drop a Security EVTX export (CSV) · detects handle duplication from privileged processes into attacker processes · identifies token duplication and privilege escalation via handle-table manipulation · surfaces cross-process resource theft · runs locally
heuristic screener · vendor CSV schemas vary, so field names must be mapped · findings are leads, not definitive proof
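A minimal form of the screening logic described above, added here as an example and not the tool's own code: it correlates Event 4688 (process creation) with Event 4690 (handle duplication) rows from a constructed Security CSV export and flags duplications whose source is a privileged process and whose target lives outside the Windows directory. The column names, the privileged-process list, the system-directory filter and the sample rows are assumptions.

```python
import csv
import io

# Constructed sample export. Column names are an assumption: vendor CSV
# schemas differ, so map your export onto these names before running.
SAMPLE_CSV = """EventID,TimeCreated,SubjectUserName,NewProcessId,NewProcessName,SourceProcessId,TargetProcessId,SourceHandleId,TargetHandleId
4688,2024-01-01T10:00:00,SYSTEM,0x2a8,C:\\Windows\\System32\\lsass.exe,,,,
4688,2024-01-01T10:00:01,SYSTEM,0x3c4,C:\\Windows\\System32\\svchost.exe,,,,
4688,2024-01-01T10:05:00,alice,0x1f40,C:\\Users\\alice\\tool.exe,,,,
4690,2024-01-01T10:05:10,SYSTEM,,,0x2a8,0x1f40,0x5c,0x8c
4690,2024-01-01T10:05:11,SYSTEM,,,0x2a8,0x3c4,0x60,0x90
4690,2024-01-01T10:05:12,alice,,,0x1f40,0x1f40,0x10,0x14
"""

# Assumed heuristic lists; tune to the environment being screened.
PRIVILEGED = {"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

def parse_pid(value):
    """Event 4690 records PIDs as hex (0x2a8); some exports decode them. Accept both."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def screen_handle_duplication(csv_text):
    """Return 4690 events where a privileged process's handle was duplicated
    into a different, non-system process. PID reuse is not handled: the last
    4688 seen for a PID wins, which is a known weakness of this heuristic."""
    pid_names = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] == "4688":
            pid_names[parse_pid(row["NewProcessId"])] = row["NewProcessName"]
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):  # second pass: names resolved
        if row["EventID"] != "4690":
            continue
        src, dst = parse_pid(row["SourceProcessId"]), parse_pid(row["TargetProcessId"])
        if src == dst:
            continue  # a process duplicating its own handle is routine
        src_name, dst_name = pid_names.get(src, ""), pid_names.get(dst, "")
        if basename(src_name) not in PRIVILEGED:
            continue
        if dst_name.lower().startswith(SYSTEM_DIRS):
            continue  # system-to-system duplication is common and expected
        findings.append({"time": row["TimeCreated"], "source": basename(src_name),
                         "target": dst_name or f"unknown pid {dst}",
                         "handle": row["SourceHandleId"]})
    return findings
```

Unknown target PIDs are reported rather than dropped, since a process created before the export window is exactly the case a screener should not silently skip.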