')")
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$startTime = Get-Date

Write-Host "=== Native IR Collection — $(hostname) ===" -ForegroundColor Cyan
Write-Host "Output: $OutputDir" -ForegroundColor White
Write-Host "Started: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss UTC' -AsUTC)" -ForegroundColor White

# System context
systeminfo > "$OutputDir\systeminfo.txt"
whoami /all > "$OutputDir\whoami.txt"
ipconfig /all > "$OutputDir\ipconfig.txt"

# Processes (volatile — collect first)
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine, ExecutablePath, CreationDate |
    Export-Csv "$OutputDir\processes.csv" -NoTypeInformation
Write-Host "  [1/7] Processes: DONE" -ForegroundColor Green

# Network (volatile — collect second)
Get-NetTCPConnection | Where-Object { $_.State -ne 'Bound' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
    Export-Csv "$OutputDir\connections.csv" -NoTypeInformation
Get-DnsClientCache | Export-Csv "$OutputDir\dns_cache.csv" -NoTypeInformation
Get-NetNeighbor | Where-Object { $_.State -ne 'Unreachable' } | Export-Csv "$OutputDir\arp.csv" -NoTypeInformation
Write-Host "  [2/7] Network: DONE" -ForegroundColor Green

# Persistence
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath, State, @{N='Actions'; E={($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "}} |
    Export-Csv "$OutputDir\scheduled_tasks.csv" -NoTypeInformation
Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName |
    Export-Csv "$OutputDir\services.csv" -NoTypeInformation
Get-LocalUser | Export-Csv "$OutputDir\local_users.csv" -NoTypeInformation
Get-LocalGroupMember -Group "Administrators" -EA 0 | Export-Csv "$OutputDir\local_admins.csv" -NoTypeInformation
Write-Host "  [3/7] Persistence: DONE" -ForegroundColor Green

# Registry Run keys
$runKeys = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
foreach ($key in $runKeys) {
    if (Test-Path $key) { Get-ItemProperty $key | Out-File "$OutputDir\run_keys.txt" -Append }
}
Write-Host "  [4/7] Registry: DONE" -ForegroundColor Green

# WMI persistence
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -EA 0 | Out-File "$OutputDir\wmi_persistence.txt"
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -EA 0 | Out-File "$OutputDir\wmi_persistence.txt" -Append
Write-Host "  [5/7] WMI: DONE" -ForegroundColor Green

# Firewall and shares
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile | Export-Csv "$OutputDir\firewall_inbound.csv" -NoTypeInformation
Get-SmbShare | Export-Csv "$OutputDir\shares.csv" -NoTypeInformation
Write-Host "  [6/7] Firewall/Shares: DONE" -ForegroundColor Green

# Event log export (bridge to EvtxECmd analysis)
$logs = @('Security','System','Application','Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational','Microsoft-Windows-TaskScheduler/Operational')
foreach ($log in $logs) {
    $safe = $log -replace '[/\\ ]', '_'
    wevtutil epl $log "$OutputDir\${safe}.evtx" 2>$null
}
Write-Host "  [7/7] Event logs exported: DONE" -ForegroundColor Green

$elapsed = (Get-Date) - $startTime
Write-Host "`n=== Collection complete in $([math]::Round($elapsed.TotalSeconds))s ===" -ForegroundColor Cyan
Write-Host "Transfer $OutputDir to the forensic workstation." -ForegroundColor White
Write-Host "Parse .evtx files with EvtxECmd. Run Hayabusa for threat detection." -ForegroundColor White
Expand for Deeper Context

But tools require deployment. They must be downloaded, transferred to the target system, and executed — and every one of those steps can be blocked. Application whitelisting (AppLocker, WDAC) blocks execution of unknown binaries. USB ports may be disabled via Group Policy. Network shares may be inaccessible if the compromised network segment is isolated. Change management processes may prohibit deploying software to production servers without a change request that takes 24-48 hours to approve. During an insider threat investigation, deploying visible forensic tools alerts the subject of the investigation.

In all of these scenarios, native Windows commands work. They are built into the operating system. They execute regardless of application whitelisting (they are signed Microsoft binaries). They require no file transfer. They leave minimal forensic footprint. And critically, they provide the evidence needed for the first 15 minutes of an investigation — the initial triage that determines whether this is a false positive, an active incident requiring immediate containment, or a historical compromise requiring comprehensive evidence preservation.

The experienced IR practitioner knows both: the optimal dedicated tool for each task AND the native fallback that works when that tool is unavailable. This subsection provides the fallback — organized not by command name but by investigation question.

