Detecting RegPwn by Behavior, Not Binary
ID: 8650cb31-6712-5fee-98e3-712c0a9bbeb8
STIX ID: report--8650cb31-6712-5fee-98e3-712c0a9bbeb8
Feed Name: Detect FYI
This hunt report presents a Kusto detection that reconstructs a multi-stage exploit narrative abusing osk.exe and the Windows accessibility broker: it correlates non-standard osk.exe launches, SYSTEM-brokered execution via atbroker/winlogon, symbolic-link or per-session ATConfig registry activity, and writes to sensitive registry targets (service and Run keys) to identify persistence or privilege escalation. The query groups events by DeviceId, SessionId and time bucket, extracts process and registry artifacts, and produces a staged view of the observed activity, reducing reliance on fragile exact-match rules while preserving the attack story for effective hunting and alerting.
