Update windows_sensitive_registry_hive_dump_via_commandline.yml

Author: nasbench

detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml

@@ -1,7 +1,7 @@
 name: Windows Sensitive Registry Hive Dump Via CommandLine
 id: 5aaff29d-0cce-405b-9ee8-5d06b49d045e
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2025-06-02'
 author: Michael Haag, Patrick Bareiss, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -20,8 +20,9 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where ((`process_reg` Processes.process
   IN ("*save*", "*export*")) OR (`process_regedit` Processes.process IN ("*/E *",
-  "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE*", "*HKLM*") AND Processes.process
-  IN ("*SAM*", "*System*", "*Security*") by Processes.action Processes.dest Processes.original_file_name
+  "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE\SAM*", "*HKEY_LOCAL_MACHINE\System*", 
+  "*HKEY_LOCAL_MACHINE\Security*", "*HKLM\SAM*", "*HKLM\System*", "*HKLM\Security*") 
+  by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash