Apply automatic changes

wikijm · Jan 13, 2025 · 481cf28 · 481cf28
1 parent 37493c1
commit 481cf28
Show file tree

Hide file tree

Showing 558 changed files with 558 additions and 558 deletions.
diff --git a/... Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md b/... Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\addinutil.exe" and (not (tgt.process.image.path contains ":\Windows\System32\conhost.exe" or tgt.process.image.path contains ":\Windows\System32\werfault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\werfault.exe"))))
 ```
 

diff --git a/...Q - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md b/...Q - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\appvlp.exe" and (not (tgt.process.image.path contains ":\Windows\SysWOW64\rundll32.exe" or tgt.process.image.path contains ":\Windows\System32\rundll32.exe")) and (not ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\msoasb.exe") or ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\SkypeSrv\") and tgt.process.image.path contains "\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\MSOUC.EXE")))))
 ```
 

diff --git a/...ne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md b/...ne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe"))
 ```
 

diff --git a/...indows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md b/...indows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\aspnet_compiler.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\notepad.exe") or (tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\AppData\Local\Roaming\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\"))))
 ```
 

diff --git a/...e_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md b/...e_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe" and (tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Local\Roaming\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains ":\Windows\System32\Tasks\" or tgt.process.cmdline contains ":\Windows\Tasks\")))
 ```
 

diff --git a/...One_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md b/...One_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\at.exe" and tgt.process.cmdline contains "interactive"))
 ```
 

diff --git a/... - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md b/... - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none"))
 ```
 

diff --git a/...- Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md b/...- Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\" or tgt.process.image.path contains "\AppData\Roaming\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\PerfLogs\"))))
 ```
 

diff --git a/...Q - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md b/...Q - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe"))
 ```
 

diff --git a/...lOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md b/...lOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\BitLockerToGo.exe")
 ```
 

diff --git a/...dows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md b/...dows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--remote-debugging-" and tgt.process.cmdline contains "--user-data-dir" and tgt.process.cmdline contains "--headless"))
 ```
 

diff --git a/...- Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md b/...- Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless"))
 ```
 

diff --git a/... Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md b/... Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and (tgt.process.cmdline contains "--headless" and tgt.process.cmdline contains "dump-dom" and tgt.process.cmdline contains "http")))
 ```
 

diff --git a/... Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md b/... Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension="))
 ```
 

diff --git a/...- Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md b/...- Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless" and (tgt.process.cmdline contains "://run.mocky" or tgt.process.cmdline contains "://mockbin")))
 ```
 

diff --git a/...ows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md b/...ows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\wscript.exe") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension="))
 ```
 

diff --git a/...Q - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md b/...Q - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http" and (tgt.process.cmdline contains ".7z" or tgt.process.cmdline contains ".dat" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".ps1" or tgt.process.cmdline contains ".psm1" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".zip")))
 ```
 

diff --git a/...ne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md b/...ne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --remote-debugging-" or (tgt.process.image.path contains "\firefox.exe" and tgt.process.cmdline contains " -start-debugger-server")))
 ```
 

diff --git a/...elOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md b/...elOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tor.exe" or tgt.process.image.path contains "\Tor Browser\Browser\firefox.exe"))
 ```
 

diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\calc.exe " or (tgt.process.image.path contains "\calc.exe" and (not (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\" or tgt.process.image.path contains ":\Windows\WinSxS\")))))
 ```
 

diff --git a/...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md b/...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\cmd.exe" and (src.process.cmdline contains " -c " or src.process.cmdline contains " /c " or src.process.cmdline contains " –c " or src.process.cmdline contains " —c " or src.process.cmdline contains " ―c " or src.process.cmdline contains " -r " or src.process.cmdline contains " /r " or src.process.cmdline contains " –r " or src.process.cmdline contains " —r " or src.process.cmdline contains " ―r " or src.process.cmdline contains " -k " or src.process.cmdline contains " /k " or src.process.cmdline contains " –k " or src.process.cmdline contains " —k " or src.process.cmdline contains " ―k ") and tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains "chcp" or tgt.process.cmdline contains "chcp " or tgt.process.cmdline contains "chcp  ")))
 ```
 

diff --git a/...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md b/...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains " 936" or tgt.process.cmdline contains " 1258"))) | columns src.process.cmdline
 ```
 

