auto-generated queries from markdown notes

queries/windows/lsa_secrets.yml

@@ -0,0 +1,15 @@
+title: T1003.004 LSA Secrets
+description: For simplicity, we're detecting a Cmdline used for both psexec (the test)
+  as well as direct reg.exe LSA extraction.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Credential Access
+   technique: T1003
+   subtechnique: 004
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"
+false_positives: null
+tags: null
+