Drop Security EVTX CSV and registry export · Detect application whitelisting policy removal · Identify deleted AppLocker rules · Surface WDAC policy bypasses and removals · Runs locally
artifacts
Drop Security / AppLocker EVTX CSV · registry export (multi-file)
8003–8008 AppLocker · 3076/3077 WDAC · SrpV2 registry · 4688 LOLBin bypass