Query Details

Secretsdump Execution

Query

DeviceImageLoadEvents
| where InitiatingProcessFileName contains "svchost.exe" and FileName contains "regsvc.dll"
| where InitiatingProcessCommandLine != @"svchost.exe -k LocalService"

Explanation

This KQL (Kusto Query Language) query is searching through the DeviceImageLoadEvents table for specific events. Here's a simple summary:

  1. It looks for events where the initiating process's file name contains "svchost.exe".
  2. It also checks that the file name involved in the event contains "regsvc.dll".
  3. Additionally, it filters out any events where the command line used to start the initiating process is exactly "svchost.exe -k LocalService".

In essence, the query is identifying instances where "svchost.exe" is involved in loading "regsvc.dll", but not when "svchost.exe" is running with the command line "svchost.exe -k LocalService".
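As an added example (not part of this page's query or the author's work), the following Python models the query's filter logic and runs it over constructed DeviceImageLoadEvents rows. It shows that KQL `contains` is case-insensitive, while the `!=` exclusion is an exact, case-sensitive comparison, so only the literal command line named in the query is dropped.

```python
# Added example: Python model of the KQL filter on this page, run over
# constructed DeviceImageLoadEvents rows (not real telemetry).
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoadEvent:
    device_name: str
    initiating_process_file_name: str
    initiating_process_command_line: str
    file_name: str


def kql_contains(haystack: str, needle: str) -> bool:
    """Emulates KQL `contains`: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def matches_secretsdump_query(ev: ImageLoadEvent) -> bool:
    """True when the row survives both `where` stages of the query."""
    # Stage 1: svchost.exe loading regsvc.dll (case-insensitive substring).
    if not (kql_contains(ev.initiating_process_file_name, "svchost.exe")
            and kql_contains(ev.file_name, "regsvc.dll")):
        return False
    # Stage 2: exact, case-sensitive exclusion of the expected service host.
    return ev.initiating_process_command_line != "svchost.exe -k LocalService"


def run_query(events):
    """Returns the device names of rows the query would surface."""
    return [ev.device_name for ev in events if matches_secretsdump_query(ev)]


# Constructed sample rows; device names are placeholders.
SAMPLE_EVENTS = [
    # Expected host for the Remote Registry service: excluded by stage 2.
    ImageLoadEvent("ws01", "svchost.exe", "svchost.exe -k LocalService", "regsvc.dll"),
    # Different service group loading regsvc.dll: surfaced.
    ImageLoadEvent("ws02", "svchost.exe", "svchost.exe -k netsvcs -p", "regsvc.dll"),
    # Upper-case names still match because `contains` ignores case.
    ImageLoadEvent("ws03", "SVCHOST.EXE", "svchost.exe -k NetworkService", "REGSVC.DLL"),
    # Case variant of the excluded command line is NOT excluded by `!=`.
    ImageLoadEvent("ws04", "svchost.exe", "svchost.exe -k localservice", "regsvc.dll"),
    # Loader is not svchost.exe: never reaches stage 2.
    ImageLoadEvent("ws05", "explorer.exe", "explorer.exe", "regsvc.dll"),
]

if __name__ == "__main__":
    print(run_query(SAMPLE_EVENTS))  # prints ['ws02', 'ws03', 'ws04']
```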

Details

Ali Hussein

Released: March 20, 2024

Tables

DeviceImageLoadEvents

Keywords

DeviceImageLoadEvents

Operators

contains, !=