Registry Credential Theft
Query
//Credential theft from registry. Defender for Endpoint connected to Sentinel.
DeviceProcessEvents
| where FileName =~ 'reg.exe'
| where ProcessCommandLine has_all('save','hklm','sam')
| project DeviceId, Timestamp, InitiatingProcessId, InitiatingProcessFileName, ProcessId, FileName, ProcessCommandLineExplanation
This query is searching for instances where the "reg.exe" file is used and the process command line contains the words "save", "hklm", and "sam". It then selects specific information about the device, timestamp, initiating process, process ID, file name, and process command line.
Details

Rod Trent
Released: August 12, 2021
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsFileNameProcessCommandLine
Operators
where=~has_allproject