Native Windows IR — When You Have Nothing but the OS
The specialized toolkit is complete. This section covers the fallback — Windows built-in commands that work on systems where KAPE, Velociraptor, and your other tools cannot be deployed. Knowing these commands means you are never without evidence collection capability.
Scenario
The compromised system is a legacy server where KAPE cannot be deployed — no USB access, execution policy blocks unknown binaries, and change management prevents installing software during business hours. You still need evidence. Windows ships with tools that can collect volatile state, query event logs, and capture network connections without installing anything.
When the forensic tools are not available yet
You are on a call with a panicking sysadmin. A server is behaving strangely and they think it is compromised. You need them to capture volatile data — running processes, network connections, logged-in users — before anyone reboots the system. They do not have KAPE. They do not have EZTools. They have a command prompt and PowerShell. What do you tell them to run? Native Windows commands are the fallback when proper forensic tools have not been deployed yet — and knowing them means you can guide a non-forensic responder through critical evidence capture over the phone.
Every forensic tool in this course — KAPE, EZTools, Velociraptor, Volatility 3 — is superior to native Windows commands for its specific purpose. KAPE's two-pass collection with raw disk access captures locked files that native commands cannot touch. EZTools parse binary artifacts into structured timeline data that native commands cannot produce. Velociraptor provides enterprise-scale hunting that native commands cannot replicate. Volatility 3 analyzes memory structures that native commands cannot access.
But tools require deployment. They must be downloaded, transferred to the target system, and executed — and every one of those steps can be blocked. Application whitelisting (AppLocker, WDAC) blocks execution of unknown binaries. USB ports may be disabled via Group Policy. Network shares may be inaccessible if the compromised network segment is isolated. Change management processes may prohibit deploying software to production servers without a change request that takes 24-48 hours to approve. During an insider threat investigation, deploying visible forensic tools alerts the subject of the investigation.
In all of these scenarios, native Windows commands work. They are built into the operating system. They execute regardless of application whitelisting (they are signed Microsoft binaries). They require no file transfer. They leave minimal forensic footprint. And critically, they provide the evidence needed for the first 15 minutes of an investigation — the initial triage that determines whether this is a false positive, an active incident requiring immediate containment, or a historical compromise requiring comprehensive evidence preservation.
The experienced IR practitioner knows both: the optimal dedicated tool for each task AND the native fallback that works when that tool is unavailable. This subsection provides the fallback — organized not by command name but by investigation question.
Process investigation: "What is running and who spawned it?"
Process data is the most volatile native evidence — processes terminate constantly, and the process that was running when you logged in may not be running 5 minutes later. Collect process data first.
# NATIVE: Complete process inventory with command lines and parent relationships
# This is the native equivalent of Volatility PsList + CmdLine + PsTree
$processes = Get-CimInstance Win32_Process | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)" -ErrorAction SilentlyContinue
    # CIM instances carry no GetOwner() method; the WMI method is reached through Invoke-CimMethod
    $owner = try { Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction Stop } catch { $null }
    [PSCustomObject]@{
        PID            = $_.ProcessId
        Name           = $_.Name
        PPID           = $_.ParentProcessId
        ParentName     = if ($parent) { $parent.Name } else { "N/A (exited)" }
        CommandLine    = $_.CommandLine
        ExecutablePath = $_.ExecutablePath
        Owner          = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { "N/A" }
        CreationDate   = $_.CreationDate
        SessionId      = $_.SessionId
        HandleCount    = $_.HandleCount
        ThreadCount    = $_.ThreadCount
        WorkingSetMB   = [math]::Round($_.WorkingSetSize / 1MB, 1)
    }
}
$processes | Export-Csv "C:\IR\Evidence\processes_native.csv" -NoTypeInformation
$processes | Sort-Object CreationDate -Descending | Format-Table PID, Name, PPID, ParentName, CreationDate -AutoSize | Out-String | Write-Host

What to look for in the output — the investigation interpretation:
Suspicious parent-child relationships. Every process has a parent (the process that created it). Normal parent-child patterns are well-documented: services.exe → svchost.exe, explorer.exe → user applications, cmd.exe or powershell.exe → child processes launched by the user. Suspicious patterns include: outlook.exe → powershell.exe (phishing payload execution — T1566.001), svchost.exe → cmd.exe (unusual — svchost rarely spawns command shells), wmiprvse.exe → powershell.exe (WMI-based lateral movement — T1047), rundll32.exe with no parent or an unusual parent (process injection staging — T1218.011).
Processes running from unusual paths. Legitimate system processes run from C:\Windows\System32\ or C:\Program Files\. A svchost.exe running from C:\Users\Public\ or C:\ProgramData\ is almost certainly malicious — the attacker named their payload after a legitimate process to avoid casual detection (T1036.005 — Masquerading).
Encoded PowerShell command lines. A powershell.exe process with -enc, -encodedcommand, -nop -w hidden, or Base64 strings in the command line is a strong indicator of attacker activity. Legitimate administrative PowerShell rarely uses encoded commands with hidden windows.
Recently created processes. Sort by CreationDate descending. Processes created in the last few minutes — especially cmd.exe, powershell.exe, or unknown executables — may represent active attacker activity.
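The four heuristics above, applied to the rows of processes_native.csv, as an added example that is not part of the course material. The function name, the list of trusted install roots and the sample rows are assumptions constructed here; on the target you would feed it the real export with Import-Csv.

```powershell
# Added example: flag processes_native.csv rows that match the heuristics described above.
function Find-SuspiciousProcess {
    param(
        [Parameter(Mandatory)] [object[]]$Processes,   # rows shaped like processes_native.csv
        [datetime]$Now = (Get-Date),                    # injectable so the sample run is repeatable
        [int]$RecentMinutes = 10
    )
    # Parent -> child pairs the text singles out (hashtable keys compare case-insensitively)
    $badPairs = @{
        'outlook.exe|powershell.exe'  = 'Office app spawning PowerShell (T1566.001)'
        'svchost.exe|cmd.exe'         = 'svchost spawning a command shell'
        'wmiprvse.exe|powershell.exe' = 'WMI-launched PowerShell (T1047)'
        'N/A (exited)|rundll32.exe'   = 'rundll32 with no living parent (T1218.011)'
    }
    $systemNames  = 'svchost.exe','lsass.exe','services.exe','csrss.exe','winlogon.exe','explorer.exe','rundll32.exe'
    $trustedRoots = 'C:\Windows\','C:\Program Files\','C:\Program Files (x86)\'   # assumed install roots
    $shells       = 'cmd.exe','powershell.exe','pwsh.exe'
    # -e/-enc/-encodedcommand, -nop, -w hidden, or a long Base64-looking run in the command line
    $encodedArgs  = '-(e|enc|encodedcommand)\s|-nop\b|-w(indowstyle)?\s+hidden|[A-Za-z0-9+/]{60,}={0,2}'

    foreach ($p in $Processes) {
        $reasons = New-Object System.Collections.Generic.List[string]
        $path    = [string]$p.ExecutablePath
        $trusted = [bool]($trustedRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })

        # 1. Suspicious parent-child relationship
        $pair = "$($p.ParentName)|$($p.Name)"
        if ($badPairs.ContainsKey($pair)) { $reasons.Add($badPairs[$pair]) }
        # 2. System process name running outside the trusted roots (masquerading)
        if ($p.Name -in $systemNames -and $path -and -not $trusted) {
            $reasons.Add("system process name running from $path (T1036.005)")
        }
        # 3. Encoded or hidden shell command line
        if ($p.Name -in $shells -and [string]$p.CommandLine -match $encodedArgs) {
            $reasons.Add('encoded/hidden PowerShell command line')
        }
        # 4. Recently created shell or untrusted-path process
        $age = $Now - [datetime]$p.CreationDate
        if ($age.TotalMinutes -le $RecentMinutes -and ($p.Name -in $shells -or -not $trusted)) {
            $reasons.Add("created $([int]$age.TotalMinutes) min ago")
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ PID = $p.PID; Name = $p.Name; Parent = $p.ParentName; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample rows (not real telemetry) carrying the processes_native.csv columns this function reads
$sample = @(
    [pscustomobject]@{ PID=612;  Name='svchost.exe';    ParentName='services.exe'; ExecutablePath='C:\Windows\System32\svchost.exe'; CommandLine='C:\Windows\System32\svchost.exe -k netsvcs'; CreationDate='2024-03-14T06:00:00' }
    [pscustomobject]@{ PID=4412; Name='powershell.exe'; ParentName='outlook.exe';  ExecutablePath='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUA=='; CreationDate='2024-03-14T09:02:11' }
    [pscustomobject]@{ PID=5120; Name='svchost.exe';    ParentName='explorer.exe'; ExecutablePath='C:\Users\Public\svchost.exe'; CommandLine='svchost.exe'; CreationDate='2024-03-14T08:40:00' }
    [pscustomobject]@{ PID=5200; Name='msedge.exe';     ParentName='explorer.exe'; ExecutablePath='C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; CommandLine='msedge.exe'; CreationDate='2024-03-14T09:04:00' }
)
Find-SuspiciousProcess -Processes $sample -Now ([datetime]'2024-03-14T09:05:00') | Format-Table -AutoSize
# On the target: Find-SuspiciousProcess -Processes (Import-Csv C:\IR\Evidence\processes_native.csv)
```

In the sample, PID 4412 is flagged on three counts (parent, encoded command line, recent creation) and PID 5120 for masquerading; the two legitimate rows produce no output.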
# CMD FALLBACK (if PowerShell is restricted or unavailable):
tasklist /v /fo csv > C:\IR\Evidence\tasklist.csv
# wmic is deprecated and absent from current Windows 11 builds; legacy servers still ship it
wmic process get processid,parentprocessid,name,commandline,executablepath,creationdate /format:csv > C:\IR\Evidence\wmic_processes.csv

Process enumeration answers "what is running." The next question is "what is that process talking to" — the network connections that reveal command and control channels, lateral movement, and data exfiltration.
Network investigation: "Who is this system talking to?"
# NATIVE: Active network connections mapped to owning process
# Equivalent of Volatility NetScan + Velociraptor connections artifact
$connections = Get-NetTCPConnection |
    Where-Object { $_.State -eq 'Established' -or $_.State -eq 'Listen' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        @{N='ProcessName'; E={(Get-Process -Id $_.OwningProcess -EA 0).ProcessName}},
        @{N='PID'; E={$_.OwningProcess}},
        @{N='ProcessPath'; E={(Get-Process -Id $_.OwningProcess -EA 0).Path}},
        CreationTime
$connections | Export-Csv "C:\IR\Evidence\connections_native.csv" -NoTypeInformation

# NATIVE: DNS cache — recently resolved domains (C2 indicator)
# DNS cache entries persist for minutes after the connection closes
# Even if netstat shows no active C2 connection, the DNS resolution
# for the C2 domain may still be cached here
Get-DnsClientCache | Select-Object Entry, RecordName, RecordType, Data, TimeToLive, Section |
    Export-Csv "C:\IR\Evidence\dns_cache_native.csv" -NoTypeInformation

# NATIVE: ARP table — MAC-to-IP mappings for the local network
# Reveals which hosts this system has communicated with recently
Get-NetNeighbor | Where-Object { $_.State -ne 'Unreachable' } |
    Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias |
    Export-Csv "C:\IR\Evidence\arp_native.csv" -NoTypeInformation

# NATIVE: Network shares — check for attacker-created shares
Get-SmbShare | Select-Object Name, Path, Description, CurrentUsers |
    Export-Csv "C:\IR\Evidence\shares_native.csv" -NoTypeInformation

# NATIVE: Active SMB sessions — who is connected to this system
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, NumOpens |
    Export-Csv "C:\IR\Evidence\smb_sessions_native.csv" -NoTypeInformation

# NATIVE: Open files on shares — what remote users are accessing
Get-SmbOpenFile -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, Path |
    Export-Csv "C:\IR\Evidence\smb_openfiles_native.csv" -NoTypeInformation

# NATIVE: Listening ports — what services are exposed
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{N='Process'; E={(Get-Process -Id $_.OwningProcess -EA 0).ProcessName}} |
    Sort-Object LocalPort |
    Export-Csv "C:\IR\Evidence\listening_ports_native.csv" -NoTypeInformation

# NATIVE: Firewall rules — check for attacker modifications
# Ports and address scope are not properties of the rule object; they live on the
# associated port and address filters (slow on hosts with hundreds of rules)
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile,
        @{N='LocalPort';     E={($_ | Get-NetFirewallPortFilter).LocalPort -join ','}},
        @{N='RemoteAddress'; E={($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','}} |
    Export-Csv "C:\IR\Evidence\firewall_inbound_native.csv" -NoTypeInformation

Investigation interpretation: Cross-reference the connections output with the process inventory. For every Established connection to an external IP: identify the owning process by PID, check whether that process is expected to make external connections (browsers yes, svchost.exe to unknown IPs no), and check whether the remote IP resolves to a known service or an unknown VPS provider. The DNS cache provides additional context — domains that resolved to the remote IP, which may reveal whether the connection is to a legitimate CDN or a suspicious hosting provider.
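The cross-reference just described, as an added example that is not part of the course material: it joins connections_native.csv with processes_native.csv by PID and with dns_cache_native.csv by resolved address, then labels each external Established connection. The function names, the default list of processes expected to talk outbound, and the sample rows (documentation-range addresses, example domains) are assumptions constructed here.

```powershell
# Added example: join the three native exports and mark external connections for review.
function Test-PrivateAddress([string]$Ip) {
    # RFC 1918, loopback, link-local, unspecified and IPv6 local ranges are not "external"
    $Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$|::1?$|fe80:|f[cd])'
}

function Find-ExternalConnection {
    param(
        [Parameter(Mandatory)] [object[]]$Connections,   # rows like connections_native.csv
        [Parameter(Mandatory)] [object[]]$Processes,     # rows like processes_native.csv
        [object[]]$DnsCache = @(),                       # rows like dns_cache_native.csv
        [string[]]$ExpectedOutbound = @('msedge.exe','chrome.exe','firefox.exe','outlook.exe','teams.exe')  # assumed
    )
    # Index processes by PID and cached A/AAAA answers by the address they resolved to
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[string]$p.PID] = $p }
    $namesByIp = @{}
    foreach ($d in $DnsCache) {
        if ([string]$d.RecordType -in 'A','AAAA','1','28') {   # enum name from Export-Csv, or WMI numeric type
            $key = [string]$d.Data
            if (-not $namesByIp.ContainsKey($key)) { $namesByIp[$key] = @() }
            $namesByIp[$key] += [string]$d.Entry
        }
    }
    foreach ($c in $Connections) {
        if ($c.State -ne 'Established' -or (Test-PrivateAddress $c.RemoteAddress)) { continue }
        $proc = $byPid[[string]$c.PID]
        [pscustomobject]@{
            Verdict        = if ($proc -and $proc.Name -in $ExpectedOutbound) { 'expected' } else { 'REVIEW' }
            ProcessName    = if ($proc) { $proc.Name } else { "unknown (PID $($c.PID) exited)" }
            PID            = $c.PID
            ExecutablePath = if ($proc) { $proc.ExecutablePath } else { '' }
            Remote         = "$($c.RemoteAddress):$($c.RemotePort)"
            ResolvedNames  = ($namesByIp[[string]$c.RemoteAddress] | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample rows (not real telemetry); 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
$procs = @(
    [pscustomobject]@{ PID=4412; Name='powershell.exe'; ExecutablePath='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    [pscustomobject]@{ PID=5200; Name='msedge.exe';     ExecutablePath='C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' }
)
$conns = @(
    [pscustomobject]@{ LocalPort=49812; RemoteAddress='203.0.113.45'; RemotePort=443;   State='Established'; PID=4412 }
    [pscustomobject]@{ LocalPort=49820; RemoteAddress='198.51.100.7'; RemotePort=443;   State='Established'; PID=5200 }
    [pscustomobject]@{ LocalPort=49833; RemoteAddress='203.0.113.90'; RemotePort=8080;  State='Established'; PID=7001 }
    [pscustomobject]@{ LocalPort=445;   RemoteAddress='10.0.0.5';     RemotePort=51002; State='Established'; PID=4 }
)
$dns = @(
    [pscustomobject]@{ Entry='cdn.example.net';     RecordType='A'; Data='198.51.100.7' }
    [pscustomobject]@{ Entry='updates.example.org'; RecordType='A'; Data='203.0.113.45' }
)
Find-ExternalConnection -Connections $conns -Processes $procs -DnsCache $dns |
    Sort-Object Verdict -Descending | Format-Table -AutoSize
```

The internal SMB connection is skipped; the browser connection is labelled expected; the PowerShell connection and the connection whose owning PID is no longer in the inventory both come out as REVIEW, the former carrying the cached name that resolved to its remote address.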
Persistence investigation: "What survives a reboot?"
# NATIVE: Scheduled tasks — most common persistence mechanism (T1053.005)
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $info = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        TaskName    = $_.TaskName
        TaskPath    = $_.TaskPath
        State       = $_.State
        Actions     = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "
        # Triggers are CIM instances, so the CIM class name (e.g. LogonTrigger, TimeTrigger) identifies the type
        Triggers    = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join "; "
        RunAs       = $_.Principal.UserId
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
    }
}
$tasks | Export-Csv "C:\IR\Evidence\schtasks_native.csv" -NoTypeInformation

# NATIVE: Services — service persistence (T1543.003)
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, PathName, StartName, Description |
    Export-Csv "C:\IR\Evidence\services_native.csv" -NoTypeInformation

# NATIVE: Registry Run keys — autostart persistence (T1547.001)
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
)
$runResults = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        $props.PSObject.Properties |
            Where-Object { $_.Name -notin @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') } |
            ForEach-Object {
                [PSCustomObject]@{ Key = $key; Name = $_.Name; Value = $_.Value }
            }
    }
}
$runResults | Export-Csv "C:\IR\Evidence\run_keys_native.csv" -NoTypeInformation

# NATIVE: Startup folder contents
$startupPaths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$startupFiles = foreach ($p in $startupPaths) {
    Get-ChildItem $p -ErrorAction SilentlyContinue |
        Select-Object Name, FullName, CreationTime, LastWriteTime, Length
}
$startupFiles | Export-Csv "C:\IR\Evidence\startup_folders_native.csv" -NoTypeInformation

# NATIVE: Local user accounts — check for attacker-created accounts (T1136.001)
# Get-LocalUser has no PasswordNeverExpires property; a null PasswordExpires means the password never expires
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordExpires,
        Description, SID, @{N='PasswordNeverExpires'; E={ $null -eq $_.PasswordExpires }} |
    Export-Csv "C:\IR\Evidence\local_users_native.csv" -NoTypeInformation

# NATIVE: Local admin group — unauthorized privilege escalation
Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource |
    Export-Csv "C:\IR\Evidence\local_admins_native.csv" -NoTypeInformation

# NATIVE: WMI event subscriptions — advanced persistence (T1546.003)
# Get-CimInstance works in both Windows PowerShell 5.1 and PowerShell 7 (Get-WmiObject does not exist in 7)
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
    Select-Object Name, Query, QueryLanguage |
    Export-Csv "C:\IR\Evidence\wmi_filters_native.csv" -NoTypeInformation
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, CommandLineTemplate, ExecutablePath |
    Export-Csv "C:\IR\Evidence\wmi_consumers_native.csv" -NoTypeInformation
# The binding is what ties a filter to a consumer; a filter or consumer without a binding is inert
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Select-Object Filter, Consumer |
    Export-Csv "C:\IR\Evidence\wmi_bindings_native.csv" -NoTypeInformation

What makes a scheduled task or service suspicious: Tasks or services that run executables from AppData, Temp, ProgramData, Public, or user profile directories. Tasks with names that mimic legitimate Windows tasks but with slight variations (e.g., "WindowsUpdate" instead of "Windows Update"). Services with binary paths containing PowerShell, CMD, mshta, wscript, cscript, or rundll32. Tasks that run as SYSTEM with recently created trigger conditions. WMI event subscriptions are particularly suspicious — legitimate applications rarely use WMI persistence, but APT groups and advanced attackers frequently do (T1546.003).
Event log investigation: "What happened chronologically?"
# NATIVE: High-value event IDs — the events that matter for IR
# Each query targets a specific investigation question

# 4624 — Successful logons: who logged in, when, from where, how
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-7)} -MaxEvents 2000 -EA 0 |
    Select-Object TimeCreated,
        @{N='User'; E={$_.Properties[5].Value}},
        @{N='Domain'; E={$_.Properties[6].Value}},
        @{N='LogonType'; E={$_.Properties[8].Value}},
        @{N='LogonProcess'; E={$_.Properties[9].Value}},
        @{N='SourceIP'; E={$_.Properties[18].Value}},
        @{N='SourcePort'; E={$_.Properties[19].Value}} |
    Export-Csv "C:\IR\Evidence\logons_native.csv" -NoTypeInformation
# LogonType 2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock,
# 10=RemoteInteractive(RDP), 11=CachedInteractive

# 4625 — Failed logons: brute force, password spray, credential stuffing
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-7)} -MaxEvents 2000 -EA 0 |
    Select-Object TimeCreated,
        @{N='User'; E={$_.Properties[5].Value}},
        @{N='SourceIP'; E={$_.Properties[19].Value}},
        @{N='SubStatus'; E={$_.Properties[9].Value}} |
    Export-Csv "C:\IR\Evidence\failed_logons_native.csv" -NoTypeInformation

# 4688 — Process creation: what executed (requires the Audit Process Creation policy;
# the CommandLine field is empty unless "Include command line in process creation events" is also enabled)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1)} -MaxEvents 5000 -EA 0 |
    Select-Object TimeCreated,
        @{N='NewProcess'; E={$_.Properties[5].Value}},
        @{N='CommandLine'; E={$_.Properties[8].Value}},
        @{N='ParentProcess'; E={$_.Properties[13].Value}},
        @{N='User'; E={$_.Properties[1].Value}} |
    Export-Csv "C:\IR\Evidence\process_creation_native.csv" -NoTypeInformation

# 7045 — Service installed: persistence detection
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} -MaxEvents 200 -EA 0 |
    Select-Object TimeCreated,
        @{N='ServiceName'; E={$_.Properties[0].Value}},
        @{N='ImagePath'; E={$_.Properties[1].Value}},
        @{N='ServiceType'; E={$_.Properties[2].Value}},
        @{N='StartType'; E={$_.Properties[3].Value}},
        @{N='AccountName'; E={$_.Properties[4].Value}} |
    Export-Csv "C:\IR\Evidence\service_installs_native.csv" -NoTypeInformation

# 4104 — PowerShell ScriptBlock logging: attacker commands
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 1000 -EA 0 |
    Select-Object TimeCreated,
        @{N='ScriptBlock'; E={$_.Properties[2].Value}},
        @{N='Path'; E={$_.Properties[4].Value}} |
    Export-Csv "C:\IR\Evidence\powershell_scripts_native.csv" -NoTypeInformation

# 1102 — Audit log cleared: anti-forensics indicator
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102} -MaxEvents 50 -EA 0 |
    Select-Object TimeCreated, @{N='ClearedBy'; E={$_.Properties[1].Value}} |
    Export-Csv "C:\IR\Evidence\log_cleared_native.csv" -NoTypeInformation

# CRITICAL BRIDGE: Export raw .evtx files for EvtxECmd analysis
# This is the most important native command for connecting to the
# dedicated tool pipeline — wevtutil exports the binary .evtx files
# that EvtxECmd can parse with 700+ maps on the forensic workstation
$logsToExport = @(
    'Security', 'System', 'Application',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-Windows Defender/Operational'
)
foreach ($log in $logsToExport) {
    $safeName = $log -replace '[/\\ ]', '_'
    wevtutil epl $log "C:\IR\Evidence\${safeName}.evtx" 2>$null
    if ($?) { Write-Host "  Exported: $log" -ForegroundColor Green }
}

The wevtutil epl bridge is the single most important native IR technique. It exports the binary .evtx files from the target system — files that can then be transferred to the forensic workstation and parsed with EvtxECmd (which applies 700+ enrichment maps) and Hayabusa (which applies 4,000+ Sigma rules). This means native collection feeds directly into the dedicated tool analysis pipeline: collect natively on the restricted target, analyze with full tooling on the workstation.
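Before the .evtx files reach the workstation, the 4624 and 4625 exports above already answer the brute-force and password-spray questions the comments raise. The following is an added example, not part of the course material: it groups failed_logons_native.csv by source address, classifies the pattern, and checks logons_native.csv for a success from the same source after the failures began. The function name, the threshold default and the sample rows (documentation-range address, fictional accounts) are assumptions constructed here.

```powershell
# Added example: triage the 4624/4625 exports for spraying, brute force and spray-then-success.
function Get-LogonTriage {
    param(
        [Parameter(Mandatory)] [object[]]$Logons,        # rows like logons_native.csv (4624)
        [Parameter(Mandatory)] [object[]]$FailedLogons,  # rows like failed_logons_native.csv (4625)
        [int]$SprayThreshold = 5                         # assumed: distinct accounts failing from one source
    )
    $typeNames = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock'; '10'='RemoteInteractive'; '11'='CachedInteractive' }
    # Successful logons indexed by source address; TimeCreated strings are parsed with the
    # current culture, which matches how Export-Csv wrote them on the same workstation
    $successBySource = @{}
    foreach ($e in $Logons) {
        $ip = [string]$e.SourceIP
        if (-not $successBySource.ContainsKey($ip)) { $successBySource[$ip] = @() }
        $successBySource[$ip] += $e
    }
    $FailedLogons | Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
        Group-Object SourceIP | ForEach-Object {
            $src   = $_.Name
            $users = @($_.Group.User | Sort-Object -Unique)
            $times = @($_.Group | ForEach-Object { [datetime]::Parse($_.TimeCreated) } | Sort-Object)
            # A success from the same source after the first failure is the finding to escalate first
            $later = @($successBySource[$src] | Where-Object { $_ -and [datetime]::Parse($_.TimeCreated) -ge $times[0] })
            [pscustomobject]@{
                SourceIP      = $src
                Failures      = $_.Count
                DistinctUsers = $users.Count
                FirstFailure  = $times[0]
                LastFailure   = $times[-1]
                Pattern       = if ($users.Count -ge $SprayThreshold) { 'password spray' } elseif ($_.Count -ge $SprayThreshold) { 'brute force (single account)' } else { 'isolated failures' }
                SuccessAfter  = ($later | ForEach-Object { "$($_.User) via $($typeNames[[string]$_.LogonType])" }) -join ', '
            }
        }
}

# Constructed sample rows (not real log data); 203.0.113.9 is a documentation-range address
$failed = @(
    $i = 0
    foreach ($u in 'alice','bob','carol','dave','erin','frank') {
        $i++
        [pscustomobject]@{ TimeCreated = "2024-03-14T02:1$($i):00"; User = $u; SourceIP = '203.0.113.9'; SubStatus = '0xC000006A' }
    }
    [pscustomobject]@{ TimeCreated = '2024-03-14T08:30:00'; User = 'alice'; SourceIP = '10.0.0.50'; SubStatus = '0xC000006A' }
)
$logons = @(
    [pscustomobject]@{ TimeCreated = '2024-03-14T02:18:40'; User = 'frank'; Domain = 'CORP'; LogonType = '10'; SourceIP = '203.0.113.9' }
    [pscustomobject]@{ TimeCreated = '2024-03-14T08:01:00'; User = 'alice'; Domain = 'CORP'; LogonType = '3';  SourceIP = '10.0.0.50' }
)
Get-LogonTriage -Logons $logons -FailedLogons $failed | Format-Table -AutoSize
# On the workstation: Get-LogonTriage -Logons (Import-Csv logons_native.csv) -FailedLogons (Import-Csv failed_logons_native.csv)
```

In the sample, 203.0.113.9 is classified as a password spray (six accounts, six failures) with "frank via RemoteInteractive" listed under SuccessAfter; the single internal failure from 10.0.0.50 has no later success and is reported as isolated.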
The complete native collection script
# Collect-Native.ps1 — Native IR collection requiring zero tool installation
# Include in the jump bag alongside KAPE and Velociraptor collector
# Usage: .\Collect-Native.ps1 -OutputDir "C:\IR\Evidence\NativeCollection"
param([string]$OutputDir = "C:\IR\Evidence\Native_$(hostname)_$(Get-Date -Format 'yyyyMMdd_HHmm')")

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$startTime = Get-Date
Write-Host "=== Native IR Collection — $(hostname) ===" -ForegroundColor Cyan
Write-Host "Output: $OutputDir" -ForegroundColor White
# Get-Date -AsUTC exists only in PowerShell 7.1+; this form also runs under Windows PowerShell 5.1
Write-Host "Started: $((Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')) UTC" -ForegroundColor White

# System context
systeminfo > "$OutputDir\systeminfo.txt"
whoami /all > "$OutputDir\whoami.txt"
ipconfig /all > "$OutputDir\ipconfig.txt"

# Processes (volatile — collect first)
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine, ExecutablePath, CreationDate |
    Export-Csv "$OutputDir\processes.csv" -NoTypeInformation
Write-Host "  [1/7] Processes: DONE" -ForegroundColor Green

# Network (volatile — collect second)
Get-NetTCPConnection | Where-Object { $_.State -ne 'Bound' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
    Export-Csv "$OutputDir\connections.csv" -NoTypeInformation
Get-DnsClientCache | Export-Csv "$OutputDir\dns_cache.csv" -NoTypeInformation
Get-NetNeighbor | Where-Object { $_.State -ne 'Unreachable' } | Export-Csv "$OutputDir\arp.csv" -NoTypeInformation
Write-Host "  [2/7] Network: DONE" -ForegroundColor Green

# Persistence
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath, State, @{N='Actions'; E={($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "}} |
    Export-Csv "$OutputDir\scheduled_tasks.csv" -NoTypeInformation
Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName |
    Export-Csv "$OutputDir\services.csv" -NoTypeInformation
Get-LocalUser | Export-Csv "$OutputDir\local_users.csv" -NoTypeInformation
Get-LocalGroupMember -Group "Administrators" -EA 0 | Export-Csv "$OutputDir\local_admins.csv" -NoTypeInformation
Write-Host "  [3/7] Persistence: DONE" -ForegroundColor Green

# Registry Run keys
$runKeys = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
foreach ($key in $runKeys) {
    if (Test-Path $key) { Get-ItemProperty $key | Out-File "$OutputDir\run_keys.txt" -Append }
}
Write-Host "  [4/7] Registry: DONE" -ForegroundColor Green

# WMI persistence (Get-CimInstance rather than Get-WmiObject so the script also runs under PowerShell 7)
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter -EA 0 | Out-File "$OutputDir\wmi_persistence.txt"
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -EA 0 | Out-File "$OutputDir\wmi_persistence.txt" -Append
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -EA 0 | Out-File "$OutputDir\wmi_persistence.txt" -Append
Write-Host "  [5/7] WMI: DONE" -ForegroundColor Green

# Firewall and shares
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile | Export-Csv "$OutputDir\firewall_inbound.csv" -NoTypeInformation
Get-SmbShare | Export-Csv "$OutputDir\shares.csv" -NoTypeInformation
Write-Host "  [6/7] Firewall/Shares: DONE" -ForegroundColor Green

# Event log export (bridge to EvtxECmd analysis)
$logs = @('Security','System','Application','Microsoft-Windows-PowerShell/Operational',
          'Microsoft-Windows-Sysmon/Operational','Microsoft-Windows-TaskScheduler/Operational')
foreach ($log in $logs) {
    $safe = $log -replace '[/\\ ]', '_'
    wevtutil epl $log "$OutputDir\${safe}.evtx" 2>$null
}
Write-Host "  [7/7] Event logs exported: DONE" -ForegroundColor Green

$elapsed = (Get-Date) - $startTime
Write-Host "`n=== Collection complete in $([math]::Round($elapsed.TotalSeconds))s ===" -ForegroundColor Cyan
Write-Host "Transfer $OutputDir to the forensic workstation." -ForegroundColor White
Write-Host "Parse .evtx files with EvtxECmd. Run Hayabusa for threat detection." -ForegroundColor White

Native commands vs dedicated tools: what you gain and what you lose
What native commands provide that dedicated tools do not: Immediate availability on any Windows system. No deployment approval required. No file transfer required. No application whitelisting bypass required. The fastest path from "alert received" to "evidence collected" — 30 seconds to run the collection script versus 5-10 minutes to deploy and run KAPE.
What dedicated tools provide that native commands do not: Raw disk access for locked files (native commands cannot copy the $MFT, active registry hives, or locked event log files while the OS is running — wevtutil epl exports a copy, not the locked original). Binary artifact parsing (native commands cannot parse Prefetch, Amcache, or ShimCache — these require PECmd and AmcacheParser). Structured timeline output (native commands produce per-query CSVs, not the unified categorized output that KAPE + !EZParser provides). Enterprise-scale collection (native commands run on one system at a time — Velociraptor hunts across the fleet).
The production workflow when tools cannot be deployed: Run Collect-Native.ps1 on the restricted target (30 seconds). Transfer the output folder to the forensic workstation (USB, network copy, or manual transfer). Parse the exported .evtx files with EvtxECmd and Hayabusa (2-5 minutes). Analyze the native CSVs (processes, connections, persistence) alongside the parsed event logs in Timeline Explorer. This hybrid workflow provides 80-90% of the investigation capability of a full KAPE + EZTools pipeline, using native collection on the target and dedicated analysis on the workstation.
"Native Windows commands are not forensically useful — you need proper forensic tools." Production reality: Native commands cannot access locked files ($MFT, active registry hives), cannot parse binary artifacts (Prefetch, Amcache), and cannot produce the structured timeline output that EZTools provide. But they CAN collect running processes with command lines and parent relationships, active network connections with process attribution, scheduled tasks, services, registry Run keys, local accounts, WMI subscriptions, DNS cache, firewall rules, and event logs — which is 60-70% of the evidence needed for initial triage and containment decisions. When the choice is native collection now versus dedicated tool collection in 2 hours (after deployment approval, file transfer, and setup), native collection wins. Start native for immediate triage. Follow with KAPE when available for the remaining artifacts.
Investigation Principle
Every tool in the IR toolkit covers evidence that no other tool can reach. Remove one category and you lose visibility into the evidence type it handles. The toolkit is complete when every evidence source from every environment in the IR0.1 incident walkthrough has a tool that can collect, parse, or query it.