Attempted Credential Dump From Registry Via Reg.exe
This search looks for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline,
This content is not mapped to any local saved search. Add mapping
Attempted Credential Dump From Registry Via Reg.exe Help
This search looks for the process reg.exe with the "save" parameter, which specifies a binary export from the registry. In addition, it looks for the keys that contain the hashed credentials, which attackers may retrieve and use for brute-force attacks in order to harvest legitimate credentials.