T1174 Password Filter DLL #31
Description
The EQL query for "T1174 Password Filter DLL" shows
registry where hive.hklm and
registry_path == "SYSTEM\ControlSet\Control\Lsa\Notification Packages*"
| unique registry_path, process_path
the registry path should be "SYSTEM\*ControlSet*\Control\Lsa\Notification Packages" as the above condition does not allow to search for LSA "notification packages" from "currentcontrolset"
(thats * around ControlSet)
https://eqllib.readthedocs.io/en/latest/analytics/ae6ae50f-69f3-4e85-bfe2-2db9d1422517.html