drop powershell operational evtx csv · detect clm bypass techniques · LanguageMode transitions · clm probes · alternate host bypass · export csv · runs locally
4104 script blocks · 4103 LanguageMode · optional security 4688 for msbuild/installutil hosts
drop powershell operational 4104/4103 csv · optional 4688 for host bypass correlation