drop security evtx csv · reconstruct privilege changes · 4672 special privileges · 4673 privileged service calls · 4674 operations on privileged objects · token elevation events · runs locally
security evtx csv
drop evtx csv
or click
4672 · 4673 · 4674 · 4624 · 4648 · 4703 — evtxecmd / chainsaw security export
drop security evtx csv (4672, 4673, 4674, 4624, 4648, 4703)