Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Assuming that you have a machine that is properly BitLocker'ed, then the machine will need to be running to extract the SAM and SYSTEM files. This first query looks for any access to the HKLM that happens via a command or script that is not executed by system. The second query looks for usage of reg or regedit by anyone who is not system.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | ab0afd3c-47fc-4a82-83ad-5c92528bdf08 |
| Tactics | Privilege escalation, Exploit |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
DeviceProcessEvents |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