Forum Discussion

zlate81's avatar
zlate81
Copper Contributor
Jul 09, 2025

MDE not detecting regsecrets.py from impacket-toolkit

In a recent red-team engagement we got exposed to the regsecrets.py toolkit which made it possible to extract SAM hive without any detection from the MDE. I have tried to use advanced hunting to see...
zlate81's avatar
zlate81
Copper Contributor
Jul 10, 2025

Why is Microsoft not making this kind of data available in the advanced hunting ?

I have marked a few things i can see in the device timeline but I'm not able to find it in the advanced hunting logs:

 

In the table DeviceRegistryEvents there are only  the ActionTypes:

  • RegistryKeyDeleted
  • RegistryKeyCreated
  • RegistryValueSet
  • RegistryValueDeleted

Hope someone can shed some light on this.

defensiveorigins's avatar
defensiveorigins
Copper Contributor
Aug 19, 2025

This is a tough one to catch, to be sure (red teamer here). However, depending on your log stack, ingestion configuration, etc, my first advice is make sure you are collecting process invocation (4688) events. This tool also uses the RemoteRegistry service to perform its operations over SMB/445 - so there might be some additional opportunities there. While this is not a perfect detection mechanism, it should get you moving in the right direction. 

Sentinel KQL I use for this detect:
SecurityEvent
| where EventID == 4688
| where CommandLine contains "RemoteRegistry"
| project TimeGenerated , Computer , ParentProcessName , CommandLine

Resources