NATIVE WINDOWS IR — FOUR EVIDENCE CATEGORIES PROCESSES Commands: Get-CimInstance Win32_Process tasklist /v /fo csv wmic process get name,pid,ppid,cmd "What is running? Who spawned it?" Replaces: Volatility PsList + CmdLine NETWORK Commands: Get-NetTCPConnection netstat -anob Get-DnsClientCache / ipconfig /all "Who is this system talking to?" Replaces: Volatility NetScan PERSISTENCE Commands: Get-ScheduledTask sc query / Get-Service reg query Run keys "What survives a reboot?" Replaces: RECmd / Autoruns EVENT LOGS Commands: Get-WinEvent wevtutil epl (export .evtx) wevtutil qe (query events) "What happened chronologically?" Replaces: EvtxECmd + Maps No downloads. No installations. Available on every Windows system. Native commands collect ~60-70% of the evidence needed for initial triage and containment decisions. The bridge technique: wevtutil epl exports .evtx files for EvtxECmd analysis on the forensic workstation.
Figure IR1.9: Four native evidence categories available on every Windows system without tool installation. Each category maps to a specific investigation question and replaces a specific dedicated tool when that tool cannot be deployed.

---

Process investigation: "What is running and who spawned it?"

Process data is the most volatile native evidence — processes terminate constantly, and the process that was running when you logged in may not be running 5 minutes later. Collect process data first.

What to look for in the output — the investigation interpretation:

Suspicious parent-child relationships. Every process has a parent (the process that created it). Normal parent-child patterns are well-documented: services.exe → svchost.exe, explorer.exe → user applications, cmd.exe or powershell.exe → child processes launched by the user. Suspicious patterns include: outlook.exe → powershell.exe (phishing payload execution — T1566.001), svchost.exe → cmd.exe (unusual — svchost rarely spawns command shells), wmiprvse.exe → powershell.exe (WMI-based lateral movement — T1047), rundll32.exe with no parent or an unusual parent (process injection staging — T1218.011).

Processes running from unusual paths. Legitimate system processes run from C:\Windows\System32\ or C:\Program Files\. A svchost.exe running from C:\Users\Public\ or C:\ProgramData\ is almost certainly malicious — the attacker named their payload after a legitimate process to avoid casual detection (T1036.005 — Masquerading).

Encoded PowerShell command lines. A powershell.exe process with -enc, -encodedcommand, -nop -w hidden, or Base64 strings in the command line is a strong indicator of attacker activity. Legitimate administrative PowerShell rarely uses encoded commands with hidden windows.

Recently created processes. Sort by CreationDate descending. Processes created in the last few minutes — especially cmd.exe, powershell.exe, or unknown executables — may represent active attacker activity.

Worked investigation finding — adapt for your IR reports:

Finding: Native process inventory on SERVER-NGE-DC01 identified svchost.exe (PID 7284) running from C:\ProgramData\Microsoft\Crypto\svchost.exe with parent wmiprvse.exe (PID 3012). The legitimate svchost.exe resides in C:\Windows\System32\. The executable path and the WMI parent process indicate this is a masquerading payload launched via WMI remote execution.

Proves: A process named svchost.exe is running from a non-standard path, launched by the WMI provider. This is consistent with attacker lateral movement using WMI (T1047) with a masqueraded binary (T1036.005). Does not prove: What the payload does, when it was first deployed, or who initiated the WMI command. Next step: Collect the binary from C:\ProgramData\Microsoft\Crypto\svchost.exe for hash analysis. Check the network connections for PID 7284 to identify C2 communication. Query the WMI event log for the originating system.

---

Network investigation: "Who is this system talking to?"

Investigation interpretation: Cross-reference the connections output with the process inventory. For every Established connection to an external IP: identify the owning process by PID, check whether that process is expected to make external connections (browsers yes, svchost.exe to unknown IPs no), and check whether the remote IP resolves to a known service or an unknown VPS provider. The DNS cache provides additional context — domains that resolved to the remote IP, which may reveal whether the connection is to a legitimate CDN or a suspicious hosting provider.

Worked investigation finding:

Finding: Native network inventory identified PID 7284 (svchost.exe from C:\ProgramData\) maintaining an Established TCP connection to 203.0.113.47:443. DNS cache contains an entry for update-service.northgateeng.com resolving to 203.0.113.47 — this domain is not a legitimate Northgate Engineering domain and uses a typosquat pattern consistent with C2 infrastructure.

Proves: The masquerading process identified in the process investigation is actively communicating with an external IP over HTTPS. The DNS cache confirms the C2 domain name. Does not prove: What data is being exfiltrated, how long the connection has been active, or whether other endpoints are communicating with the same C2. Next step: Block 203.0.113.47 at the firewall. Isolate the endpoint. Hunt for the same C2 domain across the fleet using Velociraptor or Defender XDR Advanced Hunting.

---

Persistence investigation: "What survives a reboot?"

What makes a scheduled task or service suspicious: Tasks or services that run executables from AppData, Temp, ProgramData, Public, or user profile directories. Tasks with names that mimic legitimate Windows tasks but with slight variations (e.g., "WindowsUpdate" instead of "Windows Update"). Services with binary paths containing PowerShell, CMD, mshta, wscript, cscript, or rundll32. Tasks that run as SYSTEM with recently created trigger conditions. WMI event subscriptions are particularly suspicious — legitimate applications rarely use WMI persistence, but APT groups and advanced attackers frequently do (T1546.003).

---

Event log investigation: "What happened chronologically?"

The wevtutil epl bridge is the single most important native IR technique. It exports the binary .evtx files from the target system — files that can then be transferred to the forensic workstation and parsed with EvtxECmd (which applies 700+ enrichment maps) and Hayabusa (which applies 4,000+ Sigma rules). This means native collection feeds directly into the dedicated tool analysis pipeline: collect natively on the restricted target, analyze with full tooling on the workstation.

