Credential Access

ProcDump

Description: Identify systems on which the ProcDump EULA has been accepted. Sysinternals tools record acceptance under the accepting user's HKEY_USERS hive, so the key's modification time shows when that user first ran ProcDump. Read more about the technique here.

  • mtime = Time that EULA was accepted

Author: @eric_capuano

Query:

SELECT datetime(mtime, 'unixepoch', 'localtime') AS EULA_accepted, path
FROM registry
WHERE path LIKE 'HKEY_USERS\%\Software\Sysinternals\ProcDump\EulaAccepted';
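The following is an added example, not part of the original query page: it loads a few constructed rows shaped like osquery's registry table (path, name, type, data, mtime) into an in-memory SQLite database and runs the query above against them, so the wildcard match on the per-user SID segment and the epoch-to-datetime conversion can be checked offline. The sample SIDs, timestamps and the user_sid_from_path helper are assumptions for illustration; no real host data is involved.

```python
import sqlite3

# Constructed rows imitating osquery's `registry` table. The SIDs and
# mtimes are made up for the example; the only ProcDump EulaAccepted keys
# belong to the users with RIDs 1001 and 1002.
SAMPLE_REGISTRY_ROWS = [
    # (path, name, type, data, mtime)
    (r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\ProcDump\EulaAccepted",
     "EulaAccepted", "REG_DWORD", "1", 1700000000),
    (r"HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Sysinternals\PsExec\EulaAccepted",
     "EulaAccepted", "REG_DWORD", "1", 1700000100),   # different tool, must not match
    (r"HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Sysinternals\ProcDump\EulaAccepted",
     "EulaAccepted", "REG_DWORD", "1", 1700000200),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Run", "REG_SZ", "", 1600000000),                # unrelated key, must not match
]


def build_registry_db(rows):
    """Create an in-memory SQLite table with the columns the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registry (path TEXT, name TEXT, type TEXT, data TEXT, mtime INTEGER)"
    )
    conn.executemany("INSERT INTO registry VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_procdump_eula_acceptances(conn, localtime=True):
    """Run the page's query; localtime=False keeps the timestamp in UTC so
    results are reproducible regardless of the machine's timezone."""
    modifiers = "'unixepoch', 'localtime'" if localtime else "'unixepoch'"
    # Raw string so the backslashes reach SQLite untouched. In SQL LIKE, '%'
    # matches any run of characters, so it spans the SID segment of the path.
    sql = rf"""
        SELECT datetime(mtime, {modifiers}) AS EULA_accepted, path
        FROM registry
        WHERE path LIKE 'HKEY_USERS\%\Software\Sysinternals\ProcDump\EulaAccepted'
        ORDER BY mtime;
    """
    return conn.execute(sql).fetchall()


def user_sid_from_path(path):
    """Hypothetical helper: pull the SID out of HKEY_USERS\\<SID>\\... so the
    finding can be attributed to a user account."""
    parts = path.split("\\")
    if len(parts) < 2 or parts[0] != "HKEY_USERS":
        raise ValueError(f"not an HKEY_USERS path: {path}")
    return parts[1]


if __name__ == "__main__":
    db = build_registry_db(SAMPLE_REGISTRY_ROWS)
    for accepted_at, path in find_procdump_eula_acceptances(db):
        print(f"{accepted_at}  {user_sid_from_path(path)}  {path}")
```

On a real host the same SQL is issued to osqueryi or distributed through a fleet manager; the in-memory table only stands in for the registry table so the matching behaviour can be exercised without Windows.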