drop evtx and mft csv · six-phase kill chain · persistence through vss prep · timeline csv · runs locally

drop evtx csv · mft csv
security/system/powershell evtx · mftecmd mft export

phases: persistence · discovery · credential access · lateral movement · staging archives · final prep (vss/bcdedit)

drop evtx csv and mft csv exports (multiple files OK)