Drop a Sysmon EVTX CSV export or a System EVTX CSV export · detects unsigned and known-vulnerable kernel driver loads (Sysmon Event ID 6) · identifies bring-your-own-vulnerable-driver (BYOVD) artifacts · surfaces kernel-level anti-forensic driver installations (System Event ID 7045 service installs) · runs locally, nothing leaves the machine
Heuristic screener · column names and field layouts differ between export tools, so parsing is best effort · a hit is a lead for investigation, not definitive proof of compromise
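As an added example of the screening heuristics described above (this is not the page's own tool), the Python below parses a CSV export containing Sysmon Event ID 6 (driver loaded) and System Event ID 7045 (service installed) rows, normalises vendor-specific header spellings, and flags rows by four rules: watchlisted driver name or hash, unsigned or non-Valid signature status, driver loaded from a user-writable directory, and a kernel-mode driver service installed from a user-writable directory. The watchlist names, the placeholder hash, the user-writable directory list and the sample rows are all constructed for the demo; a real screener would load a maintained vulnerable-driver list such as the LOLDrivers project (loldrivers.io) instead of the three hard-coded names.

```python
"""Heuristic screener for BYOVD-style kernel driver activity in EVTX CSV exports.

Added example, not the page's own tool. Handles Sysmon Event ID 6 (DriverLoad)
and System log Event ID 7045 (new service installed) rows. Column names are
normalised because vendor exports spell headers differently. The watchlist,
the placeholder hash and the log rows are constructed for the demo.
"""
import csv
import io
import re

# Illustrative file-name watchlist of drivers widely reported as abused for
# BYOVD. Not exhaustive; a real screener would load a maintained list.
VULN_DRIVER_NAMES = {"rtcore64.sys", "dbutil_2_3.sys", "gdrv.sys"}

# Placeholder SHA256 (constructed, not a real driver hash) standing in for a
# hash denylist entry.
PLACEHOLDER_SHA256 = "deadbeef" * 8
VULN_DRIVER_SHA256 = {PLACEHOLDER_SHA256}

# Directories a properly installed kernel driver should not be loaded from
# (assumed list for the demo).
USER_WRITABLE_PATH = re.compile(
    r"\\(temp|users|programdata|appdata|downloads)\\", re.IGNORECASE
)


def _norm_key(name):
    """Map 'Image Loaded', 'image_loaded' and 'ImageLoaded' to 'imageloaded'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _field(row, *candidates):
    """First non-empty value among alternative (normalised) column names."""
    for key in candidates:
        value = row.get(key, "")
        if value:
            return value
    return ""


def _sha256_from_hashes(hashes):
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; pull out the SHA256."""
    for part in hashes.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def screen_driver_events(csv_text):
    """Return (row_number, rule, image_path) findings for a CSV export."""
    findings = []
    for n, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        row = {_norm_key(k): (v or "").strip() for k, v in raw.items() if k}
        event_id = _field(row, "eventid", "id")
        image = _field(row, "imageloaded", "imagepath", "image")
        basename = image.rsplit("\\", 1)[-1].lower()
        sha256 = _sha256_from_hashes(_field(row, "hashes"))

        # Rule 1: driver name or hash is on the vulnerable-driver watchlist.
        if basename in VULN_DRIVER_NAMES or (sha256 and sha256 in VULN_DRIVER_SHA256):
            findings.append((n, "known_vulnerable_driver", image))

        if event_id == "6":
            # Rule 2: Sysmon reports the driver as unsigned, or its signature
            # status is anything other than Valid (Unavailable, Expired, ...).
            signed = _field(row, "signed").lower()
            status = _field(row, "signaturestatus").lower()
            if signed in ("false", "no", "0") or (status and status != "valid"):
                findings.append((n, "unsigned_or_invalid_signature", image))
            # Rule 3: kernel code loaded from a user-writable directory.
            if USER_WRITABLE_PATH.search(image):
                findings.append((n, "driver_loaded_from_user_writable_path", image))

        elif event_id == "7045":
            # Rule 4: a kernel-mode driver service installed from a
            # user-writable path. Ad-hoc installs like this are the usual way
            # BYOVD and anti-forensic drivers arrive (heuristic, not proof).
            service_type = _field(row, "servicetype").lower()
            if "kernel" in service_type and USER_WRITABLE_PATH.search(image):
                findings.append((n, "kernel_driver_installed_from_user_writable_path", image))
    return findings


# Constructed sample rows mixing both export shapes; note the 'Image Loaded'
# header spelling, which the normaliser folds to 'imageloaded'.
SAMPLE_CSV = rf"""EventID,Image Loaded,ImagePath,Signed,SignatureStatus,Hashes,ServiceType
6,C:\Windows\System32\drivers\ndis.sys,,true,Valid,SHA256={'cd' * 32},
6,C:\Users\Public\RTCore64.sys,,true,Valid,SHA256={'ab' * 32},
6,C:\Windows\Temp\evil.sys,,false,Unavailable,SHA256={PLACEHOLDER_SHA256},
7045,,C:\ProgramData\x\drv.sys,,,,kernel mode driver
7045,,C:\Windows\System32\drivers\vendor.sys,,,,kernel mode driver
"""

if __name__ == "__main__":
    for row_no, rule, image in screen_driver_events(SAMPLE_CSV):
        print(f"row {row_no}: {rule}: {image}")
```

Rows 1 and 5 (signed, valid, loaded from `System32\drivers`) produce nothing; row 2 is caught by name even though it is validly signed, which is the whole point of BYOVD; row 3 trips three rules at once; row 4 is the 7045 install heuristic. Every hit still needs a human to confirm, which is why the output is a list of leads rather than a verdict.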