drop a sysmon evtx or csv export · detect thread context modification used for code injection · identify process-access patterns consistent with suspend-modify-resume thread hijacking · surface thread execution redirection into trusted processes · runs locally
drop sysmon evtx csv · local only
heuristic screener · column names and value formats vary between export tools (vendor schema) · a hit is a triage lead, not definitive proof of injection
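An added example of the kind of screening logic described above; it is not the tool's own code. Because Sysmon does not log thread handle opens, it approximates the suspend-modify-resume pattern from Sysmon Event ID 10 (ProcessAccess) masks: a source that obtains memory-write rights plus suspend/resume or thread-creation rights on a trusted host process. The CSV rows, the trusted-target list and the column names (taken from Sysmon's ProcessAccess field names) are constructed assumptions.

```python
import csv
import io

# Windows process access rights (winnt.h) as they appear in Sysmon Event ID 10 GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# Assumed set of commonly targeted trusted host processes (illustrative, adjust per environment).
TRUSTED_TARGETS = {"svchost.exe", "explorer.exe", "lsass.exe", "rundll32.exe"}

# Constructed sample export; column names follow Sysmon's ProcessAccess event fields.
SAMPLE_CSV = r"""EventID,SourceImage,TargetImage,GrantedAccess,CallTrace
10,C:\Users\u\tool.exe,C:\Windows\System32\svchost.exe,0x0838,C:\Windows\SYSTEM32\ntdll.dll+9d5e4|UNKNOWN(000001C0)
10,C:\Windows\System32\Taskmgr.exe,C:\Windows\explorer.exe,0x1000,C:\Windows\SYSTEM32\ntdll.dll+9d5e4
10,C:\Users\u\tool.exe,C:\Windows\explorer.exe,0x1FFFFF,C:\Windows\SYSTEM32\ntdll.dll+9d5e4
"""


def parse_access(value):
    """Sysmon writes GrantedAccess as hex ('0x1FFFFF'); some exporters emit decimal instead."""
    v = value.strip()
    return int(v, 16) if v.lower().startswith("0x") else int(v)


def hijack_pattern(mask):
    """Rights needed to write code into a process and then suspend/resume or create its threads."""
    can_write = bool(mask & PROCESS_VM_WRITE) and bool(mask & PROCESS_VM_OPERATION)
    can_control = bool(mask & (PROCESS_SUSPEND_RESUME | PROCESS_CREATE_THREAD))
    return can_write and can_control


def screen(csv_text):
    """Return one finding per Event ID 10 row whose mask matches and whose target is trusted."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("EventID", "10").strip() != "10":
            continue  # only ProcessAccess events carry a GrantedAccess mask
        mask = parse_access(row["GrantedAccess"])
        target = row["TargetImage"].rsplit("\\", 1)[-1].lower()
        if hijack_pattern(mask) and target in TRUSTED_TARGETS:
            findings.append({
                "source": row["SourceImage"],
                "target": target,
                "mask": hex(mask),
                # A caller frame not backed by a module is a secondary indicator worth triaging.
                "unbacked_caller": "UNKNOWN" in row.get("CallTrace", ""),
            })
    return findings


if __name__ == "__main__":
    for f in screen(SAMPLE_CSV):
        print(f)
```

Treat each finding as a lead: benign tooling (debuggers, AV, task managers) also requests these rights, so the source image and call trace need review before any conclusion.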