Drop Sysmon EVTX/CSV and Security 4688 EVTX/CSV · detect processes where the displayed command line differs from the actual execution · identify NtCreateUserProcess command line tricks · surface argument spoofing that hides attacker payloads · runs locally
Heuristic screener · vendor schema varies · not definitive proof
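One way such a screener can cross-check the two inputs, written as an added example rather than the tool's own code: load a Sysmon Event ID 1 export and a Security Event ID 4688 export, join the rows on process ID, normalize cosmetic differences (case, quoting, whitespace) so that only substantive differences are flagged, and report processes whose recorded command line or image disagrees between the two sources, or which appear in only one of them. The column names, the join key, and the CSV text are assumptions constructed for the example; real vendor exports use different headers, which is why each source carries its own column map.

```python
"""Cross-check process command lines between a Sysmon export and a
Security 4688 export and flag disagreements (heuristic, not proof).

Added example, not the tool's own code. Column names, the PID join key
and the sample CSV text are assumptions constructed for illustration.
"""
import csv
import io
import re

# Constructed Sysmon Event ID 1 export (column names assumed).
SYSMON_CSV = """EventId,ProcessId,Image,CommandLine
1,4120,C:\\Windows\\System32\\notepad.exe,notepad.exe C:\\Users\\a\\notes.txt
1,5216,C:\\Windows\\System32\\cmd.exe,cmd.exe /c echo hello
1,6000,C:\\Windows\\System32\\calc.exe,calc.exe
"""

# Constructed Security Event ID 4688 export (column names assumed).
# 4688 records the new process ID as hex; the loader accepts both forms.
SECURITY_CSV = """EventId,New Process ID,New Process Name,Process Command Line
4688,0x1018,C:\\Windows\\System32\\notepad.exe,"NOTEPAD.EXE"   C:\\Users\\a\\notes.txt
4688,0x1460,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami
"""

# Per-source column maps: swap these when a vendor export uses other headers.
SYSMON_COLUMNS = {"event": "EventId", "want": "1", "pid": "ProcessId",
                  "image": "Image", "cmdline": "CommandLine"}
SECURITY_COLUMNS = {"event": "EventId", "want": "4688", "pid": "New Process ID",
                    "image": "New Process Name", "cmdline": "Process Command Line"}


def normalize(cmd):
    """Collapse case, double quotes and whitespace runs so that purely
    cosmetic formatting differences between sources are not reported."""
    cmd = cmd.strip().lower().replace('"', "")
    return re.sub(r"\s+", " ", cmd)


def load_events(text, columns):
    """Return {pid: (image, cmdline)} for rows matching the wanted event id.
    Caveat: PIDs are reused over time; a production join should also use the
    process creation time, which this example omits for brevity."""
    events = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row[columns["event"]].strip() != columns["want"]:
            continue
        pid = int(row[columns["pid"]].strip(), 0)  # "4120" and "0x1018" both parse
        events[pid] = (row[columns["image"]].strip(), row[columns["cmdline"]])
    return events


def compare(sysmon, security):
    """Report processes whose two records disagree, or which lack a counterpart."""
    findings = []
    for pid in sorted(set(sysmon) | set(security)):
        s, e = sysmon.get(pid), security.get(pid)
        if s is None or e is None:
            reason = "missing_in_sysmon" if s is None else "missing_in_security"
            findings.append({"pid": pid, "reason": reason})
        elif s[0].lower() != e[0].lower():
            findings.append({"pid": pid, "reason": "image_mismatch",
                             "sysmon": s[0], "security": e[0]})
        elif normalize(s[1]) != normalize(e[1]):
            findings.append({"pid": pid, "reason": "cmdline_mismatch",
                             "sysmon": s[1], "security": e[1]})
    return findings


def screen(sysmon_csv=SYSMON_CSV, security_csv=SECURITY_CSV):
    """Run the whole screen over two CSV exports and return the findings."""
    return compare(load_events(sysmon_csv, SYSMON_COLUMNS),
                   load_events(security_csv, SECURITY_COLUMNS))


if __name__ == "__main__":
    for finding in screen():
        print(finding)
```

In the constructed data, PID 4120 differs only in case, quoting and spacing and is therefore not reported; PID 5216 is reported because the two sources recorded substantively different command lines; PID 6000 is reported because it has no 4688 counterpart. Each finding is a lead to triage against the process's full context, not a verdict, matching the screener's own caveat.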