drop security evtx csv and system evtx csv · detect ntlm relay attack artifacts · identify responder and inveigh execution remnants · surface forced authentication attempts and credential capture patterns · runs locally
Responder · Inveigh · ntlmrelayx · 4648 UNC · 4624 type 3 spikes · 4625 NTLM failures · 4776 bursts · LLMNR poisoning · SMB signing
drop security evtx csv · system evtx csv · optional sysmon / prefetch / registry
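Added example, not the tool's own code: a Python sketch of the windowed burst heuristics named in the tags above (4624 type 3 NTLM spikes, 4625 NTLM failures, 4776 bursts), run over a few constructed rows in the shape of a Security.evtx CSV export. The column names (TimeCreated, EventID, LogonType, AuthenticationPackageName, IpAddress, WorkstationName, TargetUserName, Status), the 60 second window and the threshold of 5 events are assumptions; map them onto whatever your exporter actually emits.

```python
"""Added example: windowed burst heuristics for NTLM relay artifacts in a Security.evtx CSV export."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed: events this close together form one burst
THRESHOLD = 5                    # assumed: matching events per window before a source is flagged

# Constructed sample rows. Column names are an assumption about the export format.
# 10.0.0.99 / PENTEST is the hypothetical relay host; the remaining rows are benign noise.
SAMPLE_CSV = """TimeCreated,EventID,LogonType,AuthenticationPackageName,IpAddress,WorkstationName,TargetUserName,Status
2024-05-01T10:00:00,4624,3,Kerberos,10.0.0.20,WS-ADMIN,alice,
2024-05-01T10:01:00,4624,3,NTLM,10.0.0.99,,alice,
2024-05-01T10:01:02,4624,3,NTLM,10.0.0.99,,bob,
2024-05-01T10:01:04,4624,3,NTLM,10.0.0.99,,carol,
2024-05-01T10:01:06,4624,3,NTLM,10.0.0.99,,dave,
2024-05-01T10:01:08,4624,3,NTLM,10.0.0.99,,erin,
2024-05-01T10:05:00,4625,3,NTLM,10.0.0.99,,svc_backup,0xC000006D
2024-05-01T10:05:01,4625,3,NTLM,10.0.0.99,,svc_sql,0xC000006D
2024-05-01T10:05:02,4625,3,NTLM,10.0.0.99,,svc_web,0xC000006D
2024-05-01T10:05:03,4625,3,NTLM,10.0.0.99,,Administrator,0xC000006D
2024-05-01T10:05:04,4625,3,NTLM,10.0.0.99,,backup_admin,0xC000006D
2024-05-01T10:01:00,4776,,NTLM,,PENTEST,alice,0x0
2024-05-01T10:01:02,4776,,NTLM,,PENTEST,bob,0x0
2024-05-01T10:01:04,4776,,NTLM,,PENTEST,carol,0x0
2024-05-01T10:01:06,4776,,NTLM,,PENTEST,dave,0x0
2024-05-01T10:01:08,4776,,NTLM,,PENTEST,erin,0x0
2024-05-01T11:00:00,4624,3,NTLM,10.0.0.30,WS-FILE,frank,
"""


def parse_rows(text):
    """Read the CSV export, attach a parsed timestamp, return rows sorted by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["_ts"] = datetime.fromisoformat(row["TimeCreated"])
    rows.sort(key=lambda row: row["_ts"])
    return rows


def find_bursts(rows, predicate, key_field, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of rows matching `predicate`, grouped by `key_field`.

    Returns {key: (events_in_busiest_window, distinct_target_users)} for each group
    whose busiest window reaches `threshold`. Many distinct accounts from one source
    is what separates a relay or spray from a single noisy service account.
    """
    recent = defaultdict(deque)
    hits = {}
    for row in rows:
        if not predicate(row):
            continue
        key = row[key_field]
        window_rows = recent[key]
        window_rows.append(row)
        while row["_ts"] - window_rows[0]["_ts"] > window:
            window_rows.popleft()
        if len(window_rows) >= threshold:
            users = {r["TargetUserName"] for r in window_rows}
            if key not in hits or len(window_rows) > hits[key][0]:
                hits[key] = (len(window_rows), len(users))
    return hits


def ntlm_network_logon_spikes(rows):
    """4624 / LogonType 3 / NTLM: a relayed session shows up on the target as a network
    logon whose source address is the relay host, usually for several different accounts."""
    return find_bursts(
        rows,
        lambda r: r["EventID"] == "4624" and r["LogonType"] == "3"
        and r["AuthenticationPackageName"] == "NTLM",
        "IpAddress",
    )


def ntlm_failure_bursts(rows):
    """4625 via NTLM in bulk from one address: relays or hash replays that did not land
    (0xC000006D is the generic bad-credentials status)."""
    return find_bursts(
        rows,
        lambda r: r["EventID"] == "4625" and r["AuthenticationPackageName"] == "NTLM",
        "IpAddress",
    )


def credential_validation_bursts(rows):
    """4776 is written by the host that validates the NTLM credential (the DC for domain
    accounts). Group on the client-supplied Workstation name, which attacker tools can
    set to anything; an unfamiliar name recurring across many accounts is a pivot."""
    return find_bursts(rows, lambda r: r["EventID"] == "4776", "WorkstationName")


def analyse(text):
    rows = parse_rows(text)
    return {
        "4624 type 3 NTLM spikes": ntlm_network_logon_spikes(rows),
        "4625 NTLM failure bursts": ntlm_failure_bursts(rows),
        "4776 validation bursts": credential_validation_bursts(rows),
    }


if __name__ == "__main__":
    for label, findings in analyse(SAMPLE_CSV).items():
        for source, (count, users) in findings.items():
            print(f"{label}: {source} -> {count} events, {users} distinct accounts")
```

On the constructed input this flags 10.0.0.99 for both the 4624 and the 4625 bursts and PENTEST for the 4776 burst, while the lone NTLM logon from 10.0.0.30 and the Kerberos logon stay quiet. The window and threshold are starting points, not tuned values: backup agents, vulnerability scanners and monitoring accounts produce legitimate network-logon bursts, so triage the flagged sources against known infrastructure before calling anything a relay. Note also that 4776 only exists on the validating host, so a workstation-only export will never populate that bucket, and that requiring SMB signing on the target blocks SMB-to-SMB relay but does nothing for relay to LDAP or HTTP endpoints.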