Drop Security EVTX CSV and System EVTX CSV · detect remote forensic collection agent activity · identify Velociraptor, GRR and EDR/MDR collection artifacts · surface evidence of remote live response operations · runs locally
Velociraptor · GRR · KAPE · EDR agents · 7045 service install · Sysmon 3 · collection ZIP / _kape_ output
Drop Security / System EVTX · Prefetch · ShimCache · MFT CSV