Drop PowerShell Operational EVTX CSV and Security EVTX CSV · detect script block logging disablement · identify registry changes disabling PowerShell logging · surface gaps in the PowerShell execution record · runs locally
artifacts
Drop PowerShell Operational / Security EVTX CSV · registry export (multi-file)
Event ID 4104 gaps · Event ID 4657 registry modifications · PowerShell v2 downgrade · AMSI bypass correlation