Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Assuming that you have a machine that is properly BitLocker'ed, then the machine will need to be running to extract the SAM and SYSTEM files. This first query looks for any access to the HKLM that happens via a command or script that is not executed by system. The second query looks for usage of reg or regedit by anyone who is not system.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | ab0afd3c-47fc-4a82-83ad-5c92528bdf08 |
| Tactics | Privilege escalation, Exploit |
| Required Connectors | MicrosoftThreatProtection |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Exploits/CVE-2021-36934%20usage%20detection.yaml) |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