drop Security EVTX CSV · detect token privilege abuse for privilege escalation or anti-forensic purposes · identify SeBackupPrivilege and SeRestorePrivilege abuse to access restricted files · surface token manipulation events · runs locally
Event 4703 · 4672 · 4648 · 4624 · SeBackup · SeRestore · SeDebug · token impersonation