drop security evtx csv · detect registry key permission changes · identify keys locked from forensic access · surface permission modifications enabling or concealing attacker persistence · runs locally
4670 registry object ACL changes · SDDL DACL/SACL diff · admin lockout & Everyone-write flags
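The DACL diff and the two flags named above, as an added example (not this tool's own code). The CSV column names (`EventID`, `ObjectType`, `ObjectName`, `OldSd`, `NewSd`), the sample rows and the flag heuristics are assumptions made for illustration.

```python
import csv, io, re

# Rights that let a trustee change a key or its ACL. DC/LC map to KEY_SET_VALUE/KEY_CREATE_SUB_KEY.
WRITE_CODES = {"KA", "KW", "GA", "GW", "WD", "WO", "DC", "LC"}
WRITE_MASK = 0x2 | 0x4 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
ADMINS = {"BA", "S-1-5-32-544"}
EVERYONE = {"WD", "S-1-1-0"}  # as a trustee "WD" is World; as a right it is WRITE_DAC

def parse_dacl(sddl):
    """Return {(ace_type, rights, trustee)} for the D: part only (SACL is ignored)."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl or "")
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")
        if len(f) >= 6:
            aces.add((f[0], f[2], f[5]))
    return aces

def can_write(rights):
    if rights.lower().startswith("0x"):  # rights may be a hex access mask
        return bool(int(rights, 16) & WRITE_MASK)
    return any(rights[i:i + 2] in WRITE_CODES for i in range(0, len(rights), 2))

def flag_change(old_sd, new_sd):
    old, new = parse_dacl(old_sd), parse_dacl(new_sd)
    added, removed, flags = new - old, old - new, []
    had = any(t == "A" and s in ADMINS for t, _, s in old)
    has = any(t == "A" and s in ADMINS for t, _, s in new)
    denied = any(t == "D" and s in ADMINS for t, _, s in added)
    if (had and not has) or denied:  # assumed heuristic for "admin lockout"
        flags.append("admin-lockout")
    if any(t == "A" and s in EVERYONE and can_write(r) for t, r, s in added):
        flags.append("everyone-write")
    return {"added": sorted(added), "removed": sorted(removed), "flags": flags}

def analyze(csv_text):
    """Diff every 4670 row whose object is a registry key."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["ObjectName"], flag_change(r["OldSd"], r["NewSd"]))
            for r in rows if r["EventID"] == "4670" and r["ObjectType"] == "Key"]

# Constructed sample export, not real log data.
SAMPLE = r"""EventID,ObjectType,ObjectName,OldSd,NewSd
4670,Key,\REGISTRY\MACHINE\SOFTWARE\ExampleA,D:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU),D:P(A;CI;KA;;;SY)
4670,Key,\REGISTRY\MACHINE\SOFTWARE\ExampleB,D:(A;CI;KA;;;BA)(A;CI;KR;;;WD),D:(A;CI;KA;;;BA)(A;CI;KA;;;WD)
4670,File,C:\temp\x.txt,D:(A;;FA;;;BA),D:(A;;FA;;;WD)
"""

if __name__ == "__main__":
    for name, result in analyze(SAMPLE):
        print(name, result["flags"], "+", result["added"], "-", result["removed"])
```

Conditional ACEs with nested parentheses are not handled by this parser.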