KQL Search

Query Details

Sdclt UAC

Query

DeviceProcessEvents
| where (FileName ==@"sdclt.exe" or ProcessVersionInfoOriginalFileName == @"sdclt.exe")  and ProcessCommandLine contains "kickoffelev"

Explanation

This query is looking for events related to a specific process called "sdclt.exe" and checking if the process command line contains the term "kickoffelev".

Details

Ali Hussein

Released: September 19, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,FileName,ProcessVersionInfoOriginalFileName,ProcessCommandLine

Operators

whereor====andcontains

KQL Search

Sdclt UAC

Query

Explanation

Details

Actions