drop Sysmon EVTX CSV and MFT CSV · detect create-execute-delete patterns for executables · identify short-lived PE files indicating staged execution · surface doppelganging and dropper cleanup patterns · runs locally
drop Sysmon EVTX CSV and MFT CSV · local only
heuristic screener · vendor schema varies · not definitive proof
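As an added example, not the screener described on this page, the Python below shows the core correlation such a tool performs: group Sysmon FileCreate (11), ProcessCreate (1) and FileDelete (23/26) events by normalized path, flag PE files whose create-to-delete lifetime is short, note whether an execution fell inside that window, and corroborate with an MFT export whose record for the path is no longer in use. Because exporter schemas vary, the column names (EventID, UtcTime, Image, TargetFilename; Path, Created, InUse) are an assumed layout to adapt, and the CSV rows are constructed. It covers the create-execute-delete and short-lived PE checks only, not doppelganging.

```python
"""Heuristic create-execute-delete screener over Sysmon and MFT CSV exports.

Added example, not the page's tool. Column names are an ASSUMED schema;
real EVTX/MFT exporters differ, so edit SYSMON_FIELDS / MFT_FIELDS to match.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed column names (not any vendor's schema).
SYSMON_FIELDS = {"event_id": "EventID", "time": "UtcTime",
                 "image": "Image", "target": "TargetFilename"}
MFT_FIELDS = {"path": "Path", "created": "Created", "in_use": "InUse"}

# Sysmon event IDs: 1 ProcessCreate, 11 FileCreate, 23 FileDelete, 26 FileDeleteDetected.
EXEC_ID, CREATE_ID, DELETE_IDS = "1", "11", {"23", "26"}
PE_EXT = (".exe", ".dll", ".scr", ".sys")

# Constructed sample rows: a staged binary that runs then vanishes, a dropped
# DLL removed without execution, and a benign install that is never deleted.
SYSMON_SAMPLE = r"""EventID,UtcTime,Image,TargetFilename
11,2024-01-10 09:00:00.100,C:\Windows\explorer.exe,C:\Users\a\AppData\Local\Temp\stage1.exe
1,2024-01-10 09:00:02.500,C:\Users\a\AppData\Local\Temp\stage1.exe,
23,2024-01-10 09:00:05.000,C:\Users\a\AppData\Local\Temp\stage1.exe,C:\Users\a\AppData\Local\Temp\stage1.exe
11,2024-01-10 09:10:00.000,C:\Windows\System32\msiexec.exe,C:\Users\a\AppData\Local\Temp\tmp.dll
26,2024-01-10 09:10:03.000,C:\Windows\System32\msiexec.exe,C:\Users\a\AppData\Local\Temp\tmp.dll
11,2024-01-10 10:00:00.000,C:\setup.exe,C:\Program Files\App\app.exe
1,2024-01-10 10:00:30.000,C:\Program Files\App\app.exe,
"""
MFT_SAMPLE = r"""Path,Created,InUse
C:\Users\a\AppData\Local\Temp\stage1.exe,2024-01-10 09:00:00.100,False
C:\Program Files\App\app.exe,2024-01-10 10:00:00.000,True
"""


def _ts(s):
    return datetime.strptime(s.strip(), "%Y-%m-%d %H:%M:%S.%f")


def _norm(path):
    # Case-insensitive path key so Sysmon and MFT rows join reliably.
    return path.strip().lower()


def load_sysmon(text):
    """Return {path: {"create": [ts], "exec": [ts], "delete": [ts]}} from Sysmon CSV text."""
    ev = defaultdict(lambda: {"create": [], "exec": [], "delete": []})
    f = SYSMON_FIELDS
    for row in csv.DictReader(io.StringIO(text)):
        eid, t = row[f["event_id"]].strip(), _ts(row[f["time"]])
        if eid == CREATE_ID:
            ev[_norm(row[f["target"]])]["create"].append(t)
        elif eid == EXEC_ID:
            ev[_norm(row[f["image"]])]["exec"].append(t)
        elif eid in DELETE_IDS:
            ev[_norm(row[f["target"]])]["delete"].append(t)
    return ev


def load_mft(text):
    """Return {path: (created, in_use)} for PE-extension records from MFT CSV text."""
    out, f = {}, MFT_FIELDS
    for row in csv.DictReader(io.StringIO(text)):
        p = _norm(row[f["path"]])
        if p.endswith(PE_EXT):
            out[p] = (_ts(row[f["created"]]), row[f["in_use"]].strip().lower() == "true")
    return out


def screen(sysmon, mft, max_life=timedelta(minutes=5)):
    """Flag PE paths created and deleted within max_life; record whether they executed in between."""
    findings = []
    for path, e in sysmon.items():
        if not path.endswith(PE_EXT) or not e["create"] or not e["delete"]:
            continue
        created, deleted = min(e["create"]), max(e["delete"])
        if deleted < created or deleted - created > max_life:
            continue
        executed = any(created <= x <= deleted for x in e["exec"])
        rec = mft.get(path)
        findings.append({
            "path": path,
            "lifetime_s": (deleted - created).total_seconds(),
            "pattern": "create-execute-delete" if executed else "short-lived-pe",
            # MFT record exists for the path and is no longer in use: the delete is corroborated.
            "mft_corroborated": bool(rec and not rec[1]),
        })
    return sorted(findings, key=lambda x: x["path"])


def run_sample():
    return screen(load_sysmon(SYSMON_SAMPLE), load_mft(MFT_SAMPLE))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['pattern']:<22} {f['lifetime_s']:>6.1f}s  mft={f['mft_corroborated']}  {f['path']}")
```

The output is a triage list, not a verdict: installers, updaters and build tools legitimately create, run and remove executables, so each hit needs the surrounding process tree and file content before it means anything.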