drop security system and powershell evtx csvs · detect wevtutil execution patterns · identify log clearing commands · correlate with process creation events · surface log manipulation operations · runs locally
4688 process creation · 4104 script blocks · 1102/104 clear correlation · rapid-fire clears
drop security · system · powershell · sysmon evtx csvs