drop security evtx csv · detect permission changes on evtx log files or channels · identify access restrictions preventing forensic reading · surface acl modifications locking investigators out of log data · runs locally
4670 on .evtx / winevt paths · 4656 deny handles · 4688 wevtutil sl /ca · admin read deny = critical
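The rules listed above, applied to a Security log CSV export, as an added example that is not the tool's own code. The column names (`EventID`, `Keywords`, `ObjectName`, `NewSd`, `CommandLine`), the rule labels, the `high` default severity and the sample rows are assumptions constructed for illustration; only the event IDs, the path patterns, the `wevtutil sl /ca` match and the "admin read deny = critical" rule come from the page.

```python
import csv, io, re

LOG_PATH = re.compile(r"\.evtx\b|\\winevt\\", re.I)            # .evtx / winevt paths
WEVTUTIL_CA = re.compile(r"\bwevtutil(\.exe)?\b.*\b(sl|set-log)\b.*/ca:", re.I)
# SDDL deny ACE whose trustee is Builtin Administrators (BA or its SID)
ADMIN_DENY = re.compile(r"\(D;[^;)]*;([^;)]*);[^;)]*;[^;)]*;(?:BA|S-1-5-32-544)\)", re.I)

def denies_admin_read(sddl):
    """True if any deny ACE for Administrators covers read access."""
    for rights in ADMIN_DENY.findall(sddl or ""):
        if rights.lower().startswith("0x"):
            # bit 0x1 = read (channel and file data), plus GENERIC_READ / GENERIC_ALL
            if int(rights, 16) & (0x1 | 0x80000000 | 0x10000000):
                return True
        elif set(re.findall("..", rights.upper())) & {"GA", "GR", "FA", "FR"}:
            return True
    return False

def triage(csv_text):
    """Return (event_id, rule, severity) for each row that matches a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        get = lambda k: (row.get(k) or "").strip()
        eid, obj, cmd = get("EventID"), get("ObjectName"), get("CommandLine")
        if eid == "4670" and LOG_PATH.search(obj):
            rule = "acl-change-on-log"
        elif eid == "4656" and LOG_PATH.search(obj) and "failure" in get("Keywords").lower():
            rule = "denied-handle-on-log"
        elif eid == "4688" and WEVTUTIL_CA.search(cmd):
            rule = "wevtutil-channel-acl"
        else:
            continue
        # admin read deny = critical; everything else defaults to high (assumed label)
        critical = denies_admin_read(get("NewSd")) or denies_admin_read(cmd)
        findings.append((eid, rule, "critical" if critical else "high"))
    return findings

# Constructed sample rows (not real telemetry)
SAMPLE = r"""EventID,Keywords,ObjectName,NewSd,CommandLine
4670,Audit Success,C:\Windows\System32\winevt\Logs\Security.evtx,D:(D;;FR;;;BA)(A;;FA;;;SY),
4656,Audit Failure,C:\Windows\System32\winevt\Logs\Security.evtx,,
4688,Audit Success,,,wevtutil sl Security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)
4670,Audit Success,C:\Users\Public\notes.txt,D:(A;;FA;;;BA),
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

4688 rows only carry a command line when process command-line auditing is enabled, so an export without that column will never trigger the `wevtutil` rule.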