drop security evtx csv · detect smb network share access log gaps · identify share access audit disable events · surface lateral movement that was logged then cleared · runs locally
5140/5145 gaps >30m · 4719 file share audit disable · ADMIN$/IPC$/C$ lateral patterns · remote wevtutil after ADMIN$
drop security evtx csv (5140–5145 share access events)