Drop one or more Security event log exports (EVTX converted to CSV) to detect changes to security descriptors on forensically significant objects, identify permission modifications that lock investigators out, and surface ACL changes that enable attacker persistence or data access. Runs locally.
Covers event 4670 (permissions on an object were changed) for all object types, with SDDL DACL/SACL diffing; flags changes to sensitive files and to the lsass process, event 4703 (token privilege adjusted), and rapid clusters of ACL changes.