windows-threat-hunt

Windows Threat Hunt (Zimmerman Coverage + More)

Condensed doctrine for Windows evidence hunting:

• Extract all relevant activity artifacts (raw + tool outputs).
• Normalize everything into ECS-like documents.
• Preserve provenance (evidence.path + evidence.system.path).
• Block verdicts until 5 validation layers pass.

Non-Negotiable Principle

NO_VERDICT is the default state. A verdict is allowed only when all five layers pass.

Mandatory Visibility Scope

At minimum, ingest:

1. All EVTX logs
2. All main Registry hives + user hives (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT, NTUSER.DAT, UsrClass.dat, Amcache.hve)
3. Shellbags evidence (from NTUSER/UsrClass paths)
4. Prefetch (*.pf)
5. MFT ($MFT) + USN Journal ($Extend\\$UsnJrnl:$J when available)
6. JumpLists/LNK activity artifacts
7. SRUM and other activity databases/log stores
8. Any textual activity log (*.log, *.etl, *.txt, *.json, *.xml, *.csv) with path-derived indexing
9. Zimmerman outputs (EvtxECmd, RECmd, MFTECmd, PECmd, SBECmd, SrumECmd, JLECmd, LECmd, etc.) when CSVs exist

Indexing Contract

Default prefix: windows-evidence

• {prefix}-evtx
• {prefix}-registry
• {prefix}-shellbags
• {prefix}-prefetch
• {prefix}-mft
• {prefix}-usnjrnl
• {prefix}-shortcuts
• {prefix}-srum
• {prefix}-exec-events
• {prefix}-artifact-inventory
• {prefix}-log-<path-derived-name>
• {prefix}-zimmerman-<tool> (when Zimmerman CSV outputs are found)

Quick Start

1. Ingest Windows full visibility:

uv run ${CLAUDE_PLUGIN_ROOT}/skills/windows-threat-hunt/scripts/ingest_windows_full_visibility.py \
  --evidence-root /path/to/evidence \
  --es-url http://localhost:9200 \
  --index-prefix windows-evidence

2. Validate mandatory 5 layers:

uv run ${CLAUDE_PLUGIN_ROOT}/skills/windows-threat-hunt/scripts/validate_windows_5_layers.py \
  --es-url http://localhost:9200 \
  --index-prefix windows-evidence \
  --output /path/to/evidence/windows-validation-report.json

3. Verdict gate:

• All layers PASS -> VERDICT_ALLOWED
• Any FAIL -> NO_VERDICT

5 Validation Layers

1. Collection completeness across required Windows artifacts
2. ECS + provenance integrity
3. Cross-source corroboration (EVTX, prefetch, registry, logs, exec events)
4. Statistical guard with base-rate Bayesian check
5. Adversarial checklist sign-off

Core Principles

1. check persistence — Run keys, services, scheduled tasks, WMI subscriptions.
2. avoid trust process names — svchost.exe in wrong path is a red flag.
3. check PowerShell logs — ScriptBlock and Module logging reveal commands.
4. Avoid skipping Sysmon data — process creation, network, and file events.
5. validate with 5-layer gate — no verdict without multi-source confirmation.

Reference

For field details, Zimmerman mapping, and analyst checklist, see reference.md.