drop system evtx csv and registry export · detect LSA protection disabled · identify Credential Guard removal · surface attempts to weaken credential protection that enable credential theft · runs locally
RunAsPPL · LsaCfgFlags · VBS · Event 12/1074 · 4656/4661 · Sysmon 10 lsass access
drop system evtx csv · security evtx csv · registry export