Update windows_sensitive_registry_hive_dump_via_commandline.yml

pyth0n1c · web-flow · commit b849dd201aae · 2025-06-02T13:30:46.000-07:00
Need extra backslash to escape registry path backslash in SPL
diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
@@ -20,8 +20,8 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where ((`process_reg` Processes.process
   IN ("*save*", "*export*")) OR (`process_regedit` Processes.process IN ("*/E *",
-  "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE\SAM*", "*HKEY_LOCAL_MACHINE\System*", 
-  "*HKEY_LOCAL_MACHINE\Security*", "*HKLM\SAM*", "*HKLM\System*", "*HKLM\Security*") 
+  "*-E *"))) AND Processes.process IN ("*HKEY_LOCAL_MACHINE\\SAM*", "*HKEY_LOCAL_MACHINE\\System*", 
+  "*HKEY_LOCAL_MACHINE\\Security*", "*HKLM\\SAM*", "*HKLM\\System*", "*HKLM\\Security*") 
   by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
