Everyday Cyber

Windows Forensics & Intrusion Detection: Detecting Threats with Logs, PowerShell & Sysmon | Ep. 5

🔍 In this episode of the Everyday Cyber Podcast, host Alex Reid takes you deep into the world of Windows forensics and intrusion detection — revealing how defenders can track advanced attacks using native event logs, system artifacts, and modern blue team tools.

You’ll learn how to detect lateral movement, uncover PowerShell abuse, and investigate attacker activity using Prefetch, AppCompatCache, Amcache.hve, and Event ID correlation. We also cover how Sysmon dramatically improves visibility for detecting real-world threats.

🔐 Topics covered in this episode:

  • Prefetch, AppCompatCache, and Amcache forensic analysis

  • Tracking attacker movement with Event IDs 4648, 4688, and 7045

  • How to detect PsExec, WMI, and PowerShell Remoting

  • PowerShell logging: Script Block Logging, Downgrade Attacks, and Defense

  • Why Sysmon is a game-changer for endpoint intrusion detection

  • Real-world examples of "living off the land" attacks and how to catch them

  • Using event log artifacts to build a timeline of attacker behavior
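The Event ID correlation the episode lists above, worked through as an added example that is not part of the episode or the podcast's materials: the script below takes a handful of constructed Security and System log records (host names, accounts, timestamps and paths are all made up), orders them into a timeline, and flags the classic PsExec chain across hosts: a 4648 explicit-credential logon on the source host naming the target, a 7045 service install of PSEXESVC on the target, and a 4688 process creation for the service binary on that same target. The event IDs and the default PSEXESVC service name are real; the record layout and the `window` parameter are this example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not captured from any real host). The "data"
# keys mirror the EventData field names the Security/System logs expose.
SAMPLE_EVENTS = [
    # Benign: an updater installing its own service on an unrelated host
    {"time": "2024-03-11T11:02:40", "host": "WS-HR-02", "id": 7045,
     "data": {"ServiceName": "edgeupdate",
              "ImagePath": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /svc",
              "AccountName": "LocalSystem"}},
    # Source host: operator supplies alternate credentials for a remote host
    {"time": "2024-03-11T09:14:02", "host": "WS-FIN-07", "id": 4648,
     "data": {"SubjectUserName": "jdoe", "TargetUserName": "svc_backup",
              "TargetServerName": "SRV-FILE-01", "IpAddress": "10.0.5.21"}},
    # Target host: PsExec drops and installs its service, then the service runs
    {"time": "2024-03-11T09:14:05", "host": "SRV-FILE-01", "id": 7045,
     "data": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
              "AccountName": "LocalSystem"}},
    {"time": "2024-03-11T09:14:06", "host": "SRV-FILE-01", "id": 4688,
     "data": {"NewProcessName": "C:\\Windows\\PSEXESVC.exe",
              "SubjectUserName": "SRV-FILE-01$",
              "ParentProcessName": "C:\\Windows\\System32\\services.exe"}},
    {"time": "2024-03-11T09:14:07", "host": "SRV-FILE-01", "id": 4688,
     "data": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe",
              "SubjectUserName": "svc_backup",
              "ParentProcessName": "C:\\Windows\\PSEXESVC.exe"}},
]


def parse_time(record):
    return datetime.fromisoformat(record["time"])


def summarize(record):
    """One-line, analyst-readable description of a record for the timeline."""
    d = record["data"]
    if record["id"] == 4648:
        return f"explicit-credential logon as {d['TargetUserName']} to {d['TargetServerName']}"
    if record["id"] == 7045:
        return f"service installed: {d['ServiceName']} ({d['ImagePath']})"
    if record["id"] == 4688:
        return f"process created: {d['NewProcessName']} by {d['SubjectUserName']}"
    return "unhandled event"


def build_timeline(events):
    """Return (time, host, event id, summary) tuples in chronological order."""
    return [(parse_time(e), e["host"], e["id"], summarize(e))
            for e in sorted(events, key=parse_time)]


def find_psexec_chains(events, window=timedelta(minutes=5)):
    """Flag targets where a PSEXESVC install (7045) is preceded within `window`
    by a 4648 on some source host naming that target, and accompanied by a
    4688 for the PSEXESVC binary on the target."""
    by_id = defaultdict(list)
    for e in events:
        by_id[e["id"]].append(e)

    chains = []
    for svc in by_id[7045]:
        if svc["data"]["ServiceName"].upper() != "PSEXESVC":
            continue
        t_svc, target = parse_time(svc), svc["host"]
        logons = [e for e in by_id[4648]
                  if e["data"]["TargetServerName"].upper() == target.upper()
                  and timedelta(0) <= (t_svc - parse_time(e)) <= window]
        procs = [e for e in by_id[4688]
                 if e["host"] == target
                 and e["data"]["NewProcessName"].upper().endswith("\\PSEXESVC.EXE")
                 and abs(parse_time(e) - t_svc) <= window]
        if logons and procs:
            chains.append({
                "target": target,
                "source": logons[0]["host"],
                "account": logons[0]["data"]["TargetUserName"],
                "service_installed": t_svc.isoformat(),
            })
    return chains


if __name__ == "__main__":
    for when, host, eid, text in build_timeline(SAMPLE_EVENTS):
        print(f"{when.isoformat()}  {host:<12} {eid}  {text}")
    for chain in find_psexec_chains(SAMPLE_EVENTS):
        print("PsExec-style chain:", chain)
```

On a live fleet the records would come from each host's Security and System logs (for example via `Get-WinEvent` in PowerShell, or a SIEM export) rather than an inline list; 4688 only exists where Process Creation auditing is turned on, and 7045 lives in the System log, not Security. The service-name match is a starting filter, not proof: an operator can rename PsExec's service, which is why the chain also requires the 4648 and 4688 corroboration rather than the 7045 alone.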

Whether you're a SOC analyst, threat hunter, or just starting your cybersecurity career, this episode helps you level up your understanding of endpoint detection and response using only what’s built into the operating system.

Tags: Windows forensics, Intrusion detection, Cybersecurity podcast, SOC analyst tools, Threat detection, Event log analysis, PowerShell logging, Sysmon for security, Lateral movement detection, Amcache analysis, AppCompatCache, Prefetch forensic evidence, PsExec detection, WMI attack investigation, EDR strategies, Windows endpoint visibility, Security operations center, Detecting attacker behavior, Digital forensics podcast, Cybersecurity incident response