drop 4688 or sysmon evtx csv · detect processes using legitimate windows binary names from wrong paths · identify masquerading attacks · surface svchost lsass and other system binary impersonation · runs locally
heuristic screener · csv column names vary by vendor schema · a hit is a lead, not definitive proof
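The core check the tagline describes, written here as an added illustration rather than the tool's own code: take the image path from each exported row, and flag any well-known system binary name whose parent directory is not one of the places Windows installs it. The column names (`NewProcessName` for 4688, `Image` for Sysmon event 1), the table of expected directories, and the sample CSV rows are all assumptions constructed for this example; real exports will need the column list and the table adjusted.

```python
import csv
import io
import ntpath
from typing import Dict, List

# Expected parent directories for system binaries that are frequently impersonated.
# Comparison is case-insensitive on normalized paths. This table is an assumption
# built for the example, not an exhaustive or authoritative list.
EXPECTED_DIRS: Dict[str, List[str]] = {
    "svchost.exe":  [r"c:\windows\system32", r"c:\windows\syswow64"],
    "lsass.exe":    [r"c:\windows\system32"],
    "csrss.exe":    [r"c:\windows\system32"],
    "services.exe": [r"c:\windows\system32"],
    "winlogon.exe": [r"c:\windows\system32"],
    "explorer.exe": [r"c:\windows"],
    "rundll32.exe": [r"c:\windows\system32", r"c:\windows\syswow64"],
}

# Columns that carry the full image path in the two export schemas handled here.
# Vendor CSV schemas differ, so this list is an assumption that may need extending.
PATH_COLUMNS = ("NewProcessName", "Image")

# Constructed sample export of Security 4688 events (not real telemetry).
SAMPLE_4688 = r"""TimeCreated,EventID,SubjectUserName,NewProcessName,CreatorProcessName
2024-01-15T09:12:01Z,4688,SYSTEM,C:\Windows\System32\svchost.exe,C:\Windows\System32\services.exe
2024-01-15T09:12:05Z,4688,SYSTEM,\SystemRoot\System32\csrss.exe,\SystemRoot\System32\smss.exe
2024-01-15T09:13:44Z,4688,alice,C:\Users\Public\svchost.exe,C:\Windows\explorer.exe
2024-01-15T09:14:02Z,4688,alice,C:\Windows\Temp\lsass.exe,C:\Users\alice\Downloads\setup.exe
2024-01-15T09:15:10Z,4688,alice,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe
"""

# Constructed sample export of Sysmon event 1 rows (not real telemetry).
SAMPLE_SYSMON = r"""UtcTime,EventId,Image,ParentImage,User
2024-01-15 09:20:00.123,1,C:\Windows\System32\svchost.exe,C:\Windows\System32\services.exe,NT AUTHORITY\SYSTEM
2024-01-15 09:21:30.456,1,C:\ProgramData\svchost.exe,C:\Windows\explorer.exe,CORP\alice
2024-01-15 09:22:00.789,1,C:\Windows\SysWOW64\rundll32.exe,C:\Windows\explorer.exe,CORP\alice
"""


def normalize_path(raw: str) -> str:
    """Lower-case the path, unify separators, and rewrite the common
    \\SystemRoot\\, %SystemRoot%\\ and \\??\\ prefixes so that the same
    binary compares equal regardless of how the source logged it."""
    p = raw.strip().strip('"').lower().replace("/", "\\")
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = "c:\\windows\\" + p[len(prefix):]
    if p.startswith("\\??\\"):          # NT device-path form
        p = p[4:]
    return p


def find_masquerades(csv_text: str) -> List[dict]:
    """Return one finding per row whose image name is a known system binary
    but whose parent directory is not in EXPECTED_DIRS for that name."""
    findings: List[dict] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = next((row[c] for c in PATH_COLUMNS if row.get(c)), None)
        if raw is None:
            continue                     # schema has no recognized path column
        path = normalize_path(raw)
        directory, name = ntpath.split(path)
        expected = EXPECTED_DIRS.get(name)
        if expected is None or directory in expected:
            continue                     # not a tracked name, or in an expected place
        findings.append({
            "name": name,
            "path": path,
            "observed_dir": directory,
            "expected_dirs": expected,
            "row": dict(row),            # keep the full row for triage context
        })
    return findings


if __name__ == "__main__":
    for label, sample in (("4688", SAMPLE_4688), ("sysmon", SAMPLE_SYSMON)):
        for hit in find_masquerades(sample):
            print(f"[{label}] {hit['name']} ran from {hit['observed_dir']} "
                  f"(expected {', '.join(hit['expected_dirs'])})")
```

The check is deliberately path-only, matching the tagline's scope: a binary named exactly `svchost.exe` in a user-writable directory is flagged, while near-miss names (`svch0st.exe`) or a genuine copy of the binary run from an unusual location for legitimate reasons are not distinguished, which is why the page calls the output a lead rather than proof. Rows whose name is not in the table are skipped rather than flagged, so the table, not the data, decides what the screener looks at.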