Drop a System EVTX CSV or registry export · detect network adapter MAC address changes · identify locally administered MAC addresses indicating spoofing · surface adapter reconfiguration events · runs locally
artifacts
NetworkAddress registry override · LAA bit (x2/x6/xA/xE) · events 10400 / 4004 / adapter disable-enable cycles