Skip to content
.evtx

Posts tagged "{tag}": #incident-response

← Back to blog
Detecting lateral movement in Security.evtx
How real adversary tools move host-to-host in Windows estates, and the precise event ID combinations in Security.evtx that catch PsExec, Impacket, and WMIExec.
evtxlateral-movementdfirincident-response
Event log clearing and the gaps that survive
How attackers clear Windows event logs, what evidence remains on disk and in forwarded channels, and the difference between wevtutil cl and thread-suspension tools like Invoke-Phant0m.
evtxanti-forensicsdfirincident-response
EVTX triage: what to read first when you have an hour and a host
A practitioner's order of operations for triaging Windows Event Logs during incident response — which channels matter, which event IDs lie to you, and where Sysmon does the heavy lifting.
evtxincident-responsewindows-event-logssysmon