drop security evtx csv or registry diff export · detect persistence mechanism removal · identify autorun keys deleted during investigation window · surface attacker cleanup of persistence artifacts · runs locally
inputs
drop security evtx csv, .reg diff, or autoruns csv (multi-file)
or click
4657/4660 on Run, Winlogon, Services, IFEO · before/after .reg or snapshot csv · paired autoruns csv
drop security evtx csv, registry diff, or autoruns csv