---

The complete native collection script

---

Native commands vs dedicated tools: what you gain and what you lose

What native commands provide that dedicated tools do not: Immediate availability on any Windows system. No deployment approval required. No file transfer required. No application whitelisting bypass required. The fastest path from "alert received" to "evidence collected" — 30 seconds to run the collection script versus 5-10 minutes to deploy and run KAPE.

What dedicated tools provide that native commands do not: Raw disk access for locked files (native commands cannot copy the $MFT, active registry hives, or locked event log files while the OS is running — wevtutil epl exports a copy, not the locked original). Binary artifact parsing (native commands cannot parse Prefetch, Amcache, or ShimCache — these require PECmd and AmcacheParser). Structured timeline output (native commands produce per-query CSVs, not the unified categorized output that KAPE + !EZParser provides). Enterprise-scale collection (native commands run on one system at a time — Velociraptor hunts across the fleet).

The production workflow when tools cannot be deployed: Run Collect-Native.ps1 on the restricted target (30 seconds). Transfer the output folder to the forensic workstation (USB, network copy, or manual transfer). Parse the exported .evtx files with EvtxECmd and Hayabusa (2-5 minutes). Analyze the native CSVs (processes, connections, persistence) alongside the parsed event logs in Timeline Explorer. This hybrid workflow provides 80-90% of the investigation capability of a full KAPE + EZTools pipeline, using native collection on the target and dedicated analysis on the workstation.

Compliance Myth
"Native Windows commands are not forensically useful — you need proper forensic tools."
Production reality: Native commands cannot access locked files ($MFT, active registry hives), cannot parse binary artifacts (Prefetch, Amcache), and cannot produce the structured timeline output that EZTools provide. But they CAN collect running processes with command lines and parent relationships, active network connections with process attribution, scheduled tasks, services, registry Run keys, local accounts, WMI subscriptions, DNS cache, firewall rules, and event logs — which is 60-70% of the evidence needed for initial triage and containment decisions. When the choice is native collection now versus dedicated tool collection in 2 hours (after deployment approval, file transfer, and setup), native collection wins. Start native for immediate triage. Follow with KAPE when available for the remaining artifacts.

Build it: Run the native collection and compare to KAPE

Run Collect-Native

Run Collect-Native.ps1 on your forensic workstation. Then run KAPE with !SANS_Triage + !EZParser on the same system. Compare the outputs: what does KAPE collect that the native script does not? (Answer: $MFT, locked registry hives, Prefetch files, Amcache, ShimCache, browser artifacts, Jump Lists, LNK files, and parsed timeline output.) What does the native script collect that KAPE does not emphasize? (Answer: live process inventory with parent-child relationships, active network connections with process attribution, DNS cache, ARP table, SMB sessions, firewall rules.) The two approaches are complementary — not competing.

Investigate: Find the bridge between native and dedicated analysis

In the native collection output, find the exported .evtx files. Transfer them to a separate directory. Run EvtxECmd against them: EvtxECmd.exe -d "path\to\exported\evtx" --csv output --csvf parsed.csv. Open the parsed CSV in Timeline Explorer. Now run Hayabusa: hayabusa.exe csv-timeline -d "path\to\exported\evtx" -o hayabusa.csv -T -E --no-color. Open the Hayabusa output in Timeline Explorer. You now have full EvtxECmd parsing (700+ maps) and full Hayabusa threat detection (4,000+ Sigma rules) against event logs that were collected using nothing but the built-in wevtutil command. This is the bridge.

Beyond this investigation

The techniques taught in this subsection apply beyond the specific scenario presented here. The same evidence sources, tools, and analytical methods are used across ransomware, BEC, insider threat, and APT investigations — the context changes but the methodology is consistent.

Artifact Output
Native IR capability operational at depth: You have a comprehensive library of native Windows commands organized by investigation question (processes, network, persistence, event logs). You understand what native commands provide (60-70% of triage evidence, immediate availability) and what they lack (locked files, binary parsing, structured timelines). The Collect-Native.ps1 script provides one-pass native collection. The wevtutil bridge technique connects native collection to the EvtxECmd + Hayabusa analysis pipeline. Native IR is the fallback when dedicated tools cannot be deployed — and the first 30 seconds of evidence collection when time is the priority.
Next objective → IR1.10 Scanning and Detection Tools
Decision point

You discover evidence that the attacker has been in the environment for 90 days. The CISO asks: 'Why did our SOC not detect this sooner?' How do you answer constructively?

Answer with facts, not defensiveness. 'The attacker used [specific techniques] that our current detection rules do not cover. The investigation identified [N] detection gaps — [list the specific ATT&CK techniques that were not detected]. The IR-to-DE handoff includes these gaps as detection engineering sprint items. Estimated time to close: [N weeks].' This answer is honest (we missed it), specific (here is what we missed and why), and forward-looking (here is how we fix it). The PIR action items transform the detection failure into a measurable improvement program.

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.
← Previous Next →