drop system evtx csv · detect rapid service deletion patterns · identify attacker persistence mechanism removal · surface service install-then-delete lifecycle indicating attack tool cleanup · runs locally
7045/4697 install · registry service key delete · 60s burst windows · known-bad name patterns · remote 4697 correlation
drop system and security evtx csv exports