drop a Prefetch, Shimcache, or Security event 4688 (EVTX) export as CSV · detect execution of Wireshark, tshark, and other network capture tools · flag possible attacker network reconnaissance via packet capture · surface context that separates legitimate forensic or admin use from attacker use · runs locally
heuristic screener · CSV column names vary by vendor and export tool, so field mapping may need adjusting · a hit is a lead for analyst review, not definitive proof of attacker activity · Shimcache entries on Windows 10 and later show file presence, not proven execution; Prefetch and 4688 are the stronger evidence