diff --git a/... - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md b/... - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cloudflared.exe" and (not (tgt.process.image.path contains ":\Program Files (x86)\cloudflared\" or tgt.process.image.path contains ":\Program Files\cloudflared\"))))
 ```
 

diff --git a/...e_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md b/...e_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains "cleanup ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-connector-id ")))
 ```
 

diff --git a/...elOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md b/...elOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains " run ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-credentials-contents " or tgt.process.cmdline contains "-credentials-file " or tgt.process.cmdline contains "-token ")))
 ```
 

diff --git a/...PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md b/...PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " –c " or tgt.process.cmdline contains " —c " or tgt.process.cmdline contains " ―c ") and (tgt.process.cmdline contains "curl " and tgt.process.cmdline contains "http" and tgt.process.cmdline contains "-o" and tgt.process.cmdline contains "&")))
 ```
 

diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "^^" or tgt.process.cmdline contains "^|^" or tgt.process.cmdline contains ",;," or tgt.process.cmdline contains ";;;;" or tgt.process.cmdline contains ";; ;;" or tgt.process.cmdline contains "(,(," or tgt.process.cmdline contains "%COMSPEC:~" or tgt.process.cmdline contains " c^m^d" or tgt.process.cmdline contains "^c^m^d" or tgt.process.cmdline contains " c^md" or tgt.process.cmdline contains " cm^d" or tgt.process.cmdline contains "^cm^d" or tgt.process.cmdline contains " s^et " or tgt.process.cmdline contains " s^e^t " or tgt.process.cmdline contains " se^t "))
 ```
 

diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "://" and tgt.process.cmdline contains "%AppData%"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 

diff --git a/...s Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md b/...s Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "mklink" and tgt.process.cmdline contains "HarddiskVolumeShadowCopy"))
 ```
 

diff --git a/...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md b/...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "cmd.exe/c" or tgt.process.cmdline contains "\cmd/c" or tgt.process.cmdline contains "\"cmd/c" or tgt.process.cmdline contains "cmd.exe/k" or tgt.process.cmdline contains "\cmd/k" or tgt.process.cmdline contains "\"cmd/k" or tgt.process.cmdline contains "cmd.exe/r" or tgt.process.cmdline contains "\cmd/r" or tgt.process.cmdline contains "\"cmd/r") or (tgt.process.cmdline contains "/cwhoami" or tgt.process.cmdline contains "/cpowershell" or tgt.process.cmdline contains "/cschtasks" or tgt.process.cmdline contains "/cbitsadmin" or tgt.process.cmdline contains "/ccertutil" or tgt.process.cmdline contains "/kwhoami" or tgt.process.cmdline contains "/kpowershell" or tgt.process.cmdline contains "/kschtasks" or tgt.process.cmdline contains "/kbitsadmin" or tgt.process.cmdline contains "/kcertutil") or (tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /r")) and (not ((tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /r ") or (tgt.process.cmdline contains "AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules" or tgt.process.cmdline contains "cmd.exe/c ." or tgt.process.cmdline="cmd.exe /c")))))
 ```
 

diff --git a/...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md b/...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "type %windir%\system32\ntdll.dll" or tgt.process.cmdline contains "type %systemroot%\system32\ntdll.dll" or tgt.process.cmdline contains "type c:\windows\system32\ntdll.dll" or tgt.process.cmdline contains "\ntdll.dll > \\.\pipe\"))
 ```
 

diff --git a/...- Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md b/...- Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2025 01:26:51):
+// Translated content (automatically translated on 13-01-2025 01:23:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ") and tgt.process.cmdline contains "Nul" and (tgt.process.cmdline contains " -f " or tgt.process.cmdline contains " /f " or tgt.process.cmdline contains " –f " or tgt.process.cmdline contains " —f " or tgt.process.cmdline contains " ―f " or tgt.process.cmdline contains " -q " or tgt.process.cmdline contains " /q " or tgt.process.cmdline contains " –q " or tgt.process.cmdline contains " —q " or tgt.process.cmdline contains " ―q ") and (tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "del ")))
 ```