Query Details

Change PKSLUI Tampering

Query

Query:
DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "slui.exe"
| where InitiatingProcessFileName =~ "changepk.exe"
| where ProcessIntegrityLevel == "High"

Explanation

This query returns process-creation events from DeviceProcessEvents where the initiating (parent) process is changepk.exe, that process's own parent is slui.exe, and the newly created process runs at High integrity. A High-integrity child of this slui.exe -> changepk.exe chain indicates elevation that did not pass through a normal UAC prompt, which is the tampering the query name refers to.

Details

Ali Hussein

Released: September 19, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,InitiatingProcessParentFileName,slui.exe,InitiatingProcessFileName,changepk.exe,ProcessIntegrityLevel,High

Operators

| project DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, ProcessIntegrityLevel