Windows Artifacts (EZ Tools / Autoruns / Event Logs)

Community

Parse Windows execution and persistence evidence fast

Author: rjonhaas
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Windows incident response often stalls because analysts need reliable evidence of execution, persistence, and user activity across many host-based artifacts.

Core Features & Use Cases

  • Execution evidence extraction: Pulls and parses Prefetch, Amcache, Shimcache/AppCompatCache, MFT/USN Change Journal, and timeline artifacts to reconstruct what ran and when.
  • Persistence and autorun triage: Guides review of ASEP/Autorunsc outputs (services, drivers, tasks, boot execute, WMI, etc.) to identify suspicious enabled persistence.
  • Event log investigation: Parses EVTX logs and highlights key authentication, process creation, PowerShell, RDP, Defender, task scheduler, WMI, and system events to connect host behavior to suspicious activity.
  • Practical pivots and correlation: Uses hashes, timestamps, and artifacts’ paths to pivot across outputs and reduce false positives (e.g., timestomping confidence rules).

Quick Start

Run this skill by parsing Windows evidence artifacts into CSV outputs (Prefetch, Amcache/Shimcache, MFT/USN, and EVTX) and then pivot on hashes, timestamps, and suspicious paths to build an execution/persistence timeline.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: Windows Artifacts (EZ Tools / Autoruns / Event Logs)
Download link: https://github.com/rjonhaas/SIFTics/archive/main.zip#windows-artifacts-ez-tools-autoruns-event-logs

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
