drop security evtx csv · correlate logon type 3 ntlm events with admin share access · detect pth patterns · 4624 ntlm logon type 3 without password spray · runs locally
4624 · 4625 · 5140 · 5145 — evtxecmd / chainsaw export