Executive summary
In the Hack The Box GhostTrace investigation I correlated Windows Security, Sysmon, and PowerShell event logs to reconstruct the full attacker lifecycle across compromised hosts — mapping techniques to MITRE ATT&CK with 100% detection accuracy and a 40% lift in SOC triage readiness.
The problem
- A simulated enterprise compromise spanned multiple hosts and log sources.
- Persistence, privilege escalation, and lateral movement had to be reconstructed.
- Findings needed to be defensible and mapped to a recognized framework.
The solution
- Correlated Windows Security, Sysmon, and PowerShell logs into multi-source timelines.
- Performed temporal correlation to attribute actions to specific user sessions and processes.
- Analyzed PowerShell operational logs to uncover scripted lateral movement and credential abuse.
- Mapped IoCs to MITRE ATT&CK and produced structured investigation reports.
Technical architecture
How the system fits together - each layer reflects technology used on the real build.
Telemetry
Multi-source log collection
Correlation
Timeline reconstruction
Mapping
Technique attribution
Reporting
Defensible evidence
Engineering challenges
Multi-source correlation
Stitching Security, Sysmon, and PowerShell channels into one coherent timeline.
Attribution precision
Temporal correlation attributed attacker actions to specific sessions, processes, and persistence mechanisms.
Uncovering scripted abuse
Decoding PowerShell command artifacts revealed scripted lateral movement and credential abuse.
Performance & SEO outcomes
Across controlled forensic investigation scenarios.
Improvement in IR validation and SOC triage.
Persistence and privilege-escalation artifacts identified.
IoCs mapped to recognized techniques.