Query Details
//Credential theft from registry. Defender for Endpoint connected to Sentinel.
//Hunts for `reg save hklm\sam <file>`, which exports the SAM hive for offline hash extraction.
DeviceProcessEvents
| where FileName =~ 'reg.exe'                              // case-insensitive equality on the image name
| where ProcessCommandLine has_all('save','hklm','sam')    // all three whole terms, any order, case-insensitive
| project DeviceId, Timestamp, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine
This query searches process-creation events for executions of reg.exe (the `=~` comparison is case-insensitive) whose command line contains all three whole terms "save", "hklm" and "sam", in any order. That is the shape of `reg save hklm\sam <file>`: exporting the Security Account Manager hive so the local account password hashes can be extracted offline. It then projects the device, timestamp, initiating (parent) process, process ID, file name and command line, which is what you need to pivot on the parent and on neighbouring commands from the same session. Two points matter when triaging or tuning it. The SAM hive is encrypted with a boot key stored in the SYSTEM hive, so an attacker who saves SAM almost always saves HKLM\SYSTEM (and often HKLM\SECURITY) from the same parent within seconds; hunting for those alongside confirms intent. And because `has_all` matches whole terms, the long-form `HKEY_LOCAL_MACHINE\SAM` spelling that reg.exe also accepts is not matched, nor is a renamed copy of reg.exe, so treat a hit as high-confidence and a miss as non-exhaustive.
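To make the filter semantics concrete, here is an added Python rendering of the query's logic run over constructed DeviceProcessEvents rows. This is example code, not part of the page or of Rod Trent's library; the sample rows are made up, and the term tokenizer is an approximation of Kusto's `has` behaviour (runs of alphanumerics, case-insensitive), which is an assumption. It shows which rows the query returns, why the `HKEY_LOCAL_MACHINE\SAM` long form and the SYSTEM hive save are missed, and why whole-term matching (`has_all`) avoids a false positive that substring matching (`contains`) would produce.

```python
import re

# Constructed sample rows in the shape of Defender for Endpoint DeviceProcessEvents.
# Only the columns the query projects are populated; all values are made up.
SAMPLE_EVENTS = [
    # 1. Classic SAM dump from a cmd.exe shell: should match.
    {"DeviceId": "dev-01", "Timestamp": "2021-08-12T10:01:00Z",
     "InitiatingProcessId": 4120, "InitiatingProcessFileName": "cmd.exe",
     "ProcessId": 5010, "FileName": "reg.exe",
     "ProcessCommandLine": r"reg  save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    # 2. SYSTEM hive saved a second later (needed to decrypt SAM): not matched by this query.
    {"DeviceId": "dev-01", "Timestamp": "2021-08-12T10:01:01Z",
     "InitiatingProcessId": 4120, "InitiatingProcessFileName": "cmd.exe",
     "ProcessId": 5011, "FileName": "reg.exe",
     "ProcessCommandLine": r"reg  save HKLM\SYSTEM C:\Windows\Temp\system.hiv"},
    # 3. Mixed case and quoting: =~ and has_all are case-insensitive, so it should match.
    {"DeviceId": "dev-02", "Timestamp": "2021-08-12T11:30:00Z",
     "InitiatingProcessId": 7000, "InitiatingProcessFileName": "powershell.exe",
     "ProcessId": 7102, "FileName": "REG.EXE",
     "ProcessCommandLine": r'"REG.EXE" SAVE hklm\sam .\out.hiv /y'},
    # 4. Long-form hive name: reg.exe accepts it, but the term 'hklm' never appears, so it is missed.
    {"DeviceId": "dev-03", "Timestamp": "2021-08-12T12:00:00Z",
     "InitiatingProcessId": 800, "InitiatingProcessFileName": "cmd.exe",
     "ProcessId": 810, "FileName": "reg.exe",
     "ProcessCommandLine": r"reg save HKEY_LOCAL_MACHINE\SAM C:\sam.hiv"},
    # 5. Benign backup of an unrelated key: 'Samantha' is a different term from 'sam'.
    {"DeviceId": "dev-04", "Timestamp": "2021-08-12T13:00:00Z",
     "InitiatingProcessId": 900, "InitiatingProcessFileName": "explorer.exe",
     "ProcessId": 910, "FileName": "reg.exe",
     "ProcessCommandLine": r"reg save HKLM\SOFTWARE\Samantha C:\Temp\backup.hiv"},
    # 6. Right words, wrong image: the FileName filter excludes it.
    {"DeviceId": "dev-05", "Timestamp": "2021-08-12T14:00:00Z",
     "InitiatingProcessId": 1000, "InitiatingProcessFileName": "cmd.exe",
     "ProcessId": 1010, "FileName": "notepad.exe",
     "ProcessCommandLine": r"notepad.exe save hklm sam"},
]

TERM_RE = re.compile(r"[A-Za-z0-9]+")


def kql_terms(text: str) -> set[str]:
    """Approximate KQL term extraction: runs of alphanumeric characters,
    lower-cased because `has` compares case-insensitively. Assumption: this
    ignores Kusto's finer points (e.g. how underscores are tokenized)."""
    return {t.lower() for t in TERM_RE.findall(text)}


def has_all(text: str, *values: str) -> bool:
    """Stand-in for KQL `has_all`: every value must be a whole term in text."""
    terms = kql_terms(text)
    return all(v.lower() in terms for v in values)


def contains_all(text: str, *values: str) -> bool:
    """Substring version (what a `contains`-based query would do), for comparison."""
    lowered = text.lower()
    return all(v.lower() in lowered for v in values)


PROJECTED = ("DeviceId", "Timestamp", "InitiatingProcessId",
             "InitiatingProcessFileName", "ProcessId", "FileName",
             "ProcessCommandLine")


def sam_hive_save_query(events):
    """Python rendering of the page's KQL:
    where FileName =~ 'reg.exe' | where ProcessCommandLine has_all('save','hklm','sam') | project ..."""
    return [
        {col: e[col] for col in PROJECTED}
        for e in events
        if e["FileName"].lower() == "reg.exe"              # =~ : case-insensitive equality
        and has_all(e["ProcessCommandLine"], "save", "hklm", "sam")
    ]


if __name__ == "__main__":
    for row in sam_hive_save_query(SAMPLE_EVENTS):
        print(row["Timestamp"], row["DeviceId"], row["ProcessCommandLine"])
```

Run against the six constructed rows, only rows 1 and 3 come back (dev-01 and dev-02). Row 2 shows why a SYSTEM-hive save from the same parent process is worth correlating with any hit, row 4 is the long-form hive name the term match does not cover, and row 5 would have been a false positive under substring matching but is correctly excluded by whole-term matching.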

Rod Trent
Released: August 12, 2021