From 6fe0f3f2456c2355b9cca6d1ddae1dfe167e82be Mon Sep 17 00:00:00 2001 
From: wikijm Date: Sat, 4 Jan 2025 01:18:25 +0000 Subject: [PATCH] Apply automatic changes --- .../proc_creation_win_addinutil_uncommon_child_process.md | 2 +- .../proc_creation_win_appvlp_uncommon_child_process.md | 2 +- .../proc_creation_win_aspnet_compiler_exectuion.md | 2 +- .../proc_creation_win_aspnet_compiler_susp_child_process.md | 2 +- .../proc_creation_win_aspnet_compiler_susp_paths.md | 2 +- .../proc_creation_win_at_interactive_execution.md | 2 +- .../proc_creation_win_auditpol_nt_resource_kit_usage.md | 2 +- .../proc_creation_win_bginfo_suspicious_child_process.md | 2 +- .../proc_creation_win_bginfo_uncommon_child_process.md | 2 +- .../proc_creation_win_bitlockertogo_execution.md | 2 +- .../proc_creation_win_browsers_chromium_headless_debugging.md | 2 +- .../proc_creation_win_browsers_chromium_headless_exec.md | 2 +- ...roc_creation_win_browsers_chromium_headless_file_download.md | 2 +- .../proc_creation_win_browsers_chromium_load_extension.md | 2 +- .../proc_creation_win_browsers_chromium_mockbin_abuse.md | 2 +- .../proc_creation_win_browsers_chromium_susp_load_extension.md | 2 +- .../proc_creation_win_browsers_inline_file_download.md | 2 +- .../proc_creation_win_browsers_remote_debugging.md | 2 +- .../proc_creation_win_browsers_tor_execution.md | 2 +- .../proc_creation_win_calc_uncommon_exec.md | 2 +- .../proc_creation_win_chcp_codepage_lookup.md | 2 +- .../proc_creation_win_chcp_codepage_switch.md | 2 +- .../proc_creation_win_cloudflared_portable_execution.md | 2 +- .../proc_creation_win_cloudflared_tunnel_cleanup.md | 2 +- .../proc_creation_win_cloudflared_tunnel_run.md | 2 +- .../proc_creation_win_cmd_curl_download_exec_combo.md | 2 +- .../proc_creation_win_cmd_dosfuscation.md | 2 +- .../proc_creation_win_cmd_http_appdata.md | 2 +- ...proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md | 2 +- .../proc_creation_win_cmd_no_space_execution.md | 2 +- .../proc_creation_win_cmd_ntdllpipe_redirect.md | 2 +- 
.../proc_creation_win_cmd_ping_del_combined_execution.md | 2 +- .../proc_creation_win_cmd_shadowcopy_access.md | 2 +- .../proc_creation_win_cmd_sticky_key_like_backdoor_execution.md | 2 +- .../proc_creation_win_cmd_sticky_keys_replace.md | 2 +- .../proc_creation_win_cmd_type_arbitrary_file_download.md | 2 +- .../proc_creation_win_cmd_unusual_parent.md | 2 +- .../proc_creation_win_cmstp_execution_by_creation.md | 2 +- .../proc_creation_win_conhost_legacy_option.md | 2 +- .../proc_creation_win_conhost_path_traversal.md | 2 +- .../proc_creation_win_conhost_uncommon_parent.md | 2 +- .../proc_creation_win_csc_susp_dynamic_compilation.md | 2 +- .../proc_creation_win_curl_susp_download.md | 2 +- .../proc_creation_win_defaultpack_uncommon_child_process.md | 2 +- .../proc_creation_win_desktopimgdownldr_remote_file_download.md | 2 +- .../proc_creation_win_desktopimgdownldr_susp_execution.md | 2 +- .../proc_creation_win_devinit_lolbin_usage.md | 2 +- .../proc_creation_win_dfsvc_suspicious_child_processes.md | 2 +- .../proc_creation_win_diskshadow_child_process_susp.md | 2 +- .../proc_creation_win_dism_remove.md | 2 +- .../proc_creation_win_dll_sideload_vmware_xfer.md | 2 +- .../proc_creation_win_dllhost_no_cli_execution.md | 2 +- .../proc_creation_win_dns_exfiltration_tools_execution.md | 2 +- .../proc_creation_win_dns_susp_child_process.md | 2 +- .../proc_creation_win_dnscmd_discovery.md | 2 +- ...c_creation_win_dnscmd_install_new_server_level_plugin_dll.md | 2 +- .../proc_creation_win_dnx_execute_csharp_code.md | 2 +- .../proc_creation_win_dtrace_kernel_dump.md | 2 +- .../proc_creation_win_esentutl_params.md | 2 +- .../proc_creation_win_eventvwr_susp_child_process.md | 2 +- .../proc_creation_win_expand_cabinet_files.md | 2 +- .../proc_creation_win_explorer_break_process_tree.md | 2 +- ...oc_creation_win_explorer_folder_shortcut_via_shell_binary.md | 2 +- .../proc_creation_win_explorer_nouaccheck.md | 2 +- .../proc_creation_win_findstr_recon_pipe_output.md | 2 +- 
.../proc_creation_win_forfiles_child_process_masquerading.md | 2 +- .../proc_creation_win_format_uncommon_filesystem_load.md | 2 +- ...c_creation_win_gfxdownloadwrapper_arbitrary_file_download.md | 2 +- .../proc_creation_win_googleupdate_susp_child_process.md | 2 +- .../proc_creation_win_gpg4win_decryption.md | 2 +- .../proc_creation_win_gpg4win_encryption.md | 2 +- .../proc_creation_win_gpg4win_susp_location.md | 2 +- .../proc_creation_win_gpresult_execution.md | 2 +- .../proc_creation_win_gup_arbitrary_binary_execution.md | 2 +- .../proc_creation_win_gup_suspicious_execution.md | 2 +- .../proc_creation_win_hh_html_help_susp_child_process.md | 2 +- .../proc_creation_win_hktl_adcspwn.md | 2 +- .../proc_creation_win_hktl_bloodhound_sharphound.md | 2 +- .../proc_creation_win_hktl_c3_rundll32_pattern.md | 2 +- .../proc_creation_win_hktl_cobaltstrike_process_patterns.md | 2 +- .../proc_creation_win_hktl_covenant.md | 2 +- .../proc_creation_win_hktl_crackmapexec_execution.md | 2 +- .../proc_creation_win_hktl_crackmapexec_execution_patterns.md | 2 +- .../proc_creation_win_hktl_crackmapexec_patterns.md | 2 +- .../proc_creation_win_hktl_dinjector.md | 2 +- .../proc_creation_win_hktl_empire_powershell_launch.md | 2 +- .../proc_creation_win_hktl_empire_powershell_uac_bypass.md | 2 +- .../proc_creation_win_hktl_evil_winrm.md | 2 +- .../proc_creation_win_hktl_execution_via_pe_metadata.md | 2 +- .../proc_creation_win_hktl_hashcat.md | 2 +- .../proc_creation_win_hktl_htran_or_natbypass.md | 2 +- .../proc_creation_win_hktl_hydra.md | 2 +- .../proc_creation_win_hktl_impacket_lateral_movement.md | 2 +- .../proc_creation_win_hktl_impacket_tools.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_clip.md | 2 +- ...on_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_stdin.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_var.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_compress.md | 2 +- 
.../proc_creation_win_hktl_invoke_obfuscation_via_stdin.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_var.md | 2 +- .../proc_creation_win_hktl_jlaive_batch_execution.md | 2 +- .../proc_creation_win_hktl_lazagne.md | 2 +- .../proc_creation_win_hktl_meterpreter_getsystem.md | 2 +- .../proc_creation_win_hktl_mimikatz_command_line.md | 2 +- ...roc_creation_win_hktl_powersploit_empire_default_schtasks.md | 2 +- .../proc_creation_win_hktl_pypykatz.md | 2 +- .../proc_creation_win_hktl_quarks_pwdump.md | 2 +- .../proc_creation_win_hktl_redmimicry_winnti_playbook.md | 2 +- .../proc_creation_win_hktl_relay_attacks_tools.md | 2 +- .../proc_creation_win_hktl_sharp_chisel.md | 2 +- .../proc_creation_win_hktl_sharpersist.md | 2 +- .../proc_creation_win_hktl_sharpevtmute.md | 2 +- .../proc_creation_win_hktl_sharpup.md | 2 +- .../proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md | 2 +- .../proc_creation_win_hktl_silenttrinity_stager.md | 2 +- .../proc_creation_win_hktl_sliver_c2_execution_pattern.md | 2 +- .../proc_creation_win_hktl_soaphound_execution.md | 2 +- .../proc_creation_win_hktl_winpwn.md | 2 +- .../proc_creation_win_hktl_wmiexec_default_powershell.md | 2 +- .../proc_creation_win_hktl_xordump.md | 2 +- .../proc_creation_win_hktl_zipexec.md | 2 +- .../proc_creation_win_hostname_execution.md | 2 +- .../proc_creation_win_hwp_exploits.md | 2 +- .../proc_creation_win_hxtsr_masquerading.md | 2 +- .../proc_creation_win_iis_susp_module_registration.md | 2 +- .../proc_creation_win_imagingdevices_unusual_parents.md | 2 +- .../proc_creation_win_infdefaultinstall_execute_sct_scripts.md | 2 +- .../proc_creation_win_instalutil_no_log_execution.md | 2 +- .../proc_creation_win_java_keytool_susp_child_process.md | 2 +- .../proc_creation_win_java_manageengine_susp_child_process.md | 2 +- 
.../proc_creation_win_java_remote_debugging.md | 2 +- .../proc_creation_win_java_susp_child_process.md | 2 +- .../proc_creation_win_java_susp_child_process_2.md | 2 +- .../proc_creation_win_java_sysaidserver_susp_child_process.md | 2 +- .../proc_creation_win_kavremover_uncommon_execution.md | 2 +- .../proc_creation_win_link_uncommon_parent_process.md | 2 +- .../proc_creation_win_lolbin_customshellhost.md | 2 +- .../proc_creation_win_lolbin_device_credential_deployment.md | 2 +- .../proc_creation_win_lolbin_devtoolslauncher.md | 2 +- .../proc_creation_win_lolbin_diantz_ads.md | 2 +- .../proc_creation_win_lolbin_diantz_remote_cab.md | 2 +- .../proc_creation_win_lolbin_extrac32_ads.md | 2 +- .../proc_creation_win_lolbin_launch_vsdevshell.md | 2 +- .../proc_creation_win_lolbin_mavinject_process_injection.md | 2 +- .../proc_creation_win_lolbin_msdeploy.md | 2 +- .../proc_creation_win_lolbin_msdt_answer_file.md | 2 +- .../proc_creation_win_lolbin_openwith.md | 2 +- .../proc_creation_win_lolbin_pcalua.md | 2 +- .../proc_creation_win_lolbin_pcwrun.md | 2 +- .../proc_creation_win_lolbin_pcwrun_follina.md | 2 +- .../proc_creation_win_lolbin_pester.md | 2 +- .../proc_creation_win_lolbin_pester_1.md | 2 +- .../proc_creation_win_lolbin_printbrm.md | 2 +- .../proc_creation_win_lolbin_pubprn.md | 2 +- .../proc_creation_win_lolbin_register_app.md | 2 +- .../proc_creation_win_lolbin_replace.md | 2 +- .../proc_creation_win_lolbin_runexehelper.md | 2 +- .../proc_creation_win_lolbin_runscripthelper.md | 2 +- .../proc_creation_win_lolbin_settingsynchost.md | 2 +- .../proc_creation_win_lolbin_sftp.md | 2 +- ...proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md | 2 +- .../proc_creation_win_lolbin_susp_grpconv.md | 2 +- .../proc_creation_win_lolbin_susp_sqldumper_activity.md | 2 +- ...ation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md | 2 +- .../proc_creation_win_lolbin_tracker.md | 2 +- .../proc_creation_win_lolbin_tttracer_mod_load.md | 2 +- 
.../proc_creation_win_lolbin_utilityfunctions.md | 2 +- .../proc_creation_win_lolbin_visual_basic_compiler.md | 2 +- .../proc_creation_win_lsass_process_clone.md | 2 +- .../proc_creation_win_mftrace_child_process.md | 2 +- .../proc_creation_win_mmc_mmc20_lateral_movement.md | 2 +- .../proc_creation_win_mmc_susp_child_process.md | 2 +- .../proc_creation_win_mpcmdrun_dll_sideload_defender.md | 2 +- .../proc_creation_win_mshta_inline_vbscript.md | 2 +- .../proc_creation_win_mshta_lethalhta_technique.md | 2 +- .../proc_creation_win_mshta_susp_execution.md | 2 +- .../proc_creation_win_msiexec_embedding.md | 2 +- .../proc_creation_win_msiexec_execute_dll.md | 2 +- .../proc_creation_win_msiexec_web_install.md | 2 +- .../proc_creation_win_msra_process_injection.md | 2 +- .../proc_creation_win_mssql_susp_child_process.md | 2 +- .../proc_creation_win_mssql_veaam_susp_child_processes.md | 2 +- .../proc_creation_win_mstsc_rdp_hijack_shadowing.md | 2 +- .../proc_creation_win_msxsl_execution.md | 2 +- .../proc_creation_win_msxsl_remote_execution.md | 2 +- .../proc_creation_win_node_abuse.md | 2 +- .../proc_creation_win_node_adobe_creative_cloud_abuse.md | 2 +- .../proc_creation_win_nslookup_domain_discovery.md | 2 +- .../proc_creation_win_ntdsutil_usage.md | 2 +- .../proc_creation_win_odbcconf_uncommon_child_process.md | 2 +- ...roc_creation_win_office_onenote_embedded_script_execution.md | 2 +- ...eation_win_office_outlook_enable_unsafe_client_mail_rules.md | 2 +- .../proc_creation_win_office_outlook_execution_from_temp.md | 2 +- .../proc_creation_win_office_outlook_susp_child_processes.md | 2 +- ...c_creation_win_office_outlook_susp_child_processes_remote.md | 2 +- .../proc_creation_win_office_spawn_exe_from_users_directory.md | 2 +- .../proc_creation_win_pdqdeploy_runner_susp_children.md | 2 +- .../proc_creation_win_ping_hex_ip.md | 2 +- .../proc_creation_win_plink_port_forwarding.md | 2 +- .../proc_creation_win_plink_susp_tunneling.md | 2 +- 
.../proc_creation_win_powershell_amsi_init_failed_bypass.md | 2 +- .../proc_creation_win_powershell_amsi_null_bits_bypass.md | 2 +- .../proc_creation_win_powershell_audio_capture.md | 2 +- .../proc_creation_win_powershell_base64_encoded_obfusc.md | 2 +- .../proc_creation_win_powershell_base64_frombase64string.md | 2 +- .../proc_creation_win_powershell_base64_iex.md | 2 +- .../proc_creation_win_powershell_base64_mppreference.md | 2 +- ...c_creation_win_powershell_base64_reflection_assembly_load.md | 2 +- ...ion_win_powershell_base64_reflection_assembly_load_obfusc.md | 2 +- .../proc_creation_win_powershell_cl_invocation.md | 2 +- .../proc_creation_win_powershell_cl_loadassembly.md | 2 +- .../proc_creation_win_powershell_cl_mutexverifiers.md | 2 +- .../proc_creation_win_powershell_create_service.md | 2 +- .../proc_creation_win_powershell_decode_gzip.md | 2 +- .../proc_creation_win_powershell_defender_disable_feature.md | 2 +- .../proc_creation_win_powershell_defender_exclusion.md | 2 +- .../proc_creation_win_powershell_disable_ie_features.md | 2 +- .../proc_creation_win_powershell_downgrade_attack.md | 2 +- .../proc_creation_win_powershell_download_com_cradles.md | 2 +- .../proc_creation_win_powershell_download_cradle_obfuscated.md | 2 +- .../proc_creation_win_powershell_download_cradles.md | 2 +- .../proc_creation_win_powershell_download_dll.md | 2 +- .../proc_creation_win_powershell_download_iex.md | 2 +- .../proc_creation_win_powershell_dsinternals_cmdlets.md | 2 +- .../proc_creation_win_powershell_email_exfil.md | 2 +- ...ation_win_powershell_enable_susp_windows_optional_feature.md | 2 +- .../proc_creation_win_powershell_encode.md | 2 +- .../proc_creation_win_powershell_exec_data_file.md | 2 +- .../proc_creation_win_powershell_export_certificate.md | 2 +- .../proc_creation_win_powershell_frombase64string.md | 2 +- .../proc_creation_win_powershell_frombase64string_archive.md | 2 +- .../proc_creation_win_powershell_get_clipboard.md | 2 +- 
.../proc_creation_win_powershell_get_localgroup_member_recon.md | 2 +- .../proc_creation_win_powershell_getprocess_lsass.md | 2 +- .../proc_creation_win_powershell_iex_patterns.md | 2 +- .../proc_creation_win_powershell_import_cert_susp_locations.md | 2 +- .../proc_creation_win_powershell_import_module_susp_dirs.md | 2 +- .../proc_creation_win_powershell_invocation_specific.md | 2 +- .../proc_creation_win_powershell_mailboxexport_share.md | 2 +- .../proc_creation_win_powershell_malicious_cmdlets.md | 2 +- .../proc_creation_win_powershell_msexchange_transport_agent.md | 2 +- .../proc_creation_win_powershell_obfuscation_via_utf8.md | 2 +- .../proc_creation_win_powershell_public_folder.md | 2 +- ...roc_creation_win_powershell_remotefxvgpudisablement_abuse.md | 2 +- .../proc_creation_win_powershell_remove_mppreference.md | 2 +- .../proc_creation_win_powershell_run_script_from_ads.md | 2 +- ...proc_creation_win_powershell_run_script_from_input_stream.md | 2 +- .../proc_creation_win_powershell_sam_access.md | 2 +- .../proc_creation_win_powershell_script_engine_parent.md | 2 +- .../proc_creation_win_powershell_shadowcopy_deletion.md | 2 +- .../proc_creation_win_powershell_susp_download_patterns.md | 2 +- .../proc_creation_win_powershell_susp_parameter_variation.md | 2 +- .../proc_creation_win_powershell_susp_ps_appdata.md | 2 +- .../proc_creation_win_powershell_susp_ps_downloadfile.md | 2 +- .../proc_creation_win_powershell_token_obfuscation.md | 2 +- .../proc_creation_win_powershell_x509enrollment.md | 2 +- .../proc_creation_win_powershell_zip_compress.md | 2 +- .../proc_creation_win_pressanykey_lolbin_execution.md | 2 +- .../proc_creation_win_print_remote_file_copy.md | 2 +- .../proc_creation_win_provlaunch_potential_abuse.md | 2 +- .../proc_creation_win_provlaunch_susp_child_process.md | 2 +- .../proc_creation_win_psr_capture_screenshots.md | 2 +- .../proc_creation_win_pua_3proxy_execution.md | 2 +- .../proc_creation_win_pua_adfind_enumeration.md | 2 +- 
.../proc_creation_win_pua_adfind_susp_usage.md | 2 +- .../proc_creation_win_pua_advancedrun_priv_user.md | 2 +- .../proc_creation_win_pua_chisel.md | 2 +- .../proc_creation_win_pua_cleanwipe.md | 2 +- .../proc_creation_win_pua_csexec.md | 2 +- .../proc_creation_win_pua_defendercheck.md | 2 +- .../proc_creation_win_pua_ditsnap.md | 2 +- .../proc_creation_win_pua_mouselock_execution.md | 2 +- .../proc_creation_win_pua_netcat.md | 2 +- .../proc_creation_win_pua_netscan.md | 2 +- .../proc_creation_win_pua_ngrok.md | 2 +- .../proc_creation_win_pua_nircmd_as_system.md | 2 +- .../proc_creation_win_pua_rcedit_execution.md | 2 +- .../proc_creation_win_pua_rclone_execution.md | 2 +- .../proc_creation_win_pua_runxcmd.md | 2 +- .../proc_creation_win_pua_webbrowserpassview.md | 2 +- .../proc_creation_win_python_adidnsdump.md | 2 +- .../proc_creation_win_python_pty_spawn.md | 2 +- .../proc_creation_win_qemu_suspicious_execution.md | 2 +- .../proc_creation_win_query_session_exfil.md | 2 +- .../proc_creation_win_quickassist_execution.md | 2 +- .../proc_creation_win_rar_compress_data.md | 2 +- .../proc_creation_win_rar_compression_with_password.md | 2 +- .../proc_creation_win_rar_susp_greedy_compression.md | 2 +- .../proc_creation_win_rasdial_execution.md | 2 +- .../proc_creation_win_reg_add_run_key.md | 2 +- .../proc_creation_win_reg_bitlocker.md | 2 +- ...oc_creation_win_reg_credential_access_via_password_filter.md | 2 +- .../proc_creation_win_reg_defender_exclusion.md | 2 +- ...c_creation_win_reg_direct_asep_registry_keys_modification.md | 2 +- .../proc_creation_win_reg_disable_sec_services.md | 2 +- ..._creation_win_reg_enumeration_for_credentials_in_registry.md | 2 +- .../proc_creation_win_reg_lsa_disable_restricted_admin.md | 2 +- .../proc_creation_win_reg_machineguid.md | 2 +- .../proc_creation_win_reg_nolmhash.md | 2 +- .../proc_creation_win_reg_open_command.md | 2 +- .../proc_creation_win_reg_screensaver.md | 2 +- .../proc_creation_win_reg_service_imagepath_change.md | 2 
+- .../proc_creation_win_reg_software_discovery.md | 2 +- .../proc_creation_win_reg_volsnap_disable.md | 2 +- .../proc_creation_win_reg_write_protect_for_storage_disabled.md | 2 +- .../proc_creation_win_regedit_trustedinstaller.md | 2 +- .../proc_creation_win_registry_cimprovider_dll_load.md | 2 +- ...roc_creation_win_registry_enumeration_for_credentials_cli.md | 2 +- ...win_registry_ie_security_zone_protocol_defaults_downgrade.md | 2 +- .../proc_creation_win_registry_install_reg_debugger_backdoor.md | 2 +- .../proc_creation_win_registry_logon_script.md | 2 +- .../proc_creation_win_registry_new_network_provider.md | 2 +- ...tion_win_registry_office_disable_python_security_warnings.md | 2 +- ...reation_win_registry_privilege_escalation_via_service_key.md | 2 +- ...roc_creation_win_registry_provlaunch_provisioning_command.md | 2 +- ...proc_creation_win_registry_set_unsecure_powershell_policy.md | 2 +- .../proc_creation_win_registry_special_accounts_hide_user.md | 2 +- .../proc_creation_win_registry_typed_paths_persistence.md | 2 +- .../proc_creation_win_regsvr32_flags_anomaly.md | 2 +- .../proc_creation_win_regsvr32_susp_child_process.md | 2 +- .../proc_creation_win_regsvr32_susp_parent.md | 2 +- .../proc_creation_win_remote_access_tools_anydesk.md | 2 +- ...on_win_remote_access_tools_anydesk_piped_password_via_cli.md | 2 +- ...c_creation_win_remote_access_tools_anydesk_silent_install.md | 2 +- .../proc_creation_win_remote_access_tools_anydesk_susp_exec.md | 2 +- .../proc_creation_win_remote_access_tools_gotoopener.md | 2 +- .../proc_creation_win_remote_access_tools_logmein.md | 2 +- .../proc_creation_win_remote_access_tools_meshagent_exec.md | 2 +- ...eation_win_remote_access_tools_rurat_non_default_location.md | 2 +- .../proc_creation_win_remote_access_tools_screenconnect.md | 2 +- ..._remote_access_tools_screenconnect_installation_cli_param.md | 2 +- ...n_remote_access_tools_screenconnect_remote_execution_susp.md | 2 +- 
...c_creation_win_remote_access_tools_screenconnect_webshell.md | 2 +- .../proc_creation_win_remote_access_tools_simple_help.md | 2 +- ...on_win_remote_access_tools_teamviewer_incoming_connection.md | 2 +- .../proc_creation_win_remote_time_discovery.md | 2 +- .../proc_creation_win_renamed_jusched.md | 2 +- .../proc_creation_win_renamed_rundll32_dllregisterserver.md | 2 +- .../proc_creation_win_renamed_rurat.md | 2 +- .../proc_creation_win_rpcping_credential_capture.md | 2 +- .../proc_creation_win_rundll32_inline_vbs.md | 2 +- .../proc_creation_win_rundll32_mshtml_runhtmlapplication.md | 2 +- .../proc_creation_win_rundll32_no_params.md | 2 +- .../proc_creation_win_rundll32_run_locations.md | 2 +- .../proc_creation_win_rundll32_setupapi_installhinfsection.md | 2 +- .../proc_creation_win_rundll32_spawn_explorer.md | 2 +- .../proc_creation_win_rundll32_susp_activity.md | 2 +- .../proc_creation_win_rundll32_susp_shellexec_execution.md | 2 +- ...oc_creation_win_rundll32_susp_shellexec_ordinal_execution.md | 2 +- .../proc_creation_win_rundll32_susp_shimcache_flush.md | 2 +- .../proc_creation_win_rundll32_sys.md | 2 +- .../proc_creation_win_rundll32_webdav_client_susp_execution.md | 2 +- .../proc_creation_win_rundll32_without_parameters.md | 2 +- .../proc_creation_win_runonce_execution.md | 2 +- ...roc_creation_win_sc_change_sevice_image_path_by_non_admin.md | 2 +- .../proc_creation_win_sc_create_service.md | 2 +- .../proc_creation_win_sc_new_kernel_driver.md | 2 +- .../proc_creation_win_sc_service_path_modification.md | 2 +- .../proc_creation_win_sc_service_tamper_for_persistence.md | 2 +- .../proc_creation_win_schtasks_appdata_local_system.md | 2 +- .../proc_creation_win_schtasks_change.md | 2 +- .../proc_creation_win_schtasks_creation.md | 2 +- .../proc_creation_win_schtasks_creation_temp_folder.md | 2 +- .../proc_creation_win_schtasks_delete.md | 2 +- .../proc_creation_win_schtasks_delete_all.md | 2 +- .../proc_creation_win_schtasks_disable.md | 2 +- 
.../proc_creation_win_schtasks_env_folder.md | 2 +- .../proc_creation_win_schtasks_guid_task_name.md | 2 +- .../proc_creation_win_schtasks_powershell_persistence.md | 2 +- .../proc_creation_win_schtasks_susp_pattern.md | 2 +- .../proc_creation_win_schtasks_system.md | 2 +- .../proc_creation_win_scrcons_susp_child_process.md | 2 +- .../proc_creation_win_sdclt_child_process.md | 2 +- .../proc_creation_win_sdiagnhost_susp_child.md | 2 +- .../proc_creation_win_servu_susp_child_process.md | 2 +- .../proc_creation_win_setres_uncommon_child_process.md | 2 +- .../proc_creation_win_setup16_custom_lst_execution.md | 2 +- .../proc_creation_win_shutdown_execution.md | 2 +- .../proc_creation_win_shutdown_logoff.md | 2 +- .../proc_creation_win_sigverif_uncommon_child_process.md | 2 +- .../proc_creation_win_sndvol_susp_child_processes.md | 2 +- .../proc_creation_win_soundrecorder_audio_capture.md | 2 +- .../proc_creation_win_splwow64_cli_anomaly.md | 2 +- .../proc_creation_win_sqlcmd_veeam_db_recon.md | 2 +- .../proc_creation_win_sqlcmd_veeam_dump.md | 2 +- .../proc_creation_win_sqlite_chromium_profile_data.md | 2 +- .../proc_creation_win_sqlite_firefox_gecko_profile_data.md | 2 +- .../proc_creation_win_squirrel_download.md | 2 +- .../proc_creation_win_squirrel_proxy_execution.md | 2 +- .../proc_creation_win_ssh_port_forward.md | 2 +- .../proc_creation_win_ssh_proxy_execution.md | 2 +- .../proc_creation_win_ssh_rdp_tunneling.md | 2 +- .../proc_creation_win_ssm_agent_abuse.md | 2 +- .../proc_creation_win_stordiag_susp_child_process.md | 2 +- .../proc_creation_win_susp_16bit_application.md | 2 +- .../proc_creation_win_susp_add_user_local_admin_group.md | 2 +- .../proc_creation_win_susp_add_user_privileged_group.md | 2 +- .../proc_creation_win_susp_add_user_remote_desktop_group.md | 2 +- .../proc_creation_win_susp_alternate_data_streams.md | 2 +- ...eation_win_susp_always_install_elevated_windows_installer.md | 2 +- .../proc_creation_win_susp_appx_execution.md | 2 +- 
...ion_win_susp_arbitrary_shell_execution_via_settingcontent.md | 2 +- .../proc_creation_win_susp_archiver_iso_phishing.md | 2 +- .../proc_creation_win_susp_bad_opsec_sacrificial_processes.md | 2 +- ...tion_win_susp_browser_launch_from_document_reader_process.md | 2 +- .../proc_creation_win_susp_cli_obfuscation_escape_char.md | 2 +- ...proc_creation_win_susp_commandline_path_traversal_evasion.md | 2 +- .../proc_creation_win_susp_crypto_mining_monero.md | 2 +- .../proc_creation_win_susp_data_exfiltration_via_cli.md | 2 +- .../proc_creation_win_susp_disable_raccine.md | 2 +- .../proc_creation_win_susp_double_extension.md | 2 +- .../proc_creation_win_susp_double_extension_parent.md | 2 +- .../proc_creation_win_susp_download_office_domain.md | 2 +- .../proc_creation_win_susp_dumpstack_log_evasion.md | 2 +- .../proc_creation_win_susp_electron_app_children.md | 2 +- .../proc_creation_win_susp_embed_exe_lnk.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_1.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_2.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_3.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_4.md | 2 +- .../proc_creation_win_susp_etw_modification_cmdline.md | 2 +- .../proc_creation_win_susp_etw_trace_evasion.md | 2 +- .../proc_creation_win_susp_eventlog_clear.md | 2 +- ..._creation_win_susp_execution_from_public_folder_as_parent.md | 2 +- .../proc_creation_win_susp_execution_path.md | 2 +- .../proc_creation_win_susp_gather_network_info_execution.md | 2 +- .../proc_creation_win_susp_hidden_dir_index_allocation.md | 2 +- .../proc_creation_win_susp_hiding_malware_in_fonts_folder.md | 2 +- .../proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md | 2 +- .../proc_creation_win_susp_image_missing.md | 2 +- .../proc_creation_win_susp_inline_base64_mz_header.md | 2 +- .../proc_creation_win_susp_inline_win_api_access.md | 2 +- .../proc_creation_win_susp_jwt_token_search.md | 2 +- 
...oc_creation_win_susp_local_system_owner_account_discovery.md | 2 +- .../proc_creation_win_susp_lsass_dmp_cli_keywords.md | 2 +- .../proc_creation_win_susp_ms_appinstaller_download.md | 2 +- .../proc_creation_win_susp_network_command.md | 2 +- .../proc_creation_win_susp_network_scan_loop.md | 2 +- .../proc_creation_win_susp_network_sniffing.md | 2 +- .../proc_creation_win_susp_no_image_name.md | 2 +- .../proc_creation_win_susp_non_exe_image.md | 2 +- .../proc_creation_win_susp_non_priv_reg_or_ps.md | 2 +- .../proc_creation_win_susp_ntds.md | 2 +- .../proc_creation_win_susp_nteventlogfile_usage.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_path_use_cli.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_path_use_image.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_cli.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_image.md | 2 +- .../proc_creation_win_susp_obfuscated_ip_download.md | 2 +- .../proc_creation_win_susp_obfuscated_ip_via_cli.md | 2 +- .../proc_creation_win_susp_parents.md | 2 +- .../proc_creation_win_susp_privilege_escalation_cli_patterns.md | 2 +- .../proc_creation_win_susp_proc_wrong_parent.md | 2 +- .../proc_creation_win_susp_progname.md | 2 +- .../proc_creation_win_susp_recycle_bin_fake_execution.md | 2 +- .../proc_creation_win_susp_redirect_local_admin_share.md | 2 +- .../proc_creation_win_susp_remote_desktop_tunneling.md | 2 +- .../proc_creation_win_susp_right_to_left_override.md | 2 +- .../proc_creation_win_susp_script_exec_from_temp.md | 2 +- .../proc_creation_win_susp_sensitive_file_access_shadowcopy.md | 2 +- .../proc_creation_win_susp_service_creation.md | 2 +- .../proc_creation_win_susp_service_dir.md | 2 +- .../proc_creation_win_susp_shell_spawn_susp_program.md | 2 +- .../proc_creation_win_susp_sysnative.md | 2 +- .../proc_creation_win_susp_system_exe_anomaly.md | 2 +- .../proc_creation_win_susp_system_user_anomaly.md | 2 +- .../proc_creation_win_susp_sysvol_access.md | 2 +- 
.../proc_creation_win_susp_task_folder_evasion.md | 2 +- .../proc_creation_win_susp_use_of_vsjitdebugger_bin.md | 2 +- .../proc_creation_win_susp_weak_or_abused_passwords.md | 2 +- .../proc_creation_win_susp_web_request_cmd_and_cmdlets.md | 2 +- .../proc_creation_win_susp_whoami_as_param.md | 2 +- .../proc_creation_win_susp_workfolders.md | 2 +- .../proc_creation_win_svchost_execution_with_no_cli_flags.md | 2 +- .../proc_creation_win_svchost_termserv_proc_spawn.md | 2 +- .../proc_creation_win_svchost_uncommon_parent_process.md | 2 +- .../proc_creation_win_sysinternals_eula_accepted.md | 2 +- .../proc_creation_win_sysinternals_procdump.md | 2 +- .../proc_creation_win_sysinternals_procdump_evasion.md | 2 +- .../proc_creation_win_sysinternals_procdump_lsass.md | 2 +- ...c_creation_win_sysinternals_psexec_paexec_escalate_system.md | 2 +- .../proc_creation_win_sysinternals_psexec_remote_execution.md | 2 +- .../proc_creation_win_sysinternals_psexesvc_as_system.md | 2 +- .../proc_creation_win_sysinternals_susp_psexec_paexec_flags.md | 2 +- .../proc_creation_win_sysinternals_sysmon_config_update.md | 2 +- .../proc_creation_win_sysinternals_sysmon_uninstall.md | 2 +- .../proc_creation_win_sysinternals_tools_masquerading.md | 2 +- .../proc_creation_win_sysprep_appdata.md | 2 +- .../proc_creation_win_takeown_recursive_own.md | 2 +- .../proc_creation_win_tapinstall_execution.md | 2 +- .../proc_creation_win_taskkill_sep.md | 2 +- .../proc_creation_win_taskmgr_localsystem.md | 2 +- .../proc_creation_win_taskmgr_susp_child_process.md | 2 +- ...oc_creation_win_teams_suspicious_command_line_cred_access.md | 2 +- .../proc_creation_win_tscon_localsystem.md | 2 +- .../proc_creation_win_tscon_rdp_redirect.md | 2 +- .../proc_creation_win_uac_bypass_changepk_slui.md | 2 +- .../proc_creation_win_uac_bypass_cleanmgr.md | 2 +- .../proc_creation_win_uac_bypass_cmstp_com_object_access.md | 2 +- .../proc_creation_win_uac_bypass_computerdefaults.md | 2 +- 
.../proc_creation_win_uac_bypass_consent_comctl32.md | 2 +- .../proc_creation_win_uac_bypass_dismhost.md | 2 +- .../proc_creation_win_uac_bypass_eventvwr_recentviews.md | 2 +- .../proc_creation_win_uac_bypass_fodhelper.md | 2 +- .../proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md | 2 +- .../proc_creation_win_uac_bypass_idiagnostic_profile.md | 2 +- .../proc_creation_win_uac_bypass_ieinstal.md | 2 +- .../proc_creation_win_uac_bypass_msconfig_gui.md | 2 +- .../proc_creation_win_uac_bypass_ntfs_reparse_point.md | 2 +- .../proc_creation_win_uac_bypass_pkgmgr_dism.md | 2 +- .../proc_creation_win_uac_bypass_sdclt.md | 2 +- .../proc_creation_win_uac_bypass_trustedpath.md | 2 +- .../proc_creation_win_uac_bypass_winsat.md | 2 +- .../proc_creation_win_uac_bypass_wmp.md | 2 +- .../proc_creation_win_uac_bypass_wsreset_integrity_level.md | 2 +- .../proc_creation_win_ultravnc_susp_execution.md | 2 +- .../proc_creation_win_uninstall_crowdstrike_falcon.md | 2 +- .../proc_creation_win_userinit_uncommon_child_processes.md | 2 +- .../proc_creation_win_virtualbox_execution.md | 2 +- .../proc_creation_win_virtualbox_vboxdrvinst_execution.md | 2 +- .../proc_creation_win_vscode_child_processes_anomalies.md | 2 +- .../proc_creation_win_vscode_tunnel_remote_shell_.md | 2 +- .../proc_creation_win_vscode_tunnel_service_install.md | 2 +- .../proc_creation_win_vslsagent_agentextensionpath_load.md | 2 +- ...proc_creation_win_wab_execution_from_non_default_location.md | 2 +- .../proc_creation_win_wab_unusual_parents.md | 2 +- .../proc_creation_win_webdav_lnk_execution.md | 2 +- .../proc_creation_win_webshell_chopper.md | 2 +- .../proc_creation_win_webshell_hacking.md | 2 +- ...creation_win_webshell_susp_process_spawned_from_webserver.md | 2 +- .../proc_creation_win_webshell_tool_recon.md | 2 +- .../proc_creation_win_wermgr_susp_child_process.md | 2 +- .../proc_creation_win_wermgr_susp_exec_location.md | 2 +- .../proc_creation_win_windows_terminal_susp_children.md | 2 +- 
.../proc_creation_win_winrar_exfil_dmp_files.md | 2 +- .../proc_creation_win_winrar_uncommon_folder_execution.md | 2 +- .../proc_creation_win_winrm_awl_bypass.md | 2 +- ...proc_creation_win_winrm_remote_powershell_session_process.md | 2 +- .../proc_creation_win_winrm_susp_child_process.md | 2 +- .../proc_creation_win_winzip_password_compression.md | 2 +- .../proc_creation_win_wmi_backdoor_exchange_transport_agent.md | 2 +- .../proc_creation_win_wmi_persistence_script_event_consumer.md | 2 +- .../proc_creation_win_wmic_eventconsumer_creation.md | 2 +- .../proc_creation_win_wmic_susp_process_creation.md | 2 +- .../proc_creation_win_wmic_uninstall_security_products.md | 2 +- .../proc_creation_win_wmic_xsl_script_processing.md | 2 +- .../proc_creation_win_wmiprvse_susp_child_processes.md | 2 +- .../proc_creation_win_wpbbin_potential_persistence.md | 2 +- .../proc_creation_win_wscript_cscript_dropper.md | 2 +- .../proc_creation_win_wscript_cscript_susp_child_processes.md | 2 +- .../proc_creation_win_wsl_child_processes_anomalies.md | 2 +- .../proc_creation_win_wsl_windows_binaries_execution.md | 2 +- ...oc_creation_win_wusa_cab_files_extraction_from_susp_paths.md | 2 +- .../proc_creation_win_wusa_susp_parent_execution.md | 2 +- .../proc_creation_win_xwizard_runwizard_com_object_exec.md | 2 +- 558 files changed, 558 insertions(+), 558 deletions(-)
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
index 22241d5ab..ee10e6260 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\addinutil.exe" and (not (tgt.process.image.path contains ":\Windows\System32\conhost.exe" or tgt.process.image.path contains ":\Windows\System32\werfault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\werfault.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md index fdf0a4cb4..cfb1b40b2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\appvlp.exe" and (not (tgt.process.image.path contains ":\Windows\SysWOW64\rundll32.exe" or tgt.process.image.path contains ":\Windows\System32\rundll32.exe")) and (not ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\msoasb.exe") or ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\SkypeSrv\") and tgt.process.image.path contains "\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\MSOUC.EXE"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md index aa115b2cb..0b484f5bd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md index d090a3cd8..fcc1da269 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\aspnet_compiler.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\notepad.exe") or (tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\AppData\Local\Roaming\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md index 8196ae08c..b3f2e1f92 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe" and (tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Local\Roaming\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains ":\Windows\System32\Tasks\" or tgt.process.cmdline contains ":\Windows\Tasks\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md index a12499af7..f48ac650c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\at.exe" and tgt.process.cmdline contains "interactive")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md index 84e3da87a..3aef0278e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md index 4ddb77965..4921e2e8e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\" or tgt.process.image.path contains "\AppData\Roaming\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\PerfLogs\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md index aae9b2b06..e0ae48fa9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md index 8c6f8c429..1e9a5a9c6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\BitLockerToGo.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md index 28d4b04db..cb0414c09 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--remote-debugging-" and tgt.process.cmdline contains "--user-data-dir" and tgt.process.cmdline contains "--headless")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md index 60861d3b8..fd00a98aa 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md index 92ad0a943..db4433149 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and (tgt.process.cmdline contains "--headless" and tgt.process.cmdline contains "dump-dom" and tgt.process.cmdline contains "http"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md index c3e88c362..ce675d815 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md index c7568dac9..dd4b5259d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless" and (tgt.process.cmdline contains "://run.mocky" or tgt.process.cmdline contains "://mockbin"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md index df748627d..aaeb3d4bd 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\wscript.exe") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md index 6db234d9b..c443b5bcf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http" and (tgt.process.cmdline contains ".7z" or tgt.process.cmdline contains ".dat" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".ps1" or tgt.process.cmdline contains ".psm1" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".zip"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md index 19b2145ae..fe77ad8eb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --remote-debugging-" or (tgt.process.image.path contains "\firefox.exe" and tgt.process.cmdline contains " -start-debugger-server"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md index ac840c062..63bf0c151 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tor.exe" or tgt.process.image.path contains "\Tor Browser\Browser\firefox.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md index 3c095b90e..963ccef9a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\calc.exe " or (tgt.process.image.path contains "\calc.exe" and (not (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\" or tgt.process.image.path contains ":\Windows\WinSxS\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md index eaaeff64f..0b8848796 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\cmd.exe" and (src.process.cmdline contains " -c " or src.process.cmdline contains " /c " or src.process.cmdline contains " –c " or src.process.cmdline contains " —c " or src.process.cmdline contains " ―c " or src.process.cmdline contains " -r " or src.process.cmdline contains " /r " or src.process.cmdline contains " –r " or src.process.cmdline contains " —r " or src.process.cmdline contains " ―r " or src.process.cmdline contains " -k " or src.process.cmdline contains " /k " or src.process.cmdline contains " –k " or src.process.cmdline contains " —k " or src.process.cmdline contains " ―k ") and tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains "chcp" or tgt.process.cmdline contains "chcp " or tgt.process.cmdline contains "chcp "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md index 858873e2d..d975701bb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains " 936" or tgt.process.cmdline contains " 1258"))) | columns src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md index 01b2807ec..577c116c9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cloudflared.exe" and (not (tgt.process.image.path contains ":\Program Files (x86)\cloudflared\" or tgt.process.image.path contains ":\Program Files\cloudflared\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md index cf80157ac..383f5a87e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains "cleanup ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-connector-id "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md index 8f98fffe1..a4a4ff5c5 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains " run ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-credentials-contents " or tgt.process.cmdline contains "-credentials-file " or tgt.process.cmdline contains "-token "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md index 1e777521d..02a928fad 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " –c " or tgt.process.cmdline contains " —c " or tgt.process.cmdline contains " ―c ") and (tgt.process.cmdline contains "curl " and tgt.process.cmdline contains "http" and tgt.process.cmdline contains "-o" and tgt.process.cmdline contains "&"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md index c9df77ac2..631b9cc44 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "^^" or tgt.process.cmdline contains "^|^" or tgt.process.cmdline contains ",;," or tgt.process.cmdline contains ";;;;" or tgt.process.cmdline contains ";; ;;" or tgt.process.cmdline contains "(,(," or tgt.process.cmdline contains "%COMSPEC:~" or tgt.process.cmdline contains " c^m^d" or tgt.process.cmdline contains "^c^m^d" or tgt.process.cmdline contains " c^md" or tgt.process.cmdline contains " cm^d" or tgt.process.cmdline contains "^cm^d" or tgt.process.cmdline contains " s^et " or tgt.process.cmdline contains " s^e^t " or tgt.process.cmdline contains " se^t ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md index 149d1eb3f..fe313e16b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "://" and tgt.process.cmdline contains "%AppData%"))) | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md index b1690b2fa..82b95ac83 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "mklink" and tgt.process.cmdline contains "HarddiskVolumeShadowCopy")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md index cd530f5ac..5633ff76a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "cmd.exe/c" or tgt.process.cmdline contains "\cmd/c" or tgt.process.cmdline contains "\"cmd/c" or tgt.process.cmdline contains "cmd.exe/k" or tgt.process.cmdline contains "\cmd/k" or tgt.process.cmdline contains "\"cmd/k" or tgt.process.cmdline contains "cmd.exe/r" or tgt.process.cmdline contains "\cmd/r" or tgt.process.cmdline contains "\"cmd/r") or (tgt.process.cmdline contains "/cwhoami" or tgt.process.cmdline contains "/cpowershell" or tgt.process.cmdline contains "/cschtasks" or tgt.process.cmdline contains "/cbitsadmin" or tgt.process.cmdline contains "/ccertutil" or tgt.process.cmdline contains "/kwhoami" or tgt.process.cmdline contains "/kpowershell" or tgt.process.cmdline contains "/kschtasks" or tgt.process.cmdline contains "/kbitsadmin" or tgt.process.cmdline contains "/kcertutil") or (tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /r")) and (not ((tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /r ") or (tgt.process.cmdline contains "AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules" or tgt.process.cmdline contains "cmd.exe/c ." or tgt.process.cmdline="cmd.exe /c"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md index e456369a7..5c11e41ec 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "type %windir%\system32\ntdll.dll" or tgt.process.cmdline contains "type %systemroot%\system32\ntdll.dll" or tgt.process.cmdline contains "type c:\windows\system32\ntdll.dll" or tgt.process.cmdline contains "\ntdll.dll > \\.\pipe\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md index 5e7eee1df..fa6509ca8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ") and tgt.process.cmdline contains "Nul" and (tgt.process.cmdline contains " -f " or tgt.process.cmdline contains " /f " or tgt.process.cmdline contains " –f " or tgt.process.cmdline contains " —f " or tgt.process.cmdline contains " ―f " or tgt.process.cmdline contains " -q " or tgt.process.cmdline contains " /q " or tgt.process.cmdline contains " –q " or tgt.process.cmdline contains " —q " or tgt.process.cmdline contains " ―q ") and (tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "del "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md index f157a4bfc..452c2cb6d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md index 037999929..7a3af63cf 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\winlogon.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "Magnify.exe" or tgt.process.cmdline contains "Narrator.exe" or tgt.process.cmdline contains "DisplaySwitch.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md index 2bde9475d..bd624f744 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "/y " and tgt.process.cmdline contains "C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md index e95fe4594..cde24246a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > \\") or (tgt.process.cmdline contains "type \\" and tgt.process.cmdline contains " > "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md index e39c7c10a..463147a72 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\ctfmon.exe" or src.process.image.path contains "\dllhost.exe" or src.process.image.path contains "\epad.exe" or src.process.image.path contains "\FlashPlayerUpdateService.exe" or src.process.image.path contains "\GoogleUpdate.exe" or src.process.image.path contains "\jucheck.exe" or src.process.image.path contains "\jusched.exe" or src.process.image.path contains "\LogonUI.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\SearchIndexer.exe" or src.process.image.path contains "\SearchProtocolHost.exe" or src.process.image.path contains "\SIHClient.exe" or src.process.image.path contains "\sihost.exe" or src.process.image.path contains "\slui.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\sppsvc.exe" or src.process.image.path contains "\taskhostw.exe" or src.process.image.path contains "\unsecapp.exe" or src.process.image.path contains "\WerFault.exe" or src.process.image.path contains "\wermgr.exe" or src.process.image.path contains "\wlanext.exe" or src.process.image.path contains "\WUDFHost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md index c837d8f14..14df4eeca 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\cmstp.exe") | columns tgt.process.cmdline,src.process.cmdline,Details ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md index 4655297fc..744a491ee 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","S-1-16-12288")) and (tgt.process.cmdline contains "conhost.exe" and tgt.process.cmdline contains "0xffffffff" and tgt.process.cmdline contains "-ForceV1"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md index f358aa21a..3870b3c8d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.cmdline contains "conhost" and tgt.process.cmdline contains "/../../")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md index 6320d2348..08f663ec1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\conhost.exe" and (src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\smss.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\userinit.exe" or src.process.image.path contains "\wininit.exe" or src.process.image.path contains "\winlogon.exe")) and (not (src.process.cmdline contains "-k apphost -s AppHostSvc" or src.process.cmdline contains "-k imgsvc" or src.process.cmdline contains "-k localService -p -s RemoteRegistry" or src.process.cmdline contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or src.process.cmdline contains "-k NetSvcs -p -s NcaSvc" or src.process.cmdline contains "-k netsvcs -p -s NetSetupSvc" or src.process.cmdline contains "-k netsvcs -p -s wlidsvc" or src.process.cmdline contains "-k NetworkService -p -s DoSvc" or src.process.cmdline contains "-k wsappx -p -s AppXSvc" or src.process.cmdline contains "-k wsappx -p -s ClipSVC")) and (not (src.process.cmdline contains "C:\Program Files (x86)\Dropbox\Client\" or src.process.cmdline contains "C:\Program Files\Dropbox\Client\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md index d684420d5..cd105c5b8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csc.exe" and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\Windows\Temp\") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Pictures\")) or tgt.process.cmdline matches "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not ((src.process.image.path contains "C:\Program Files (x86)\" or src.process.image.path contains "C:\Program Files\") or src.process.image.path="C:\Windows\System32\sdiagnhost.exe" or src.process.image.path="C:\Windows\System32\inetsrv\w3wp.exe")) and (not ((src.process.image.path in ("C:\ProgramData\chocolatey\choco.exe","C:\ProgramData\chocolatey\tools\shimgen.exe")) or src.process.cmdline contains "\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" or (src.process.cmdline contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or src.process.cmdline contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or src.process.cmdline contains 
"nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md index 9a5429e5e..5455238fb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\curl.exe" or tgt.process.displayName="The curl executable") and ((tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "C:\PerfLogs\" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Windows\Temp\") or (tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".gif" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".temp" or tgt.process.cmdline contains ".tmp" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs")) and (not (src.process.image.path="C:\Program Files\Git\usr\bin\sh.exe" and tgt.process.image.path="C:\Program Files\Git\mingw64\bin\curl.exe" and (tgt.process.cmdline contains "--silent --show-error --output " and tgt.process.cmdline contains "gfw-httpget-" and tgt.process.cmdline contains "AppData"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md index 2b55703bf..dcac90cb6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\DefaultPack.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md index 6227ef2d8..a753c7320 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\desktopimgdownldr.exe" and src.process.image.path contains "\desktopimgdownldr.exe" and tgt.process.cmdline contains "/lockscreenurl:http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md index 12172cb67..95e72c3d6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /lockscreenurl:" and (not (tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".png"))) or (tgt.process.cmdline contains "reg delete" and tgt.process.cmdline contains "\PersonalizationCSP"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md index 63c0ad58d..8ca50ad5f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -t msi-install " and tgt.process.cmdline contains " -i http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md index 07f6cc9bd..91e4bb6f1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\AppData\Local\Apps\2.0\" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md index 689395595..68a87ed6b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\diskshadow.exe" and (tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md index 07202aa93..8a8bd99cf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\DismHost.exe" and (src.process.cmdline contains "/Online" and src.process.cmdline contains "/Disable-Feature")) or (tgt.process.image.path contains "\Dism.exe" and (tgt.process.cmdline contains "/Online" and tgt.process.cmdline contains "/Disable-Feature")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md index 9c1544d38..35d0d5954 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VMwareXferlogs.exe" and (not tgt.process.image.path contains "C:\Program Files\VMware\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md index b6d48094a..931c35f44 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dllhost.exe" and (tgt.process.cmdline in ("dllhost.exe","dllhost"))) and (not not (tgt.process.cmdline matches "\.*")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md index abcb6a8bf..e24ccd0f2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\iodine.exe" or tgt.process.image.path contains "\dnscat2")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md index 1020624f5..600cf0c7e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\dns.exe" and (not tgt.process.image.path contains "\conhost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md index 444b00162..b248a66be 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/enumrecords" or tgt.process.cmdline contains "/enumzones" or tgt.process.cmdline contains "/ZonePrint" or tgt.process.cmdline contains "/info"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md index c73423075..3d174d76d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/config" and tgt.process.cmdline contains "/serverlevelplugindll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md index 6e7ab8273..00a40023a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\dnx.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md index 33b932f26..5cc081516 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dtrace.exe" and tgt.process.cmdline contains "lkd(0)") or (tgt.process.cmdline contains "syscall:::return" and tgt.process.cmdline contains "lkd("))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md index dee9bf679..cb2d44984 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "esentutl" and tgt.process.cmdline contains " /p")) | columns tgt.process.user,tgt.process.cmdline,src.process.cmdline,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md index aedc16a4f..a969ee76f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\eventvwr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\WerFault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\WerFault.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md index a36cd5357..f1d724280 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\expand.exe" and (tgt.process.cmdline contains "-F:" or tgt.process.cmdline contains "/F:" or tgt.process.cmdline contains "–F:" or tgt.process.cmdline contains "—F:" or tgt.process.cmdline contains "―F:")) and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\ProgramData" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\Admin$\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\C$\" or tgt.process.cmdline contains "\Temporary Internet") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\"))) and (not (src.process.image.path="C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe" and tgt.process.cmdline contains "C:\ProgramData\Dell\UpdateService\Temp\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md index 46289d921..fb27f21bb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or ((tgt.process.cmdline contains "explorer.exe") and (tgt.process.cmdline contains " -root," or tgt.process.cmdline contains " /root," or tgt.process.cmdline contains " –root," or tgt.process.cmdline contains " —root," or tgt.process.cmdline contains " ―root,"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
index 228df45d5..fc5cda7de 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "shell:mycomputerfolder"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
index 8620c2956..43287bb07 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "/NOUACCHECK") and (not (src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" or src.process.image.path="C:\Windows\System32\svchost.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
index 5120d8a6f..f1b67ee71 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ipconfig*|*find*" or tgt.process.cmdline="*net*|*find*" or tgt.process.cmdline="*netstat*|*find*" or tgt.process.cmdline="*ping*|*find*" or tgt.process.cmdline="*systeminfo*|*find*" or tgt.process.cmdline="*tasklist*|*find*" or tgt.process.cmdline="*whoami*|*find*"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
index ee928f0e5..c857d5549 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.cmdline contains ".exe" or src.process.cmdline contains ".exe\"") and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "/c echo \"") and (not ((src.process.image.path contains ":\Windows\System32\" or src.process.image.path contains ":\Windows\SysWOW64\") and src.process.image.path contains "\forfiles.exe" and (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\") and tgt.process.image.path contains "\cmd.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
index 91e7fbe8e..bc2aa68cf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\format.com" and tgt.process.cmdline contains "/fs:") and (not (tgt.process.cmdline contains "/fs:exFAT" or tgt.process.cmdline contains "/fs:FAT" or tgt.process.cmdline contains "/fs:NTFS" or tgt.process.cmdline contains "/fs:ReFS" or tgt.process.cmdline contains "/fs:UDF"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
index 6f979d358..20e53536f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\GfxDownloadWrapper.exe" and (tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://")) and (not tgt.process.cmdline contains "https://gameplayapi.intel.com/")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
index 352216046..215ffe1b2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\GoogleUpdate.exe" and (not ((tgt.process.image.path contains "\Google" or (tgt.process.image.path contains "\setup.exe" or tgt.process.image.path contains "chrome_updater.exe" or tgt.process.image.path contains "chrome_installer.exe")) or not (tgt.process.image.path matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
index 2097e295b..24c28bbe9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -d " and tgt.process.cmdline contains "passphrase")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
index eb51bc053..d3071639b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "passphrase")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
index 5465141a8..5e32c0d30 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GNU Privacy Guard (GnuPG)" or tgt.process.displayName="GnuPG’s OpenPGP tool") and tgt.process.cmdline contains "-passphrase" and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Roaming\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
index 1c6cbf321..12a2cc0e0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\gpresult.exe" and (tgt.process.cmdline contains "/z" or tgt.process.cmdline contains "/v")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
index 24d71b0d6..2181be51b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\gup.exe" and tgt.process.image.path contains "\explorer.exe") and (not ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "\Notepad++\notepad++.exe") or src.process.image.path contains "\Notepad++\updater\" or not (tgt.process.cmdline matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
index 79fd03737..c366835e5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\GUP.exe" and (not ((tgt.process.image.path contains "\Program Files\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\Program Files (x86)\Notepad++\updater\GUP.exe") or (tgt.process.image.path contains "\Users\" and (tgt.process.image.path contains "\AppData\Local\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\AppData\Roaming\Notepad++\updater\GUP.exe"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
index 08ca42e5f..89a5e2e03 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\hh.exe" and (tgt.process.image.path contains "\CertReq.exe" or tgt.process.image.path contains "\CertUtil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\installutil.exe" or tgt.process.image.path contains "\MSbuild.exe" or tgt.process.image.path contains "\MSHTA.EXE" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
index 0ea6d8b3e..be6a197cf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --adcs " and tgt.process.cmdline contains " --port "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
index f02973882..3f7641497 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName contains "SharpHound" or tgt.process.displayName contains "SharpHound" or (tgt.process.publisher contains "SpecterOps" or tgt.process.publisher contains "evil corp") or (tgt.process.image.path contains "\Bloodhound.exe" or tgt.process.image.path contains "\SharpHound.exe")) or (tgt.process.cmdline contains " -CollectionMethod All " or tgt.process.cmdline contains " --CollectionMethods Session " or tgt.process.cmdline contains " --Loop --Loopduration " or tgt.process.cmdline contains " --PortScanTimeout " or tgt.process.cmdline contains ".exe -c All -d " or tgt.process.cmdline contains "Invoke-Bloodhound" or tgt.process.cmdline contains "Get-BloodHoundData") or (tgt.process.cmdline contains " -JsonFolder " and tgt.process.cmdline contains " -ZipFileName ") or (tgt.process.cmdline contains " DCOnly " and tgt.process.cmdline contains " --NoSaveCache ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
index c0e678f75..f18f64e2f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains ".dll" and tgt.process.cmdline contains "StartNodeRelay"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
index 2798bc626..b2cd1f97a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd.exe /C whoami" and src.process.image.path contains "C:\Temp\") or ((src.process.image.path contains "\runonce.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.cmdline contains "cmd.exe /c echo" and tgt.process.cmdline contains "> \\.\pipe")) or ((src.process.cmdline contains "cmd.exe /C echo" and src.process.cmdline contains " > \\.\pipe") and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1") or (src.process.cmdline contains "/C whoami" and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
index 4456efd59..17572bc80 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-Sta" and tgt.process.cmdline contains "-Nop" and tgt.process.cmdline contains "-Window" and tgt.process.cmdline contains "Hidden") and (tgt.process.cmdline contains "-Command" or tgt.process.cmdline contains "-EncodedCommand")) or (tgt.process.cmdline contains "sv o (New-Object IO.MemorySteam);sv d " or tgt.process.cmdline contains "mshta file.hta" or tgt.process.cmdline contains "GruntHTTP" or tgt.process.cmdline contains "-EncodedCommand cwB2ACAAbwAgA")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
index f5810f97a..6083cd2b8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\crackmapexec.exe" or tgt.process.cmdline contains " -M pe_inject " or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -x ") or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -H 'NTHASH'") or (tgt.process.cmdline contains " mssql " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -d ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -H " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -o ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " --local-auth")) or ((tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p ") and (tgt.process.cmdline contains " 10." and tgt.process.cmdline contains " 192.168." and tgt.process.cmdline contains "/24 ")))) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
index b87bd40b4..ba7d02209 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*cmd.exe /Q /c * 1> \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > *\Temp\* 2>&1*" or tgt.process.cmdline contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or tgt.process.cmdline contains "powershell.exe -noni -nop -w 1 -enc "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
index 9e20b8bac..5fe237cf6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "tasklist /fi " and tgt.process.cmdline contains "Imagename eq lsass.exe") and (tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd /k ") and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) or (tgt.process.cmdline contains "do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump" and tgt.process.cmdline contains "\Windows\Temp\" and tgt.process.cmdline contains " full" and tgt.process.cmdline contains "%%B") or (tgt.process.cmdline contains "tasklist /v /fo csv" and tgt.process.cmdline contains "findstr /i \"lsass\"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
index 1192088ce..7e71d8436 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /am51" and tgt.process.cmdline contains " /password"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
index 58b7833ce..7e2890e58 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -sta -NonI -W Hidden -Enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc " or tgt.process.cmdline contains " -NoP -NonI -W Hidden -enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc" or tgt.process.cmdline contains " -enc SQB" or tgt.process.cmdline contains " -nop -exec bypass -EncodedCommand "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
index 16a546ed1..593627296 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)" or tgt.process.cmdline contains " -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
index e9a2aa65a..0a785ff15 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ruby.exe" and (tgt.process.cmdline contains "-i " and tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
index 2501d040f..36b1c9228 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.publisher="Cube0x0")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
index dbb5d6676..2c6917eca 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hashcat.exe" or (tgt.process.cmdline contains "-a " and tgt.process.cmdline contains "-m 1000 " and tgt.process.cmdline contains "-r ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
index cb7713f04..705cd6727 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\htran.exe" or tgt.process.image.path contains "\lcx.exe") or (tgt.process.cmdline contains ".exe -tran " or tgt.process.cmdline contains ".exe -slave ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
index 81ea67100..5259f4a7e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ") and (tgt.process.cmdline contains "^USER^" or tgt.process.cmdline contains "^PASS^"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md index 6e52e0f45..f31bc695b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\mmc.exe" or src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\services.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/Q" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "\\127.0.0.1\" and tgt.process.cmdline contains "&1")) or ((src.process.cmdline contains "svchost.exe -k netsvcs" or src.process.cmdline contains "taskeng.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/C" and tgt.process.cmdline contains "Windows\Temp\" and tgt.process.cmdline contains "&1")))) | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md index edf357eea..37042aa27 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\goldenPac" or tgt.process.image.path contains "\karmaSMB" or tgt.process.image.path contains "\kintercept" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\rpcdump" or tgt.process.image.path contains "\samrdump" or tgt.process.image.path contains "\secretsdump" or tgt.process.image.path contains "\smbexec" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\wmiexec" or tgt.process.image.path contains "\wmipersist") or (tgt.process.image.path contains "\atexec_windows.exe" or tgt.process.image.path contains "\dcomexec_windows.exe" or tgt.process.image.path contains "\dpapi_windows.exe" or tgt.process.image.path contains "\findDelegation_windows.exe" or tgt.process.image.path contains "\GetADUsers_windows.exe" or tgt.process.image.path contains "\GetNPUsers_windows.exe" or tgt.process.image.path contains "\getPac_windows.exe" or tgt.process.image.path contains "\getST_windows.exe" or tgt.process.image.path contains "\getTGT_windows.exe" or tgt.process.image.path contains "\GetUserSPNs_windows.exe" or tgt.process.image.path contains "\ifmap_windows.exe" or tgt.process.image.path contains "\mimikatz_windows.exe" or tgt.process.image.path contains "\netview_windows.exe" or tgt.process.image.path contains "\nmapAnswerMachine_windows.exe" or tgt.process.image.path contains "\opdump_windows.exe" or tgt.process.image.path contains "\psexec_windows.exe" or tgt.process.image.path contains "\rdp_check_windows.exe" or tgt.process.image.path contains "\sambaPipe_windows.exe" or tgt.process.image.path contains "\smbclient_windows.exe" or tgt.process.image.path contains "\smbserver_windows.exe" or tgt.process.image.path contains "\sniff_windows.exe" 
or tgt.process.image.path contains "\sniffer_windows.exe" or tgt.process.image.path contains "\split_windows.exe" or tgt.process.image.path contains "\ticketer_windows.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md index dfaf0fb5e..730d40741 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "clipboard]::" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "/r"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md index 7ec187d07..ab7d90177 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline matches "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or tgt.process.cmdline matches "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or tgt.process.cmdline matches "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or tgt.process.cmdline matches "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or tgt.process.cmdline matches "\\*mdr\\*\\W\\s*\\)\\.Name" or tgt.process.cmdline matches "\\$VerbosePreference\\.ToString\\(" or tgt.process.cmdline matches "\\[String\\]\\s*\\$VerbosePreference")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md index 8850f1950..344b15715 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md index 229fedef7..96f12417b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md index a5ac09677..97655b12f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "text.encoding]::ascii") and (tgt.process.cmdline contains "system.io.compression.deflatestream" or tgt.process.cmdline contains "system.io.streamreader" or tgt.process.cmdline contains "readtoend("))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md index 68c07eaeb..bbd94f292 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md index 202bf4d4d..361872f94 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md index 87562bfda..ebd841c20 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "set" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "vbscript:createobject" and tgt.process.cmdline contains ".run" and tgt.process.cmdline contains "(window.close)")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md index 19b77efcb..5469be241 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "&&set" and tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "{0}" or tgt.process.cmdline contains "{1}" or tgt.process.cmdline contains "{2}" or tgt.process.cmdline contains "{3}" or tgt.process.cmdline contains "{4}" or tgt.process.cmdline contains "{5}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md index 87f7a4490..cbbd7077c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" and src.process.cmdline contains ".bat") and ((tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "powershell.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "pwsh.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\attrib.exe" and (tgt.process.cmdline contains "+s" and tgt.process.cmdline contains "+h" and tgt.process.cmdline contains ".bat.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md index b4f0afac2..17c8e6e1c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\lazagne.exe" or ((tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Tmp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Users\Public\") and (tgt.process.cmdline contains ".exe all" or tgt.process.cmdline contains ".exe browsers" or tgt.process.cmdline contains ".exe chats" or tgt.process.cmdline contains ".exe databases" or tgt.process.cmdline contains ".exe games" or tgt.process.cmdline contains ".exe git" or tgt.process.cmdline contains ".exe mails" or tgt.process.cmdline contains ".exe maven" or tgt.process.cmdline contains ".exe memory" or tgt.process.cmdline contains ".exe multimedia" or tgt.process.cmdline contains ".exe sysadmin" or tgt.process.cmdline contains ".exe unused" or tgt.process.cmdline contains ".exe wifi" or tgt.process.cmdline contains ".exe windows")) or ((tgt.process.cmdline contains "all " or tgt.process.cmdline contains "browsers " or tgt.process.cmdline contains "chats " or tgt.process.cmdline contains "databases " or tgt.process.cmdline contains "games " or tgt.process.cmdline contains "git " or tgt.process.cmdline contains "mails " or tgt.process.cmdline contains "maven " or tgt.process.cmdline contains "memory " or tgt.process.cmdline contains "multimedia " or tgt.process.cmdline contains "php " or tgt.process.cmdline contains "svn " or tgt.process.cmdline contains "sysadmin " or tgt.process.cmdline contains "unused " or tgt.process.cmdline contains "wifi " or tgt.process.cmdline contains "windows ") and 
(tgt.process.cmdline contains "-oA" or tgt.process.cmdline contains "-oJ" or tgt.process.cmdline contains "-oN" or tgt.process.cmdline contains "-output" or tgt.process.cmdline contains "-password" or tgt.process.cmdline contains "-1Password" or tgt.process.cmdline contains "-apachedirectorystudio" or tgt.process.cmdline contains "-autologon" or tgt.process.cmdline contains "-ChromiumBased" or tgt.process.cmdline contains "-composer" or tgt.process.cmdline contains "-coreftp" or tgt.process.cmdline contains "-credfiles" or tgt.process.cmdline contains "-credman" or tgt.process.cmdline contains "-cyberduck" or tgt.process.cmdline contains "-dbvis" or tgt.process.cmdline contains "-EyeCon" or tgt.process.cmdline contains "-filezilla" or tgt.process.cmdline contains "-filezillaserver" or tgt.process.cmdline contains "-ftpnavigator" or tgt.process.cmdline contains "-galconfusion" or tgt.process.cmdline contains "-gitforwindows" or tgt.process.cmdline contains "-hashdump" or tgt.process.cmdline contains "-iisapppool" or tgt.process.cmdline contains "-IISCentralCertP" or tgt.process.cmdline contains "-kalypsomedia" or tgt.process.cmdline contains "-keepass" or tgt.process.cmdline contains "-keepassconfig" or tgt.process.cmdline contains "-lsa_secrets" or tgt.process.cmdline contains "-mavenrepositories" or tgt.process.cmdline contains "-memory_dump" or tgt.process.cmdline contains "-Mozilla" or tgt.process.cmdline contains "-mRemoteNG" or tgt.process.cmdline contains "-mscache" or tgt.process.cmdline contains "-opensshforwindows" or tgt.process.cmdline contains "-openvpn" or tgt.process.cmdline contains "-outlook" or tgt.process.cmdline contains "-pidgin" or tgt.process.cmdline contains "-postgresql" or tgt.process.cmdline contains "-psi-im" or tgt.process.cmdline contains "-puttycm" or tgt.process.cmdline contains "-pypykatz" or tgt.process.cmdline contains "-Rclone" or tgt.process.cmdline contains "-rdpmanager" or tgt.process.cmdline contains "-robomongo" or 
tgt.process.cmdline contains "-roguestale" or tgt.process.cmdline contains "-skype" or tgt.process.cmdline contains "-SQLDeveloper" or tgt.process.cmdline contains "-squirrel" or tgt.process.cmdline contains "-tortoise" or tgt.process.cmdline contains "-turba" or tgt.process.cmdline contains "-UCBrowser" or tgt.process.cmdline contains "-unattended" or tgt.process.cmdline contains "-vault" or tgt.process.cmdline contains "-vaultfiles" or tgt.process.cmdline contains "-vnc" or tgt.process.cmdline contains "-windows" or tgt.process.cmdline contains "-winscp" or tgt.process.cmdline contains "-wsl")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md index 65fa36939..f806ca3e0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\services.exe" and (((tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "echo" and tgt.process.cmdline contains "\pipe\") and (tgt.process.cmdline contains "cmd" or tgt.process.cmdline contains "%COMSPEC%")) or (tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains ".dll,a" and tgt.process.cmdline contains "/p:")) and (not tgt.process.cmdline contains "MpCmdRun"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md index 6fb61e465..a5544a507 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "DumpCreds" or tgt.process.cmdline contains "mimikatz") or (tgt.process.cmdline contains "::aadcookie" or tgt.process.cmdline contains "::detours" or tgt.process.cmdline contains "::memssp" or tgt.process.cmdline contains "::mflt" or tgt.process.cmdline contains "::ncroutemon" or tgt.process.cmdline contains "::ngcsign" or tgt.process.cmdline contains "::printnightmare" or tgt.process.cmdline contains "::skeleton" or tgt.process.cmdline contains "::preshutdown" or tgt.process.cmdline contains "::mstsc" or tgt.process.cmdline contains "::multirdp") or (tgt.process.cmdline contains "rpc::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "crypto::" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "process::" or tgt.process.cmdline contains "vault::"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md index 53cb47cc1..fae51b369 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "powershell.exe -NonI" and tgt.process.cmdline contains "/TN Updater /TR") and (tgt.process.cmdline contains "/SC ONLOGON" or tgt.process.cmdline contains "/SC DAILY /ST" or tgt.process.cmdline contains "/SC ONIDLE" or tgt.process.cmdline contains "/SC HOURLY"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md index c75310fc1..cd836fb85 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\pypykatz.exe" or tgt.process.image.path contains "\python.exe") and (tgt.process.cmdline contains "live" and tgt.process.cmdline contains "registry"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md index 956c213a3..46f2e8e24 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\QuarksPwDump.exe" or (tgt.process.cmdline in (" -dhl"," --dump-hash-local"," -dhdc"," --dump-hash-domain-cached"," --dump-bitlocker"," -dhd "," --dump-hash-domain ","--ntds-file")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md index a27164184..5a488f131 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "gthread-3.6.dll" or tgt.process.cmdline contains "\Windows\Temp\tmp.bat" or tgt.process.cmdline contains "sigcmm-2.4.dll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md index 755c5f540..6ee561b8a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "PetitPotam" or tgt.process.image.path contains "RottenPotato" or tgt.process.image.path contains "HotPotato" or tgt.process.image.path contains "JuicyPotato" or tgt.process.image.path contains "\just_dce_" or tgt.process.image.path contains "Juicy Potato" or tgt.process.image.path contains "\temp\rot.exe" or tgt.process.image.path contains "\Potato.exe" or tgt.process.image.path contains "\SpoolSample.exe" or tgt.process.image.path contains "\Responder.exe" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\LocalPotato") or (tgt.process.cmdline contains "Invoke-Tater" or tgt.process.cmdline contains " smbrelay" or tgt.process.cmdline contains " ntlmrelay" or tgt.process.cmdline contains "cme smb " or tgt.process.cmdline contains " /ntlm:NTLMhash " or tgt.process.cmdline contains "Invoke-PetitPotam" or tgt.process.cmdline="*.exe -t * -p *") or (tgt.process.cmdline contains ".exe -c \"{" and tgt.process.cmdline contains "}\" -z")) and (not (tgt.process.image.path contains "HotPotatoes6" or tgt.process.image.path contains "HotPotatoes7" or tgt.process.image.path contains "HotPotatoes ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md index e5a38aa6a..edfd38714 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpChisel.exe" or tgt.process.displayName="SharpChisel")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md index 5ea235222..aed49a289 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\SharPersist.exe" or tgt.process.displayName="SharPersist") or (tgt.process.cmdline contains " -t schtask -c " or tgt.process.cmdline contains " -t startupfolder -c ") or (tgt.process.cmdline contains " -t reg -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t service -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t schtask -c " and tgt.process.cmdline contains " -m add"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md index dffd92c83..cda5a151c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpEvtMute.exe" or tgt.process.displayName="SharpEvtMute" or (tgt.process.cmdline contains "--Filter \"rule " or tgt.process.cmdline contains "--Encoded --Filter \\""))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md index 170f7457d..b65b88d09 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpUp.exe" or tgt.process.displayName="SharpUp" or (tgt.process.cmdline contains "HijackablePaths" or tgt.process.cmdline contains "UnquotedServicePath" or tgt.process.cmdline contains "ProcessDLLHijack" or tgt.process.cmdline contains "ModifiableServiceBinaries" or tgt.process.cmdline contains "ModifiableScheduledTask" or tgt.process.cmdline contains "DomainGPPPassword" or tgt.process.cmdline contains "CachedGPPPassword"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md index aaea07f77..b3706c02d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -Inject " and (tgt.process.cmdline contains " -PayloadArgs " or tgt.process.cmdline contains " -PayloadFile ")) or ((tgt.process.cmdline contains " approve " or tgt.process.cmdline contains " create " or tgt.process.cmdline contains " check " or tgt.process.cmdline contains " delete ") and (tgt.process.cmdline contains " /payload:" or tgt.process.cmdline contains " /payload=" or tgt.process.cmdline contains " /updateid:" or tgt.process.cmdline contains " /updateid=")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md index 7d2b3b9ba..ce8914e43 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.displayName contains "st2stager") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md index 094d7d0c0..55cb0885d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
index 9a79d756e..e68fe1ac1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --buildcache " or tgt.process.cmdline contains " --bhdump " or tgt.process.cmdline contains " --certdump " or tgt.process.cmdline contains " --dnsdump ") and (tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " --cachefilename " or tgt.process.cmdline contains " -o " or tgt.process.cmdline contains " --outputdirectory")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
index db947de3c..acfa632e2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Offline_Winpwn" or tgt.process.cmdline contains "WinPwn " or tgt.process.cmdline contains "WinPwn.exe" or tgt.process.cmdline contains "WinPwn.ps1"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
index c6299fda8..438766951 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
index 3d7bada85..208e8f0b1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\xordump.exe" or (tgt.process.cmdline contains " -process lsass.exe " or tgt.process.cmdline contains " -m comsvcs " or tgt.process.cmdline contains " -m dbghelp " or tgt.process.cmdline contains " -m dbgcore ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
index d312a5fbe..239476ab4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip" and tgt.process.cmdline contains "/pass:" and tgt.process.cmdline contains "/user:") or (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
index 653fa8c9f..1d7be0e41 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\HOSTNAME.EXE")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
index e0d8a8970..c844ca10b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Hwp.exe" and tgt.process.image.path contains "\gbb.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
index 49ea65496..c18e621cd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hxtsr.exe" and (not (tgt.process.image.path contains ":\program files\windowsapps\microsoft.windowscommunicationsapps_" and tgt.process.image.path contains "\hxtsr.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
index cb8278fb6..3fae00383 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\w3wp.exe" and (tgt.process.cmdline contains "appcmd.exe add module" or (tgt.process.cmdline contains " system.enterpriseservices.internal.publish" and tgt.process.image.path contains "\powershell.exe") or (tgt.process.cmdline contains "gacutil" and tgt.process.cmdline contains " /I"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
index c10b0c843..58c4d123d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and tgt.process.image.path contains "\ImagingDevices.exe") or src.process.image.path contains "\ImagingDevices.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
index ec6ae9e97..4c61f2841 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "InfDefaultInstall.exe " and tgt.process.cmdline contains ".inf")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
index d55103f5a..ad1a957ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\InstallUtil.exe" and tgt.process.image.path contains "Microsoft.NET\Framework" and (tgt.process.cmdline contains "/logfile= " and tgt.process.cmdline contains "/LogToConsole=false")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
index 740a40656..ec76635ef 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\keytool.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\query.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
index 6b9656855..0f0433395 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\ManageEngine\ServiceDesk\" and src.process.image.path contains "\java.exe") and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")) and (not ((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains " stop"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
index 837c45ff2..a3444cfd2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "transport=dt_socket,address=" and (tgt.process.cmdline contains "jre1." or tgt.process.cmdline contains "jdk1.")) and (not (tgt.process.cmdline contains "address=127.0.0.1" or tgt.process.cmdline contains "address=localhost")))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
index 25b710956..32a3bb94a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
index 0b48b26b6..d79cad42c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not (src.process.image.path contains "build" and tgt.process.cmdline contains "build"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
index 9a8c7f306..72400a746 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and src.process.cmdline contains "SysAidServer"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
index bb02e1367..a88daba6c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " run run-cmd " and (not (src.process.image.path contains "\cleanapi.exe" or src.process.image.path contains "\kavremover.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
index 897e188c2..9d6bdf47a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\link.exe" and tgt.process.cmdline contains "LINK /") and (not ((src.process.image.path contains "C:\Program Files\Microsoft Visual Studio\" or src.process.image.path contains "C:\Program Files (x86)\Microsoft Visual Studio\") and (src.process.image.path contains "\VC\bin\" or src.process.image.path contains "\VC\Tools\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
index eac8947aa..a3d751577 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\CustomShellHost.exe" and (not tgt.process.image.path="C:\Windows\explorer.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
index 9d36273c2..d540ff241 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\DeviceCredentialDeployment.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
index f4b1f6cae..487298e66 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\devtoolslauncher.exe" and tgt.process.cmdline contains "LaunchForDeploy"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
index c40068084..e6f632195 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
index b40d33b35..49fd17e68 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains " \\" and tgt.process.cmdline contains ".cab"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
index cd694ef7c..b3bfb9013 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "extrac32.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
index bca558f13..eb980ae8e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Launch-VsDevShell.ps1" and (tgt.process.cmdline contains "VsWherePath " or tgt.process.cmdline contains "VsInstallationPath ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
index b0b86aaff..b47085ee2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /INJECTRUNNING " and (not src.process.image.path="C:\Windows\System32\AppVClient.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
index 93c495ff5..7450e9d8c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "verb:sync" and tgt.process.cmdline contains "-source:RunCommand" and tgt.process.cmdline contains "-dest:runCommand") and tgt.process.image.path contains "\msdeploy.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
index eb33b18d2..524d2bff3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\msdt.exe" and tgt.process.cmdline contains "\WINDOWS\diagnostics\index\PCWDiagnostic.xml") and (tgt.process.cmdline contains " -af " or tgt.process.cmdline contains " /af ")) and (not src.process.image.path contains "\pcwrun.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
index 05b50ba8e..b5a588525 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\OpenWith.exe" and tgt.process.cmdline contains "/c"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
index d281d584e..03ebecc62 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcalua.exe" and tgt.process.cmdline contains " -a"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
index e0c442442..b46d3f131 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\pcwrun.exe") | columns ComputerName,tgt.process.user,src.process.cmdline,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md index 6e39f8bc9..32d612b6f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcwrun.exe" and tgt.process.cmdline contains "../")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md index 8cf8f12c2..2a19e92a4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and src.process.cmdline contains "\WindowsPowerShell\Modules\Pester\") and (src.process.cmdline contains "{ Invoke-Pester -EnableExit ;" or src.process.cmdline contains "{ Get-Help \""))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md index db06bf18f..a4337769a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Pester" and tgt.process.cmdline contains "Get-Help")) or ((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "pester" and tgt.process.cmdline contains ";")) and (tgt.process.cmdline contains "help" or tgt.process.cmdline contains "?")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md index f1933cb0b..310f25ea3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\PrintBrm.exe" and (tgt.process.cmdline contains " -f" and tgt.process.cmdline contains ".zip"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md index d5b49ebc4..9ddd0e3aa 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\pubprn.vbs" and tgt.process.cmdline contains "script:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md index 9480f7fa2..55bb8f4f6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\register_app.vbs" and tgt.process.cmdline contains "-register")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md index d591d71e0..4f96dbc7f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\replace.exe" and (tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/a" or tgt.process.cmdline contains "–a" or tgt.process.cmdline contains "—a" or tgt.process.cmdline contains "―a"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md index a063b5355..38393c4ec 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\runexehelper.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md index 56ca99f36..909541774 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Runscripthelper.exe" and tgt.process.cmdline contains "surfacecheck")) | columns tgt.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md index 9037ee538..d93ac0b90 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\")) and (src.process.cmdline contains "cmd.exe /c" and src.process.cmdline contains "RoamDiag.cmd" and src.process.cmdline contains "-outputpath"))) | columns TargetFilename,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md index 98963165e..6d53e78fa 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sftp.exe" and (tgt.process.cmdline contains " -D .." or tgt.process.cmdline contains " -D C:\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md index 3ff29018a..ac9c19b63 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-i" or tgt.process.cmdline contains "/install" or tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/add-driver" or tgt.process.cmdline contains ".inf") and tgt.process.image.path contains "\pnputil.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md index ccabba596..0f33283dd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "grpconv.exe -o" or tgt.process.cmdline contains "grpconv -o")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md index ace6029e8..f95f2b74b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqldumper.exe" and (tgt.process.cmdline contains "0x0110" or tgt.process.cmdline contains "0x01100:40"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md index dafc1295c..4e4e8c18e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SyncAppvPublishingServer.vbs" and tgt.process.cmdline contains ";")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md index 51c0f0cca..6bd090ae0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\tracker.exe" or tgt.process.displayName="Tracker") and (tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " /c ")) and (not (tgt.process.cmdline contains " /ERRORREPORT:PROMPT " or (src.process.image.path contains "\Msbuild\Current\Bin\MSBuild.exe" or src.process.image.path contains "\Msbuild\Current\Bin\amd64\MSBuild.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md index 596b17604..ee3c2127e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\tttracer.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md index 720228369..b5a57db20 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "UtilityFunctions.ps1" or tgt.process.cmdline contains "RegSnapin ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md index 50a61f090..73a7a955d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vbc.exe" and tgt.process.image.path contains "\cvtres.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md index f511a7e79..d302998e0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Windows\System32\lsass.exe" and tgt.process.image.path contains "\Windows\System32\lsass.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md index 47f182f1e..4abfb9d39 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\mftrace.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md index 7da77bc00..2499dd707 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mmc.exe" and tgt.process.cmdline contains "-Embedding")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md index a2db850a5..b3c9d8fa5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\mmc.exe" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe") or tgt.process.image.path contains "\BITSADMIN"))) | columns tgt.process.cmdline,tgt.process.image.path,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md index 43d5dac52..424599155 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\MpCmdRun.exe" or tgt.process.image.path contains "\NisSrv.exe") and (not (tgt.process.image.path contains "C:\Program Files (x86)\Windows Defender\" or tgt.process.image.path contains "C:\Program Files\Microsoft Security Client\" or tgt.process.image.path contains "C:\Program Files\Windows Defender\" or tgt.process.image.path contains "C:\ProgramData\Microsoft\Windows Defender\Platform\" or tgt.process.image.path contains "C:\Windows\WinSxS\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md index 7c4597226..2ae42ebd9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Wscript." and tgt.process.cmdline contains ".Shell" and tgt.process.cmdline contains ".Run")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md index dbb73fb9c..fad91bb28 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mshta.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md index a205346cd..8beae1188 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\mshta.exe" and (tgt.process.cmdline contains "vbscript" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".lnk" or tgt.process.cmdline contains ".xls" or tgt.process.cmdline contains ".doc" or tgt.process.cmdline contains ".zip" or tgt.process.cmdline contains ".dll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md index e0362c639..613ff0553 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (src.process.cmdline contains "MsiExec.exe" and src.process.cmdline contains "-Embedding ")) and (not ((tgt.process.image.path contains ":\Windows\System32\cmd.exe" and tgt.process.cmdline contains "C:\Program Files\SplunkUniversalForwarder\bin\") or (tgt.process.cmdline contains "\DismFoDInstall.cmd" or (src.process.cmdline contains "\MsiExec.exe -Embedding " and src.process.cmdline contains "Global\MSI0000")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md index ba5d458f5..3f7f65aca 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\msiexec.exe" and (tgt.process.cmdline contains " -y" or tgt.process.cmdline contains " /y" or tgt.process.cmdline contains " –y" or tgt.process.cmdline contains " —y" or tgt.process.cmdline contains " ―y")) and (not (tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" /Y C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y C:\Windows\CCM\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md index a0d3d534c..b4a6ecda0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " msiexec" and tgt.process.cmdline contains "://")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md index ea8fd63d7..d60898f98 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\msra.exe" and src.process.cmdline contains "msra.exe" and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\route.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\whoami.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md index 8022195ba..f2fc2bef6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\wsl.exe")) and (not (src.process.image.path contains "C:\Program Files\Microsoft SQL Server\" and src.process.image.path contains "DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\cmd.exe\" ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md index f0d22b4ce..5dea70a6c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and src.process.cmdline contains "VEEAMSQL") and (((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "-ex " or tgt.process.cmdline contains "bypass" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "copy ")) or (tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\whoami.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md index 1c791ea56..053188f81 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "noconsentprompt" and tgt.process.cmdline contains "shadow:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md index 81e27f6b5..d8d929629 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\msxsl.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md index 2df24d60b..1f6803006 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\msxsl.exe" and tgt.process.cmdline contains "http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md index c59e7eb97..bc91911f6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\node.exe" and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " --eval ")) and (tgt.process.cmdline contains ".exec(" and tgt.process.cmdline contains "net.socket" and tgt.process.cmdline contains ".connect" and tgt.process.cmdline contains "child_process"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md index 1c820da5b..6530a8a1e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Adobe Creative Cloud Experience\libs\node.exe" and (not tgt.process.cmdline contains "Adobe Creative Cloud Experience\js"))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md index 6a02daa1a..79d095558 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "nslookup" and tgt.process.cmdline contains "_ldap._tcp.dc._msdcs.")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md index bbf55058d..811ecd3bd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\ntdsutil.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md index c0ea38af6..0fceb715e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\odbcconf.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md index 27b930f4e..cf1fd7251 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\onenote.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and (tgt.process.cmdline contains "\exported\" or tgt.process.cmdline contains "\onenoteofflinecache_files\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md index 457f0ea19..1917de7ff 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Outlook\Security\EnableUnsafeClientMailRules") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md index c885c9c28..361aa0f25 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\Temporary Internet Files\Content.Outlook\") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md index 20e9008e0..dd5c4da0f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\OUTLOOK.EXE" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\msbuild.exe" or tgt.process.image.path contains "\msdt.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md index e1baebba1..cbd30cdc3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\outlook.exe" and tgt.process.image.path contains "\\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md index 186b9f2e5..d297edf78 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WINWORD.EXE" or src.process.image.path contains "\EXCEL.EXE" or src.process.image.path contains "\POWERPNT.exe" or src.process.image.path contains "\MSPUB.exe" or src.process.image.path contains "\VISIO.exe" or src.process.image.path contains "\MSACCESS.exe" or src.process.image.path contains "\EQNEDT32.exe") and tgt.process.image.path contains "C:\users\" and tgt.process.image.path contains ".exe") and (not tgt.process.image.path contains "\Teams.exe"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md index 1ffcbb6e8..018626997 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\PDQDeployRunner-" and ((tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\TEMP\" or tgt.process.image.path contains "\AppData\Local\Temp") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -encodedcommand " or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "http" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md index d78c8506d..7116c9def 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ping.exe" and tgt.process.cmdline contains "0x")) | columns src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md index 1a1e584a2..b273fee21 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Command-line SSH, Telnet, and Rlogin client" and tgt.process.cmdline contains " -R ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md index cd2a86467..b0b4f1380 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":127.0.0.1:3389") or ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":3389") and (tgt.process.cmdline contains " -P 443" or tgt.process.cmdline contains " -P 22")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md index e3ec1bf80..c18d3bdbb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "System.Management.Automation.AmsiUtils" and tgt.process.cmdline contains "amsiInitFailed") or (tgt.process.cmdline contains "[Ref].Assembly.GetType" and tgt.process.cmdline contains "SetValue($null,$true)" and tgt.process.cmdline contains "NonPublic,Static"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md index 435c99297..dfba29094 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "if(0){{{0}}}' -f $(0 -as [char]) +" or tgt.process.cmdline contains "#")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md index 7d67d3afe..8b58753ae 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WindowsAudioDevice-Powershell-Cmdlet" or tgt.process.cmdline contains "Toggle-AudioDevice" or tgt.process.cmdline contains "Get-AudioDevice " or tgt.process.cmdline contains "Set-AudioDevice " or tgt.process.cmdline contains "Write-AudioDevice ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md index e5abab143..440605292 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IAAtAGIAeABvAHIAIAAwAHgA" or tgt.process.cmdline contains "AALQBiAHgAbwByACAAMAB4A" or tgt.process.cmdline contains "gAC0AYgB4AG8AcgAgADAAeA" or tgt.process.cmdline contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or tgt.process.cmdline contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or tgt.process.cmdline contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md index b4499cece..d911e22fa 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OjpGcm9tQmFzZTY0U3RyaW5n" or tgt.process.cmdline contains "o6RnJvbUJhc2U2NFN0cmluZ" or tgt.process.cmdline contains "6OkZyb21CYXNlNjRTdHJpbm" or (tgt.process.cmdline contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or tgt.process.cmdline contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or tgt.process.cmdline contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md index 6dea21b65..54eb1507a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "SUVYIChb" or tgt.process.cmdline contains "lFWCAoW" or tgt.process.cmdline contains "JRVggKF" or tgt.process.cmdline contains "aWV4IChb" or tgt.process.cmdline contains "lleCAoW" or tgt.process.cmdline contains "pZXggKF" or tgt.process.cmdline contains "aWV4IChOZX" or tgt.process.cmdline contains "lleCAoTmV3" or tgt.process.cmdline contains "pZXggKE5ld" or tgt.process.cmdline contains "SUVYIChOZX" or tgt.process.cmdline contains "lFWCAoTmV3" or tgt.process.cmdline contains "JRVggKE5ld" or tgt.process.cmdline contains "SUVYKF" or tgt.process.cmdline contains "lFWChb" or tgt.process.cmdline contains "JRVgoW" or tgt.process.cmdline contains "aWV4KF" or tgt.process.cmdline contains "lleChb" or tgt.process.cmdline contains "pZXgoW" or tgt.process.cmdline contains "aWV4KE5ld" or tgt.process.cmdline contains "lleChOZX" or tgt.process.cmdline contains "pZXgoTmV3" or tgt.process.cmdline contains "SUVYKE5ld" or tgt.process.cmdline contains "lFWChOZX" or tgt.process.cmdline contains "JRVgoTmV3" or tgt.process.cmdline contains "SUVYKCgn" or tgt.process.cmdline contains "lFWCgoJ" or tgt.process.cmdline contains "JRVgoKC" or tgt.process.cmdline contains "aWV4KCgn" or tgt.process.cmdline contains "lleCgoJ" or tgt.process.cmdline contains "pZXgoKC") or (tgt.process.cmdline contains "SQBFAFgAIAAoAFsA" or tgt.process.cmdline contains "kARQBYACAAKABbA" or tgt.process.cmdline contains "JAEUAWAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAFsA" or tgt.process.cmdline contains "kAZQB4ACAAKABbA" or tgt.process.cmdline contains "pAGUAeAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kAZQB4ACAAKABOAGUAdw" or tgt.process.cmdline contains "pAGUAeAAgACgATgBlAHcA" or 
tgt.process.cmdline contains "SQBFAFgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kARQBYACAAKABOAGUAdw" or tgt.process.cmdline contains "JAEUAWAAgACgATgBlAHcA"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md index faa9bee6c..8a19b8d17 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "QWRkLU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "BZGQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "U2V0LU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "TZXQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "YWRkLW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "hZGQtbXBwcmVmZXJlbmNlI" or tgt.process.cmdline contains "c2V0LW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "zZXQtbXBwcmVmZXJlbmNlI") or (tgt.process.cmdline contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md index 644cb9f3c..46ff40fe0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or tgt.process.cmdline contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or tgt.process.cmdline contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or tgt.process.cmdline contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or tgt.process.cmdline contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA")) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md index e4babf3a4..d2bbcacfd 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA")) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md index 61670c307..f6f203177 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SyncInvoke ") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md index 4afabf9e6..886130548 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "LoadAssemblyFromPath " or tgt.process.cmdline contains "LoadAssemblyFromNS ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md index 3c65c2ed1..e8d6ddff9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\powershell.exe" and tgt.process.cmdline contains " -nologo -windowstyle minimized -file ") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Windows\Temp\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md index 546184163..4fd1bfbf6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md index c0dab80c9..391fd3965 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "GZipStream" and tgt.process.cmdline contains "::Decompress")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md index ed2c4e842..635cf3ed2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains "DisableArchiveScanning " or tgt.process.cmdline contains "DisableRealtimeMonitoring " or tgt.process.cmdline contains "DisableIOAVProtection " or tgt.process.cmdline contains "DisableBehaviorMonitoring " or tgt.process.cmdline contains "DisableBlockAtFirstSeen " or tgt.process.cmdline contains "DisableCatchupFullScan " or tgt.process.cmdline contains "DisableCatchupQuickScan ") and (tgt.process.cmdline contains "$true" or tgt.process.cmdline contains " 1 ")) or ((tgt.process.cmdline contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or tgt.process.cmdline contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or tgt.process.cmdline contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or tgt.process.cmdline contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or tgt.process.cmdline contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or tgt.process.cmdline 
contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or tgt.process.cmdline contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or tgt.process.cmdline contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or tgt.process.cmdline contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or tgt.process.cmdline contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or tgt.process.cmdline contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI") or (tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains 
"RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or tgt.process.cmdline contains 
"kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md index ba2bfdbf1..7bc4820db 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains " -ExclusionPath " or tgt.process.cmdline contains " -ExclusionExtension " or tgt.process.cmdline contains " -ExclusionProcess " or tgt.process.cmdline contains " -ExclusionIpAddress "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md index ba8cd291e..c3c2e2c27 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -name IEHarden " and tgt.process.cmdline contains " -value 0 ") or (tgt.process.cmdline contains " -name DEPOff " and tgt.process.cmdline contains " -value 1 ") or (tgt.process.cmdline contains " -name DisableFirstRunCustomize " and tgt.process.cmdline contains " -value 2 "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md index c27f117fd..d3828001c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains " -version 2 " or tgt.process.cmdline contains " -versio 2 " or tgt.process.cmdline contains " -versi 2 " or tgt.process.cmdline contains " -vers 2 " or tgt.process.cmdline contains " -ver 2 " or tgt.process.cmdline contains " -ve 2 " or tgt.process.cmdline contains " -v 2 "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md index a78573780..d0b0ad8fc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[Type]::GetTypeFromCLSID(" and (tgt.process.cmdline contains "0002DF01-0000-0000-C000-000000000046" or tgt.process.cmdline contains "F6D90F16-9C73-11D3-B32E-00C04F990BB4" or tgt.process.cmdline contains "F5078F35-C551-11D3-89B9-0000F81FE221" or tgt.process.cmdline contains "88d96a0a-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "AFBA6B42-5692-48EA-8141-DC517DCF0EF1" or tgt.process.cmdline contains "AFB40FFD-B609-40A3-9828-F88BBE11E4E3" or tgt.process.cmdline contains "88d96a0b-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "2087c2f4-2cef-4953-a8ab-66779b670495" or tgt.process.cmdline contains "000209FF-0000-0000-C000-000000000046" or tgt.process.cmdline contains "00024500-0000-0000-C000-000000000046"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md index d8572d708..e95a7248d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "http://127.0.0.1" and tgt.process.cmdline contains "%{(IRM $_)}" and tgt.process.cmdline contains ".SubString.ToString()[67,72,64]-Join" and tgt.process.cmdline contains "Import-Module"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md index 743d163b4..b71ef0d08 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md index abf35e548..13ed7a1f1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "IWR ") and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "OutFile" and tgt.process.cmdline contains ".dll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md index edc72f819..90632ffe9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr ") and (tgt.process.cmdline contains ";iex $" or tgt.process.cmdline contains "| IEX" or tgt.process.cmdline contains "|IEX " or tgt.process.cmdline contains "I`E`X" or tgt.process.cmdline contains "I`EX" or tgt.process.cmdline contains "IE`X" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "IEX (" or tgt.process.cmdline contains "IEX(" or tgt.process.cmdline contains "Invoke-Expression"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md index 1f2e4012c..f6ded899d 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-ADDBSidHistory" or tgt.process.cmdline contains "Add-ADNgcKey" or tgt.process.cmdline contains "Add-ADReplNgcKey" or tgt.process.cmdline contains "ConvertFrom-ADManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-GPPrefPassword" or tgt.process.cmdline contains "ConvertFrom-ManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-UnattendXmlPassword" or tgt.process.cmdline contains "ConvertFrom-UnicodePassword" or tgt.process.cmdline contains "ConvertTo-AADHash" or tgt.process.cmdline contains "ConvertTo-GPPrefPassword" or tgt.process.cmdline contains "ConvertTo-KerberosKey" or tgt.process.cmdline contains "ConvertTo-LMHash" or tgt.process.cmdline contains "ConvertTo-MsoPasswordHash" or tgt.process.cmdline contains "ConvertTo-NTHash" or tgt.process.cmdline contains "ConvertTo-OrgIdHash" or tgt.process.cmdline contains "ConvertTo-UnicodePassword" or tgt.process.cmdline contains "Disable-ADDBAccount" or tgt.process.cmdline contains "Enable-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBBackupKey" or tgt.process.cmdline contains "Get-ADDBDomainController" or tgt.process.cmdline contains "Get-ADDBGroupManagedServiceAccount" or tgt.process.cmdline contains "Get-ADDBKdsRootKey" or tgt.process.cmdline contains "Get-ADDBSchemaAttribute" or tgt.process.cmdline contains "Get-ADDBServiceAccount" or tgt.process.cmdline contains "Get-ADDefaultPasswordPolicy" or tgt.process.cmdline contains "Get-ADKeyCredential" or tgt.process.cmdline contains "Get-ADPasswordPolicy" or tgt.process.cmdline contains "Get-ADReplAccount" or tgt.process.cmdline contains "Get-ADReplBackupKey" or tgt.process.cmdline contains "Get-ADReplicationAccount" or 
tgt.process.cmdline contains "Get-ADSIAccount" or tgt.process.cmdline contains "Get-AzureADUserEx" or tgt.process.cmdline contains "Get-BootKey" or tgt.process.cmdline contains "Get-KeyCredential" or tgt.process.cmdline contains "Get-LsaBackupKey" or tgt.process.cmdline contains "Get-LsaPolicy" or tgt.process.cmdline contains "Get-SamPasswordPolicy" or tgt.process.cmdline contains "Get-SysKey" or tgt.process.cmdline contains "Get-SystemKey" or tgt.process.cmdline contains "New-ADDBRestoreFromMediaScript" or tgt.process.cmdline contains "New-ADKeyCredential" or tgt.process.cmdline contains "New-ADNgcKey" or tgt.process.cmdline contains "New-NTHashSet" or tgt.process.cmdline contains "Remove-ADDBObject" or tgt.process.cmdline contains "Save-DPAPIBlob" or tgt.process.cmdline contains "Set-ADAccountPasswordHash" or tgt.process.cmdline contains "Set-ADDBAccountPassword" or tgt.process.cmdline contains "Set-ADDBBootKey" or tgt.process.cmdline contains "Set-ADDBDomainController" or tgt.process.cmdline contains "Set-ADDBPrimaryGroup" or tgt.process.cmdline contains "Set-ADDBSysKey" or tgt.process.cmdline contains "Set-AzureADUserEx" or tgt.process.cmdline contains "Set-LsaPolicy" or tgt.process.cmdline contains "Set-SamAccountPasswordHash" or tgt.process.cmdline contains "Set-WinUserPasswordHash" or tgt.process.cmdline contains "Test-ADDBPasswordQuality" or tgt.process.cmdline contains "Test-ADPasswordQuality" or tgt.process.cmdline contains "Test-ADReplPasswordQuality" or tgt.process.cmdline contains "Test-PasswordQuality" or tgt.process.cmdline contains "Unlock-ADDBAccount" or tgt.process.cmdline contains "Write-ADNgcKey" or tgt.process.cmdline contains "Write-ADReplNgcKey")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md index b7d99b059..c0e249a9c 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Add-PSSnapin" and tgt.process.cmdline contains "Get-Recipient" and tgt.process.cmdline contains "-ExpandProperty" and tgt.process.cmdline contains "EmailAddresses" and tgt.process.cmdline contains "SmtpAddress" and tgt.process.cmdline contains "-hidetableheaders"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md index 7656bfa36..74b767920 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Enable-WindowsOptionalFeature" and tgt.process.cmdline contains "-Online" and tgt.process.cmdline contains "-FeatureName") and (tgt.process.cmdline contains "TelnetServer" or tgt.process.cmdline contains "Internet-Explorer-Optional-amd64" or tgt.process.cmdline contains "TFTP" or tgt.process.cmdline contains "SMB1Protocol" or tgt.process.cmdline contains "Client-ProjFS" or tgt.process.cmdline contains "Microsoft-Windows-Subsystem-Linux"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md index 5f3a29a69..6c49b2a02 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -enco" or tgt.process.cmdline contains " -ec ")) and (not (tgt.process.cmdline contains " -Encoding " or (src.process.image.path contains "C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or src.process.image.path contains "\gc_worker.exe"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md index d52da8081..f678ee384 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-Expression " or tgt.process.cmdline contains "Invoke-Command " or tgt.process.cmdline contains "icm ") and (tgt.process.cmdline contains "cat " or tgt.process.cmdline contains "get-content " or tgt.process.cmdline contains "type ") and tgt.process.cmdline contains " -raw")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md index 0106d822a..aca997c3e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Export-PfxCertificate " or tgt.process.cmdline contains "Export-Certificate ")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md index bcdc97ae0..348dcecde 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::FromBase64String(") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md index ba5eb5c0f..526f6de44 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "FromBase64String" and tgt.process.cmdline contains "MemoryStream" and tgt.process.cmdline contains "H4sI")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md index 29e9f647b..cce198ea3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Get-Clipboard") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md index 63ccdaf10..ea3429d11 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-LocalGroupMember " and (tgt.process.cmdline contains "domain admins" or tgt.process.cmdline contains " administrator" or tgt.process.cmdline contains " administrateur" or tgt.process.cmdline contains "enterprise admins" or tgt.process.cmdline contains "Exchange Trusted Subsystem" or tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md index 0827d7595..f3090a8d1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-Process lsas" or tgt.process.cmdline contains "ps lsas" or tgt.process.cmdline contains "gps lsas"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
index 9a425a57a..f0f913e87 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " | iex;" or tgt.process.cmdline contains " | iex " or tgt.process.cmdline contains " | iex}" or tgt.process.cmdline contains " | IEX ;" or tgt.process.cmdline contains " | IEX -Error" or tgt.process.cmdline contains " | IEX (new" or tgt.process.cmdline contains ");IEX ")) and (tgt.process.cmdline contains "::FromBase64String" or tgt.process.cmdline contains ".GetString([System.Convert]::")) or (tgt.process.cmdline contains ")|iex;$" or tgt.process.cmdline contains ");iex($" or tgt.process.cmdline contains ");iex $" or tgt.process.cmdline contains " | IEX | " or tgt.process.cmdline contains " | iex\\"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
index dc8afeaeb..d7c854b62 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Import-Certificate" and tgt.process.cmdline contains " -FilePath " and tgt.process.cmdline contains "Cert:\LocalMachine\Root") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains ":\Windows\TEMP\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
index 4a33cd4e0..e6126716e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Import-Module \"$Env:Temp\" or tgt.process.cmdline contains "Import-Module '$Env:Temp\" or tgt.process.cmdline contains "Import-Module $Env:Temp\" or tgt.process.cmdline contains "Import-Module \"$Env:Appdata\" or tgt.process.cmdline contains "Import-Module '$Env:Appdata\" or tgt.process.cmdline contains "Import-Module $Env:Appdata\" or tgt.process.cmdline contains "Import-Module C:\Users\Public\" or tgt.process.cmdline contains "ipmo \"$Env:Temp\" or tgt.process.cmdline contains "ipmo '$Env:Temp\" or tgt.process.cmdline contains "ipmo $Env:Temp\" or tgt.process.cmdline contains "ipmo \"$Env:Appdata\" or tgt.process.cmdline contains "ipmo '$Env:Appdata\" or tgt.process.cmdline contains "ipmo $Env:Appdata\" or tgt.process.cmdline contains "ipmo C:\Users\Public\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
index 0b8df96bc..3c6f0528d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "[Convert]::FromBase64String") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-noni" and tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-ep" and tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-Enc") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "\software\") or (tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-noprofile" and tgt.process.cmdline contains "-windowstyle" and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "system.net.webclient" and tgt.process.cmdline contains ".download") or (tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object" and tgt.process.cmdline contains "Net.WebClient" and tgt.process.cmdline contains ".Download")) and (not (tgt.process.cmdline contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or tgt.process.cmdline contains "Write-ChocolateyWarning"))))
 ```
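Review bot: The Chocolatey allow-list at the end of this query is a plain substring exclusion over the whole command line, so any process whose cmdline also contains `Write-ChocolateyWarning` or the `community.chocolatey.org/install.ps1` string anywhere (appended after a `;`, or inside a comment or a never-evaluated string) falls out of every branch of the rule, including the `-ep bypass -Enc` and `-nop -w hidden -c ... FromBase64String` branches. An attacker who knows this rule set can therefore bypass it with one extra token. Consider keying the exclusion on the launching process instead (e.g. a `src.process.image.path` or `src.process.cmdline` condition that identifies the Chocolatey installer) rather than on tgt.process.cmdline content, or at least adding a comment such as `// NOTE: cmdline-based exclusion is bypassable by appending the allow-listed string; review before relying on it for alerting`.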
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
index 28fc3d1cb..73a82b0ae 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-MailboxExportRequest" and tgt.process.cmdline contains " -Mailbox " and tgt.process.cmdline contains " -FilePath \\")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
index dd912eea3..8eb8aa8c3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-Exfiltration" or tgt.process.cmdline contains "Add-Persistence" or tgt.process.cmdline contains "Add-RegBackdoor" or tgt.process.cmdline contains "Add-RemoteRegBackdoor" or tgt.process.cmdline contains "Add-ScrnSaveBackdoor" or tgt.process.cmdline contains "Check-VM" or tgt.process.cmdline contains "ConvertTo-Rc4ByteStream" or tgt.process.cmdline contains "Decrypt-Hash" or tgt.process.cmdline contains "Disable-ADIDNSNode" or tgt.process.cmdline contains "Disable-MachineAccount" or tgt.process.cmdline contains "Do-Exfiltration" or tgt.process.cmdline contains "Enable-ADIDNSNode" or tgt.process.cmdline contains "Enable-MachineAccount" or tgt.process.cmdline contains "Enabled-DuplicateToken" or tgt.process.cmdline contains "Exploit-Jboss" or tgt.process.cmdline contains "Export-ADR" or tgt.process.cmdline contains "Export-ADRCSV" or tgt.process.cmdline contains "Export-ADRExcel" or tgt.process.cmdline contains "Export-ADRHTML" or tgt.process.cmdline contains "Export-ADRJSON" or tgt.process.cmdline contains "Export-ADRXML" or tgt.process.cmdline contains "Find-Fruit" or tgt.process.cmdline contains "Find-GPOLocation" or tgt.process.cmdline contains "Find-TrustedDocuments" or tgt.process.cmdline contains "Get-ADIDNS" or tgt.process.cmdline contains "Get-ApplicationHost" or tgt.process.cmdline contains "Get-ChromeDump" or tgt.process.cmdline contains "Get-ClipboardContents" or tgt.process.cmdline contains "Get-FoxDump" or tgt.process.cmdline contains "Get-GPPPassword" or tgt.process.cmdline contains "Get-IndexedItem" or tgt.process.cmdline contains "Get-KerberosAESKey" or tgt.process.cmdline contains "Get-Keystrokes" or tgt.process.cmdline contains "Get-LSASecret" or tgt.process.cmdline contains 
"Get-MachineAccountAttribute" or tgt.process.cmdline contains "Get-MachineAccountCreator" or tgt.process.cmdline contains "Get-PassHashes" or tgt.process.cmdline contains "Get-RegAlwaysInstallElevated" or tgt.process.cmdline contains "Get-RegAutoLogon" or tgt.process.cmdline contains "Get-RemoteBootKey" or tgt.process.cmdline contains "Get-RemoteCachedCredential" or tgt.process.cmdline contains "Get-RemoteLocalAccountHash" or tgt.process.cmdline contains "Get-RemoteLSAKey" or tgt.process.cmdline contains "Get-RemoteMachineAccountHash" or tgt.process.cmdline contains "Get-RemoteNLKMKey" or tgt.process.cmdline contains "Get-RickAstley" or tgt.process.cmdline contains "Get-Screenshot" or tgt.process.cmdline contains "Get-SecurityPackages" or tgt.process.cmdline contains "Get-ServiceFilePermission" or tgt.process.cmdline contains "Get-ServicePermission" or tgt.process.cmdline contains "Get-ServiceUnquoted" or tgt.process.cmdline contains "Get-SiteListPassword" or tgt.process.cmdline contains "Get-System" or tgt.process.cmdline contains "Get-TimedScreenshot" or tgt.process.cmdline contains "Get-UnattendedInstallFile" or tgt.process.cmdline contains "Get-Unconstrained" or tgt.process.cmdline contains "Get-USBKeystrokes" or tgt.process.cmdline contains "Get-VaultCredential" or tgt.process.cmdline contains "Get-VulnAutoRun" or tgt.process.cmdline contains "Get-VulnSchTask" or tgt.process.cmdline contains "Grant-ADIDNSPermission" or tgt.process.cmdline contains "Gupt-Backdoor" or tgt.process.cmdline contains "HTTP-Login" or tgt.process.cmdline contains "Install-ServiceBinary" or tgt.process.cmdline contains "Install-SSP" or tgt.process.cmdline contains "Invoke-ACLScanner" or tgt.process.cmdline contains "Invoke-ADRecon" or tgt.process.cmdline contains "Invoke-ADSBackdoor" or tgt.process.cmdline contains "Invoke-AgentSmith" or tgt.process.cmdline contains "Invoke-AllChecks" or tgt.process.cmdline contains "Invoke-ARPScan" or tgt.process.cmdline contains "Invoke-AzureHound" 
or tgt.process.cmdline contains "Invoke-BackdoorLNK" or tgt.process.cmdline contains "Invoke-BadPotato" or tgt.process.cmdline contains "Invoke-BetterSafetyKatz" or tgt.process.cmdline contains "Invoke-BypassUAC" or tgt.process.cmdline contains "Invoke-Carbuncle" or tgt.process.cmdline contains "Invoke-Certify" or tgt.process.cmdline contains "Invoke-ConPtyShell" or tgt.process.cmdline contains "Invoke-CredentialInjection" or tgt.process.cmdline contains "Invoke-DAFT" or tgt.process.cmdline contains "Invoke-DCSync" or tgt.process.cmdline contains "Invoke-DinvokeKatz" or tgt.process.cmdline contains "Invoke-DllInjection" or tgt.process.cmdline contains "Invoke-DNSUpdate" or tgt.process.cmdline contains "Invoke-DomainPasswordSpray" or tgt.process.cmdline contains "Invoke-DowngradeAccount" or tgt.process.cmdline contains "Invoke-EgressCheck" or tgt.process.cmdline contains "Invoke-Eyewitness" or tgt.process.cmdline contains "Invoke-FakeLogonScreen" or tgt.process.cmdline contains "Invoke-Farmer" or tgt.process.cmdline contains "Invoke-Get-RBCD-Threaded" or tgt.process.cmdline contains "Invoke-Gopher" or tgt.process.cmdline contains "Invoke-Grouper" or tgt.process.cmdline contains "Invoke-HandleKatz" or tgt.process.cmdline contains "Invoke-ImpersonatedProcess" or tgt.process.cmdline contains "Invoke-ImpersonateSystem" or tgt.process.cmdline contains "Invoke-InteractiveSystemPowerShell" or tgt.process.cmdline contains "Invoke-Internalmonologue" or tgt.process.cmdline contains "Invoke-Inveigh" or tgt.process.cmdline contains "Invoke-InveighRelay" or tgt.process.cmdline contains "Invoke-KrbRelay" or tgt.process.cmdline contains "Invoke-LdapSignCheck" or tgt.process.cmdline contains "Invoke-Lockless" or tgt.process.cmdline contains "Invoke-MalSCCM" or tgt.process.cmdline contains "Invoke-Mimikatz" or tgt.process.cmdline contains "Invoke-Mimikittenz" or tgt.process.cmdline contains "Invoke-MITM6" or tgt.process.cmdline contains "Invoke-NanoDump" or tgt.process.cmdline 
contains "Invoke-NetRipper" or tgt.process.cmdline contains "Invoke-Nightmare" or tgt.process.cmdline contains "Invoke-NinjaCopy" or tgt.process.cmdline contains "Invoke-OfficeScrape" or tgt.process.cmdline contains "Invoke-OxidResolver" or tgt.process.cmdline contains "Invoke-P0wnedshell" or tgt.process.cmdline contains "Invoke-Paranoia" or tgt.process.cmdline contains "Invoke-PortScan" or tgt.process.cmdline contains "Invoke-PoshRatHttp" or tgt.process.cmdline contains "Invoke-PostExfil" or tgt.process.cmdline contains "Invoke-PowerDump" or tgt.process.cmdline contains "Invoke-PowerShellTCP" or tgt.process.cmdline contains "Invoke-PowerShellWMI" or tgt.process.cmdline contains "Invoke-PPLDump" or tgt.process.cmdline contains "Invoke-PsExec" or tgt.process.cmdline contains "Invoke-PSInject" or tgt.process.cmdline contains "Invoke-PsUaCme" or tgt.process.cmdline contains "Invoke-ReflectivePEInjection" or tgt.process.cmdline contains "Invoke-ReverseDNSLookup" or tgt.process.cmdline contains "Invoke-Rubeus" or tgt.process.cmdline contains "Invoke-RunAs" or tgt.process.cmdline contains "Invoke-SafetyKatz" or tgt.process.cmdline contains "Invoke-SauronEye" or tgt.process.cmdline contains "Invoke-SCShell" or tgt.process.cmdline contains "Invoke-Seatbelt" or tgt.process.cmdline contains "Invoke-ServiceAbuse" or tgt.process.cmdline contains "Invoke-ShadowSpray" or tgt.process.cmdline contains "Invoke-Sharp" or tgt.process.cmdline contains "Invoke-Shellcode" or tgt.process.cmdline contains "Invoke-SMBScanner" or tgt.process.cmdline contains "Invoke-Snaffler" or tgt.process.cmdline contains "Invoke-Spoolsample" or tgt.process.cmdline contains "Invoke-SpraySinglePassword" or tgt.process.cmdline contains "Invoke-SSHCommand" or tgt.process.cmdline contains "Invoke-StandIn" or tgt.process.cmdline contains "Invoke-StickyNotesExtract" or tgt.process.cmdline contains "Invoke-SystemCommand" or tgt.process.cmdline contains "Invoke-Tasksbackdoor" or tgt.process.cmdline contains 
"Invoke-Tater" or tgt.process.cmdline contains "Invoke-Thunderfox" or tgt.process.cmdline contains "Invoke-ThunderStruck" or tgt.process.cmdline contains "Invoke-TokenManipulation" or tgt.process.cmdline contains "Invoke-Tokenvator" or tgt.process.cmdline contains "Invoke-TotalExec" or tgt.process.cmdline contains "Invoke-UrbanBishop" or tgt.process.cmdline contains "Invoke-UserHunter" or tgt.process.cmdline contains "Invoke-VoiceTroll" or tgt.process.cmdline contains "Invoke-Whisker" or tgt.process.cmdline contains "Invoke-WinEnum" or tgt.process.cmdline contains "Invoke-winPEAS" or tgt.process.cmdline contains "Invoke-WireTap" or tgt.process.cmdline contains "Invoke-WmiCommand" or tgt.process.cmdline contains "Invoke-WMIExec" or tgt.process.cmdline contains "Invoke-WScriptBypassUAC" or tgt.process.cmdline contains "Invoke-Zerologon" or tgt.process.cmdline contains "MailRaider" or tgt.process.cmdline contains "New-ADIDNSNode" or tgt.process.cmdline contains "New-DNSRecordArray" or tgt.process.cmdline contains "New-HoneyHash" or tgt.process.cmdline contains "New-InMemoryModule" or tgt.process.cmdline contains "New-MachineAccount" or tgt.process.cmdline contains "New-SOASerialNumberArray" or tgt.process.cmdline contains "Out-Minidump" or tgt.process.cmdline contains "Port-Scan" or tgt.process.cmdline contains "PowerBreach" or tgt.process.cmdline contains "powercat " or tgt.process.cmdline contains "PowerUp" or tgt.process.cmdline contains "PowerView" or tgt.process.cmdline contains "Remove-ADIDNSNode" or tgt.process.cmdline contains "Remove-MachineAccount" or tgt.process.cmdline contains "Remove-Update" or tgt.process.cmdline contains "Rename-ADIDNSNode" or tgt.process.cmdline contains "Revoke-ADIDNSPermission" or tgt.process.cmdline contains "Set-ADIDNSNode" or tgt.process.cmdline contains "Set-MacAttribute" or tgt.process.cmdline contains "Set-MachineAccountAttribute" or tgt.process.cmdline contains "Set-Wallpaper" or tgt.process.cmdline contains 
"Show-TargetScreen" or tgt.process.cmdline contains "Start-CaptureServer" or tgt.process.cmdline contains "Start-Dnscat2" or tgt.process.cmdline contains "Start-WebcamRecorder" or tgt.process.cmdline contains "VolumeShadowCopyTools"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
index 4d25516fe..4cb99f4b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Install-TransportAgent") | columns AssemblyPath
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
index 189b81968..d2060113b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "(WCHAR)0x")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
index d0f28c6f4..ea4a3f6cd 100644
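Review bot: `| columns AssemblyPath` in the Install-TransportAgent query names a field that does not follow the `tgt.process.*`/`src.process.*` schema every other query in this set uses (compare `| columns tgt.process.cmdline,src.process.cmdline` in the New-MailboxExportRequest and Get-LocalGroupMember rules); it looks like an untranslated Sigma field name carried through by the converter, and presumably yields an error or an empty column in the console. The assembly path is only available here as part of the command line, so `| columns tgt.process.cmdline,src.process.cmdline` would show it while keeping the output consistent with the sibling rules. Since this file is regenerated automatically, the fix belongs in the converter's field mapping rather than in the .md itself.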
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "-f C:\Users\Public" or tgt.process.cmdline contains "-f \"C:\Users\Public" or tgt.process.cmdline contains "-f %Public%" or tgt.process.cmdline contains "-fi C:\Users\Public" or tgt.process.cmdline contains "-fi \"C:\Users\Public" or tgt.process.cmdline contains "-fi %Public%" or tgt.process.cmdline contains "-fil C:\Users\Public" or tgt.process.cmdline contains "-fil \"C:\Users\Public" or tgt.process.cmdline contains "-fil %Public%" or tgt.process.cmdline contains "-file C:\Users\Public" or tgt.process.cmdline contains "-file \"C:\Users\Public" or tgt.process.cmdline contains "-file %Public%"))) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
index 62595d2ff..543f426f5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisableme"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
index c1f081a1f..749c472f2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Remove-MpPreference" and (tgt.process.cmdline contains "-ControlledFolderAccessProtectedFolders " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Ids " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Actions " or tgt.process.cmdline contains "-CheckForSignaturesBeforeRunningScan ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
index f62504dd8..8157af1cb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Get-Content" and tgt.process.cmdline contains "-Stream")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
index 2ecafe309..876abb228 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline matches "\\s-\\s*<"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
index 07a9be587..258dd0821 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\HarddiskVolumeShadowCopy" and tgt.process.cmdline contains "System32\config\sam") and (tgt.process.cmdline contains "Copy-Item" or tgt.process.cmdline contains "cp $_." or tgt.process.cmdline contains "cpi $_." or tgt.process.cmdline contains "copy $_." or tgt.process.cmdline contains ".File]::Copy(")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
index 2e2769e6c..98032cf48 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not tgt.process.image.path contains "\Health Service State\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
index e5b9bb4d8..40b1ae2ab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Get-WmiObject" or tgt.process.cmdline contains "gwmi" or tgt.process.cmdline contains "Get-CimInstance" or tgt.process.cmdline contains "gcim") and tgt.process.cmdline contains "Win32_ShadowCopy" and (tgt.process.cmdline contains ".Delete()" or tgt.process.cmdline contains "Remove-WmiObject" or tgt.process.cmdline contains "rwmi" or tgt.process.cmdline contains "Remove-CimInstance" or tgt.process.cmdline contains "rcim")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
index 1375af525..550d8bf9d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IEX ((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX (New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX(New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains " -command (New-Object System.Net.WebClient).DownloadFile(" or tgt.process.cmdline contains " -c (New-Object System.Net.WebClient).DownloadFile("))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
index 8dc191bce..429fa1c0c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -windowstyle h " or tgt.process.cmdline contains " -windowstyl h" or tgt.process.cmdline contains " -windowsty h" or tgt.process.cmdline contains " -windowst h" or tgt.process.cmdline contains " -windows h" or tgt.process.cmdline contains " -windo h" or tgt.process.cmdline contains " -wind h" or tgt.process.cmdline contains " -win h" or tgt.process.cmdline contains " -wi h" or tgt.process.cmdline contains " -win h " or tgt.process.cmdline contains " -win hi " or tgt.process.cmdline contains " -win hid " or tgt.process.cmdline contains " -win hidd " or tgt.process.cmdline contains " -win hidde " or tgt.process.cmdline contains " -NoPr " or tgt.process.cmdline contains " -NoPro " or tgt.process.cmdline contains " -NoProf " or tgt.process.cmdline contains " -NoProfi " or tgt.process.cmdline contains " -NoProfil " or tgt.process.cmdline contains " -nonin " or tgt.process.cmdline contains " -nonint " or tgt.process.cmdline contains " -noninte " or tgt.process.cmdline contains " -noninter " or tgt.process.cmdline contains " -nonintera " or tgt.process.cmdline contains " -noninterac " or tgt.process.cmdline contains " -noninteract " or tgt.process.cmdline contains " -noninteracti " or tgt.process.cmdline contains " -noninteractiv " or tgt.process.cmdline contains " -ec " or tgt.process.cmdline contains " -encodedComman " or tgt.process.cmdline contains " -encodedComma " or tgt.process.cmdline contains " -encodedComm " or tgt.process.cmdline contains " -encodedCom " or tgt.process.cmdline contains " -encodedCo " or tgt.process.cmdline contains " -encodedC " or tgt.process.cmdline contains " -encoded " or 
tgt.process.cmdline contains " -encode " or tgt.process.cmdline contains " -encod " or tgt.process.cmdline contains " -enco " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -executionpolic " or tgt.process.cmdline contains " -executionpoli " or tgt.process.cmdline contains " -executionpol " or tgt.process.cmdline contains " -executionpo " or tgt.process.cmdline contains " -executionp " or tgt.process.cmdline contains " -execution bypass" or tgt.process.cmdline contains " -executio bypass" or tgt.process.cmdline contains " -executi bypass" or tgt.process.cmdline contains " -execut bypass" or tgt.process.cmdline contains " -execu bypass" or tgt.process.cmdline contains " -exec bypass" or tgt.process.cmdline contains " -exe bypass" or tgt.process.cmdline contains " -ex bypass" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " /windowstyle h " or tgt.process.cmdline contains " /windowstyl h" or tgt.process.cmdline contains " /windowsty h" or tgt.process.cmdline contains " /windowst h" or tgt.process.cmdline contains " /windows h" or tgt.process.cmdline contains " /windo h" or tgt.process.cmdline contains " /wind h" or tgt.process.cmdline contains " /win h" or tgt.process.cmdline contains " /wi h" or tgt.process.cmdline contains " /win h " or tgt.process.cmdline contains " /win hi " or tgt.process.cmdline contains " /win hid " or tgt.process.cmdline contains " /win hidd " or tgt.process.cmdline contains " /win hidde " or tgt.process.cmdline contains " /NoPr " or tgt.process.cmdline contains " /NoPro " or tgt.process.cmdline contains " /NoProf " or tgt.process.cmdline contains " /NoProfi " or tgt.process.cmdline contains " /NoProfil " or tgt.process.cmdline contains " /nonin " or tgt.process.cmdline contains " /nonint " or tgt.process.cmdline contains " /noninte " or tgt.process.cmdline contains " /noninter " or tgt.process.cmdline contains " /nonintera " or tgt.process.cmdline contains " /noninterac " or 
tgt.process.cmdline contains " /noninteract " or tgt.process.cmdline contains " /noninteracti " or tgt.process.cmdline contains " /noninteractiv " or tgt.process.cmdline contains " /ec " or tgt.process.cmdline contains " /encodedComman " or tgt.process.cmdline contains " /encodedComma " or tgt.process.cmdline contains " /encodedComm " or tgt.process.cmdline contains " /encodedCom " or tgt.process.cmdline contains " /encodedCo " or tgt.process.cmdline contains " /encodedC " or tgt.process.cmdline contains " /encoded " or tgt.process.cmdline contains " /encode " or tgt.process.cmdline contains " /encod " or tgt.process.cmdline contains " /enco " or tgt.process.cmdline contains " /en " or tgt.process.cmdline contains " /executionpolic " or tgt.process.cmdline contains " /executionpoli " or tgt.process.cmdline contains " /executionpol " or tgt.process.cmdline contains " /executionpo " or tgt.process.cmdline contains " /executionp " or tgt.process.cmdline contains " /execution bypass" or tgt.process.cmdline contains " /executio bypass" or tgt.process.cmdline contains " /executi bypass" or tgt.process.cmdline contains " /execut bypass" or tgt.process.cmdline contains " /execu bypass" or tgt.process.cmdline contains " /exec bypass" or tgt.process.cmdline contains " /exe bypass" or tgt.process.cmdline contains " /ex bypass" or tgt.process.cmdline contains " /ep bypass"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md index 7ecc318c9..2fa9295a0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "powershell.exe" or tgt.process.cmdline contains "\powershell" or tgt.process.cmdline contains "\pwsh" or tgt.process.cmdline contains "pwsh.exe") and ((tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "\AppData\") and (tgt.process.cmdline contains "Local\" or tgt.process.cmdline contains "Roaming\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md index 35726586e..48c40be6b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".DownloadFile" and tgt.process.cmdline contains "System.Net.WebClient")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md index c4bee728a..cf91c5b87 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline matches "\\w+`(\\w+|-|.)`[\\w+|\\s]" or tgt.process.cmdline matches ""(\\{\\d\\})+"\\s*-f" or tgt.process.cmdline matches "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not tgt.process.cmdline contains "${env:path}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md index 476a1bfa1..bd6e94448 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "X509Enrollment.CBinaryConverter" or tgt.process.cmdline contains "884e2002-217d-11da-b2a4-000e7bbb2b09")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md index a6bf74277..be5ed1838 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath $env:TEMP*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*:\Windows\Temp\*")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md index cef3aba81..acef2202a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\Microsoft.NodejsTools.PressAnyKey.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md index b3bb579e7..fb47707c1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\print.exe" and tgt.process.cmdline contains "print" and (tgt.process.cmdline contains "/D" and tgt.process.cmdline contains ".exe")) and (not tgt.process.cmdline contains "print.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md index 90f32f7b9..ccd8a3139 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and (not ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md index c4ec6919a..c4d498a4b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md index 66e1aa165..a1b1f09a8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Psr.exe" and (tgt.process.cmdline contains "/start" or tgt.process.cmdline contains "-start"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md index 19c1746c1..f828dfadf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\3proxy.exe" or tgt.process.displayName="3proxy - tiny proxy server" or tgt.process.cmdline contains ".exe -i127.0.0.1 -p")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md index 756f00a17..cf342df04 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lockoutduration" or tgt.process.cmdline contains "lockoutthreshold" or tgt.process.cmdline contains "lockoutobservationwindow" or tgt.process.cmdline contains "maxpwdage" or tgt.process.cmdline contains "minpwdage" or tgt.process.cmdline contains "minpwdlength" or tgt.process.cmdline contains "pwdhistorylength" or tgt.process.cmdline contains "pwdproperties") or tgt.process.cmdline contains "-sc admincountdmp" or tgt.process.cmdline contains "-sc exchaddresses")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md index f1daa3df7..0e75703e0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "domainlist" or tgt.process.cmdline contains "trustdmp" or tgt.process.cmdline contains "dcmodes" or tgt.process.cmdline contains "adinfo" or tgt.process.cmdline contains " dclist " or tgt.process.cmdline contains "computer_pwdnotreqd" or tgt.process.cmdline contains "objectcategory=" or tgt.process.cmdline contains "-subnets -f" or tgt.process.cmdline contains "name=\"Domain Admins\"" or tgt.process.cmdline contains "-sc u:" or tgt.process.cmdline contains "domainncs" or tgt.process.cmdline contains "dompol" or tgt.process.cmdline contains " oudmp " or tgt.process.cmdline contains "subnetdmp" or tgt.process.cmdline contains "gpodmp" or tgt.process.cmdline contains "fspdmp" or tgt.process.cmdline contains "users_noexpire" or tgt.process.cmdline contains "computers_active" or tgt.process.cmdline contains "computers_pwdnotreqd")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md index 3af006e3a..437aeda98 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/EXEFilename" or tgt.process.cmdline contains "/CommandLine") and ((tgt.process.cmdline contains " /RunAs 8 " or tgt.process.cmdline contains " /RunAs 4 " or tgt.process.cmdline contains " /RunAs 10 " or tgt.process.cmdline contains " /RunAs 11 ") or (tgt.process.cmdline contains "/RunAs 8" or tgt.process.cmdline contains "/RunAs 4" or tgt.process.cmdline contains "/RunAs 10" or tgt.process.cmdline contains "/RunAs 11")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md index d8bdd3159..455d128b9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chisel.exe" or ((tgt.process.cmdline contains "exe client " or tgt.process.cmdline contains "exe server ") and (tgt.process.cmdline contains "-socks5" or tgt.process.cmdline contains "-reverse" or tgt.process.cmdline contains " r:" or tgt.process.cmdline contains ":127.0.0.1:" or tgt.process.cmdline contains "-tls-skip-verify " or tgt.process.cmdline contains ":socks")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md index f73671a99..72cdd6045 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SepRemovalToolNative_x64.exe" or (tgt.process.image.path contains "\CATClean.exe" and tgt.process.cmdline contains "--uninstall") or (tgt.process.image.path contains "\NetInstaller.exe" and tgt.process.cmdline contains "-r") or (tgt.process.image.path contains "\WFPUnins.exe" and (tgt.process.cmdline contains "/uninstall" and tgt.process.cmdline contains "/enterprise")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md index 00e9870b2..afe60f5c8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csexec.exe" or tgt.process.displayName="csexec")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md index 88509fdfa..e93864d5b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DefenderCheck.exe" or tgt.process.displayName="DefenderCheck")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md index 0c0af5dc4..a7519a2d0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ditsnap.exe" or tgt.process.cmdline contains "ditsnap.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md index 1f7f8d6cb..aeffdfa3b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName contains "Mouse Lock" or tgt.process.publisher contains "Misc314" or tgt.process.cmdline contains "Mouse Lock_")) | columns tgt.process.displayName,tgt.process.publisher,tgt.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md index d79e18bc4..a10753ca6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\nc.exe" or tgt.process.image.path contains "\ncat.exe" or tgt.process.image.path contains "\netcat.exe") or (tgt.process.cmdline contains " -lvp " or tgt.process.cmdline contains " -lvnp" or tgt.process.cmdline contains " -l -v -p " or tgt.process.cmdline contains " -lv -p " or tgt.process.cmdline contains " -l --proxy-type http " or tgt.process.cmdline contains " -vnl --exec " or tgt.process.cmdline contains " -vnl -e " or tgt.process.cmdline contains " --lua-exec " or tgt.process.cmdline contains " --sh-exec "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md index 58f2f62a1..96721f7b3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\netscan.exe" or tgt.process.displayName="Network Scanner" or tgt.process.displayName="Application for scanning networks")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md index f835473c3..e27799f92 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tcp 139" or tgt.process.cmdline contains " tcp 445" or tgt.process.cmdline contains " tcp 3389" or tgt.process.cmdline contains " tcp 5985" or tgt.process.cmdline contains " tcp 5986") or (tgt.process.cmdline contains " start " and tgt.process.cmdline contains "--all" and tgt.process.cmdline contains "--config" and tgt.process.cmdline contains ".yml") or (tgt.process.image.path contains "ngrok.exe" and (tgt.process.cmdline contains " tcp " or tgt.process.cmdline contains " http " or tgt.process.cmdline contains " authtoken ")) or (tgt.process.cmdline contains ".exe authtoken " or tgt.process.cmdline contains ".exe start --all"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md index bb603599a..168dc5d25 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " runassystem ") | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md index c92775336..41e55c0e0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rcedit-x64.exe" or tgt.process.image.path contains "\rcedit-x86.exe") or tgt.process.displayName="Edit resources of exe" or tgt.process.displayName="rcedit") and tgt.process.cmdline contains "--set-" and (tgt.process.cmdline contains "OriginalFileName" or tgt.process.cmdline contains "CompanyName" or tgt.process.cmdline contains "FileDescription" or tgt.process.cmdline contains "ProductName" or tgt.process.cmdline contains "ProductVersion" or tgt.process.cmdline contains "LegalCopyright"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md index 067ffaf31..1b10f5e34 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "--config " and tgt.process.cmdline contains "--no-check-certificate " and tgt.process.cmdline contains " copy ") or ((tgt.process.image.path contains "\rclone.exe" or tgt.process.displayName="Rsync for cloud storage") and (tgt.process.cmdline contains "pass" or tgt.process.cmdline contains "user" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "sync" or tgt.process.cmdline contains "config" or tgt.process.cmdline contains "lsd" or tgt.process.cmdline contains "remote" or tgt.process.cmdline contains "ls" or tgt.process.cmdline contains "mega" or tgt.process.cmdline contains "pcloud" or tgt.process.cmdline contains "ftp" or tgt.process.cmdline contains "ignore-existing" or tgt.process.cmdline contains "auto-confirm" or tgt.process.cmdline contains "transfers" or tgt.process.cmdline contains "multi-thread-streams" or tgt.process.cmdline contains "no-check-certificate ")))) | columns tgt.process.cmdline,src.process.cmdline,Details ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md index a9460be30..35dd01030 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /account=system " or tgt.process.cmdline contains " /account=ti ") and tgt.process.cmdline contains "/exec=")) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md index 46ea4d2ab..6cc9c93bf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Web Browser Password Viewer" or tgt.process.image.path contains "\WebBrowserPassView.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md index cb3b82e46..44ad9af0f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\python.exe" and tgt.process.cmdline contains "adidnsdump")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md index c2e61f8d7..97bc5a139 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "python.exe" or tgt.process.image.path contains "python3.exe" or tgt.process.image.path contains "python2.exe") and ((tgt.process.cmdline contains "import pty" and tgt.process.cmdline contains ".spawn(") or tgt.process.cmdline contains "from pty import spawn"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md index 49a000302..ce3c18a16 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-m 1M" or tgt.process.cmdline contains "-m 2M" or tgt.process.cmdline contains "-m 3M") and (tgt.process.cmdline contains "restrict=off" and tgt.process.cmdline contains "-netdev " and tgt.process.cmdline contains "connect=" and tgt.process.cmdline contains "-nographic")) and (not (tgt.process.cmdline contains " -cdrom " or tgt.process.cmdline contains " type=virt " or tgt.process.cmdline contains " -blockdev ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md index 62b3f2e6f..ba2bd5a57 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains ":\Windows\System32\query.exe" and (tgt.process.cmdline contains "session >" or tgt.process.cmdline contains "process >"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_quickassist_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_quickassist_execution.md index 265fb1aa0..674fdd242 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_quickassist_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_quickassist_execution.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\QuickAssist.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md
index e4c8dc9e2..f4336caab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rar.exe" and tgt.process.cmdline contains " a "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md
index 01daff8af..20ae017de 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -hp" and (tgt.process.cmdline contains " -m" or tgt.process.cmdline contains " a ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md
index d683f3d9a..f9211a95e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.displayName="Command line RAR") or (tgt.process.cmdline contains ".exe a " or tgt.process.cmdline contains " a -m")) and ((tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " -r ") and (tgt.process.cmdline="* *:\\*.*" or tgt.process.cmdline="* *:\\\*.*" or tgt.process.cmdline="* *:\$Recycle.bin\*" or tgt.process.cmdline="* *:\PerfLogs\*" or tgt.process.cmdline="* *:\Temp*" or tgt.process.cmdline="* *:\Users\Public\*" or tgt.process.cmdline="* *:\Windows\*" or tgt.process.cmdline contains " %public%"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
index 14a38cd8e..3a9866862 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "rasdial.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
index 8d4c2692c..03ee54bb1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains " ADD " and tgt.process.cmdline contains "Software\Microsoft\Windows\CurrentVersion\Run"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
index 4d7e847a8..e22cc5188 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "REG" and tgt.process.cmdline contains "ADD" and tgt.process.cmdline contains "\SOFTWARE\Policies\Microsoft\FVE" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/f") and (tgt.process.cmdline contains "EnableBDEWithNoTPM" or tgt.process.cmdline contains "UseAdvancedStartup" or tgt.process.cmdline contains "UseTPM" or tgt.process.cmdline contains "UseTPMKey" or tgt.process.cmdline contains "UseTPMKeyPIN" or tgt.process.cmdline contains "RecoveryKeyMessageSource" or tgt.process.cmdline contains "UseTPMPIN" or tgt.process.cmdline contains "RecoveryKeyMessage")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
index 43b185c30..0a068b956 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "scecli\0" and tgt.process.cmdline contains "reg add"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
index 130dcf007..a24286657 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" or tgt.process.cmdline contains "SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths") and (tgt.process.cmdline contains "ADD " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_DWORD " and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "0")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
index 561be0375..22ec97ac0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and tgt.process.cmdline contains "add") and (tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Windows" or tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" or tgt.process.cmdline contains "\system\CurrentControlSet\Control\SafeBoot\AlternateShell"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
index 267eb1ac0..40771fee3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add") and ((tgt.process.cmdline contains "d 4" and tgt.process.cmdline contains "v Start") and (tgt.process.cmdline contains "\AppIDSvc" or tgt.process.cmdline contains "\MsMpSvc" or tgt.process.cmdline contains "\NisSrv" or tgt.process.cmdline contains "\SecurityHealthService" or tgt.process.cmdline contains "\Sense" or tgt.process.cmdline contains "\UsoSvc" or tgt.process.cmdline contains "\WdBoot" or tgt.process.cmdline contains "\WdFilter" or tgt.process.cmdline contains "\WdNisDrv" or tgt.process.cmdline contains "\WdNisSvc" or tgt.process.cmdline contains "\WinDefend" or tgt.process.cmdline contains "\wscsvc" or tgt.process.cmdline contains "\wuauserv"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
index 7c6329bd3..4143500bc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains " query " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_SZ" and tgt.process.cmdline contains "/s")) and ((tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKLM") or (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKCU") or tgt.process.cmdline contains "HKCU\Software\SimonTatham\PuTTY\Sessions")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
index 858c16fa2..0a3a42550 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa\" and tgt.process.cmdline contains "DisableRestrictedAdmin"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
index e3c5951e6..58cd2f4e2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Cryptography" and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "MachineGuid")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
index 8a25938fe..f2273102d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "NoLMHash" and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
index 683d8665a..8de5c38e6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/ve " and tgt.process.cmdline contains "/d") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "DelegateExecute") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
index 2c1b6445b..40057d420 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "HKEY_CURRENT_USER\Control Panel\Desktop" or tgt.process.cmdline contains "HKCU\Control Panel\Desktop")) and ((tgt.process.cmdline contains "/v ScreenSaveActive" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 1" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaveTimeout" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaverIsSecure" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 0" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v SCRNSAVE.EXE" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains ".scr" and tgt.process.cmdline contains "/f"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
index fcc364831..59b4239c5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "add " and tgt.process.cmdline contains "SYSTEM\CurrentControlSet\Services\" and tgt.process.cmdline contains " ImagePath ")) and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " –d " or tgt.process.cmdline contains " —d " or tgt.process.cmdline contains " ―d ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
index fc66b1e3a..e8f568f51 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "query" and tgt.process.cmdline contains "\software\" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "svcversion")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
index 8faff642e..f430536cf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Services\VSS\Diag" and tgt.process.cmdline contains "/d Disabled"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
index 10c97c04c..c6b75d4c2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control" and tgt.process.cmdline contains "Write Protection" and tgt.process.cmdline contains "0" and tgt.process.cmdline contains "storage"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
index 124601f44..0e8f6bed3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\regedit.exe" and (src.process.image.path contains "\TrustedInstaller.exe" or src.process.image.path contains "\ProcessHacker.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
index cdbf6a08c..f58f16991 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\register-cimprovider.exe" and (tgt.process.cmdline contains "-path" and tgt.process.cmdline contains "dll"))) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
index 4342451d6..b2234c1de 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\Sessions" or tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\SshHostKeys\" or tgt.process.cmdline contains "\Software\Mobatek\MobaXterm\" or tgt.process.cmdline contains "\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin" or tgt.process.cmdline contains "\Software\Aerofox\FoxmailPreview" or tgt.process.cmdline contains "\Software\Aerofox\Foxmail\V3.1" or tgt.process.cmdline contains "\Software\IncrediMail\Identities" or tgt.process.cmdline contains "\Software\Qualcomm\Eudora\CommandLine" or tgt.process.cmdline contains "\Software\RimArts\B2\Settings" or tgt.process.cmdline contains "\Software\OpenVPN-GUI\configs" or tgt.process.cmdline contains "\Software\Martin Prikryl\WinSCP 2\Sessions" or tgt.process.cmdline contains "\Software\FTPWare\COREFTP\Sites" or tgt.process.cmdline contains "\Software\DownloadManager\Passwords" or tgt.process.cmdline contains "\Software\OpenSSH\Agent\Keys" or tgt.process.cmdline contains "\Software\TightVNC\Server" or tgt.process.cmdline contains "\Software\ORL\WinVNC3\Password" or tgt.process.cmdline contains "\Software\RealVNC\WinVNC4"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
index 8136ea66a..7f905a175 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" and tgt.process.cmdline contains "http" and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
index 0ac51334e..251c25d4a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\CurrentVersion\Image File Execution Options\" and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "magnify.exe" or tgt.process.cmdline contains "narrator.exe" or tgt.process.cmdline contains "displayswitch.exe" or tgt.process.cmdline contains "atbroker.exe" or tgt.process.cmdline contains "HelpPane.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
index dbb60363a..8483d4827 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "UserInitMprLogonScript")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
index 37f8921cc..8bde000ec 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Services\" and tgt.process.cmdline contains "\NetworkProvider"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
index 884a0760d..d94f1e7ef 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Office\" and tgt.process.cmdline contains "\Excel\Security" and tgt.process.cmdline contains "PythonFunctionWarnings") and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
index 85c85dba5..8812158c7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("Medium","S-1-16-8192")) and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "services") and (tgt.process.cmdline contains "\ImagePath" or tgt.process.cmdline contains "\FailureCommand" or tgt.process.cmdline contains "\ServiceDll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
index e5fa6a9f5..d2455c6d5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SOFTWARE\Microsoft\Provisioning\Commands\")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
index 8991c71c8..2ab337ded 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\ShellIds\Microsoft.PowerShell\ExecutionPolicy" or tgt.process.cmdline contains "\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy") and (tgt.process.cmdline contains "Bypass" or tgt.process.cmdline contains "RemoteSigned" or tgt.process.cmdline contains "Unrestricted")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
index dac12004b..55895a05a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/d 0")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
index 56707a90c..ed82f0755 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
index ab28e0712..b071df892 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\regsvr32.exe" and (tgt.process.cmdline contains " -i:" or tgt.process.cmdline contains " /i:" or tgt.process.cmdline contains " –i:" or tgt.process.cmdline contains " —i:" or tgt.process.cmdline contains " ―i:")) and (not tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md index 02c4e8a65..59f213e73 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\regsvr32.exe" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\werfault.exe" and tgt.process.cmdline contains " -u -p ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md index cabe20d63..cd4553fd5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell_ise.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\wscript.exe") and tgt.process.image.path contains "\regsvr32.exe") and (not (src.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains " /s C:\Windows\System32\RpcProxy\RpcProxy.dll")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md index a51a86b7d..c7bd06b02 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md index e6cc96b71..24c397203 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "echo " and tgt.process.cmdline contains ".exe --set-password")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md index d56933744..76f5a3d0d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--install" and tgt.process.cmdline contains "--start-with-win" and tgt.process.cmdline contains "--silent")) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md index 54f19a3a9..4e9735423 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH") and (not (tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "Program Files (x86)\AnyDesk" or tgt.process.image.path contains "Program Files\AnyDesk")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md index 6d9c519b3..6220d1f50 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="GoTo Opener" or tgt.process.displayName="GoTo Opener" or tgt.process.publisher="LogMeIn, Inc.")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md index a231ac060..474df1ec1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="LMIGuardianSvc" or tgt.process.displayName="LMIGuardianSvc" or tgt.process.publisher="LogMeIn, Inc.")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md index 8a0bddf24..cf9814e61 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\meshagent.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md index 0cea91c5a..e5ed86d01 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe") or tgt.process.displayName="Remote Utilities") and (not (tgt.process.image.path contains "C:\Program Files\Remote Utilities" or tgt.process.image.path contains "C:\Program Files (x86)\Remote Utilities")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md index 7d3a97d2d..b8f57398f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="ScreenConnect Service" or tgt.process.displayName="ScreenConnect" or tgt.process.publisher="ScreenConnect Software")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md index 111f79672..e05d9f9f5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "e=Access&" and tgt.process.cmdline contains "y=Guest&" and tgt.process.cmdline contains "&p=" and tgt.process.cmdline contains "&c=" and tgt.process.cmdline contains "&k=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md index 3e1fd73d9..714d64c85 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains ":\Windows\TEMP\ScreenConnect\" and src.process.cmdline contains "run.cmd") and (tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wevtutil.exe"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md index e061e0a03..e72121941 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\ScreenConnect.Service.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md index f325084cf..1289d9fb7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\JWrapper-Remote Access\" or tgt.process.image.path contains "\JWrapper-Remote Support\") and tgt.process.image.path contains "\SimpleService.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md index eeebd16a5..0305fe023 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="TeamViewer_Desktop.exe" and src.process.image.path="TeamViewer_Service.exe" and tgt.process.cmdline contains "TeamViewer_Desktop.exe --IPCport 5939 --Module 1")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md index ff990cd92..0cf5cf599 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "time") or (tgt.process.image.path contains "\w32tm.exe" and tgt.process.cmdline contains "tz"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md index 0ef10210f..f541fbd36 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName in ("Java Update Scheduler","Java(TM) Update Scheduler")) and (not tgt.process.image.path contains "\jusched.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md index a7b80c782..eec769369 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "DllRegisterServer" and (not tgt.process.image.path contains "\rundll32.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md index 5d55142d1..2e47ad435 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Remote Utilities" and (not (tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md index eff651fbe..01492ffb1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rpcping.exe" and (tgt.process.cmdline contains "-s" or tgt.process.cmdline contains "/s" or tgt.process.cmdline contains "–s" or tgt.process.cmdline contains "—s" or tgt.process.cmdline contains "―s") and (((tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u") and (tgt.process.cmdline contains "NTLM")) or ((tgt.process.cmdline contains "-t" or tgt.process.cmdline contains "/t" or tgt.process.cmdline contains "–t" or tgt.process.cmdline contains "—t" or tgt.process.cmdline contains "―t") and (tgt.process.cmdline contains "ncacn_np"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md index b2fcf4637..7f529ea7d 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains "Execute" and tgt.process.cmdline contains "RegRead" and tgt.process.cmdline contains "window.close")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md index 006d337e6..ac83a6d06 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\..\" and tgt.process.cmdline contains "mshtml") and (tgt.process.cmdline contains "#135" or tgt.process.cmdline contains "RunHTMLApplication"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md index c8a74704f..9e6b36a49 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\rundll32.exe" or tgt.process.cmdline contains "\rundll32.exe\"" or tgt.process.cmdline contains "\rundll32") and (not (src.process.image.path contains "\AppData\Local\" or src.process.image.path contains "\Microsoft\Edge\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md index cceff0d5a..f4186ff63 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\RECYCLER\" or tgt.process.image.path contains ":\SystemVolumeInformation\") or (tgt.process.image.path contains "C:\Windows\Tasks\" or tgt.process.image.path contains "C:\Windows\debug\" or tgt.process.image.path contains "C:\Windows\fonts\" or tgt.process.image.path contains "C:\Windows\help\" or tgt.process.image.path contains "C:\Windows\drivers\" or tgt.process.image.path contains "C:\Windows\addins\" or tgt.process.image.path contains "C:\Windows\cursors\" or tgt.process.image.path contains "C:\Windows\system32\tasks\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md index a997ca0d7..3ec4d3b45 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\runonce.exe" and src.process.image.path contains "\rundll32.exe" and (src.process.cmdline contains "setupapi.dll" and src.process.cmdline contains "InstallHinfSection"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md index 03e6860d4..9c9042093 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\rundll32.exe" and tgt.process.image.path contains "\explorer.exe") and (not src.process.cmdline contains "\shell32.dll,Control_RunDLL"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md index 0e77a0199..cd4fb84ce 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "javascript:" and tgt.process.cmdline contains ".RegisterXLL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURLA") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "FileProtocolHandler") or (tgt.process.cmdline contains "zipfldr.dll" and tgt.process.cmdline contains "RouteTheCall") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "Control_RunDLL") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "ShellExec_RunDLL") or (tgt.process.cmdline contains "mshtml.dll" and tgt.process.cmdline contains "PrintHTML") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieframe.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "shdocvw.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "syssetup.dll" and tgt.process.cmdline contains "SetupInfObjectInstallAction") or (tgt.process.cmdline contains "setupapi.dll" and tgt.process.cmdline contains "InstallHinfSection") or (tgt.process.cmdline contains "pcwutl.dll" and tgt.process.cmdline contains "LaunchApplication") or (tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbApplication") or 
(tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbShortcut") or (tgt.process.cmdline contains "scrobj.dll" and tgt.process.cmdline contains "GenerateTypeLib" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "shimgvw.dll" and tgt.process.cmdline contains "ImageView_Fullscreen" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "comsvcs.dll" and tgt.process.cmdline contains "MiniDump")) and (not (tgt.process.cmdline contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (src.process.image.path="C:\Windows\System32\control.exe" and src.process.cmdline contains ".cpl" and (tgt.process.cmdline contains "Shell32.dll" and tgt.process.cmdline contains "Control_RunDLL" and tgt.process.cmdline contains ".cpl")) or (src.process.image.path="C:\Windows\System32\control.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\Windows\System32\" and tgt.process.cmdline contains ".cpl\","))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md index 00df6d7a4..3c195afc1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ShellExec_RunDLL" and (tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "comspec" or tgt.process.cmdline contains "iex" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "msiexec" or tgt.process.cmdline contains "odbcconf" or tgt.process.cmdline contains "regsvr32"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.md index 0361e2645..23ae0ae61 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains "SHELL32.DLL" and (src.process.cmdline contains "#568" or src.process.cmdline contains "#570" or src.process.cmdline contains "#572" or src.process.cmdline contains "#576")) and (((src.process.cmdline contains "comspec" or src.process.cmdline contains "iex" or src.process.cmdline contains "Invoke-" or src.process.cmdline contains "msiexec" or src.process.cmdline contains "odbcconf" or src.process.cmdline contains "regsvr32") or (src.process.cmdline contains "\Desktop\" or src.process.cmdline contains "\ProgramData\" or src.process.cmdline contains "\Temp\" or src.process.cmdline contains "\Users\Public\")) or (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\msxsl.exe" or tgt.process.image.path contains "\odbcconf.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
index 0f4c62a73..1a919e335 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "apphelp.dll") and (tgt.process.cmdline contains "ShimFlushCache" or tgt.process.cmdline contains "#250")) or ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "kernel32.dll") and (tgt.process.cmdline contains "BaseFlushAppcompatCache" or tgt.process.cmdline contains "#46")))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
index fc39e4e9d..582dfa7ad 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and (tgt.process.cmdline contains ".sys," or tgt.process.cmdline contains ".sys ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
index adc939314..50c43be51 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\svchost.exe" and src.process.cmdline contains "-s WebClient" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "C:\windows\system32\davclnt.dll,DavSetCookie" and tgt.process.cmdline matches "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") and (not (tgt.process.cmdline contains "://10." or tgt.process.cmdline contains "://192.168." or tgt.process.cmdline contains "://172.16." or tgt.process.cmdline contains "://172.17." or tgt.process.cmdline contains "://172.18." or tgt.process.cmdline contains "://172.19." or tgt.process.cmdline contains "://172.20." or tgt.process.cmdline contains "://172.21." or tgt.process.cmdline contains "://172.22." or tgt.process.cmdline contains "://172.23." or tgt.process.cmdline contains "://172.24." or tgt.process.cmdline contains "://172.25." or tgt.process.cmdline contains "://172.26." or tgt.process.cmdline contains "://172.27." or tgt.process.cmdline contains "://172.28." or tgt.process.cmdline contains "://172.29." or tgt.process.cmdline contains "://172.30." or tgt.process.cmdline contains "://172.31." or tgt.process.cmdline contains "://127." or tgt.process.cmdline contains "://169.254."))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md
index c8d4248ac..74d533383 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline in ("rundll32.exe","rundll32"))) | columns ComputerName,SubjectUserName,tgt.process.cmdline,tgt.process.image.path,src.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md
index cf1751678..ade8c4411 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\runonce.exe" or tgt.process.displayName="Run Once Wrapper") and (tgt.process.cmdline contains "/AlternateShellStartup" or tgt.process.cmdline contains "/r")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md
index 9ccb22578..559deb8c0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sc.exe" and (tgt.process.integrityLevel in ("Medium","S-1-16-8192"))) and ((tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") or (tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md
index 16e5d45af..4419090b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md
index e225f71cd..93c957b1f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" or tgt.process.cmdline contains "config") and (tgt.process.cmdline contains "binPath" and tgt.process.cmdline contains "type" and tgt.process.cmdline contains "kernel")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md
index 8a1961c9f..d1e3aa220 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md
index 5e0dd8c52..fbd61e606 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "config " and tgt.process.cmdline contains "binpath=") or (tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command=")) or (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "FailureCommand") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "ImagePath")) and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin$" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh$" or tgt.process.cmdline contains ".reg$" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md
index f6827f2c3..04b8cf0be 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "/RU" and tgt.process.cmdline contains "/TR" and tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\") and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "TeamViewer_.exe") and tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/TN TVInstallRestore"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md
index 4c2136180..517a749a9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /Change " and tgt.process.cmdline contains " /TN ")) and (tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\WINDOWS\Temp\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Perflogs\" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%") and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "bash.exe" or tgt.process.cmdline contains "bash " or tgt.process.cmdline contains "scrcons" or tgt.process.cmdline contains "wmic " or tgt.process.cmdline contains "wmic.exe" or tgt.process.cmdline contains "forfiles" or tgt.process.cmdline contains "scriptrunner" or tgt.process.cmdline contains "hh.exe" or tgt.process.cmdline contains "hh ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md
index 8f936d0c3..a9cac186a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (not (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md
index d0d7863fc..1aba4ffa4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /create " and tgt.process.cmdline contains " /sc once " and tgt.process.cmdline contains "\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md
index aa89916a9..af6326956 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "/tn") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md
index 9475c78af..641e4c966 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /delete " and tgt.process.cmdline contains "/tn \*" and tgt.process.cmdline contains " /f")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md
index e04c7a51f..2cf17a29f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Change" and tgt.process.cmdline contains "/TN" and tgt.process.cmdline contains "/disable") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md
index 01c7fb4fd..110f9bb88 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Users\All Users\" or tgt.process.cmdline contains ":\Users\Default\" or tgt.process.cmdline contains ":\Users\Public" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%")) or (src.process.cmdline contains "\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\Users\Public" or tgt.process.cmdline contains "%Public%"))) and (not ((src.process.cmdline contains "unattended.ini" or tgt.process.cmdline contains "update_task.xml") or tgt.process.cmdline contains "/Create /TN TVInstallRestore /TR" or (tgt.process.cmdline contains "/Create /Xml \"C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\.CR." 
and tgt.process.cmdline contains "Avira_Security_Installation.xml") or ((tgt.process.cmdline contains "/Create /F /TN" and tgt.process.cmdline contains "/Xml " and tgt.process.cmdline contains "\AppData\Local\Temp\is-" and tgt.process.cmdline contains "Avira_") and (tgt.process.cmdline contains ".tmp\UpdateFallbackTask.xml" or tgt.process.cmdline contains ".tmp\WatchdogServiceControlManagerTimeout.xml" or tgt.process.cmdline contains ".tmp\SystrayAutostart.xml" or tgt.process.cmdline contains ".tmp\MaintenanceTask.xml")) or (tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "/Create /TN \"klcp_update\" /XML " and tgt.process.cmdline contains "\klcp_update_task.xml")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md
index eba74ae6a..009c2eddb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (tgt.process.cmdline contains "/TN \"{" or tgt.process.cmdline contains "/TN '{" or tgt.process.cmdline contains "/TN {") and (tgt.process.cmdline contains "}\"" or tgt.process.cmdline contains "}'" or tgt.process.cmdline contains "} ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md
index 2bafdff47..086d412e5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\WINDOWS\System32\svchost.exe" and (src.process.cmdline contains "-k netsvcs" and src.process.cmdline contains "-s Schedule") and (tgt.process.cmdline contains " -windowstyle hidden" or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " -noni")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md
index 3ac6d317f..a01db8aa4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (((tgt.process.cmdline contains "/sc minute " or tgt.process.cmdline contains "/ru system ") and (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r ")) or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -w hidden " or tgt.process.cmdline contains " bypass " or tgt.process.cmdline contains " IEX" or tgt.process.cmdline contains ".DownloadData" or tgt.process.cmdline contains ".DownloadFile" or tgt.process.cmdline contains ".DownloadString" or tgt.process.cmdline contains "/c start /min " or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "mshta http" or tgt.process.cmdline contains "mshta.exe http") or ((tgt.process.cmdline contains ":\ProgramData\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%") and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "curl" or tgt.process.cmdline contains "wscript")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md
index b74bf5f45..e48709819 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /change " or tgt.process.cmdline contains " /create ")) and tgt.process.cmdline contains "/ru " and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/TN TVInstallRestore" and tgt.process.cmdline contains "\TeamViewer_.exe")) or (tgt.process.cmdline contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or tgt.process.cmdline contains ":\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe" or tgt.process.cmdline contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md
index fd7a3085c..fd6d7578a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\scrcons.exe" and (tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\msbuild.exe"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md
index d9b5dd634..6bac310f0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\sdclt.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md
index bb0286a52..81a9b41cc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sdiagnhost.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\taskkill.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\calc.exe")) and (not ((tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "bits") or (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "-noprofile -" or tgt.process.cmdline contains "-noprofile"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md
index 7b20fea20..853a3fef1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Serv-U.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md
index 7603c9f72..1ec6d79f2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\setres.exe" and tgt.process.image.path contains "\choice") and (not (tgt.process.image.path contains "C:\Windows\System32\choice.exe" or tgt.process.image.path contains "C:\Windows\SysWOW64\choice.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setup16_custom_lst_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setup16_custom_lst_execution.md
index 8b767dd57..ff7b27ea6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setup16_custom_lst_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setup16_custom_lst_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path="C:\Windows\SysWOW64\setup16.exe" and src.process.cmdline contains " -m ") and (not tgt.process.image.path contains "C:\~MSSETUP.T\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md
index 479ff310b..2f81dfb77 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and (tgt.process.cmdline contains "/r " or tgt.process.cmdline contains "/s ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md
index cd3d15ec4..7f78b6394 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and tgt.process.cmdline contains "/l"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md
index d42b9324e..90d05399b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\sigverif.exe" and (not (tgt.process.image.path in ("C:\Windows\System32\WerFault.exe","C:\Windows\SysWOW64\WerFault.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
index 12f6c61d2..8b82fe6ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\SndVol.exe" and (not (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains " shell32.dll,Control_RunDLL "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
index 4d074d91a..c4fde1f9a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SoundRecorder.exe" and tgt.process.cmdline contains "/FILE"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
index b50438968..35664f2cc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\splwow64.exe" and tgt.process.cmdline contains "splwow64.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
index 4726b7554..605c58a58 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "VeeamBackup" and tgt.process.cmdline contains "From ")) and (tgt.process.cmdline contains "BackupRepositories" or tgt.process.cmdline contains "Backups" or tgt.process.cmdline contains "Credentials" or tgt.process.cmdline contains "HostCreds" or tgt.process.cmdline contains "SmbFileShares" or tgt.process.cmdline contains "Ssh_creds" or tgt.process.cmdline contains "VSphereInfo")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
index 902a33eec..8a0a73911 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "SELECT" and tgt.process.cmdline contains "TOP" and tgt.process.cmdline contains "[VeeamBackup].[dbo].[Credentials]")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
index eaba8e018..0eb38fd45 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "\User Data\" or tgt.process.cmdline contains "\Opera Software\" or tgt.process.cmdline contains "\ChromiumViewer\") and (tgt.process.cmdline contains "Login Data" or tgt.process.cmdline contains "Cookies" or tgt.process.cmdline contains "Web Data" or tgt.process.cmdline contains "History" or tgt.process.cmdline contains "Bookmarks")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
index cc23fb7e9..0c3398d04 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "cookies.sqlite" or tgt.process.cmdline contains "places.sqlite")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
index 3d0a8d149..1b3ff214f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains " --download " or tgt.process.cmdline contains " --update " or tgt.process.cmdline contains " --updateRollback=") and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
index 0d9a7ac1f..9ab74ea29 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--processStartAndWait" or tgt.process.cmdline contains "--createShortcut")) and (not ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Discord\Update.exe" and tgt.process.cmdline contains " --processStart" and tgt.process.cmdline contains "Discord.exe") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\GitHubDesktop\Update.exe" and tgt.process.cmdline contains "GitHubDesktop.exe") and (tgt.process.cmdline contains "--createShortcut" or tgt.process.cmdline contains "--processStartAndWait")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Microsoft\Teams\Update.exe" and tgt.process.cmdline contains "Teams.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\yammerdesktop\Update.exe" and tgt.process.cmdline contains "Yammer.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
index 91c7843c7..d1174cb32 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " /R " or tgt.process.cmdline contains " –R " or tgt.process.cmdline contains " —R " or tgt.process.cmdline contains " ―R ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
index 471678ed1..e9ef19780 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\System32\OpenSSH\sshd.exe" or (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains "ProxyCommand=" or (tgt.process.cmdline contains "PermitLocalCommand" and tgt.process.cmdline contains "LocalCommand")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
index 20d6fddb0..736da635b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and tgt.process.cmdline contains ":3389"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
index 2e25db78a..bef9e1479 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\amazon-ssm-agent.exe" and (tgt.process.cmdline contains "-register " and tgt.process.cmdline contains "-code " and tgt.process.cmdline contains "-id " and tgt.process.cmdline contains "-region ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
index dcf00d373..82cb30077 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\stordiag.exe" and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\fltmc.exe")) and (not (src.process.image.path contains "c:\windows\system32\" or src.process.image.path contains "c:\windows\syswow64\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
index 737cdc335..bcb62646a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ntvdm.exe" or tgt.process.image.path contains "\csrstub.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
index d956d48c7..24472c2ca 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains " administrators " or tgt.process.cmdline contains " administrateur")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
index ae51138dc..9fc844b40 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Group Policy Creator Owners" or tgt.process.cmdline contains "Schema Admins")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
index bac2658da..1e9939344 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
index b420254b9..52dc72766 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "txt:" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > ") or (tgt.process.cmdline contains "makecab " and tgt.process.cmdline contains ".cab") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains " export ") or (tgt.process.cmdline contains "regedit " and tgt.process.cmdline contains " /E ") or (tgt.process.cmdline contains "esentutl " and tgt.process.cmdline contains " /y " and tgt.process.cmdline contains " /d " and tgt.process.cmdline contains " /o "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
index f8c848c7e..a3344e25d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\Windows\Installer\" and tgt.process.image.path contains "msi") and tgt.process.image.path contains "tmp") or (tgt.process.image.path contains "\msiexec.exe" and (tgt.process.integrityLevel in ("System","S-1-16-16384")))) and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and (not (src.process.image.path="C:\Windows\System32\services.exe" or (tgt.process.cmdline contains "\system32\msiexec.exe /V" or src.process.cmdline contains "\system32\msiexec.exe /V") or src.process.image.path contains "C:\ProgramData\Sophos\" or src.process.image.path contains "C:\ProgramData\Avira\" or (src.process.image.path contains "C:\Program Files\Avast Software\" or src.process.image.path contains "C:\Program Files (x86)\Avast Software\") or (src.process.image.path contains "C:\Program Files\Google\Update\" or src.process.image.path contains "C:\Program Files (x86)\Google\Update\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
index 54de44187..1c6474902 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "C:\Program Files\WindowsApps\" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Base64")) and (not (src.process.image.path contains ":\Program Files\WindowsApps\Microsoft.WindowsTerminal" and src.process.image.path contains "\WindowsTerminal.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\pwsh.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
index bcfcea571..bd0153450 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".SettingContent-ms" and (not tgt.process.cmdline contains "immersivecontrolpanel"))) | columns ParentProcess,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
index 172d491b7..38e0a5cf1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\Winrar.exe" or src.process.image.path contains "\7zFM.exe" or src.process.image.path contains "\peazip.exe") and (tgt.process.image.path contains "\isoburn.exe" or tgt.process.image.path contains "\PowerISO.exe" or tgt.process.image.path contains "\ImgBurn.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
index 75c2dadf3..640f2cbe3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\WerFault.exe" and tgt.process.cmdline contains "WerFault.exe") or (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or (tgt.process.image.path contains "\regsvcs.exe" and tgt.process.cmdline contains "regsvcs.exe") or (tgt.process.image.path contains "\regasm.exe" and tgt.process.cmdline contains "regasm.exe") or (tgt.process.image.path contains "\regsvr32.exe" and tgt.process.cmdline contains "regsvr32.exe")) and (not ((src.process.image.path contains "\AppData\Local\Microsoft\EdgeUpdate\Install\{" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or ((src.process.image.path contains "\AppData\Local\BraveSoftware\Brave-Browser\Application\" or src.process.image.path contains "\AppData\Local\Google\Chrome\Application\") and src.process.image.path contains "\Installer\setup.exe" and src.process.cmdline contains "--uninstall " and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
index 552c28a36..a5e4b58b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "Acrobat Reader" or src.process.image.path contains "Microsoft Office" or src.process.image.path contains "PDF Reader") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\firefox.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\maxthon.exe" or tgt.process.image.path contains "\seamonkey.exe" or tgt.process.image.path contains "\vivaldi.exe" or tgt.process.image.path contains "") and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
index 0c8c018a7..7c64a8c9d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "h^t^t^p" or tgt.process.cmdline contains "h\"t\"t\"p"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
index 0e8fbb1ef..84baba6e6 100644
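Review bot: The browser-image list on the new side of proc_creation_win_susp_browser_launch_from_document_reader_process ends with `tgt.process.image.path contains ""`, which is true for every path and therefore makes the eight preceding browser-name alternatives irrelevant; the rule fires for any child of a document reader whose command line contains `http`, not just for browsers. This looks like a translation artifact of an empty or wildcard-only list entry in the source rule, but the source is not visible here. Dropping the empty-string term, `... or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http"`, restores the intended narrowing; if a catch-all was actually intended, it deserves an explicit comment in the query rather than an empty literal.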
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Windows\" and (tgt.process.cmdline contains "\..\Windows\" or tgt.process.cmdline contains "\..\System32\" or tgt.process.cmdline contains "\..\..\")) or tgt.process.cmdline contains ".exe\..\") and (not (tgt.process.cmdline contains "\Google\Drive\googledrivesync.exe\..\" or tgt.process.cmdline contains "\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
index 6c3a905d4..75cacdd9b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --cpu-priority=" or tgt.process.cmdline contains "--donate-level=0" or tgt.process.cmdline contains " -o pool." or tgt.process.cmdline contains " --nicehash" or tgt.process.cmdline contains " --algo=rx/0 " or tgt.process.cmdline contains "stratum+tcp://" or tgt.process.cmdline contains "stratum+udp://" or tgt.process.cmdline contains "LS1kb25hdGUtbGV2ZWw9" or tgt.process.cmdline contains "0tZG9uYXRlLWxldmVsP" or tgt.process.cmdline contains "tLWRvbmF0ZS1sZXZlbD" or tgt.process.cmdline contains "c3RyYXR1bSt0Y3A6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdGNwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3RjcDovL" or tgt.process.cmdline contains "c3RyYXR1bSt1ZHA6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdWRwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3VkcDovL") and (not (tgt.process.cmdline contains " pool.c " or tgt.process.cmdline contains " pool.o " or tgt.process.cmdline contains "gcc -"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
index ec7918fd0..2963b80c0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl ") and (tgt.process.cmdline contains " -ur" and tgt.process.cmdline contains " -me" and tgt.process.cmdline contains " -b" and tgt.process.cmdline contains " POST ")) or ((tgt.process.image.path contains "\curl.exe" and tgt.process.cmdline contains "--ur") and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " --data ")) or (tgt.process.image.path contains "\wget.exe" and (tgt.process.cmdline contains "--post-data" or tgt.process.cmdline contains "--post-file"))) and ((tgt.process.cmdline contains "Get-Content" or tgt.process.cmdline contains "GetBytes" or tgt.process.cmdline contains "hostname" or tgt.process.cmdline contains "ifconfig" or tgt.process.cmdline contains "ipconfig" or tgt.process.cmdline contains "net view" or tgt.process.cmdline contains "netstat" or tgt.process.cmdline contains "nltest" or tgt.process.cmdline contains "qprocess" or tgt.process.cmdline contains "sc query" or tgt.process.cmdline contains "systeminfo" or tgt.process.cmdline contains "tasklist" or tgt.process.cmdline contains "ToBase64String" or tgt.process.cmdline contains "whoami") or (tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > " and tgt.process.cmdline contains " C:\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
index b08b79e7a..5e284ca55 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "taskkill " and tgt.process.cmdline contains "RaccineSettings.exe") or (tgt.process.cmdline contains "reg.exe" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "Raccine Tray") or (tgt.process.cmdline contains "schtasks" and tgt.process.cmdline contains "/DELETE" and tgt.process.cmdline contains "Raccine Rules Updater")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
index ba774801a..7780101ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ".doc.exe" or tgt.process.image.path contains ".docx.exe" or tgt.process.image.path contains ".xls.exe" or tgt.process.image.path contains ".xlsx.exe" or tgt.process.image.path contains ".ppt.exe" or tgt.process.image.path contains ".pptx.exe" or tgt.process.image.path contains ".rtf.exe" or tgt.process.image.path contains ".pdf.exe" or tgt.process.image.path contains ".txt.exe" or tgt.process.image.path contains " .exe" or tgt.process.image.path contains "______.exe" or tgt.process.image.path contains ".doc.js" or tgt.process.image.path contains ".docx.js" or tgt.process.image.path contains ".xls.js" or tgt.process.image.path contains ".xlsx.js" or tgt.process.image.path contains ".ppt.js" or tgt.process.image.path contains ".pptx.js" or tgt.process.image.path contains ".rtf.js" or tgt.process.image.path contains ".pdf.js" or tgt.process.image.path contains ".txt.js") and (tgt.process.cmdline contains ".doc.exe" or tgt.process.cmdline contains ".docx.exe" or tgt.process.cmdline contains ".xls.exe" or tgt.process.cmdline contains ".xlsx.exe" or tgt.process.cmdline contains ".ppt.exe" or tgt.process.cmdline contains ".pptx.exe" or tgt.process.cmdline contains ".rtf.exe" or tgt.process.cmdline contains ".pdf.exe" or tgt.process.cmdline contains ".txt.exe" or tgt.process.cmdline contains " .exe" or tgt.process.cmdline contains "______.exe" or tgt.process.cmdline contains ".doc.js" or tgt.process.cmdline contains ".docx.js" or tgt.process.cmdline contains ".xls.js" or tgt.process.cmdline contains ".xlsx.js" or tgt.process.cmdline contains ".ppt.js" or tgt.process.cmdline contains ".pptx.js" or tgt.process.cmdline contains ".rtf.js" or tgt.process.cmdline contains ".pdf.js" or tgt.process.cmdline contains 
".txt.js")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
index f871bf79c..4a2265582 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains ".doc.lnk" or src.process.image.path contains ".docx.lnk" or src.process.image.path contains ".xls.lnk" or src.process.image.path contains ".xlsx.lnk" or src.process.image.path contains ".ppt.lnk" or src.process.image.path contains ".pptx.lnk" or src.process.image.path contains ".rtf.lnk" or src.process.image.path contains ".pdf.lnk" or src.process.image.path contains ".txt.lnk" or src.process.image.path contains ".doc.js" or src.process.image.path contains ".docx.js" or src.process.image.path contains ".xls.js" or src.process.image.path contains ".xlsx.js" or src.process.image.path contains ".ppt.js" or src.process.image.path contains ".pptx.js" or src.process.image.path contains ".rtf.js" or src.process.image.path contains ".pdf.js" or src.process.image.path contains ".txt.js") or (src.process.cmdline contains ".doc.lnk" or src.process.cmdline contains ".docx.lnk" or src.process.cmdline contains ".xls.lnk" or src.process.cmdline contains ".xlsx.lnk" or src.process.cmdline contains ".ppt.lnk" or src.process.cmdline contains ".pptx.lnk" or src.process.cmdline contains ".rtf.lnk" or src.process.cmdline contains ".pdf.lnk" or src.process.cmdline contains ".txt.lnk" or src.process.cmdline contains ".doc.js" or src.process.cmdline contains ".docx.js" or src.process.cmdline contains ".xls.js" or src.process.cmdline contains ".xlsx.js" or src.process.cmdline contains ".ppt.js" or src.process.cmdline contains ".pptx.js" or src.process.cmdline contains ".rtf.js" or src.process.cmdline contains ".pdf.js" or src.process.cmdline contains ".txt.js")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
index e47f60dab..df965c354 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\wget.exe") or (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains ".DownloadString(")) and (tgt.process.cmdline contains "https://attachment.outlook.live.net/owa/" or tgt.process.cmdline contains "https://onenoteonlinesync.onenote.com/onenoteonlinesync/")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
index aab4afade..a324201f6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DumpStack.log" or tgt.process.cmdline contains " -o DumpStack.log"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
index 128eb0fd3..edbb9fb8a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\chrome.exe" or src.process.image.path contains "\discord.exe" or src.process.image.path contains "\GitHubDesktop.exe" or src.process.image.path contains "\keybase.exe" or src.process.image.path contains "\msedge.exe" or src.process.image.path contains "\msedgewebview2.exe" or src.process.image.path contains "\msteams.exe" or src.process.image.path contains "\slack.exe" or src.process.image.path contains "\teams.exe") and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\Windows\Temp\")) and (not (src.process.image.path contains "\Discord.exe" and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "\NVSMI\nvidia-smi.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
index df448e057..b9491b8bd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\explorer.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".lnk")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
index 0a0dbe393..3e61b9e0b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "😀" or tgt.process.cmdline contains "😃" or tgt.process.cmdline contains "😄" or tgt.process.cmdline contains "😁" or tgt.process.cmdline contains "😆" or tgt.process.cmdline contains "😅" or tgt.process.cmdline contains "😂" or tgt.process.cmdline contains "🤣" or tgt.process.cmdline contains "🥲" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "☺️" or tgt.process.cmdline contains "😊" or tgt.process.cmdline contains "😇" or tgt.process.cmdline contains "🙂" or tgt.process.cmdline contains "🙃" or tgt.process.cmdline contains "😉" or tgt.process.cmdline contains "😌" or tgt.process.cmdline contains "😍" or tgt.process.cmdline contains "🥰" or tgt.process.cmdline contains "😘" or tgt.process.cmdline contains "😗" or tgt.process.cmdline contains "😙" or tgt.process.cmdline contains "😚" or tgt.process.cmdline contains "😋" or tgt.process.cmdline contains "😛" or tgt.process.cmdline contains "😝" or tgt.process.cmdline contains "😜" or tgt.process.cmdline contains "🤪" or tgt.process.cmdline contains "🤨" or tgt.process.cmdline contains "🧐" or tgt.process.cmdline contains "🤓" or tgt.process.cmdline contains "😎" or tgt.process.cmdline contains "🥸" or tgt.process.cmdline contains "🤩" or tgt.process.cmdline contains "🥳" or tgt.process.cmdline contains "😏" or tgt.process.cmdline contains "😒" or tgt.process.cmdline contains "😞" or tgt.process.cmdline contains "😔" or tgt.process.cmdline contains "😟" or tgt.process.cmdline contains "😕" or tgt.process.cmdline contains "🙁" or tgt.process.cmdline contains "☹️" or tgt.process.cmdline contains "😣" or tgt.process.cmdline contains "😖" or tgt.process.cmdline contains "😫" or tgt.process.cmdline contains "😩" or tgt.process.cmdline contains "🥺" or tgt.process.cmdline contains "😢" or 
tgt.process.cmdline contains "😭" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😤" or tgt.process.cmdline contains "😠" or tgt.process.cmdline contains "😡" or tgt.process.cmdline contains "🤬" or tgt.process.cmdline contains "🤯" or tgt.process.cmdline contains "😳" or tgt.process.cmdline contains "🥵" or tgt.process.cmdline contains "🥶" or tgt.process.cmdline contains "😱" or tgt.process.cmdline contains "😨" or tgt.process.cmdline contains "😰" or tgt.process.cmdline contains "😥" or tgt.process.cmdline contains "😓" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🤗" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🤔" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🤭" or tgt.process.cmdline contains "🤫" or tgt.process.cmdline contains "🤥" or tgt.process.cmdline contains "😶" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "😐" or tgt.process.cmdline contains "😑" or tgt.process.cmdline contains "😬" or tgt.process.cmdline contains "🫠" or tgt.process.cmdline contains "🙄" or tgt.process.cmdline contains "😯" or tgt.process.cmdline contains "😦" or tgt.process.cmdline contains "😧" or tgt.process.cmdline contains "😮" or tgt.process.cmdline contains "😲" or tgt.process.cmdline contains "🥱" or tgt.process.cmdline contains "😴" or tgt.process.cmdline contains "🤤" or tgt.process.cmdline contains "😪" or tgt.process.cmdline contains "😵" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🤐" or tgt.process.cmdline contains "🥴" or tgt.process.cmdline contains "🤢" or tgt.process.cmdline contains "🤮" or tgt.process.cmdline contains "🤧" or tgt.process.cmdline contains "😷" or tgt.process.cmdline contains "🤒" or tgt.process.cmdline contains "🤕" or tgt.process.cmdline contains "🤑" or tgt.process.cmdline contains "🤠" or tgt.process.cmdline contains "😈" or tgt.process.cmdline contains "👿" or tgt.process.cmdline contains "👹" or 
tgt.process.cmdline contains "👺" or tgt.process.cmdline contains "🤡" or tgt.process.cmdline contains "💩" or tgt.process.cmdline contains "👻" or tgt.process.cmdline contains "💀" or tgt.process.cmdline contains "☠️" or tgt.process.cmdline contains "👽" or tgt.process.cmdline contains "👾" or tgt.process.cmdline contains "🤖" or tgt.process.cmdline contains "🎃" or tgt.process.cmdline contains "😺" or tgt.process.cmdline contains "😸" or tgt.process.cmdline contains "😹" or tgt.process.cmdline contains "😻" or tgt.process.cmdline contains "😼" or tgt.process.cmdline contains "😽" or tgt.process.cmdline contains "🙀" or tgt.process.cmdline contains "😿" or tgt.process.cmdline contains "😾" or tgt.process.cmdline contains "👋" or tgt.process.cmdline contains "🤚" or tgt.process.cmdline contains "🖐" or tgt.process.cmdline contains "✋" or tgt.process.cmdline contains "🖖" or tgt.process.cmdline contains "👌" or tgt.process.cmdline contains "🤌" or tgt.process.cmdline contains "🤏" or tgt.process.cmdline contains "✌️" or tgt.process.cmdline contains "🤞" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🤟" or tgt.process.cmdline contains "🤘" or tgt.process.cmdline contains "🤙" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "👈" or tgt.process.cmdline contains "👉" or tgt.process.cmdline contains "👆" or tgt.process.cmdline contains "🖕" or tgt.process.cmdline contains "👇" or tgt.process.cmdline contains "☝️" or tgt.process.cmdline contains "👍" or tgt.process.cmdline contains "👎" or tgt.process.cmdline contains "✊" or tgt.process.cmdline contains "👊" or tgt.process.cmdline contains "🤛" or tgt.process.cmdline contains "🤜" or tgt.process.cmdline contains "👏" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🙌" or tgt.process.cmdline contains "👐" or tgt.process.cmdline contains "🤲" or 
tgt.process.cmdline contains "🤝" or tgt.process.cmdline contains "🙏" or tgt.process.cmdline contains "✍️" or tgt.process.cmdline contains "💪" or tgt.process.cmdline contains "🦾" or tgt.process.cmdline contains "🦵" or tgt.process.cmdline contains "🦿" or tgt.process.cmdline contains "🦶" or tgt.process.cmdline contains "👣" or tgt.process.cmdline contains "👂" or tgt.process.cmdline contains "🦻" or tgt.process.cmdline contains "👃" or tgt.process.cmdline contains "🫀" or tgt.process.cmdline contains "🫁" or tgt.process.cmdline contains "🧠" or tgt.process.cmdline contains "🦷" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "👀" or tgt.process.cmdline contains "👁" or tgt.process.cmdline contains "👅" or tgt.process.cmdline contains "👄" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "💋" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "👶" or tgt.process.cmdline contains "👧" or tgt.process.cmdline contains "🧒" or tgt.process.cmdline contains "👦" or tgt.process.cmdline contains "👩" or tgt.process.cmdline contains "🧑" or tgt.process.cmdline contains "👨" or tgt.process.cmdline contains "👩‍🦱" or tgt.process.cmdline contains "🧑‍🦱" or tgt.process.cmdline contains "👨‍🦱" or tgt.process.cmdline contains "👩‍🦰" or tgt.process.cmdline contains "🧑‍🦰" or tgt.process.cmdline contains "👨‍🦰" or tgt.process.cmdline contains "👱‍♀️" or tgt.process.cmdline contains "👱" or tgt.process.cmdline contains "👱‍♂️" or tgt.process.cmdline contains "👩‍🦳" or tgt.process.cmdline contains "🧑‍🦳" or tgt.process.cmdline contains "👨‍🦳" or tgt.process.cmdline contains "👩‍🦲" or tgt.process.cmdline contains "🧑‍🦲" or tgt.process.cmdline contains "👨‍🦲" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "👵" or tgt.process.cmdline contains "🧓" or tgt.process.cmdline contains "👴" or tgt.process.cmdline contains "👲" or tgt.process.cmdline contains "👳‍♀️" or 
tgt.process.cmdline contains "👳" or tgt.process.cmdline contains "👳‍♂️" or tgt.process.cmdline contains "🧕" or tgt.process.cmdline contains "👮‍♀️" or tgt.process.cmdline contains "👮" or tgt.process.cmdline contains "👮‍♂️" or tgt.process.cmdline contains "👷‍♀️" or tgt.process.cmdline contains "👷" or tgt.process.cmdline contains "👷‍♂️" or tgt.process.cmdline contains "💂‍♀️" or tgt.process.cmdline contains "💂" or tgt.process.cmdline contains "💂‍♂️" or tgt.process.cmdline contains "🕵️‍♀️" or tgt.process.cmdline contains "🕵️" or tgt.process.cmdline contains "🕵️‍♂️" or tgt.process.cmdline contains "👩‍⚕️" or tgt.process.cmdline contains "🧑‍⚕️" or tgt.process.cmdline contains "👨‍⚕️" or tgt.process.cmdline contains "👩‍🌾" or tgt.process.cmdline contains "🧑‍🌾" or tgt.process.cmdline contains "👨‍🌾" or tgt.process.cmdline contains "👩‍🍳" or tgt.process.cmdline contains "🧑‍🍳" or tgt.process.cmdline contains "👨‍🍳" or tgt.process.cmdline contains "👩‍🎓" or tgt.process.cmdline contains "🧑‍🎓" or tgt.process.cmdline contains "👨‍🎓" or tgt.process.cmdline contains "👩‍🎤" or tgt.process.cmdline contains "🧑‍🎤" or tgt.process.cmdline contains "👨‍🎤" or tgt.process.cmdline contains "👩‍🏫" or tgt.process.cmdline contains "🧑‍🏫" or tgt.process.cmdline contains "👨‍🏫" or tgt.process.cmdline contains "👩‍🏭" or tgt.process.cmdline contains "🧑‍🏭" or tgt.process.cmdline contains "👨‍🏭" or tgt.process.cmdline contains "👩‍💻" or tgt.process.cmdline contains "🧑‍💻" or tgt.process.cmdline contains "👨‍💻" or tgt.process.cmdline contains "👩‍💼" or tgt.process.cmdline contains "🧑‍💼" or tgt.process.cmdline contains "👨‍💼" or tgt.process.cmdline contains "👩‍🔧" or tgt.process.cmdline contains "🧑‍🔧" or tgt.process.cmdline contains "👨‍🔧" or tgt.process.cmdline contains "👩‍🔬" or tgt.process.cmdline contains "🧑‍🔬" or tgt.process.cmdline contains "👨‍🔬" or tgt.process.cmdline contains "👩‍🎨" or tgt.process.cmdline contains "🧑‍🎨" or tgt.process.cmdline contains "👨‍🎨" or tgt.process.cmdline contains "👩‍🚒" or tgt.process.cmdline 
contains "🧑‍🚒" or tgt.process.cmdline contains "👨‍🚒" or tgt.process.cmdline contains "👩‍✈️" or tgt.process.cmdline contains "🧑‍✈️" or tgt.process.cmdline contains "👨‍✈️" or tgt.process.cmdline contains "👩‍🚀" or tgt.process.cmdline contains "🧑‍🚀" or tgt.process.cmdline contains "👨‍🚀" or tgt.process.cmdline contains "👩‍⚖️" or tgt.process.cmdline contains "🧑‍⚖️" or tgt.process.cmdline contains "👨‍⚖️" or tgt.process.cmdline contains "👰‍♀️" or tgt.process.cmdline contains "👰" or tgt.process.cmdline contains "👰‍♂️" or tgt.process.cmdline contains "🤵‍♀️" or tgt.process.cmdline contains "🤵" or tgt.process.cmdline contains "🤵‍♂️" or tgt.process.cmdline contains "👸" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🤴" or tgt.process.cmdline contains "🥷" or tgt.process.cmdline contains "🦸‍♀️" or tgt.process.cmdline contains "🦸" or tgt.process.cmdline contains "🦸‍♂️" or tgt.process.cmdline contains "🦹‍♀️" or tgt.process.cmdline contains "🦹" or tgt.process.cmdline contains "🦹‍♂️" or tgt.process.cmdline contains "🤶" or tgt.process.cmdline contains "🧑‍🎄" or tgt.process.cmdline contains "🎅" or tgt.process.cmdline contains "🧙‍♀️" or tgt.process.cmdline contains "🧙" or tgt.process.cmdline contains "🧙‍♂️" or tgt.process.cmdline contains "🧝‍♀️" or tgt.process.cmdline contains "🧝" or tgt.process.cmdline contains "🧝‍♂️" or tgt.process.cmdline contains "🧛‍♀️" or tgt.process.cmdline contains "🧛" or tgt.process.cmdline contains "🧛‍♂️" or tgt.process.cmdline contains "🧟‍♀️" or tgt.process.cmdline contains "🧟" or tgt.process.cmdline contains "🧟‍♂️" or tgt.process.cmdline contains "🧞‍♀️" or tgt.process.cmdline contains "🧞" or tgt.process.cmdline contains "🧞‍♂️" or tgt.process.cmdline contains "🧜‍♀️" or tgt.process.cmdline contains "🧜" or tgt.process.cmdline contains "🧜‍♂️" or tgt.process.cmdline contains "🧚‍♀️" or tgt.process.cmdline contains "🧚" or tgt.process.cmdline contains "🧚‍♂️" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "👼" or 
tgt.process.cmdline contains "🤰" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🤱" or tgt.process.cmdline contains "👩‍🍼" or tgt.process.cmdline contains "🧑‍🍼" or tgt.process.cmdline contains "👨‍🍼" or tgt.process.cmdline contains "🙇‍♀️" or tgt.process.cmdline contains "🙇" or tgt.process.cmdline contains "🙇‍♂️" or tgt.process.cmdline contains "💁‍♀️" or tgt.process.cmdline contains "💁" or tgt.process.cmdline contains "💁‍♂️" or tgt.process.cmdline contains "🙅‍♀️" or tgt.process.cmdline contains "🙅" or tgt.process.cmdline contains "🙅‍♂️" or tgt.process.cmdline contains "🙆‍♀️" or tgt.process.cmdline contains "🙆" or tgt.process.cmdline contains "🙆‍♂️" or tgt.process.cmdline contains "🙋‍♀️" or tgt.process.cmdline contains "🙋" or tgt.process.cmdline contains "🙋‍♂️" or tgt.process.cmdline contains "🧏‍♀️" or tgt.process.cmdline contains "🧏" or tgt.process.cmdline contains "🧏‍♂️" or tgt.process.cmdline contains "🤦‍♀️" or tgt.process.cmdline contains "🤦" or tgt.process.cmdline contains "🤦‍♂️" or tgt.process.cmdline contains "🤷‍♀️" or tgt.process.cmdline contains "🤷" or tgt.process.cmdline contains "🤷‍♂️" or tgt.process.cmdline contains "🙎‍♀️" or tgt.process.cmdline contains "🙎" or tgt.process.cmdline contains "🙎‍♂️" or tgt.process.cmdline contains "🙍‍♀️" or tgt.process.cmdline contains "🙍" or tgt.process.cmdline contains "🙍‍♂️" or tgt.process.cmdline contains "💇‍♀️" or tgt.process.cmdline contains "💇" or tgt.process.cmdline contains "💇‍♂️" or tgt.process.cmdline contains "💆‍♀️" or tgt.process.cmdline contains "💆" or tgt.process.cmdline contains "💆‍♂️" or tgt.process.cmdline contains "🧖‍♀️" or tgt.process.cmdline contains "🧖" or tgt.process.cmdline contains "🧖‍♂️" or tgt.process.cmdline contains "💅" or tgt.process.cmdline contains "💃" or tgt.process.cmdline contains "🕺" or tgt.process.cmdline contains "👯‍♀️" or tgt.process.cmdline contains "👯" or tgt.process.cmdline contains "👯‍♂️" or tgt.process.cmdline contains "🕴" or 
tgt.process.cmdline contains "👩‍🦽" or tgt.process.cmdline contains "🧑‍🦽" or tgt.process.cmdline contains "👨‍🦽" or tgt.process.cmdline contains "👩‍🦼" or tgt.process.cmdline contains "🧑‍🦼" or tgt.process.cmdline contains "👨‍🦼" or tgt.process.cmdline contains "🚶‍♀️" or tgt.process.cmdline contains "🚶" or tgt.process.cmdline contains "🚶‍♂️" or tgt.process.cmdline contains "👩‍🦯" or tgt.process.cmdline contains "🧑‍🦯" or tgt.process.cmdline contains "👨‍🦯" or tgt.process.cmdline contains "🧎‍♀️" or tgt.process.cmdline contains "🧎" or tgt.process.cmdline contains "🧎‍♂️" or tgt.process.cmdline contains "🏃‍♀️" or tgt.process.cmdline contains "🏃" or tgt.process.cmdline contains "🏃‍♂️" or tgt.process.cmdline contains "🧍‍♀️" or tgt.process.cmdline contains "🧍" or tgt.process.cmdline contains "🧍‍♂️" or tgt.process.cmdline contains "👭" or tgt.process.cmdline contains "🧑‍🤝‍🧑" or tgt.process.cmdline contains "👬" or tgt.process.cmdline contains "👫" or tgt.process.cmdline contains "👩‍❤️‍👩" or tgt.process.cmdline contains "💑" or tgt.process.cmdline contains "👨‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👩" or tgt.process.cmdline contains "💏" or tgt.process.cmdline contains "👨‍❤️‍💋‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👨" or tgt.process.cmdline contains "👪" or tgt.process.cmdline contains "👨‍👩‍👦" or tgt.process.cmdline contains "👨‍👩‍👧" or tgt.process.cmdline contains "👨‍👩‍👧‍👦" or tgt.process.cmdline contains "👨‍👩‍👦‍👦" or tgt.process.cmdline contains "👨‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👨‍👦" or tgt.process.cmdline contains "👨‍👨‍👧" or tgt.process.cmdline contains "👨‍👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👨‍👦‍👦" or tgt.process.cmdline contains "👨‍👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👩‍👦" or tgt.process.cmdline contains "👩‍👩‍👧" or tgt.process.cmdline contains "👩‍👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👦" or tgt.process.cmdline contains "👨‍👦‍👦" 
or tgt.process.cmdline contains "👨‍👧" or tgt.process.cmdline contains "👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👦" or tgt.process.cmdline contains "👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👧" or tgt.process.cmdline contains "👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👧‍👧" or tgt.process.cmdline contains "🗣" or tgt.process.cmdline contains "👤" or tgt.process.cmdline contains "👥" or tgt.process.cmdline contains "🫂" or tgt.process.cmdline contains "🧳" or tgt.process.cmdline contains "🌂" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🧵" or tgt.process.cmdline contains "🪡" or tgt.process.cmdline contains "🪢" or tgt.process.cmdline contains "🧶" or tgt.process.cmdline contains "👓" or tgt.process.cmdline contains "🕶" or tgt.process.cmdline contains "🥽" or tgt.process.cmdline contains "🥼" or tgt.process.cmdline contains "🦺" or tgt.process.cmdline contains "👔" or tgt.process.cmdline contains "👕" or tgt.process.cmdline contains "👖" or tgt.process.cmdline contains "🧣" or tgt.process.cmdline contains "🧤" or tgt.process.cmdline contains "🧥" or tgt.process.cmdline contains "🧦" or tgt.process.cmdline contains "👗" or tgt.process.cmdline contains "👘" or tgt.process.cmdline contains "🥻" or tgt.process.cmdline contains "🩴" or tgt.process.cmdline contains "🩱" or tgt.process.cmdline contains "🩲" or tgt.process.cmdline contains "🩳" or tgt.process.cmdline contains "👙" or tgt.process.cmdline contains "👚" or tgt.process.cmdline contains "👛" or tgt.process.cmdline contains "👜" or tgt.process.cmdline contains "👝" or tgt.process.cmdline contains "🎒" or tgt.process.cmdline contains "👞" or tgt.process.cmdline contains "👟" or tgt.process.cmdline contains "🥾" or tgt.process.cmdline contains "🥿" or tgt.process.cmdline contains "👠" or tgt.process.cmdline contains "👡" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "👢" or tgt.process.cmdline contains "👑" or tgt.process.cmdline contains "👒" or tgt.process.cmdline 
contains "🎩" or tgt.process.cmdline contains "🎓" or tgt.process.cmdline contains "🧢" or tgt.process.cmdline contains "⛑" or tgt.process.cmdline contains "🪖" or tgt.process.cmdline contains "💄" or tgt.process.cmdline contains "💍" or tgt.process.cmdline contains "💼" or tgt.process.cmdline contains "👋🏻" or tgt.process.cmdline contains "🤚🏻" or tgt.process.cmdline contains "🖐🏻" or tgt.process.cmdline contains "✋🏻" or tgt.process.cmdline contains "🖖🏻" or tgt.process.cmdline contains "👌🏻" or tgt.process.cmdline contains "🤌🏻" or tgt.process.cmdline contains "🤏🏻" or tgt.process.cmdline contains "✌🏻" or tgt.process.cmdline contains "🤞🏻" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🤟🏻" or tgt.process.cmdline contains "🤘🏻" or tgt.process.cmdline contains "🤙🏻" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "👈🏻" or tgt.process.cmdline contains "👉🏻" or tgt.process.cmdline contains "👆🏻" or tgt.process.cmdline contains "🖕🏻" or tgt.process.cmdline contains "👇🏻" or tgt.process.cmdline contains "☝🏻" or tgt.process.cmdline contains "👍🏻" or tgt.process.cmdline contains "👎🏻" or tgt.process.cmdline contains "✊🏻" or tgt.process.cmdline contains "👊🏻" or tgt.process.cmdline contains "🤛🏻" or tgt.process.cmdline contains "🤜🏻" or tgt.process.cmdline contains "👏🏻" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🙌🏻" or tgt.process.cmdline contains "👐🏻" or tgt.process.cmdline contains "🤲🏻" or tgt.process.cmdline contains "🙏🏻" or tgt.process.cmdline contains "✍🏻" or tgt.process.cmdline contains "💪🏻" or tgt.process.cmdline contains "🦵🏻" or tgt.process.cmdline contains "🦶🏻" or tgt.process.cmdline contains "👂🏻" or tgt.process.cmdline contains "🦻🏻" or tgt.process.cmdline contains "👃🏻" or tgt.process.cmdline contains "👶🏻" or tgt.process.cmdline contains "👧🏻" or tgt.process.cmdline contains 
"🧒🏻" or tgt.process.cmdline contains "👦🏻" or tgt.process.cmdline contains "👩🏻" or tgt.process.cmdline contains "🧑🏻" or tgt.process.cmdline contains "👨🏻" or tgt.process.cmdline contains "👩🏻‍🦱" or tgt.process.cmdline contains "🧑🏻‍🦱" or tgt.process.cmdline contains "👨🏻‍🦱" or tgt.process.cmdline contains "👩🏻‍🦰" or tgt.process.cmdline contains "🧑🏻‍🦰" or tgt.process.cmdline contains "👨🏻‍🦰" or tgt.process.cmdline contains "👱🏻‍♀️" or tgt.process.cmdline contains "👱🏻" or tgt.process.cmdline contains "👱🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦳" or tgt.process.cmdline contains "🧑🏻‍🦳" or tgt.process.cmdline contains "👨🏻‍🦳" or tgt.process.cmdline contains "👩🏻‍🦲" or tgt.process.cmdline contains "🧑🏻‍🦲" or tgt.process.cmdline contains "👨🏻‍🦲" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline contains "🧔🏻" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "👵🏻" or tgt.process.cmdline contains "🧓🏻" or tgt.process.cmdline contains "👴🏻" or tgt.process.cmdline contains "👲🏻" or tgt.process.cmdline contains "👳🏻‍♀️" or tgt.process.cmdline contains "👳🏻" or tgt.process.cmdline contains "👳🏻‍♂️" or tgt.process.cmdline contains "🧕🏻" or tgt.process.cmdline contains "👮🏻‍♀️" or tgt.process.cmdline contains "👮🏻" or tgt.process.cmdline contains "👮🏻‍♂️" or tgt.process.cmdline contains "👷🏻‍♀️" or tgt.process.cmdline contains "👷🏻" or tgt.process.cmdline contains "👷🏻‍♂️" or tgt.process.cmdline contains "💂🏻‍♀️" or tgt.process.cmdline contains "💂🏻" or tgt.process.cmdline contains "💂🏻‍♂️" or tgt.process.cmdline contains "🕵🏻‍♀️" or tgt.process.cmdline contains "🕵🏻" or tgt.process.cmdline contains "🕵🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍⚕️" or tgt.process.cmdline contains "🧑🏻‍⚕️" or tgt.process.cmdline contains "👨🏻‍⚕️" or tgt.process.cmdline contains "👩🏻‍🌾" or tgt.process.cmdline contains "🧑🏻‍🌾" or tgt.process.cmdline contains "👨🏻‍🌾" or tgt.process.cmdline contains "👩🏻‍🍳" or tgt.process.cmdline contains "🧑🏻‍🍳" or tgt.process.cmdline contains "👨🏻‍🍳" or 
tgt.process.cmdline contains "👩🏻‍🎓" or tgt.process.cmdline contains "🧑🏻‍🎓" or tgt.process.cmdline contains "👨🏻‍🎓" or tgt.process.cmdline contains "👩🏻‍🎤" or tgt.process.cmdline contains "🧑🏻‍🎤" or tgt.process.cmdline contains "👨🏻‍🎤" or tgt.process.cmdline contains "👩🏻‍🏫" or tgt.process.cmdline contains "🧑🏻‍🏫" or tgt.process.cmdline contains "👨🏻‍🏫" or tgt.process.cmdline contains "👩🏻‍🏭" or tgt.process.cmdline contains "🧑🏻‍🏭" or tgt.process.cmdline contains "👨🏻‍🏭" or tgt.process.cmdline contains "👩🏻‍💻" or tgt.process.cmdline contains "🧑🏻‍💻" or tgt.process.cmdline contains "👨🏻‍💻" or tgt.process.cmdline contains "👩🏻‍💼" or tgt.process.cmdline contains "🧑🏻‍💼" or tgt.process.cmdline contains "👨🏻‍💼" or tgt.process.cmdline contains "👩🏻‍🔧" or tgt.process.cmdline contains "🧑🏻‍🔧" or tgt.process.cmdline contains "👨🏻‍🔧" or tgt.process.cmdline contains "👩🏻‍🔬" or tgt.process.cmdline contains "🧑🏻‍🔬" or tgt.process.cmdline contains "👨🏻‍🔬" or tgt.process.cmdline contains "👩🏻‍🎨" or tgt.process.cmdline contains "🧑🏻‍🎨" or tgt.process.cmdline contains "👨🏻‍🎨" or tgt.process.cmdline contains "👩🏻‍🚒" or tgt.process.cmdline contains "🧑🏻‍🚒" or tgt.process.cmdline contains "👨🏻‍🚒" or tgt.process.cmdline contains "👩🏻‍✈️" or tgt.process.cmdline contains "🧑🏻‍✈️" or tgt.process.cmdline contains "👨🏻‍✈️" or tgt.process.cmdline contains "👩🏻‍🚀" or tgt.process.cmdline contains "🧑🏻‍🚀" or tgt.process.cmdline contains "👨🏻‍🚀" or tgt.process.cmdline contains "👩🏻‍⚖️" or tgt.process.cmdline contains "🧑🏻‍⚖️" or tgt.process.cmdline contains "👨🏻‍⚖️" or tgt.process.cmdline contains "👰🏻‍♀️" or tgt.process.cmdline contains "👰🏻" or tgt.process.cmdline contains "👰🏻‍♂️" or tgt.process.cmdline contains "🤵🏻‍♀️" or tgt.process.cmdline contains "🤵🏻" or tgt.process.cmdline contains "🤵🏻‍♂️" or tgt.process.cmdline contains "👸🏻" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🤴🏻" or tgt.process.cmdline contains "🥷🏻" or tgt.process.cmdline contains "🦸🏻‍♀️" or tgt.process.cmdline contains "🦸🏻" or 
tgt.process.cmdline contains "🦸🏻‍♂️" or tgt.process.cmdline contains "🦹🏻‍♀️" or tgt.process.cmdline contains "🦹🏻" or tgt.process.cmdline contains "🦹🏻‍♂️" or tgt.process.cmdline contains "🤶🏻" or tgt.process.cmdline contains "🧑🏻‍🎄" or tgt.process.cmdline contains "🎅🏻" or tgt.process.cmdline contains "🧙🏻‍♀️" or tgt.process.cmdline contains "🧙🏻" or tgt.process.cmdline contains "🧙🏻‍♂️" or tgt.process.cmdline contains "🧝🏻‍♀️" or tgt.process.cmdline contains "🧝🏻" or tgt.process.cmdline contains "🧝🏻‍♂️" or tgt.process.cmdline contains "🧛🏻‍♀️" or tgt.process.cmdline contains "🧛🏻" or tgt.process.cmdline contains "🧛🏻‍♂️" or tgt.process.cmdline contains "🧜🏻‍♀️" or tgt.process.cmdline contains "🧜🏻" or tgt.process.cmdline contains "🧜🏻‍♂️" or tgt.process.cmdline contains "🧚🏻‍♀️" or tgt.process.cmdline contains "🧚🏻" or tgt.process.cmdline contains "🧚🏻‍♂️" or tgt.process.cmdline contains "👼🏻" or tgt.process.cmdline contains "🤰🏻" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🤱🏻" or tgt.process.cmdline contains "👩🏻‍🍼" or tgt.process.cmdline contains "🧑🏻‍🍼" or tgt.process.cmdline contains "👨🏻‍🍼" or tgt.process.cmdline contains "🙇🏻‍♀️" or tgt.process.cmdline contains "🙇🏻" or tgt.process.cmdline contains "🙇🏻‍♂️" or tgt.process.cmdline contains "💁🏻‍♀️" or tgt.process.cmdline contains "💁🏻" or tgt.process.cmdline contains "💁🏻‍♂️" or tgt.process.cmdline contains "🙅🏻‍♀️" or tgt.process.cmdline contains "🙅🏻" or tgt.process.cmdline contains "🙅🏻‍♂️" or tgt.process.cmdline contains "🙆🏻‍♀️" or tgt.process.cmdline contains "🙆🏻" or tgt.process.cmdline contains "🙆🏻‍♂️" or tgt.process.cmdline contains "🙋🏻‍♀️" or tgt.process.cmdline contains "🙋🏻" or tgt.process.cmdline contains "🙋🏻‍♂️" or tgt.process.cmdline contains "🧏🏻‍♀️" or tgt.process.cmdline contains "🧏🏻" or tgt.process.cmdline contains "🧏🏻‍♂️" or tgt.process.cmdline contains "🤦🏻‍♀️" or tgt.process.cmdline contains "🤦🏻" or tgt.process.cmdline contains "🤦🏻‍♂️" or tgt.process.cmdline 
contains "🤷🏻‍♀️" or tgt.process.cmdline contains "🤷🏻" or tgt.process.cmdline contains "🤷🏻‍♂️" or tgt.process.cmdline contains "🙎🏻‍♀️" or tgt.process.cmdline contains "🙎🏻" or tgt.process.cmdline contains "🙎🏻‍♂️" or tgt.process.cmdline contains "🙍🏻‍♀️" or tgt.process.cmdline contains "🙍🏻" or tgt.process.cmdline contains "🙍🏻‍♂️" or tgt.process.cmdline contains "💇🏻‍♀️" or tgt.process.cmdline contains "💇🏻" or tgt.process.cmdline contains "💇🏻‍♂️" or tgt.process.cmdline contains "💆🏻‍♀️" or tgt.process.cmdline contains "💆🏻" or tgt.process.cmdline contains "💆🏻‍♂️" or tgt.process.cmdline contains "🧖🏻‍♀️" or tgt.process.cmdline contains "🧖🏻" or tgt.process.cmdline contains "🧖🏻‍♂️" or tgt.process.cmdline contains "💃🏻" or tgt.process.cmdline contains "🕺🏻" or tgt.process.cmdline contains "🕴🏻" or tgt.process.cmdline contains "👩🏻‍🦽" or tgt.process.cmdline contains "🧑🏻‍🦽" or tgt.process.cmdline contains "👨🏻‍🦽" or tgt.process.cmdline contains "👩🏻‍🦼" or tgt.process.cmdline contains "🧑🏻‍🦼" or tgt.process.cmdline contains "👨🏻‍🦼" or tgt.process.cmdline contains "🚶🏻‍♀️" or tgt.process.cmdline contains "🚶🏻" or tgt.process.cmdline contains "🚶🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦯" or tgt.process.cmdline contains "🧑🏻‍🦯" or tgt.process.cmdline contains "👨🏻‍🦯" or tgt.process.cmdline contains "🧎🏻‍♀️" or tgt.process.cmdline contains "🧎🏻" or tgt.process.cmdline contains "🧎🏻‍♂️" or tgt.process.cmdline contains "🏃🏻‍♀️" or tgt.process.cmdline contains "🏃🏻" or tgt.process.cmdline contains "🏃🏻‍♂️" or tgt.process.cmdline contains "🧍🏻‍♀️" or tgt.process.cmdline contains "🧍🏻" or tgt.process.cmdline contains "🧍🏻‍♂️" or tgt.process.cmdline contains "👭🏻" or tgt.process.cmdline contains "🧑🏻‍🤝‍🧑🏻" or tgt.process.cmdline contains "👬🏻" or tgt.process.cmdline contains "👫🏻" or tgt.process.cmdline contains "🧗🏻‍♀️" or tgt.process.cmdline contains "🧗🏻" or tgt.process.cmdline contains "🧗🏻‍♂️" or tgt.process.cmdline contains "🏇🏻" or tgt.process.cmdline contains "🏂🏻" or tgt.process.cmdline contains "🏌🏻‍♀️" or 
tgt.process.cmdline contains "🏌🏻" or tgt.process.cmdline contains "🏌🏻‍♂️" or tgt.process.cmdline contains "🏄🏻‍♀️" or tgt.process.cmdline contains "🏄🏻" or tgt.process.cmdline contains "🏄🏻‍♂️" or tgt.process.cmdline contains "🚣🏻‍♀️" or tgt.process.cmdline contains "🚣🏻" or tgt.process.cmdline contains "🚣🏻‍♂️" or tgt.process.cmdline contains "🏊🏻‍♀️" or tgt.process.cmdline contains "🏊🏻" or tgt.process.cmdline contains "🏊🏻‍♂️" or tgt.process.cmdline contains "⛹🏻‍♀️" or tgt.process.cmdline contains "⛹🏻" or tgt.process.cmdline contains "⛹🏻‍♂️" or tgt.process.cmdline contains "🏋🏻‍♀️" or tgt.process.cmdline contains "🏋🏻" or tgt.process.cmdline contains "🏋🏻‍♂️" or tgt.process.cmdline contains "🚴🏻‍♀️" or tgt.process.cmdline contains "🚴🏻" or tgt.process.cmdline contains "🚴🏻‍♂️" or tgt.process.cmdline contains "🚵🏻‍♀️" or tgt.process.cmdline contains "🚵🏻" or tgt.process.cmdline contains "🚵🏻‍♂️" or tgt.process.cmdline contains "🤸🏻‍♀️" or tgt.process.cmdline contains "🤸🏻" or tgt.process.cmdline contains "🤸🏻‍♂️" or tgt.process.cmdline contains "🤽🏻‍♀️" or tgt.process.cmdline contains "🤽🏻" or tgt.process.cmdline contains "🤽🏻‍♂️" or tgt.process.cmdline contains "🤾🏻‍♀️" or tgt.process.cmdline contains "🤾🏻" or tgt.process.cmdline contains "🤾🏻‍♂️" or tgt.process.cmdline contains "🤹🏻‍♀️" or tgt.process.cmdline contains "🤹🏻" or tgt.process.cmdline contains "🤹🏻‍♂️" or tgt.process.cmdline contains "🧘🏻‍♀️" or tgt.process.cmdline contains "🧘🏻" or tgt.process.cmdline contains "🧘🏻‍♂️" or tgt.process.cmdline contains "🛀🏻" or tgt.process.cmdline contains "🛌🏻" or tgt.process.cmdline contains "👋🏼" or tgt.process.cmdline contains "🤚🏼" or tgt.process.cmdline contains "🖐🏼" or tgt.process.cmdline contains "✋🏼" or tgt.process.cmdline contains "🖖🏼" or tgt.process.cmdline contains "👌🏼" or tgt.process.cmdline contains "🤌🏼" or tgt.process.cmdline contains "🤏🏼" or tgt.process.cmdline contains "✌🏼" or tgt.process.cmdline contains "🤞🏼" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🤟🏼" or 
tgt.process.cmdline contains "🤘🏼" or tgt.process.cmdline contains "🤙🏼" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "👈🏼" or tgt.process.cmdline contains "👉🏼" or tgt.process.cmdline contains "👆🏼" or tgt.process.cmdline contains "🖕🏼" or tgt.process.cmdline contains "👇🏼" or tgt.process.cmdline contains "☝🏼" or tgt.process.cmdline contains "👍🏼" or tgt.process.cmdline contains "👎🏼" or tgt.process.cmdline contains "✊🏼" or tgt.process.cmdline contains "👊🏼" or tgt.process.cmdline contains "🤛🏼" or tgt.process.cmdline contains "🤜🏼" or tgt.process.cmdline contains "👏🏼" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🙌🏼" or tgt.process.cmdline contains "👐🏼" or tgt.process.cmdline contains "🤲🏼" or tgt.process.cmdline contains "🙏🏼" or tgt.process.cmdline contains "✍🏼" or tgt.process.cmdline contains "💪🏼" or tgt.process.cmdline contains "🦵🏼" or tgt.process.cmdline contains "🦶🏼" or tgt.process.cmdline contains "👂🏼" or tgt.process.cmdline contains "🦻🏼" or tgt.process.cmdline contains "👃🏼" or tgt.process.cmdline contains "👶🏼" or tgt.process.cmdline contains "👧🏼" or tgt.process.cmdline contains "🧒🏼" or tgt.process.cmdline contains "👦🏼" or tgt.process.cmdline contains "👩🏼" or tgt.process.cmdline contains "🧑🏼" or tgt.process.cmdline contains "👨🏼" or tgt.process.cmdline contains "👩🏼‍🦱" or tgt.process.cmdline contains "🧑🏼‍🦱" or tgt.process.cmdline contains "👨🏼‍🦱" or tgt.process.cmdline contains "👩🏼‍🦰" or tgt.process.cmdline contains "🧑🏼‍🦰" or tgt.process.cmdline contains "👨🏼‍🦰" or tgt.process.cmdline contains "👱🏼‍♀️" or tgt.process.cmdline contains "👱🏼" or tgt.process.cmdline contains "👱🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦳" or tgt.process.cmdline contains "🧑🏼‍🦳" or tgt.process.cmdline contains "👨🏼‍🦳" or tgt.process.cmdline contains "👩🏼‍🦲" or tgt.process.cmdline contains "🧑🏼‍🦲" or 
tgt.process.cmdline contains "👨🏼‍🦲" or tgt.process.cmdline contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏼" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "👵🏼" or tgt.process.cmdline contains "🧓🏼" or tgt.process.cmdline contains "👴🏼" or tgt.process.cmdline contains "👲🏼" or tgt.process.cmdline contains "👳🏼‍♀️" or tgt.process.cmdline contains "👳🏼" or tgt.process.cmdline contains "👳🏼‍♂️" or tgt.process.cmdline contains "🧕🏼" or tgt.process.cmdline contains "👮🏼‍♀️" or tgt.process.cmdline contains "👮🏼" or tgt.process.cmdline contains "👮🏼‍♂️" or tgt.process.cmdline contains "👷🏼‍♀️" or tgt.process.cmdline contains "👷🏼" or tgt.process.cmdline contains "👷🏼‍♂️" or tgt.process.cmdline contains "💂🏼‍♀️" or tgt.process.cmdline contains "💂🏼" or tgt.process.cmdline contains "💂🏼‍♂️" or tgt.process.cmdline contains "🕵🏼‍♀️" or tgt.process.cmdline contains "🕵🏼" or tgt.process.cmdline contains "🕵🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍⚕️" or tgt.process.cmdline contains "🧑🏼‍⚕️" or tgt.process.cmdline contains "👨🏼‍⚕️" or tgt.process.cmdline contains "👩🏼‍🌾" or tgt.process.cmdline contains "🧑🏼‍🌾" or tgt.process.cmdline contains "👨🏼‍🌾" or tgt.process.cmdline contains "👩🏼‍🍳" or tgt.process.cmdline contains "🧑🏼‍🍳" or tgt.process.cmdline contains "👨🏼‍🍳" or tgt.process.cmdline contains "👩🏼‍🎓" or tgt.process.cmdline contains "🧑🏼‍🎓" or tgt.process.cmdline contains "👨🏼‍🎓" or tgt.process.cmdline contains "👩🏼‍🎤" or tgt.process.cmdline contains "🧑🏼‍🎤" or tgt.process.cmdline contains "👨🏼‍🎤" or tgt.process.cmdline contains "👩🏼‍🏫" or tgt.process.cmdline contains "🧑🏼‍🏫" or tgt.process.cmdline contains "👨🏼‍🏫" or tgt.process.cmdline contains "👩🏼‍🏭" or tgt.process.cmdline contains "🧑🏼‍🏭" or tgt.process.cmdline contains "👨🏼‍🏭" or tgt.process.cmdline contains "👩🏼‍💻" or tgt.process.cmdline contains "🧑🏼‍💻" or tgt.process.cmdline contains "👨🏼‍💻" or tgt.process.cmdline contains "👩🏼‍💼" or tgt.process.cmdline contains "🧑🏼‍💼" or tgt.process.cmdline contains "👨🏼‍💼" or 
tgt.process.cmdline contains "👩🏼‍🔧" or tgt.process.cmdline contains "🧑🏼‍🔧" or tgt.process.cmdline contains "👨🏼‍🔧" or tgt.process.cmdline contains "👩🏼‍🔬" or tgt.process.cmdline contains "🧑🏼‍🔬" or tgt.process.cmdline contains "👨🏼‍🔬" or tgt.process.cmdline contains "👩🏼‍🎨" or tgt.process.cmdline contains "🧑🏼‍🎨" or tgt.process.cmdline contains "👨🏼‍🎨" or tgt.process.cmdline contains "👩🏼‍🚒" or tgt.process.cmdline contains "🧑🏼‍🚒" or tgt.process.cmdline contains "👨🏼‍🚒" or tgt.process.cmdline contains "👩🏼‍✈️" or tgt.process.cmdline contains "🧑🏼‍✈️" or tgt.process.cmdline contains "👨🏼‍✈️" or tgt.process.cmdline contains "👩🏼‍🚀" or tgt.process.cmdline contains "🧑🏼‍🚀" or tgt.process.cmdline contains "👨🏼‍🚀" or tgt.process.cmdline contains "👩🏼‍⚖️" or tgt.process.cmdline contains "🧑🏼‍⚖️" or tgt.process.cmdline contains "👨🏼‍⚖️" or tgt.process.cmdline contains "👰🏼‍♀️" or tgt.process.cmdline contains "👰🏼" or tgt.process.cmdline contains "👰🏼‍♂️" or tgt.process.cmdline contains "🤵🏼‍♀️" or tgt.process.cmdline contains "🤵🏼" or tgt.process.cmdline contains "🤵🏼‍♂️" or tgt.process.cmdline contains "👸🏼" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🤴🏼" or tgt.process.cmdline contains "🥷🏼" or tgt.process.cmdline contains "🦸🏼‍♀️" or tgt.process.cmdline contains "🦸🏼" or tgt.process.cmdline contains "🦸🏼‍♂️" or tgt.process.cmdline contains "🦹🏼‍♀️" or tgt.process.cmdline contains "🦹🏼" or tgt.process.cmdline contains "🦹🏼‍♂️" or tgt.process.cmdline contains "🤶🏼" or tgt.process.cmdline contains "🧑🏼‍🎄" or tgt.process.cmdline contains "🎅🏼" or tgt.process.cmdline contains "🧙🏼‍♀️" or tgt.process.cmdline contains "🧙🏼" or tgt.process.cmdline contains "🧙🏼‍♂️" or tgt.process.cmdline contains "🧝🏼‍♀️" or tgt.process.cmdline contains "🧝🏼" or tgt.process.cmdline contains "🧝🏼‍♂️" or tgt.process.cmdline contains "🧛🏼‍♀️" or tgt.process.cmdline contains "🧛🏼" or tgt.process.cmdline contains "🧛🏼‍♂️" or tgt.process.cmdline contains "🧜🏼‍♀️" or tgt.process.cmdline contains "🧜🏼" or 
tgt.process.cmdline contains "🧜🏼‍♂️" or tgt.process.cmdline contains "🧚🏼‍♀️" or tgt.process.cmdline contains "🧚🏼" or tgt.process.cmdline contains "🧚🏼‍♂️" or tgt.process.cmdline contains "👼🏼" or tgt.process.cmdline contains "🤰🏼" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🤱🏼" or tgt.process.cmdline contains "👩🏼‍🍼" or tgt.process.cmdline contains "🧑🏼‍🍼" or tgt.process.cmdline contains "👨🏼‍🍼" or tgt.process.cmdline contains "🙇🏼‍♀️" or tgt.process.cmdline contains "🙇🏼" or tgt.process.cmdline contains "🙇🏼‍♂️" or tgt.process.cmdline contains "💁🏼‍♀️" or tgt.process.cmdline contains "💁🏼" or tgt.process.cmdline contains "💁🏼‍♂️" or tgt.process.cmdline contains "🙅🏼‍♀️" or tgt.process.cmdline contains "🙅🏼" or tgt.process.cmdline contains "🙅🏼‍♂️" or tgt.process.cmdline contains "🙆🏼‍♀️" or tgt.process.cmdline contains "🙆🏼" or tgt.process.cmdline contains "🙆🏼‍♂️" or tgt.process.cmdline contains "🙋🏼‍♀️" or tgt.process.cmdline contains "🙋🏼" or tgt.process.cmdline contains "🙋🏼‍♂️" or tgt.process.cmdline contains "🧏🏼‍♀️" or tgt.process.cmdline contains "🧏🏼" or tgt.process.cmdline contains "🧏🏼‍♂️" or tgt.process.cmdline contains "🤦🏼‍♀️" or tgt.process.cmdline contains "🤦🏼" or tgt.process.cmdline contains "🤦🏼‍♂️" or tgt.process.cmdline contains "🤷🏼‍♀️")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md index 80489e70b..af8074f82 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🤷🏼" or tgt.process.cmdline contains "🤷🏼‍♂️" or tgt.process.cmdline contains "🙎🏼‍♀️" or tgt.process.cmdline contains "🙎🏼" or tgt.process.cmdline contains "🙎🏼‍♂️" or tgt.process.cmdline contains "🙍🏼‍♀️" or tgt.process.cmdline contains "🙍🏼" or tgt.process.cmdline contains "🙍🏼‍♂️" or tgt.process.cmdline contains "💇🏼‍♀️" or tgt.process.cmdline contains "💇🏼" or tgt.process.cmdline contains "💇🏼‍♂️" or tgt.process.cmdline contains "💆🏼‍♀️" or tgt.process.cmdline contains "💆🏼" or tgt.process.cmdline contains "💆🏼‍♂️" or tgt.process.cmdline contains "🧖🏼‍♀️" or tgt.process.cmdline contains "🧖🏼" or tgt.process.cmdline contains "🧖🏼‍♂️" or tgt.process.cmdline contains "💃🏼" or tgt.process.cmdline contains "🕺🏼" or tgt.process.cmdline contains "🕴🏼" or tgt.process.cmdline contains "👩🏼‍🦽" or tgt.process.cmdline contains "🧑🏼‍🦽" or tgt.process.cmdline contains "👨🏼‍🦽" or tgt.process.cmdline contains "👩🏼‍🦼" or tgt.process.cmdline contains "🧑🏼‍🦼" or tgt.process.cmdline contains "👨🏼‍🦼" or tgt.process.cmdline contains "🚶🏼‍♀️" or tgt.process.cmdline contains "🚶🏼" or tgt.process.cmdline contains "🚶🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦯" or tgt.process.cmdline contains "🧑🏼‍🦯" or tgt.process.cmdline contains "👨🏼‍🦯" or tgt.process.cmdline contains "🧎🏼‍♀️" or tgt.process.cmdline contains "🧎🏼" or tgt.process.cmdline contains "🧎🏼‍♂️" or tgt.process.cmdline contains "🏃🏼‍♀️" or tgt.process.cmdline contains "🏃🏼" or tgt.process.cmdline contains "🏃🏼‍♂️" or tgt.process.cmdline contains "🧍🏼‍♀️" or tgt.process.cmdline contains "🧍🏼" or tgt.process.cmdline contains "🧍🏼‍♂️" or tgt.process.cmdline contains "👭🏼" or tgt.process.cmdline contains "🧑🏼‍🤝‍🧑🏼" or tgt.process.cmdline contains "👬🏼" or tgt.process.cmdline contains "👫🏼" or tgt.process.cmdline 
contains "🧗🏼‍♀️" or tgt.process.cmdline contains "🧗🏼" or tgt.process.cmdline contains "🧗🏼‍♂️" or tgt.process.cmdline contains "🏇🏼" or tgt.process.cmdline contains "🏂🏼" or tgt.process.cmdline contains "🏌🏼‍♀️" or tgt.process.cmdline contains "🏌🏼" or tgt.process.cmdline contains "🏌🏼‍♂️" or tgt.process.cmdline contains "🏄🏼‍♀️" or tgt.process.cmdline contains "🏄🏼" or tgt.process.cmdline contains "🏄🏼‍♂️" or tgt.process.cmdline contains "🚣🏼‍♀️" or tgt.process.cmdline contains "🚣🏼" or tgt.process.cmdline contains "🚣🏼‍♂️" or tgt.process.cmdline contains "🏊🏼‍♀️" or tgt.process.cmdline contains "🏊🏼" or tgt.process.cmdline contains "🏊🏼‍♂️" or tgt.process.cmdline contains "⛹🏼‍♀️" or tgt.process.cmdline contains "⛹🏼" or tgt.process.cmdline contains "⛹🏼‍♂️" or tgt.process.cmdline contains "🏋🏼‍♀️" or tgt.process.cmdline contains "🏋🏼" or tgt.process.cmdline contains "🏋🏼‍♂️" or tgt.process.cmdline contains "🚴🏼‍♀️" or tgt.process.cmdline contains "🚴🏼" or tgt.process.cmdline contains "🚴🏼‍♂️" or tgt.process.cmdline contains "🚵🏼‍♀️" or tgt.process.cmdline contains "🚵🏼" or tgt.process.cmdline contains "🚵🏼‍♂️" or tgt.process.cmdline contains "🤸🏼‍♀️" or tgt.process.cmdline contains "🤸🏼" or tgt.process.cmdline contains "🤸🏼‍♂️" or tgt.process.cmdline contains "🤽🏼‍♀️" or tgt.process.cmdline contains "🤽🏼" or tgt.process.cmdline contains "🤽🏼‍♂️" or tgt.process.cmdline contains "🤾🏼‍♀️" or tgt.process.cmdline contains "🤾🏼" or tgt.process.cmdline contains "🤾🏼‍♂️" or tgt.process.cmdline contains "🤹🏼‍♀️" or tgt.process.cmdline contains "🤹🏼" or tgt.process.cmdline contains "🤹🏼‍♂️" or tgt.process.cmdline contains "🧘🏼‍♀️" or tgt.process.cmdline contains "🧘🏼" or tgt.process.cmdline contains "🧘🏼‍♂️" or tgt.process.cmdline contains "🛀🏼" or tgt.process.cmdline contains "🛌🏼" or tgt.process.cmdline contains "👋🏽" or tgt.process.cmdline contains "🤚🏽" or tgt.process.cmdline contains "🖐🏽" or tgt.process.cmdline contains "✋🏽" or tgt.process.cmdline contains "🖖🏽" or tgt.process.cmdline contains "👌🏽" or 
tgt.process.cmdline contains "🤌🏽" or tgt.process.cmdline contains "🤏🏽" or tgt.process.cmdline contains "✌🏽" or tgt.process.cmdline contains "🤞🏽" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🤟🏽" or tgt.process.cmdline contains "🤘🏽" or tgt.process.cmdline contains "🤙🏽" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "👈🏽" or tgt.process.cmdline contains "👉🏽" or tgt.process.cmdline contains "👆🏽" or tgt.process.cmdline contains "🖕🏽" or tgt.process.cmdline contains "👇🏽" or tgt.process.cmdline contains "☝🏽" or tgt.process.cmdline contains "👍🏽" or tgt.process.cmdline contains "👎🏽" or tgt.process.cmdline contains "✊🏽" or tgt.process.cmdline contains "👊🏽" or tgt.process.cmdline contains "🤛🏽" or tgt.process.cmdline contains "🤜🏽" or tgt.process.cmdline contains "👏🏽" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🙌🏽" or tgt.process.cmdline contains "👐🏽" or tgt.process.cmdline contains "🤲🏽" or tgt.process.cmdline contains "🙏🏽" or tgt.process.cmdline contains "✍🏽" or tgt.process.cmdline contains "💪🏽" or tgt.process.cmdline contains "🦵🏽" or tgt.process.cmdline contains "🦶🏽" or tgt.process.cmdline contains "👂🏽" or tgt.process.cmdline contains "🦻🏽" or tgt.process.cmdline contains "👃🏽" or tgt.process.cmdline contains "👶🏽" or tgt.process.cmdline contains "👧🏽" or tgt.process.cmdline contains "🧒🏽" or tgt.process.cmdline contains "👦🏽" or tgt.process.cmdline contains "👩🏽" or tgt.process.cmdline contains "🧑🏽" or tgt.process.cmdline contains "👨🏽" or tgt.process.cmdline contains "👩🏽‍🦱" or tgt.process.cmdline contains "🧑🏽‍🦱" or tgt.process.cmdline contains "👨🏽‍🦱" or tgt.process.cmdline contains "👩🏽‍🦰" or tgt.process.cmdline contains "🧑🏽‍🦰" or tgt.process.cmdline contains "👨🏽‍🦰" or tgt.process.cmdline contains "👱🏽‍♀️" or tgt.process.cmdline contains "👱🏽" or tgt.process.cmdline 
contains "👱🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦳" or tgt.process.cmdline contains "🧑🏽‍🦳" or tgt.process.cmdline contains "👨🏽‍🦳" or tgt.process.cmdline contains "👩🏽‍🦲" or tgt.process.cmdline contains "🧑🏽‍🦲" or tgt.process.cmdline contains "👨🏽‍🦲" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏽" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "👵🏽" or tgt.process.cmdline contains "🧓🏽" or tgt.process.cmdline contains "👴🏽" or tgt.process.cmdline contains "👲🏽" or tgt.process.cmdline contains "👳🏽‍♀️" or tgt.process.cmdline contains "👳🏽" or tgt.process.cmdline contains "👳🏽‍♂️" or tgt.process.cmdline contains "🧕🏽" or tgt.process.cmdline contains "👮🏽‍♀️" or tgt.process.cmdline contains "👮🏽" or tgt.process.cmdline contains "👮🏽‍♂️" or tgt.process.cmdline contains "👷🏽‍♀️" or tgt.process.cmdline contains "👷🏽" or tgt.process.cmdline contains "👷🏽‍♂️" or tgt.process.cmdline contains "💂🏽‍♀️" or tgt.process.cmdline contains "💂🏽" or tgt.process.cmdline contains "💂🏽‍♂️" or tgt.process.cmdline contains "🕵🏽‍♀️" or tgt.process.cmdline contains "🕵🏽" or tgt.process.cmdline contains "🕵🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍⚕️" or tgt.process.cmdline contains "🧑🏽‍⚕️" or tgt.process.cmdline contains "👨🏽‍⚕️" or tgt.process.cmdline contains "👩🏽‍🌾" or tgt.process.cmdline contains "🧑🏽‍🌾" or tgt.process.cmdline contains "👨🏽‍🌾" or tgt.process.cmdline contains "👩🏽‍🍳" or tgt.process.cmdline contains "🧑🏽‍🍳" or tgt.process.cmdline contains "👨🏽‍🍳" or tgt.process.cmdline contains "👩🏽‍🎓" or tgt.process.cmdline contains "🧑🏽‍🎓" or tgt.process.cmdline contains "👨🏽‍🎓" or tgt.process.cmdline contains "👩🏽‍🎤" or tgt.process.cmdline contains "🧑🏽‍🎤" or tgt.process.cmdline contains "👨🏽‍🎤" or tgt.process.cmdline contains "👩🏽‍🏫" or tgt.process.cmdline contains "🧑🏽‍🏫" or tgt.process.cmdline contains "👨🏽‍🏫" or tgt.process.cmdline contains "👩🏽‍🏭" or tgt.process.cmdline contains "🧑🏽‍🏭" or tgt.process.cmdline contains "👨🏽‍🏭" or tgt.process.cmdline contains "👩🏽‍💻" 
or tgt.process.cmdline contains "🧑🏽‍💻" or tgt.process.cmdline contains "👨🏽‍💻" or tgt.process.cmdline contains "👩🏽‍💼" or tgt.process.cmdline contains "🧑🏽‍💼" or tgt.process.cmdline contains "👨🏽‍💼" or tgt.process.cmdline contains "👩🏽‍🔧" or tgt.process.cmdline contains "🧑🏽‍🔧" or tgt.process.cmdline contains "👨🏽‍🔧" or tgt.process.cmdline contains "👩🏽‍🔬" or tgt.process.cmdline contains "🧑🏽‍🔬" or tgt.process.cmdline contains "👨🏽‍🔬" or tgt.process.cmdline contains "👩🏽‍🎨" or tgt.process.cmdline contains "🧑🏽‍🎨" or tgt.process.cmdline contains "👨🏽‍🎨" or tgt.process.cmdline contains "👩🏽‍🚒" or tgt.process.cmdline contains "🧑🏽‍🚒" or tgt.process.cmdline contains "👨🏽‍🚒" or tgt.process.cmdline contains "👩🏽‍✈️" or tgt.process.cmdline contains "🧑🏽‍✈️" or tgt.process.cmdline contains "👨🏽‍✈️" or tgt.process.cmdline contains "👩🏽‍🚀" or tgt.process.cmdline contains "🧑🏽‍🚀" or tgt.process.cmdline contains "👨🏽‍🚀" or tgt.process.cmdline contains "👩🏽‍⚖️" or tgt.process.cmdline contains "🧑🏽‍⚖️" or tgt.process.cmdline contains "👨🏽‍⚖️" or tgt.process.cmdline contains "👰🏽‍♀️" or tgt.process.cmdline contains "👰🏽" or tgt.process.cmdline contains "👰🏽‍♂️" or tgt.process.cmdline contains "🤵🏽‍♀️" or tgt.process.cmdline contains "🤵🏽" or tgt.process.cmdline contains "🤵🏽‍♂️" or tgt.process.cmdline contains "👸🏽" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🤴🏽" or tgt.process.cmdline contains "🥷🏽" or tgt.process.cmdline contains "🦸🏽‍♀️" or tgt.process.cmdline contains "🦸🏽" or tgt.process.cmdline contains "🦸🏽‍♂️" or tgt.process.cmdline contains "🦹🏽‍♀️" or tgt.process.cmdline contains "🦹🏽" or tgt.process.cmdline contains "🦹🏽‍♂️" or tgt.process.cmdline contains "🤶🏽" or tgt.process.cmdline contains "🧑🏽‍🎄" or tgt.process.cmdline contains "🎅🏽" or tgt.process.cmdline contains "🧙🏽‍♀️" or tgt.process.cmdline contains "🧙🏽" or tgt.process.cmdline contains "🧙🏽‍♂️" or tgt.process.cmdline contains "🧝🏽‍♀️" or tgt.process.cmdline contains "🧝🏽" or tgt.process.cmdline contains "🧝🏽‍♂️" or 
tgt.process.cmdline contains "🧛🏽‍♀️" or tgt.process.cmdline contains "🧛🏽" or tgt.process.cmdline contains "🧛🏽‍♂️" or tgt.process.cmdline contains "🧜🏽‍♀️" or tgt.process.cmdline contains "🧜🏽" or tgt.process.cmdline contains "🧜🏽‍♂️" or tgt.process.cmdline contains "🧚🏽‍♀️" or tgt.process.cmdline contains "🧚🏽" or tgt.process.cmdline contains "🧚🏽‍♂️" or tgt.process.cmdline contains "👼🏽" or tgt.process.cmdline contains "🤰🏽" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🤱🏽" or tgt.process.cmdline contains "👩🏽‍🍼" or tgt.process.cmdline contains "🧑🏽‍🍼" or tgt.process.cmdline contains "👨🏽‍🍼" or tgt.process.cmdline contains "🙇🏽‍♀️" or tgt.process.cmdline contains "🙇🏽" or tgt.process.cmdline contains "🙇🏽‍♂️" or tgt.process.cmdline contains "💁🏽‍♀️" or tgt.process.cmdline contains "💁🏽" or tgt.process.cmdline contains "💁🏽‍♂️" or tgt.process.cmdline contains "🙅🏽‍♀️" or tgt.process.cmdline contains "🙅🏽" or tgt.process.cmdline contains "🙅🏽‍♂️" or tgt.process.cmdline contains "🙆🏽‍♀️" or tgt.process.cmdline contains "🙆🏽" or tgt.process.cmdline contains "🙆🏽‍♂️" or tgt.process.cmdline contains "🙋🏽‍♀️" or tgt.process.cmdline contains "🙋🏽" or tgt.process.cmdline contains "🙋🏽‍♂️" or tgt.process.cmdline contains "🧏🏽‍♀️" or tgt.process.cmdline contains "🧏🏽" or tgt.process.cmdline contains "🧏🏽‍♂️" or tgt.process.cmdline contains "🤦🏽‍♀️" or tgt.process.cmdline contains "🤦🏽" or tgt.process.cmdline contains "🤦🏽‍♂️" or tgt.process.cmdline contains "🤷🏽‍♀️" or tgt.process.cmdline contains "🤷🏽" or tgt.process.cmdline contains "🤷🏽‍♂️" or tgt.process.cmdline contains "🙎🏽‍♀️" or tgt.process.cmdline contains "🙎🏽" or tgt.process.cmdline contains "🙎🏽‍♂️" or tgt.process.cmdline contains "🙍🏽‍♀️" or tgt.process.cmdline contains "🙍🏽" or tgt.process.cmdline contains "🙍🏽‍♂️" or tgt.process.cmdline contains "💇🏽‍♀️" or tgt.process.cmdline contains "💇🏽" or tgt.process.cmdline contains "💇🏽‍♂️" or tgt.process.cmdline contains "💆🏽‍♀️" or tgt.process.cmdline 
contains "💆🏽" or tgt.process.cmdline contains "💆🏽‍♂️" or tgt.process.cmdline contains "🧖🏽‍♀️" or tgt.process.cmdline contains "🧖🏽" or tgt.process.cmdline contains "🧖🏽‍♂️" or tgt.process.cmdline contains "💃🏽" or tgt.process.cmdline contains "🕺🏽" or tgt.process.cmdline contains "🕴🏽" or tgt.process.cmdline contains "👩🏽‍🦽" or tgt.process.cmdline contains "🧑🏽‍🦽" or tgt.process.cmdline contains "👨🏽‍🦽" or tgt.process.cmdline contains "👩🏽‍🦼" or tgt.process.cmdline contains "🧑🏽‍🦼" or tgt.process.cmdline contains "👨🏽‍🦼" or tgt.process.cmdline contains "🚶🏽‍♀️" or tgt.process.cmdline contains "🚶🏽" or tgt.process.cmdline contains "🚶🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦯" or tgt.process.cmdline contains "🧑🏽‍🦯" or tgt.process.cmdline contains "👨🏽‍🦯" or tgt.process.cmdline contains "🧎🏽‍♀️" or tgt.process.cmdline contains "🧎🏽" or tgt.process.cmdline contains "🧎🏽‍♂️" or tgt.process.cmdline contains "🏃🏽‍♀️" or tgt.process.cmdline contains "🏃🏽" or tgt.process.cmdline contains "🏃🏽‍♂️" or tgt.process.cmdline contains "🧍🏽‍♀️" or tgt.process.cmdline contains "🧍🏽" or tgt.process.cmdline contains "🧍🏽‍♂️" or tgt.process.cmdline contains "👭🏽" or tgt.process.cmdline contains "🧑🏽‍🤝‍🧑🏽" or tgt.process.cmdline contains "👬🏽" or tgt.process.cmdline contains "👫🏽" or tgt.process.cmdline contains "🧗🏽‍♀️" or tgt.process.cmdline contains "🧗🏽" or tgt.process.cmdline contains "🧗🏽‍♂️" or tgt.process.cmdline contains "🏇🏽" or tgt.process.cmdline contains "🏂🏽" or tgt.process.cmdline contains "🏌🏽‍♀️" or tgt.process.cmdline contains "🏌🏽" or tgt.process.cmdline contains "🏌🏽‍♂️" or tgt.process.cmdline contains "🏄🏽‍♀️" or tgt.process.cmdline contains "🏄🏽" or tgt.process.cmdline contains "🏄🏽‍♂️" or tgt.process.cmdline contains "🚣🏽‍♀️" or tgt.process.cmdline contains "🚣🏽" or tgt.process.cmdline contains "🚣🏽‍♂️" or tgt.process.cmdline contains "🏊🏽‍♀️" or tgt.process.cmdline contains "🏊🏽" or tgt.process.cmdline contains "🏊🏽‍♂️" or tgt.process.cmdline contains "⛹🏽‍♀️" or tgt.process.cmdline contains "⛹🏽" or 
tgt.process.cmdline contains "⛹🏽‍♂️" or tgt.process.cmdline contains "🏋🏽‍♀️" or tgt.process.cmdline contains "🏋🏽" or tgt.process.cmdline contains "🏋🏽‍♂️" or tgt.process.cmdline contains "🚴🏽‍♀️" or tgt.process.cmdline contains "🚴🏽" or tgt.process.cmdline contains "🚴🏽‍♂️" or tgt.process.cmdline contains "🚵🏽‍♀️" or tgt.process.cmdline contains "🚵🏽" or tgt.process.cmdline contains "🚵🏽‍♂️" or tgt.process.cmdline contains "🤸🏽‍♀️" or tgt.process.cmdline contains "🤸🏽" or tgt.process.cmdline contains "🤸🏽‍♂️" or tgt.process.cmdline contains "🤽🏽‍♀️" or tgt.process.cmdline contains "🤽🏽" or tgt.process.cmdline contains "🤽🏽‍♂️" or tgt.process.cmdline contains "🤾🏽‍♀️" or tgt.process.cmdline contains "🤾🏽" or tgt.process.cmdline contains "🤾🏽‍♂️" or tgt.process.cmdline contains "🤹🏽‍♀️" or tgt.process.cmdline contains "🤹🏽" or tgt.process.cmdline contains "🤹🏽‍♂️" or tgt.process.cmdline contains "🧘🏽‍♀️" or tgt.process.cmdline contains "🧘🏽" or tgt.process.cmdline contains "🧘🏽‍♂️" or tgt.process.cmdline contains "🛀🏽" or tgt.process.cmdline contains "🛌🏽" or tgt.process.cmdline contains "👋🏾" or tgt.process.cmdline contains "🤚🏾" or tgt.process.cmdline contains "🖐🏾" or tgt.process.cmdline contains "✋🏾" or tgt.process.cmdline contains "🖖🏾" or tgt.process.cmdline contains "👌🏾" or tgt.process.cmdline contains "🤌🏾" or tgt.process.cmdline contains "🤏🏾" or tgt.process.cmdline contains "✌🏾" or tgt.process.cmdline contains "🤞🏾" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🤟🏾" or tgt.process.cmdline contains "🤘🏾" or tgt.process.cmdline contains "🤙🏾" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "👈🏾" or tgt.process.cmdline contains "👉🏾" or tgt.process.cmdline contains "👆🏾" or tgt.process.cmdline contains "🖕🏾" or tgt.process.cmdline contains "👇🏾" or tgt.process.cmdline contains "☝🏾" or tgt.process.cmdline 
contains "👍🏾" or tgt.process.cmdline contains "👎🏾" or tgt.process.cmdline contains "✊🏾" or tgt.process.cmdline contains "👊🏾" or tgt.process.cmdline contains "🤛🏾" or tgt.process.cmdline contains "🤜🏾" or tgt.process.cmdline contains "👏🏾" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🙌🏾" or tgt.process.cmdline contains "👐🏾" or tgt.process.cmdline contains "🤲🏾" or tgt.process.cmdline contains "🙏🏾" or tgt.process.cmdline contains "✍🏾" or tgt.process.cmdline contains "💪🏾" or tgt.process.cmdline contains "🦵🏾" or tgt.process.cmdline contains "🦶🏾" or tgt.process.cmdline contains "👂🏾" or tgt.process.cmdline contains "🦻🏾" or tgt.process.cmdline contains "👃🏾" or tgt.process.cmdline contains "👶🏾" or tgt.process.cmdline contains "👧🏾" or tgt.process.cmdline contains "🧒🏾" or tgt.process.cmdline contains "👦🏾" or tgt.process.cmdline contains "👩🏾" or tgt.process.cmdline contains "🧑🏾" or tgt.process.cmdline contains "👨🏾" or tgt.process.cmdline contains "👩🏾‍🦱" or tgt.process.cmdline contains "🧑🏾‍🦱" or tgt.process.cmdline contains "👨🏾‍🦱" or tgt.process.cmdline contains "👩🏾‍🦰" or tgt.process.cmdline contains "🧑🏾‍🦰" or tgt.process.cmdline contains "👨🏾‍🦰" or tgt.process.cmdline contains "👱🏾‍♀️" or tgt.process.cmdline contains "👱🏾" or tgt.process.cmdline contains "👱🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦳" or tgt.process.cmdline contains "🧑🏾‍🦳" or tgt.process.cmdline contains "👨🏾‍🦳" or tgt.process.cmdline contains "👩🏾‍🦲" or tgt.process.cmdline contains "🧑🏾‍🦲" or tgt.process.cmdline contains "👨🏾‍🦲" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏾" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "👵🏾" or tgt.process.cmdline contains "🧓🏾" or tgt.process.cmdline contains "👴🏾" or tgt.process.cmdline contains "👲🏾" or tgt.process.cmdline contains "👳🏾‍♀️" or tgt.process.cmdline contains "👳🏾" or tgt.process.cmdline contains "👳🏾‍♂️" or tgt.process.cmdline contains "🧕🏾" or tgt.process.cmdline contains "👮🏾‍♀️" or 
tgt.process.cmdline contains "👮🏾" or tgt.process.cmdline contains "👮🏾‍♂️" or tgt.process.cmdline contains "👷🏾‍♀️" or tgt.process.cmdline contains "👷🏾" or tgt.process.cmdline contains "👷🏾‍♂️" or tgt.process.cmdline contains "💂🏾‍♀️" or tgt.process.cmdline contains "💂🏾" or tgt.process.cmdline contains "💂🏾‍♂️" or tgt.process.cmdline contains "🕵🏾‍♀️" or tgt.process.cmdline contains "🕵🏾" or tgt.process.cmdline contains "🕵🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍⚕️" or tgt.process.cmdline contains "🧑🏾‍⚕️" or tgt.process.cmdline contains "👨🏾‍⚕️" or tgt.process.cmdline contains "👩🏾‍🌾" or tgt.process.cmdline contains "🧑🏾‍🌾" or tgt.process.cmdline contains "👨🏾‍🌾" or tgt.process.cmdline contains "👩🏾‍🍳" or tgt.process.cmdline contains "🧑🏾‍🍳" or tgt.process.cmdline contains "👨🏾‍🍳" or tgt.process.cmdline contains "👩🏾‍🎓" or tgt.process.cmdline contains "🧑🏾‍🎓" or tgt.process.cmdline contains "👨🏾‍🎓" or tgt.process.cmdline contains "👩🏾‍🎤" or tgt.process.cmdline contains "🧑🏾‍🎤" or tgt.process.cmdline contains "👨🏾‍🎤" or tgt.process.cmdline contains "👩🏾‍🏫" or tgt.process.cmdline contains "🧑🏾‍🏫" or tgt.process.cmdline contains "👨🏾‍🏫" or tgt.process.cmdline contains "👩🏾‍🏭" or tgt.process.cmdline contains "🧑🏾‍🏭" or tgt.process.cmdline contains "👨🏾‍🏭" or tgt.process.cmdline contains "👩🏾‍💻" or tgt.process.cmdline contains "🧑🏾‍💻" or tgt.process.cmdline contains "👨🏾‍💻" or tgt.process.cmdline contains "👩🏾‍💼" or tgt.process.cmdline contains "🧑🏾‍💼" or tgt.process.cmdline contains "👨🏾‍💼" or tgt.process.cmdline contains "👩🏾‍🔧" or tgt.process.cmdline contains "🧑🏾‍🔧" or tgt.process.cmdline contains "👨🏾‍🔧" or tgt.process.cmdline contains "👩🏾‍🔬" or tgt.process.cmdline contains "🧑🏾‍🔬" or tgt.process.cmdline contains "👨🏾‍🔬" or tgt.process.cmdline contains "👩🏾‍🎨" or tgt.process.cmdline contains "🧑🏾‍🎨" or tgt.process.cmdline contains "👨🏾‍🎨" or tgt.process.cmdline contains "👩🏾‍🚒" or tgt.process.cmdline contains "🧑🏾‍🚒" or tgt.process.cmdline contains "👨🏾‍🚒" or tgt.process.cmdline contains "👩🏾‍✈️" or 
tgt.process.cmdline contains "🧑🏾‍✈️" or tgt.process.cmdline contains "👨🏾‍✈️" or tgt.process.cmdline contains "👩🏾‍🚀" or tgt.process.cmdline contains "🧑🏾‍🚀" or tgt.process.cmdline contains "👨🏾‍🚀" or tgt.process.cmdline contains "👩🏾‍⚖️" or tgt.process.cmdline contains "🧑🏾‍⚖️" or tgt.process.cmdline contains "👨🏾‍⚖️" or tgt.process.cmdline contains "👰🏾‍♀️" or tgt.process.cmdline contains "👰🏾" or tgt.process.cmdline contains "👰🏾‍♂️" or tgt.process.cmdline contains "🤵🏾‍♀️" or tgt.process.cmdline contains "🤵🏾" or tgt.process.cmdline contains "🤵🏾‍♂️" or tgt.process.cmdline contains "👸🏾" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🤴🏾" or tgt.process.cmdline contains "🥷🏾" or tgt.process.cmdline contains "🦸🏾‍♀️" or tgt.process.cmdline contains "🦸🏾" or tgt.process.cmdline contains "🦸🏾‍♂️" or tgt.process.cmdline contains "🦹🏾‍♀️" or tgt.process.cmdline contains "🦹🏾" or tgt.process.cmdline contains "🦹🏾‍♂️" or tgt.process.cmdline contains "🤶🏾" or tgt.process.cmdline contains "🧑🏾‍🎄" or tgt.process.cmdline contains "🎅🏾" or tgt.process.cmdline contains "🧙🏾‍♀️" or tgt.process.cmdline contains "🧙🏾" or tgt.process.cmdline contains "🧙🏾‍♂️" or tgt.process.cmdline contains "🧝🏾‍♀️" or tgt.process.cmdline contains "🧝🏾" or tgt.process.cmdline contains "🧝🏾‍♂️" or tgt.process.cmdline contains "🧛🏾‍♀️" or tgt.process.cmdline contains "🧛🏾" or tgt.process.cmdline contains "🧛🏾‍♂️" or tgt.process.cmdline contains "🧜🏾‍♀️" or tgt.process.cmdline contains "🧜🏾" or tgt.process.cmdline contains "🧜🏾‍♂️" or tgt.process.cmdline contains "🧚🏾‍♀️" or tgt.process.cmdline contains "🧚🏾" or tgt.process.cmdline contains "🧚🏾‍♂️" or tgt.process.cmdline contains "👼🏾" or tgt.process.cmdline contains "🤰🏾" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🤱🏾" or tgt.process.cmdline contains "👩🏾‍🍼" or tgt.process.cmdline contains "🧑🏾‍🍼" or tgt.process.cmdline contains "👨🏾‍🍼" or tgt.process.cmdline contains "🙇🏾‍♀️" or tgt.process.cmdline 
contains "🙇🏾" or tgt.process.cmdline contains "🙇🏾‍♂️" or tgt.process.cmdline contains "💁🏾‍♀️" or tgt.process.cmdline contains "💁🏾" or tgt.process.cmdline contains "💁🏾‍♂️" or tgt.process.cmdline contains "🙅🏾‍♀️" or tgt.process.cmdline contains "🙅🏾" or tgt.process.cmdline contains "🙅🏾‍♂️" or tgt.process.cmdline contains "🙆🏾‍♀️" or tgt.process.cmdline contains "🙆🏾" or tgt.process.cmdline contains "🙆🏾‍♂️" or tgt.process.cmdline contains "🙋🏾‍♀️" or tgt.process.cmdline contains "🙋🏾" or tgt.process.cmdline contains "🙋🏾‍♂️" or tgt.process.cmdline contains "🧏🏾‍♀️" or tgt.process.cmdline contains "🧏🏾" or tgt.process.cmdline contains "🧏🏾‍♂️" or tgt.process.cmdline contains "🤦🏾‍♀️" or tgt.process.cmdline contains "🤦🏾" or tgt.process.cmdline contains "🤦🏾‍♂️" or tgt.process.cmdline contains "🤷🏾‍♀️" or tgt.process.cmdline contains "🤷🏾" or tgt.process.cmdline contains "🤷🏾‍♂️" or tgt.process.cmdline contains "🙎🏾‍♀️" or tgt.process.cmdline contains "🙎🏾" or tgt.process.cmdline contains "🙎🏾‍♂️" or tgt.process.cmdline contains "🙍🏾‍♀️" or tgt.process.cmdline contains "🙍🏾" or tgt.process.cmdline contains "🙍🏾‍♂️" or tgt.process.cmdline contains "💇🏾‍♀️" or tgt.process.cmdline contains "💇🏾" or tgt.process.cmdline contains "💇🏾‍♂️" or tgt.process.cmdline contains "💆🏾‍♀️" or tgt.process.cmdline contains "💆🏾" or tgt.process.cmdline contains "💆🏾‍♂️" or tgt.process.cmdline contains "🧖🏾‍♀️" or tgt.process.cmdline contains "🧖🏾" or tgt.process.cmdline contains "🧖🏾‍♂️" or tgt.process.cmdline contains "💃🏾" or tgt.process.cmdline contains "🕺🏾" or tgt.process.cmdline contains "👩🏾‍🦽" or tgt.process.cmdline contains "🧑🏾‍🦽" or tgt.process.cmdline contains "👨🏾‍🦽" or tgt.process.cmdline contains "👩🏾‍🦼" or tgt.process.cmdline contains "🧑🏾‍🦼" or tgt.process.cmdline contains "👨🏾‍🦼" or tgt.process.cmdline contains "🚶🏾‍♀️" or tgt.process.cmdline contains "🚶🏾" or tgt.process.cmdline contains "🚶🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦯" or tgt.process.cmdline contains "🧑🏾‍🦯" or tgt.process.cmdline contains "👨🏾‍🦯" 
or tgt.process.cmdline contains "🧎🏾‍♀️" or tgt.process.cmdline contains "🧎🏾" or tgt.process.cmdline contains "🧎🏾‍♂️" or tgt.process.cmdline contains "🏃🏾‍♀️" or tgt.process.cmdline contains "🏃🏾" or tgt.process.cmdline contains "🏃🏾‍♂️" or tgt.process.cmdline contains "🧍🏾‍♀️" or tgt.process.cmdline contains "🧍🏾" or tgt.process.cmdline contains "🧍🏾‍♂️" or tgt.process.cmdline contains "👭🏾" or tgt.process.cmdline contains "🧑🏾‍🤝‍🧑🏾" or tgt.process.cmdline contains "👬🏾" or tgt.process.cmdline contains "👫🏾" or tgt.process.cmdline contains "🧗🏾‍♀️" or tgt.process.cmdline contains "🧗🏾" or tgt.process.cmdline contains "🧗🏾‍♂️" or tgt.process.cmdline contains "🏇🏾" or tgt.process.cmdline contains "🏂🏾" or tgt.process.cmdline contains "🏌🏾‍♀️" or tgt.process.cmdline contains "🏌🏾" or tgt.process.cmdline contains "🏌🏾‍♂️" or tgt.process.cmdline contains "🏄🏾‍♀️" or tgt.process.cmdline contains "🏄🏾" or tgt.process.cmdline contains "🏄🏾‍♂️" or tgt.process.cmdline contains "🚣🏾‍♀️" or tgt.process.cmdline contains "🚣🏾" or tgt.process.cmdline contains "🚣🏾‍♂️" or tgt.process.cmdline contains "🏊🏾‍♀️" or tgt.process.cmdline contains "🏊🏾" or tgt.process.cmdline contains "🏊🏾‍♂️" or tgt.process.cmdline contains "⛹🏾‍♀️" or tgt.process.cmdline contains "⛹🏾" or tgt.process.cmdline contains "⛹🏾‍♂️" or tgt.process.cmdline contains "🏋🏾‍♀️" or tgt.process.cmdline contains "🏋🏾" or tgt.process.cmdline contains "🏋🏾‍♂️" or tgt.process.cmdline contains "🚴🏾‍♀️" or tgt.process.cmdline contains "🚴🏾" or tgt.process.cmdline contains "🚴🏾‍♂️" or tgt.process.cmdline contains "🚵🏾‍♀️" or tgt.process.cmdline contains "🚵🏾" or tgt.process.cmdline contains "🚵🏾‍♂️" or tgt.process.cmdline contains "🤸🏾‍♀️" or tgt.process.cmdline contains "🤸🏾" or tgt.process.cmdline contains "🤸🏾‍♂️" or tgt.process.cmdline contains "🤽🏾‍♀️" or tgt.process.cmdline contains "🤽🏾" or tgt.process.cmdline contains "🤽🏾‍♂️" or tgt.process.cmdline contains "🤾🏾‍♀️" or tgt.process.cmdline contains "🤾🏾" or tgt.process.cmdline contains "🤾🏾‍♂️" or 
tgt.process.cmdline contains "🤹🏾‍♀️" or tgt.process.cmdline contains "🤹🏾" or tgt.process.cmdline contains "🤹🏾‍♂️" or tgt.process.cmdline contains "🧘🏾‍♀️" or tgt.process.cmdline contains "🧘🏾" or tgt.process.cmdline contains "🧘🏾‍♂️" or tgt.process.cmdline contains "🛀🏾" or tgt.process.cmdline contains "🛌🏾" or tgt.process.cmdline contains "👋🏿" or tgt.process.cmdline contains "🤚🏿" or tgt.process.cmdline contains "🖐🏿" or tgt.process.cmdline contains "✋🏿" or tgt.process.cmdline contains "🖖🏿" or tgt.process.cmdline contains "👌🏿" or tgt.process.cmdline contains "🤌🏿" or tgt.process.cmdline contains "🤏🏿" or tgt.process.cmdline contains "✌🏿" or tgt.process.cmdline contains "🤞🏿" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🤟🏿" or tgt.process.cmdline contains "🤘🏿" or tgt.process.cmdline contains "🤙🏿" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫱🏿" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "👈🏿" or tgt.process.cmdline contains "👉🏿" or tgt.process.cmdline contains "👆🏿" or tgt.process.cmdline contains "🖕🏿" or tgt.process.cmdline contains "👇🏿" or tgt.process.cmdline contains "☝🏿" or tgt.process.cmdline contains "👍🏿" or tgt.process.cmdline contains "👎🏿" or tgt.process.cmdline contains "✊🏿" or tgt.process.cmdline contains "👊🏿" or tgt.process.cmdline contains "🤛🏿" or tgt.process.cmdline contains "🤜🏿" or tgt.process.cmdline contains "👏🏿" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🙌🏿" or tgt.process.cmdline contains "👐🏿" or tgt.process.cmdline contains "🤲🏿" or tgt.process.cmdline contains "🙏🏿" or tgt.process.cmdline contains "✍🏿" or tgt.process.cmdline contains "🤳🏿" or tgt.process.cmdline contains "💪🏿" or tgt.process.cmdline contains "🦵🏿" or tgt.process.cmdline contains "🦶🏿" or tgt.process.cmdline contains "👂🏿" or tgt.process.cmdline contains "🦻🏿" or tgt.process.cmdline contains "👃🏿" or tgt.process.cmdline 
contains "👶🏿" or tgt.process.cmdline contains "👧🏿" or tgt.process.cmdline contains "🧒🏿" or tgt.process.cmdline contains "👦🏿" or tgt.process.cmdline contains "👩🏿" or tgt.process.cmdline contains "🧑🏿" or tgt.process.cmdline contains "👨🏿" or tgt.process.cmdline contains "👩🏿‍🦱" or tgt.process.cmdline contains "🧑🏿‍🦱" or tgt.process.cmdline contains "👨🏿‍🦱" or tgt.process.cmdline contains "👩🏿‍🦰" or tgt.process.cmdline contains "🧑🏿‍🦰" or tgt.process.cmdline contains "👨🏿‍🦰" or tgt.process.cmdline contains "👱🏿‍♀️" or tgt.process.cmdline contains "👱🏿" or tgt.process.cmdline contains "👱🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦳" or tgt.process.cmdline contains "🧑🏿‍🦳" or tgt.process.cmdline contains "👨🏿‍🦳" or tgt.process.cmdline contains "👩🏿‍🦲" or tgt.process.cmdline contains "🧑🏿‍🦲" or tgt.process.cmdline contains "👨🏿‍🦲" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔🏿" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "👵🏿" or tgt.process.cmdline contains "🧓🏿" or tgt.process.cmdline contains "👴🏿" or tgt.process.cmdline contains "👲🏿" or tgt.process.cmdline contains "👳🏿‍♀️" or tgt.process.cmdline contains "👳🏿" or tgt.process.cmdline contains "👳🏿‍♂️" or tgt.process.cmdline contains "🧕🏿" or tgt.process.cmdline contains "👮🏿‍♀️" or tgt.process.cmdline contains "👮🏿" or tgt.process.cmdline contains "👮🏿‍♂️" or tgt.process.cmdline contains "👷🏿‍♀️" or tgt.process.cmdline contains "👷🏿" or tgt.process.cmdline contains "👷🏿‍♂️" or tgt.process.cmdline contains "💂🏿‍♀️" or tgt.process.cmdline contains "💂🏿" or tgt.process.cmdline contains "💂🏿‍♂️" or tgt.process.cmdline contains "🕵🏿‍♀️" or tgt.process.cmdline contains "🕵🏿" or tgt.process.cmdline contains "🕵🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍⚕️" or tgt.process.cmdline contains "🧑🏿‍⚕️" or tgt.process.cmdline contains "👨🏿‍⚕️" or tgt.process.cmdline contains "👩🏿‍🌾" or tgt.process.cmdline contains "🧑🏿‍🌾" or tgt.process.cmdline contains "👨🏿‍🌾" or tgt.process.cmdline contains "👩🏿‍🍳" or 
tgt.process.cmdline contains "🧑🏿‍🍳" or tgt.process.cmdline contains "👨🏿‍🍳" or tgt.process.cmdline contains "👩🏿‍🎓" or tgt.process.cmdline contains "🧑🏿‍🎓" or tgt.process.cmdline contains "👨🏿‍🎓" or tgt.process.cmdline contains "👩🏿‍🎤" or tgt.process.cmdline contains "🧑🏿‍🎤" or tgt.process.cmdline contains "👨🏿‍🎤" or tgt.process.cmdline contains "👩🏿‍🏫" or tgt.process.cmdline contains "🧑🏿‍🏫" or tgt.process.cmdline contains "👨🏿‍🏫" or tgt.process.cmdline contains "👩🏿‍🏭" or tgt.process.cmdline contains "🧑🏿‍🏭" or tgt.process.cmdline contains "👨🏿‍🏭" or tgt.process.cmdline contains "👩🏿‍💻" or tgt.process.cmdline contains "🧑🏿‍💻" or tgt.process.cmdline contains "👨🏿‍💻" or tgt.process.cmdline contains "👩🏿‍💼" or tgt.process.cmdline contains "🧑🏿‍💼" or tgt.process.cmdline contains "👨🏿‍💼" or tgt.process.cmdline contains "👩🏿‍🔧" or tgt.process.cmdline contains "🧑🏿‍🔧" or tgt.process.cmdline contains "👨🏿‍🔧" or tgt.process.cmdline contains "👩🏿‍🔬" or tgt.process.cmdline contains "🧑🏿‍🔬" or tgt.process.cmdline contains "👨🏿‍🔬" or tgt.process.cmdline contains "👩🏿‍🎨" or tgt.process.cmdline contains "🧑🏿‍🎨" or tgt.process.cmdline contains "👨🏿‍🎨" or tgt.process.cmdline contains "👩🏿‍🚒" or tgt.process.cmdline contains "🧑🏿‍🚒" or tgt.process.cmdline contains "👨🏿‍🚒" or tgt.process.cmdline contains "👩🏿‍✈️" or tgt.process.cmdline contains "🧑🏿‍✈️" or tgt.process.cmdline contains "👨🏿‍✈️" or tgt.process.cmdline contains "👩🏿‍🚀" or tgt.process.cmdline contains "🧑🏿‍🚀" or tgt.process.cmdline contains "👨🏿‍🚀" or tgt.process.cmdline contains "👩🏿‍⚖️" or tgt.process.cmdline contains "🧑🏿‍⚖️" or tgt.process.cmdline contains "👨🏿‍⚖️" or tgt.process.cmdline contains "👰🏿‍♀️" or tgt.process.cmdline contains "👰🏿" or tgt.process.cmdline contains "👰🏿‍♂️" or tgt.process.cmdline contains "🤵🏿‍♀️" or tgt.process.cmdline contains "🤵🏿" or tgt.process.cmdline contains "🤵🏿‍♂️" or tgt.process.cmdline contains "👸🏿" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🤴🏿" or tgt.process.cmdline contains "🥷🏿" or 
tgt.process.cmdline contains "🦸🏿‍♀️" or tgt.process.cmdline contains "🦸🏿" or tgt.process.cmdline contains "🦸🏿‍♂️" or tgt.process.cmdline contains "🦹🏿‍♀️" or tgt.process.cmdline contains "🦹🏿" or tgt.process.cmdline contains "🦹🏿‍♂️" or tgt.process.cmdline contains "🤶🏿" or tgt.process.cmdline contains "🧑🏿‍🎄" or tgt.process.cmdline contains "🎅🏿" or tgt.process.cmdline contains "🧙🏿‍♀️" or tgt.process.cmdline contains "🧙🏿" or tgt.process.cmdline contains "🧙🏿‍♂️" or tgt.process.cmdline contains "🧝🏿‍♀️" or tgt.process.cmdline contains "🧝🏿" or tgt.process.cmdline contains "🧝🏿‍♂️" or tgt.process.cmdline contains "🧛🏿‍♀️" or tgt.process.cmdline contains "🧛🏿" or tgt.process.cmdline contains "🧛🏿‍♂️" or tgt.process.cmdline contains "🧜🏿‍♀️" or tgt.process.cmdline contains "🧜🏿" or tgt.process.cmdline contains "🧜🏿‍♂️" or tgt.process.cmdline contains "🧚🏿‍♀️" or tgt.process.cmdline contains "🧚🏿" or tgt.process.cmdline contains "🧚🏿‍♂️" or tgt.process.cmdline contains "👼🏿" or tgt.process.cmdline contains "🤰🏿" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🤱🏿" or tgt.process.cmdline contains "👩🏿‍🍼" or tgt.process.cmdline contains "🧑🏿‍🍼" or tgt.process.cmdline contains "👨🏿‍🍼" or tgt.process.cmdline contains "🙇🏿‍♀️" or tgt.process.cmdline contains "🙇🏿" or tgt.process.cmdline contains "🙇🏿‍♂️" or tgt.process.cmdline contains "💁🏿‍♀️" or tgt.process.cmdline contains "💁🏿" or tgt.process.cmdline contains "💁🏿‍♂️" or tgt.process.cmdline contains "🙅🏿‍♀️" or tgt.process.cmdline contains "🙅🏿" or tgt.process.cmdline contains "🙅🏿‍♂️" or tgt.process.cmdline contains "🙆🏿‍♀️" or tgt.process.cmdline contains "🙆🏿" or tgt.process.cmdline contains "🙆🏿‍♂️" or tgt.process.cmdline contains "🙋🏿‍♀️" or tgt.process.cmdline contains "🙋🏿" or tgt.process.cmdline contains "🙋🏿‍♂️" or tgt.process.cmdline contains "🧏🏿‍♀️" or tgt.process.cmdline contains "🧏🏿" or tgt.process.cmdline contains "🧏🏿‍♂️" or tgt.process.cmdline contains "🤦🏿‍♀️" or tgt.process.cmdline 
contains "🤦🏿" or tgt.process.cmdline contains "🤦🏿‍♂️" or tgt.process.cmdline contains "🤷🏿‍♀️" or tgt.process.cmdline contains "🤷🏿" or tgt.process.cmdline contains "🤷🏿‍♂️" or tgt.process.cmdline contains "🙎🏿‍♀️" or tgt.process.cmdline contains "🙎🏿" or tgt.process.cmdline contains "🙎🏿‍♂️" or tgt.process.cmdline contains "🙍🏿‍♀️" or tgt.process.cmdline contains "🙍🏿" or tgt.process.cmdline contains "🙍🏿‍♂️" or tgt.process.cmdline contains "💇🏿‍♀️" or tgt.process.cmdline contains "💇🏿" or tgt.process.cmdline contains "💇🏿‍♂️" or tgt.process.cmdline contains "💆🏿‍♀️" or tgt.process.cmdline contains "💆🏿" or tgt.process.cmdline contains "💆🏿‍♂️" or tgt.process.cmdline contains "🧖🏿‍♀️" or tgt.process.cmdline contains "🧖🏿" or tgt.process.cmdline contains "🧖🏿‍♂️" or tgt.process.cmdline contains "💃🏿" or tgt.process.cmdline contains "🕺🏿" or tgt.process.cmdline contains "🕴🏿" or tgt.process.cmdline contains "👩🏿‍🦽" or tgt.process.cmdline contains "🧑🏿‍🦽" or tgt.process.cmdline contains "👨🏿‍🦽" or tgt.process.cmdline contains "👩🏿‍🦼" or tgt.process.cmdline contains "🧑🏿‍🦼" or tgt.process.cmdline contains "👨🏿‍🦼" or tgt.process.cmdline contains "🚶🏿‍♀️" or tgt.process.cmdline contains "🚶🏿" or tgt.process.cmdline contains "🚶🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦯" or tgt.process.cmdline contains "🧑🏿‍🦯" or tgt.process.cmdline contains "👨🏿‍🦯" or tgt.process.cmdline contains "🧎🏿‍♀️" or tgt.process.cmdline contains "🧎🏿" or tgt.process.cmdline contains "🧎🏿‍♂️" or tgt.process.cmdline contains "🏃🏿‍♀️" or tgt.process.cmdline contains "🏃🏿" or tgt.process.cmdline contains "🏃🏿‍♂️" or tgt.process.cmdline contains "🧍🏿‍♀️" or tgt.process.cmdline contains "🧍🏿" or tgt.process.cmdline contains "🧍🏿‍♂️" or tgt.process.cmdline contains "👭🏿" or tgt.process.cmdline contains "🧑🏿‍🤝‍🧑🏿" or tgt.process.cmdline contains "👬🏿" or tgt.process.cmdline contains "👫🏿" or tgt.process.cmdline contains "🧗🏿‍♀️" or tgt.process.cmdline contains "🧗🏿" or tgt.process.cmdline contains "🧗🏿‍♂️" or tgt.process.cmdline contains "🏇🏿" or 
tgt.process.cmdline contains "🏂🏿" or tgt.process.cmdline contains "🏌🏿‍♀️" or tgt.process.cmdline contains "🏌🏿" or tgt.process.cmdline contains "🏌🏿‍♂️" or tgt.process.cmdline contains "🏄🏿‍♀️" or tgt.process.cmdline contains "🏄🏿" or tgt.process.cmdline contains "🏄🏿‍♂️" or tgt.process.cmdline contains "🚣🏿‍♀️" or tgt.process.cmdline contains "🚣🏿" or tgt.process.cmdline contains "🚣🏿‍♂️" or tgt.process.cmdline contains "🏊🏿‍♀️" or tgt.process.cmdline contains "🏊🏿" or tgt.process.cmdline contains "🏊🏿‍♂️" or tgt.process.cmdline contains "⛹🏿‍♀️" or tgt.process.cmdline contains "⛹🏿" or tgt.process.cmdline contains "⛹🏿‍♂️" or tgt.process.cmdline contains "🏋🏿‍♀️" or tgt.process.cmdline contains "🏋🏿" or tgt.process.cmdline contains "🏋🏿‍♂️" or tgt.process.cmdline contains "🚴🏿‍♀️" or tgt.process.cmdline contains "🚴🏿" or tgt.process.cmdline contains "🚴🏿‍♂️" or tgt.process.cmdline contains "🚵🏿‍♀️" or tgt.process.cmdline contains "🚵🏿" or tgt.process.cmdline contains "🚵🏿‍♂️" or tgt.process.cmdline contains "🤸🏿‍♀️" or tgt.process.cmdline contains "🤸🏿" or tgt.process.cmdline contains "🤸🏿‍♂️" or tgt.process.cmdline contains "🤽🏿‍♀️" or tgt.process.cmdline contains "🤽🏿" or tgt.process.cmdline contains "🤽🏿‍♂️" or tgt.process.cmdline contains "🤾🏿‍♀️" or tgt.process.cmdline contains "🤾🏿" or tgt.process.cmdline contains "🤾🏿‍♂️" or tgt.process.cmdline contains "🤹🏿‍♀️" or tgt.process.cmdline contains "🤹🏿" or tgt.process.cmdline contains "🤹🏿‍♂️" or tgt.process.cmdline contains "🧘🏿‍♀️" or tgt.process.cmdline contains "🧘🏿" or tgt.process.cmdline contains "🧘🏿‍♂️" or tgt.process.cmdline contains "🛀🏿" or tgt.process.cmdline contains "🛌🏿" or tgt.process.cmdline contains "🐶" or tgt.process.cmdline contains "🐱" or tgt.process.cmdline contains "🐭" or tgt.process.cmdline contains "🐹" or tgt.process.cmdline contains "🐰" or tgt.process.cmdline contains "🦊" or tgt.process.cmdline contains "🐻" or tgt.process.cmdline contains "🐼" or tgt.process.cmdline contains "🐻‍❄️" or tgt.process.cmdline contains "🐨" or 
tgt.process.cmdline contains "🐯" or tgt.process.cmdline contains "🦁" or tgt.process.cmdline contains "🐮" or tgt.process.cmdline contains "🐷" or tgt.process.cmdline contains "🐽" or tgt.process.cmdline contains "🐸" or tgt.process.cmdline contains "🐵" or tgt.process.cmdline contains "🙈" or tgt.process.cmdline contains "🙉" or tgt.process.cmdline contains "🙊" or tgt.process.cmdline contains "🐒" or tgt.process.cmdline contains "🐔" or tgt.process.cmdline contains "🐧" or tgt.process.cmdline contains "🐦" or tgt.process.cmdline contains "🐤" or tgt.process.cmdline contains "🐣" or tgt.process.cmdline contains "🐥"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
index 0c248f760..6625e9bdd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🦆" or tgt.process.cmdline contains "🦅" or tgt.process.cmdline contains "🦉" or tgt.process.cmdline contains "🦇" or tgt.process.cmdline contains "🐺" or tgt.process.cmdline contains "🐗" or tgt.process.cmdline contains "🐴" or tgt.process.cmdline contains "🦄" or tgt.process.cmdline contains "🐝" or tgt.process.cmdline contains "🪱" or tgt.process.cmdline contains "🐛" or tgt.process.cmdline contains "🦋" or tgt.process.cmdline contains "🐌" or tgt.process.cmdline contains "🐞" or tgt.process.cmdline contains "🐜" or tgt.process.cmdline contains "🪰" or tgt.process.cmdline contains "🪲" or tgt.process.cmdline contains "🪳" or tgt.process.cmdline contains "🦟" or tgt.process.cmdline contains "🦗" or tgt.process.cmdline contains "🕷" or tgt.process.cmdline contains "🕸" or tgt.process.cmdline contains "🦂" or tgt.process.cmdline contains "🐢" or tgt.process.cmdline contains "🐍" or tgt.process.cmdline contains "🦎" or tgt.process.cmdline contains "🦖" or tgt.process.cmdline contains "🦕" or tgt.process.cmdline contains "🐙" or tgt.process.cmdline contains "🦑" or tgt.process.cmdline contains "🦐" or tgt.process.cmdline contains "🦞" or tgt.process.cmdline contains "🦀" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🐡" or tgt.process.cmdline contains "🐠" or tgt.process.cmdline contains "🐟" or tgt.process.cmdline contains "🐬" or tgt.process.cmdline contains "🐳" or tgt.process.cmdline contains "🐋" or tgt.process.cmdline contains "🦈" or tgt.process.cmdline contains "🐊" or tgt.process.cmdline contains "🐅" or tgt.process.cmdline contains "🐆" or tgt.process.cmdline contains "🦓" or tgt.process.cmdline contains "🦍" or tgt.process.cmdline contains "🦧" or tgt.process.cmdline contains "🦣" or tgt.process.cmdline contains "🐘" or 
tgt.process.cmdline contains "🦛" or tgt.process.cmdline contains "🦏" or tgt.process.cmdline contains "🐪" or tgt.process.cmdline contains "🐫" or tgt.process.cmdline contains "🦒" or tgt.process.cmdline contains "🦘" or tgt.process.cmdline contains "🦬" or tgt.process.cmdline contains "🐃" or tgt.process.cmdline contains "🐂" or tgt.process.cmdline contains "🐄" or tgt.process.cmdline contains "🐎" or tgt.process.cmdline contains "🐖" or tgt.process.cmdline contains "🐏" or tgt.process.cmdline contains "🐑" or tgt.process.cmdline contains "🦙" or tgt.process.cmdline contains "🐐" or tgt.process.cmdline contains "🦌" or tgt.process.cmdline contains "🐕" or tgt.process.cmdline contains "🐩" or tgt.process.cmdline contains "🦮" or tgt.process.cmdline contains "🐕‍🦺" or tgt.process.cmdline contains "🐈" or tgt.process.cmdline contains "🐈‍⬛" or tgt.process.cmdline contains "🪶" or tgt.process.cmdline contains "🐓" or tgt.process.cmdline contains "🦃" or tgt.process.cmdline contains "🦤" or tgt.process.cmdline contains "🦚" or tgt.process.cmdline contains "🦜" or tgt.process.cmdline contains "🦢" or tgt.process.cmdline contains "🦩" or tgt.process.cmdline contains "🕊" or tgt.process.cmdline contains "🐇" or tgt.process.cmdline contains "🦝" or tgt.process.cmdline contains "🦨" or tgt.process.cmdline contains "🦡" or tgt.process.cmdline contains "🦫" or tgt.process.cmdline contains "🦦" or tgt.process.cmdline contains "🦥" or tgt.process.cmdline contains "🐁" or tgt.process.cmdline contains "🐀" or tgt.process.cmdline contains "🐿" or tgt.process.cmdline contains "🦔" or tgt.process.cmdline contains "🐾" or tgt.process.cmdline contains "🐉" or tgt.process.cmdline contains "🐲" or tgt.process.cmdline contains "🌵" or tgt.process.cmdline contains "🎄" or tgt.process.cmdline contains "🌲" or tgt.process.cmdline contains "🌳" or tgt.process.cmdline contains "🌴" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🪵" or tgt.process.cmdline contains "🌱" or 
tgt.process.cmdline contains "🌿" or tgt.process.cmdline contains "☘️" or tgt.process.cmdline contains "🍀" or tgt.process.cmdline contains "🎍" or tgt.process.cmdline contains "🪴" or tgt.process.cmdline contains "🎋" or tgt.process.cmdline contains "🍃" or tgt.process.cmdline contains "🍂" or tgt.process.cmdline contains "🍁" or tgt.process.cmdline contains "🍄" or tgt.process.cmdline contains "🐚" or tgt.process.cmdline contains "🪨" or tgt.process.cmdline contains "🌾" or tgt.process.cmdline contains "💐" or tgt.process.cmdline contains "🌷" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🌹" or tgt.process.cmdline contains "🥀" or tgt.process.cmdline contains "🌺" or tgt.process.cmdline contains "🌸" or tgt.process.cmdline contains "🌼" or tgt.process.cmdline contains "🌻" or tgt.process.cmdline contains "🌞" or tgt.process.cmdline contains "🌝" or tgt.process.cmdline contains "🌛" or tgt.process.cmdline contains "🌜" or tgt.process.cmdline contains "🌚" or tgt.process.cmdline contains "🌕" or tgt.process.cmdline contains "🌖" or tgt.process.cmdline contains "🌗" or tgt.process.cmdline contains "🌘" or tgt.process.cmdline contains "🌑" or tgt.process.cmdline contains "🌒" or tgt.process.cmdline contains "🌓" or tgt.process.cmdline contains "🌔" or tgt.process.cmdline contains "🌙" or tgt.process.cmdline contains "🌎" or tgt.process.cmdline contains "🌍" or tgt.process.cmdline contains "🌏" or tgt.process.cmdline contains "🪐" or tgt.process.cmdline contains "💫" or tgt.process.cmdline contains "⭐️" or tgt.process.cmdline contains "🌟" or tgt.process.cmdline contains "✨" or tgt.process.cmdline contains "⚡️" or tgt.process.cmdline contains "☄️" or tgt.process.cmdline contains "💥" or tgt.process.cmdline contains "🔥" or tgt.process.cmdline contains "🌪" or tgt.process.cmdline contains "🌈" or tgt.process.cmdline contains "☀️" or tgt.process.cmdline contains "🌤" or tgt.process.cmdline contains "⛅️" or tgt.process.cmdline contains "🌥" or tgt.process.cmdline contains "☁️" or 
tgt.process.cmdline contains "🌦" or tgt.process.cmdline contains "🌧" or tgt.process.cmdline contains "⛈" or tgt.process.cmdline contains "🌩" or tgt.process.cmdline contains "🌨" or tgt.process.cmdline contains "❄️" or tgt.process.cmdline contains "☃️" or tgt.process.cmdline contains "⛄️" or tgt.process.cmdline contains "🌬" or tgt.process.cmdline contains "💨" or tgt.process.cmdline contains "💧" or tgt.process.cmdline contains "💦" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "☔️" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🌊" or tgt.process.cmdline contains "🌫🍏" or tgt.process.cmdline contains "🍎" or tgt.process.cmdline contains "🍐" or tgt.process.cmdline contains "🍊" or tgt.process.cmdline contains "🍋" or tgt.process.cmdline contains "🍌" or tgt.process.cmdline contains "🍉" or tgt.process.cmdline contains "🍇" or tgt.process.cmdline contains "🍓" or tgt.process.cmdline contains "🫐" or tgt.process.cmdline contains "🍈" or tgt.process.cmdline contains "🍒" or tgt.process.cmdline contains "🍑" or tgt.process.cmdline contains "🥭" or tgt.process.cmdline contains "🍍" or tgt.process.cmdline contains "🥥" or tgt.process.cmdline contains "🥝" or tgt.process.cmdline contains "🍅" or tgt.process.cmdline contains "🍆" or tgt.process.cmdline contains "🥑" or tgt.process.cmdline contains "🥦" or tgt.process.cmdline contains "🥬" or tgt.process.cmdline contains "🥒" or tgt.process.cmdline contains "🌶" or tgt.process.cmdline contains "🫑" or tgt.process.cmdline contains "🌽" or tgt.process.cmdline contains "🥕" or tgt.process.cmdline contains "🫒" or tgt.process.cmdline contains "🧄" or tgt.process.cmdline contains "🧅" or tgt.process.cmdline contains "🥔" or tgt.process.cmdline contains "🍠" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🥐" or tgt.process.cmdline contains "🥯" or tgt.process.cmdline contains "🍞" or tgt.process.cmdline contains "🥖" or tgt.process.cmdline contains "🥨" or tgt.process.cmdline contains "🧀" or 
tgt.process.cmdline contains "🥚" or tgt.process.cmdline contains "🍳" or tgt.process.cmdline contains "🧈" or tgt.process.cmdline contains "🥞" or tgt.process.cmdline contains "🧇" or tgt.process.cmdline contains "🥓" or tgt.process.cmdline contains "🥩" or tgt.process.cmdline contains "🍗" or tgt.process.cmdline contains "🍖" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "🌭" or tgt.process.cmdline contains "🍔" or tgt.process.cmdline contains "🍟" or tgt.process.cmdline contains "🍕" or tgt.process.cmdline contains "🫓" or tgt.process.cmdline contains "🥪" or tgt.process.cmdline contains "🥙" or tgt.process.cmdline contains "🧆" or tgt.process.cmdline contains "🌮" or tgt.process.cmdline contains "🌯" or tgt.process.cmdline contains "🫔" or tgt.process.cmdline contains "🥗" or tgt.process.cmdline contains "🥘" or tgt.process.cmdline contains "🫕" or tgt.process.cmdline contains "🥫" or tgt.process.cmdline contains "🍝" or tgt.process.cmdline contains "🍜" or tgt.process.cmdline contains "🍲" or tgt.process.cmdline contains "🍛" or tgt.process.cmdline contains "🍣" or tgt.process.cmdline contains "🍱" or tgt.process.cmdline contains "🥟" or tgt.process.cmdline contains "🦪" or tgt.process.cmdline contains "🍤" or tgt.process.cmdline contains "🍙" or tgt.process.cmdline contains "🍚" or tgt.process.cmdline contains "🍘" or tgt.process.cmdline contains "🍥" or tgt.process.cmdline contains "🥠" or tgt.process.cmdline contains "🥮" or tgt.process.cmdline contains "🍢" or tgt.process.cmdline contains "🍡" or tgt.process.cmdline contains "🍧" or tgt.process.cmdline contains "🍨" or tgt.process.cmdline contains "🍦" or tgt.process.cmdline contains "🥧" or tgt.process.cmdline contains "🧁" or tgt.process.cmdline contains "🍰" or tgt.process.cmdline contains "🎂" or tgt.process.cmdline contains "🍮" or tgt.process.cmdline contains "🍭" or tgt.process.cmdline contains "🍬" or tgt.process.cmdline contains "🍫" or tgt.process.cmdline contains "🍿" or tgt.process.cmdline contains "🍩" or tgt.process.cmdline 
contains "🍪" or tgt.process.cmdline contains "🌰" or tgt.process.cmdline contains "🥜" or tgt.process.cmdline contains "🍯" or tgt.process.cmdline contains "🥛" or tgt.process.cmdline contains "🍼" or tgt.process.cmdline contains "🫖" or tgt.process.cmdline contains "☕️" or tgt.process.cmdline contains "🍵" or tgt.process.cmdline contains "🧃" or tgt.process.cmdline contains "🥤" or tgt.process.cmdline contains "🧋" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🍶" or tgt.process.cmdline contains "🍺" or tgt.process.cmdline contains "🍻" or tgt.process.cmdline contains "🥂" or tgt.process.cmdline contains "🍷" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🥃" or tgt.process.cmdline contains "🍸" or tgt.process.cmdline contains "🍹" or tgt.process.cmdline contains "🧉" or tgt.process.cmdline contains "🍾" or tgt.process.cmdline contains "🧊" or tgt.process.cmdline contains "🥄" or tgt.process.cmdline contains "🍴" or tgt.process.cmdline contains "🍽" or tgt.process.cmdline contains "🥣" or tgt.process.cmdline contains "🥡" or tgt.process.cmdline contains "🥢" or tgt.process.cmdline contains "🧂" or tgt.process.cmdline contains "⚽️" or tgt.process.cmdline contains "🏀" or tgt.process.cmdline contains "🏈" or tgt.process.cmdline contains "⚾️" or tgt.process.cmdline contains "🥎" or tgt.process.cmdline contains "🎾" or tgt.process.cmdline contains "🏐" or tgt.process.cmdline contains "🏉" or tgt.process.cmdline contains "🥏" or tgt.process.cmdline contains "🎱" or tgt.process.cmdline contains "🪀" or tgt.process.cmdline contains "🏓" or tgt.process.cmdline contains "🏸" or tgt.process.cmdline contains "🏒" or tgt.process.cmdline contains "🏑" or tgt.process.cmdline contains "🥍" or tgt.process.cmdline contains "🏏" or tgt.process.cmdline contains "🪃" or tgt.process.cmdline contains "🥅" or tgt.process.cmdline contains "⛳️" or tgt.process.cmdline contains "🪁" or tgt.process.cmdline contains "🏹" or tgt.process.cmdline contains "🎣" or tgt.process.cmdline contains "🤿" or 
tgt.process.cmdline contains "🥊" or tgt.process.cmdline contains "🥋" or tgt.process.cmdline contains "🎽" or tgt.process.cmdline contains "🛹" or tgt.process.cmdline contains "🛼" or tgt.process.cmdline contains "🛷" or tgt.process.cmdline contains "⛸" or tgt.process.cmdline contains "🥌" or tgt.process.cmdline contains "🎿" or tgt.process.cmdline contains "⛷" or tgt.process.cmdline contains "🏂" or tgt.process.cmdline contains "🪂" or tgt.process.cmdline contains "🏋️‍♀️" or tgt.process.cmdline contains "🏋️" or tgt.process.cmdline contains "🏋️‍♂️" or tgt.process.cmdline contains "🤼‍♀️" or tgt.process.cmdline contains "🤼" or tgt.process.cmdline contains "🤼‍♂️" or tgt.process.cmdline contains "🤸‍♀️" or tgt.process.cmdline contains "🤸" or tgt.process.cmdline contains "🤸‍♂️" or tgt.process.cmdline contains "⛹️‍♀️" or tgt.process.cmdline contains "⛹️" or tgt.process.cmdline contains "⛹️‍♂️" or tgt.process.cmdline contains "🤺" or tgt.process.cmdline contains "🤾‍♀️" or tgt.process.cmdline contains "🤾" or tgt.process.cmdline contains "🤾‍♂️" or tgt.process.cmdline contains "🏌️‍♀️" or tgt.process.cmdline contains "🏌️" or tgt.process.cmdline contains "🏌️‍♂️" or tgt.process.cmdline contains "🏇" or tgt.process.cmdline contains "🧘‍♀️" or tgt.process.cmdline contains "🧘" or tgt.process.cmdline contains "🧘‍♂️" or tgt.process.cmdline contains "🏄‍♀️" or tgt.process.cmdline contains "🏄" or tgt.process.cmdline contains "🏄‍♂️" or tgt.process.cmdline contains "🏊‍♀️" or tgt.process.cmdline contains "🏊" or tgt.process.cmdline contains "🏊‍♂️" or tgt.process.cmdline contains "🤽‍♀️" or tgt.process.cmdline contains "🤽" or tgt.process.cmdline contains "🤽‍♂️" or tgt.process.cmdline contains "🚣‍♀️" or tgt.process.cmdline contains "🚣" or tgt.process.cmdline contains "🚣‍♂️" or tgt.process.cmdline contains "🧗‍♀️" or tgt.process.cmdline contains "🧗" or tgt.process.cmdline contains "🧗‍♂️" or tgt.process.cmdline contains "🚵‍♀️" or tgt.process.cmdline contains "🚵" or tgt.process.cmdline contains "🚵‍♂️" or 
tgt.process.cmdline contains "🚴‍♀️" or tgt.process.cmdline contains "🚴" or tgt.process.cmdline contains "🚴‍♂️" or tgt.process.cmdline contains "🏆" or tgt.process.cmdline contains "🥇" or tgt.process.cmdline contains "🥈" or tgt.process.cmdline contains "🥉" or tgt.process.cmdline contains "🏅" or tgt.process.cmdline contains "🎖" or tgt.process.cmdline contains "🏵" or tgt.process.cmdline contains "🎗" or tgt.process.cmdline contains "🎫" or tgt.process.cmdline contains "🎟" or tgt.process.cmdline contains "🎪" or tgt.process.cmdline contains "🤹" or tgt.process.cmdline contains "🤹‍♂️" or tgt.process.cmdline contains "🤹‍♀️" or tgt.process.cmdline contains "🎭" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "🎨" or tgt.process.cmdline contains "🎬" or tgt.process.cmdline contains "🎤" or tgt.process.cmdline contains "🎧" or tgt.process.cmdline contains "🎼" or tgt.process.cmdline contains "🎹" or tgt.process.cmdline contains "🥁" or tgt.process.cmdline contains "🪘" or tgt.process.cmdline contains "🎷" or tgt.process.cmdline contains "🎺" or tgt.process.cmdline contains "🪗" or tgt.process.cmdline contains "🎸" or tgt.process.cmdline contains "🪕" or tgt.process.cmdline contains "🎻" or tgt.process.cmdline contains "🎲" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "🎯" or tgt.process.cmdline contains "🎳" or tgt.process.cmdline contains "🎮" or tgt.process.cmdline contains "🎰" or tgt.process.cmdline contains "🧩" or tgt.process.cmdline contains "🚗" or tgt.process.cmdline contains "🚕" or tgt.process.cmdline contains "🚙" or tgt.process.cmdline contains "🚌" or tgt.process.cmdline contains "🚎" or tgt.process.cmdline contains "🏎" or tgt.process.cmdline contains "🚓" or tgt.process.cmdline contains "🚑" or tgt.process.cmdline contains "🚒" or tgt.process.cmdline contains "🚐" or tgt.process.cmdline contains "🛻" or tgt.process.cmdline contains "🚚" or tgt.process.cmdline contains "🚛" or tgt.process.cmdline contains "🚜" or tgt.process.cmdline contains "🦯" or 
tgt.process.cmdline contains "🦽" or tgt.process.cmdline contains "🦼" or tgt.process.cmdline contains "🛴" or tgt.process.cmdline contains "🚲" or tgt.process.cmdline contains "🛵" or tgt.process.cmdline contains "🏍" or tgt.process.cmdline contains "🛺" or tgt.process.cmdline contains "🚨" or tgt.process.cmdline contains "🚔" or tgt.process.cmdline contains "🚍" or tgt.process.cmdline contains "🚘" or tgt.process.cmdline contains "🚖" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🚡" or tgt.process.cmdline contains "🚠" or tgt.process.cmdline contains "🚟" or tgt.process.cmdline contains "🚃" or tgt.process.cmdline contains "🚋" or tgt.process.cmdline contains "🚞" or tgt.process.cmdline contains "🚝" or tgt.process.cmdline contains "🚄" or tgt.process.cmdline contains "🚅" or tgt.process.cmdline contains "🚈" or tgt.process.cmdline contains "🚂" or tgt.process.cmdline contains "🚆" or tgt.process.cmdline contains "🚇" or tgt.process.cmdline contains "🚊" or tgt.process.cmdline contains "🚉" or tgt.process.cmdline contains "✈️" or tgt.process.cmdline contains "🛫" or tgt.process.cmdline contains "🛬" or tgt.process.cmdline contains "🛩" or tgt.process.cmdline contains "💺" or tgt.process.cmdline contains "🛰" or tgt.process.cmdline contains "🚀" or tgt.process.cmdline contains "🛸" or tgt.process.cmdline contains "🚁" or tgt.process.cmdline contains "🛶" or tgt.process.cmdline contains "⛵️" or tgt.process.cmdline contains "🚤" or tgt.process.cmdline contains "🛥" or tgt.process.cmdline contains "🛳" or tgt.process.cmdline contains "⛴" or tgt.process.cmdline contains "🚢" or tgt.process.cmdline contains "⚓️" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪝" or tgt.process.cmdline contains "⛽️" or tgt.process.cmdline contains "🚧" or tgt.process.cmdline contains "🚦" or tgt.process.cmdline contains "🚥" or tgt.process.cmdline contains "🚏" or tgt.process.cmdline contains "🗺" or tgt.process.cmdline contains "🗿" or tgt.process.cmdline contains "🗽" or 
tgt.process.cmdline contains "🗼" or tgt.process.cmdline contains "🏰" or tgt.process.cmdline contains "🏯" or tgt.process.cmdline contains "🏟" or tgt.process.cmdline contains "🎡" or tgt.process.cmdline contains "🎢" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🎠" or tgt.process.cmdline contains "⛲️" or tgt.process.cmdline contains "⛱" or tgt.process.cmdline contains "🏖" or tgt.process.cmdline contains "🏝" or tgt.process.cmdline contains "🏜" or tgt.process.cmdline contains "🌋" or tgt.process.cmdline contains "⛰" or tgt.process.cmdline contains "🏔" or tgt.process.cmdline contains "🗻" or tgt.process.cmdline contains "🏕" or tgt.process.cmdline contains "⛺️" or tgt.process.cmdline contains "🛖" or tgt.process.cmdline contains "🏠" or tgt.process.cmdline contains "🏡" or tgt.process.cmdline contains "🏘" or tgt.process.cmdline contains "🏚" or tgt.process.cmdline contains "🏗" or tgt.process.cmdline contains "🏭" or tgt.process.cmdline contains "🏢" or tgt.process.cmdline contains "🏬" or tgt.process.cmdline contains "🏣" or tgt.process.cmdline contains "🏤" or tgt.process.cmdline contains "🏥" or tgt.process.cmdline contains "🏦" or tgt.process.cmdline contains "🏨" or tgt.process.cmdline contains "🏪" or tgt.process.cmdline contains "🏫" or tgt.process.cmdline contains "🏩" or tgt.process.cmdline contains "💒" or tgt.process.cmdline contains "🏛" or tgt.process.cmdline contains "⛪️" or tgt.process.cmdline contains "🕌" or tgt.process.cmdline contains "🕍" or tgt.process.cmdline contains "🛕" or tgt.process.cmdline contains "🕋" or tgt.process.cmdline contains "⛩" or tgt.process.cmdline contains "🛤" or tgt.process.cmdline contains "🛣" or tgt.process.cmdline contains "🗾" or tgt.process.cmdline contains "🎑" or tgt.process.cmdline contains "🏞" or tgt.process.cmdline contains "🌅" or tgt.process.cmdline contains "🌄" or tgt.process.cmdline contains "🌠" or tgt.process.cmdline contains "🎇" or tgt.process.cmdline contains "🎆" or tgt.process.cmdline contains "🌇" or 
tgt.process.cmdline contains "🌆" or tgt.process.cmdline contains "🏙" or tgt.process.cmdline contains "🌃" or tgt.process.cmdline contains "🌌" or tgt.process.cmdline contains "🌉" or tgt.process.cmdline contains "🌁" or tgt.process.cmdline contains "⌚️" or tgt.process.cmdline contains "📱" or tgt.process.cmdline contains "📲" or tgt.process.cmdline contains "💻" or tgt.process.cmdline contains "⌨️" or tgt.process.cmdline contains "🖥" or tgt.process.cmdline contains "🖨" or tgt.process.cmdline contains "🖱" or tgt.process.cmdline contains "🖲" or tgt.process.cmdline contains "🕹" or tgt.process.cmdline contains "🗜" or tgt.process.cmdline contains "💽" or tgt.process.cmdline contains "💾" or tgt.process.cmdline contains "💿" or tgt.process.cmdline contains "📀" or tgt.process.cmdline contains "📼" or tgt.process.cmdline contains "📷" or tgt.process.cmdline contains "📸" or tgt.process.cmdline contains "📹" or tgt.process.cmdline contains "🎥" or tgt.process.cmdline contains "📽" or tgt.process.cmdline contains "🎞" or tgt.process.cmdline contains "📞" or tgt.process.cmdline contains "☎️" or tgt.process.cmdline contains "📟" or tgt.process.cmdline contains "📠" or tgt.process.cmdline contains "📺" or tgt.process.cmdline contains "📻" or tgt.process.cmdline contains "🎙" or tgt.process.cmdline contains "🎚" or tgt.process.cmdline contains "🎛" or tgt.process.cmdline contains "🧭" or tgt.process.cmdline contains "⏱" or tgt.process.cmdline contains "⏲" or tgt.process.cmdline contains "⏰" or tgt.process.cmdline contains "🕰" or tgt.process.cmdline contains "⌛️" or tgt.process.cmdline contains "⏳" or tgt.process.cmdline contains "📡" or tgt.process.cmdline contains "🔋" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🔌" or tgt.process.cmdline contains "💡" or tgt.process.cmdline contains "🔦" or tgt.process.cmdline contains "🕯" or tgt.process.cmdline contains "🪔" or tgt.process.cmdline contains "🧯" or tgt.process.cmdline contains "🛢" or tgt.process.cmdline contains "💸" or 
tgt.process.cmdline contains "💵" or tgt.process.cmdline contains "💴" or tgt.process.cmdline contains "💶" or tgt.process.cmdline contains "💷" or tgt.process.cmdline contains "🪙" or tgt.process.cmdline contains "💰" or tgt.process.cmdline contains "💳" or tgt.process.cmdline contains "💎" or tgt.process.cmdline contains "⚖️" or tgt.process.cmdline contains "🪜" or tgt.process.cmdline contains "🧰" or tgt.process.cmdline contains "🪛" or tgt.process.cmdline contains "🔧" or tgt.process.cmdline contains "🔨" or tgt.process.cmdline contains "⚒" or tgt.process.cmdline contains "🛠" or tgt.process.cmdline contains "⛏" or tgt.process.cmdline contains "🪚" or tgt.process.cmdline contains "🔩" or tgt.process.cmdline contains "⚙️" or tgt.process.cmdline contains "🪤" or tgt.process.cmdline contains "🧱" or tgt.process.cmdline contains "⛓" or tgt.process.cmdline contains "🧲" or tgt.process.cmdline contains "🔫" or tgt.process.cmdline contains "💣" or tgt.process.cmdline contains "🧨" or tgt.process.cmdline contains "🪓" or tgt.process.cmdline contains "🔪" or tgt.process.cmdline contains "🗡" or tgt.process.cmdline contains "⚔️" or tgt.process.cmdline contains "🛡" or tgt.process.cmdline contains "🚬" or tgt.process.cmdline contains "⚰️" or tgt.process.cmdline contains "🪦" or tgt.process.cmdline contains "⚱️" or tgt.process.cmdline contains "🏺" or tgt.process.cmdline contains "🔮" or tgt.process.cmdline contains "📿" or tgt.process.cmdline contains "🧿" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "💈" or tgt.process.cmdline contains "⚗️" or tgt.process.cmdline contains "🔭" or tgt.process.cmdline contains "🔬" or tgt.process.cmdline contains "🕳" or tgt.process.cmdline contains "🩹" or tgt.process.cmdline contains "🩺" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "💊" or tgt.process.cmdline contains "💉" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "🧬" or tgt.process.cmdline contains "🦠" or 
tgt.process.cmdline contains "🧫" or tgt.process.cmdline contains "🧪" or tgt.process.cmdline contains "🌡" or tgt.process.cmdline contains "🧹" or tgt.process.cmdline contains "🪠" or tgt.process.cmdline contains "🧺" or tgt.process.cmdline contains "🧻" or tgt.process.cmdline contains "🚽" or tgt.process.cmdline contains "🚰" or tgt.process.cmdline contains "🚿" or tgt.process.cmdline contains "🛁" or tgt.process.cmdline contains "🛀" or tgt.process.cmdline contains "🧼" or tgt.process.cmdline contains "🪥" or tgt.process.cmdline contains "🪒" or tgt.process.cmdline contains "🧽" or tgt.process.cmdline contains "🪣" or tgt.process.cmdline contains "🧴" or tgt.process.cmdline contains "🛎" or tgt.process.cmdline contains "🔑" or tgt.process.cmdline contains "🗝" or tgt.process.cmdline contains "🚪" or tgt.process.cmdline contains "🪑" or tgt.process.cmdline contains "🛋" or tgt.process.cmdline contains "🛏" or tgt.process.cmdline contains "🛌" or tgt.process.cmdline contains "🧸" or tgt.process.cmdline contains "🪆" or tgt.process.cmdline contains "🖼" or tgt.process.cmdline contains "🪞" or tgt.process.cmdline contains "🪟" or tgt.process.cmdline contains "🛍" or tgt.process.cmdline contains "🛒" or tgt.process.cmdline contains "🎁" or tgt.process.cmdline contains "🎈" or tgt.process.cmdline contains "🎏" or tgt.process.cmdline contains "🎀" or tgt.process.cmdline contains "🪄" or tgt.process.cmdline contains "🪅" or tgt.process.cmdline contains "🎊" or tgt.process.cmdline contains "🎉" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🎎" or tgt.process.cmdline contains "🏮" or tgt.process.cmdline contains "🎐" or tgt.process.cmdline contains "🧧" or tgt.process.cmdline contains "✉️" or tgt.process.cmdline contains "📩" or tgt.process.cmdline contains "📨" or tgt.process.cmdline contains "📧" or tgt.process.cmdline contains "💌" or tgt.process.cmdline contains "📥" or tgt.process.cmdline contains "📤" or tgt.process.cmdline contains "📦" or tgt.process.cmdline contains "🏷" or 
tgt.process.cmdline contains "🪧" or tgt.process.cmdline contains "📪" or tgt.process.cmdline contains "📫" or tgt.process.cmdline contains "📬" or tgt.process.cmdline contains "📭" or tgt.process.cmdline contains "📮" or tgt.process.cmdline contains "📯" or tgt.process.cmdline contains "📜" or tgt.process.cmdline contains "📃" or tgt.process.cmdline contains "📄" or tgt.process.cmdline contains "📑" or tgt.process.cmdline contains "🧾" or tgt.process.cmdline contains "📊" or tgt.process.cmdline contains "📈" or tgt.process.cmdline contains "📉" or tgt.process.cmdline contains "🗒" or tgt.process.cmdline contains "🗓" or tgt.process.cmdline contains "📆" or tgt.process.cmdline contains "📅" or tgt.process.cmdline contains "🗑" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "📇" or tgt.process.cmdline contains "🗃" or tgt.process.cmdline contains "🗳" or tgt.process.cmdline contains "🗄" or tgt.process.cmdline contains "📋" or tgt.process.cmdline contains "📁" or tgt.process.cmdline contains "📂" or tgt.process.cmdline contains "🗂" or tgt.process.cmdline contains "🗞" or tgt.process.cmdline contains "📰" or tgt.process.cmdline contains "📓" or tgt.process.cmdline contains "📔" or tgt.process.cmdline contains "📒" or tgt.process.cmdline contains "📕" or tgt.process.cmdline contains "📗" or tgt.process.cmdline contains "📘" or tgt.process.cmdline contains "📙" or tgt.process.cmdline contains "📚" or tgt.process.cmdline contains "📖" or tgt.process.cmdline contains "🔖" or tgt.process.cmdline contains "🧷" or tgt.process.cmdline contains "🔗" or tgt.process.cmdline contains "📎" or tgt.process.cmdline contains "🖇" or tgt.process.cmdline contains "📐" or tgt.process.cmdline contains "📏" or tgt.process.cmdline contains "🧮" or tgt.process.cmdline contains "📌" or tgt.process.cmdline contains "📍" or tgt.process.cmdline contains "✂️" or tgt.process.cmdline contains "🖊" or tgt.process.cmdline contains "🖋" or tgt.process.cmdline contains "✒️" or tgt.process.cmdline contains "🖌" or 
tgt.process.cmdline contains "🖍" or tgt.process.cmdline contains "📝" or tgt.process.cmdline contains "✏️" or tgt.process.cmdline contains "🔍" or tgt.process.cmdline contains "🔎" or tgt.process.cmdline contains "🔏" or tgt.process.cmdline contains "🔐" or tgt.process.cmdline contains "🔒" or tgt.process.cmdline contains "🔓❤️" or tgt.process.cmdline contains "🧡" or tgt.process.cmdline contains "💛" or tgt.process.cmdline contains "💚" or tgt.process.cmdline contains "💙" or tgt.process.cmdline contains "💜" or tgt.process.cmdline contains "🖤" or tgt.process.cmdline contains "🤍" or tgt.process.cmdline contains "🤎" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "💔" or tgt.process.cmdline contains "❣️" or tgt.process.cmdline contains "💕" or tgt.process.cmdline contains "💞" or tgt.process.cmdline contains "💓" or tgt.process.cmdline contains "💗" or tgt.process.cmdline contains "💖" or tgt.process.cmdline contains "💘" or tgt.process.cmdline contains "💝" or tgt.process.cmdline contains "💟" or tgt.process.cmdline contains "☮️" or tgt.process.cmdline contains "✝️" or tgt.process.cmdline contains "☪️" or tgt.process.cmdline contains "🕉" or tgt.process.cmdline contains "☸️" or tgt.process.cmdline contains "✡️" or tgt.process.cmdline contains "🔯" or tgt.process.cmdline contains "🕎" or tgt.process.cmdline contains "☯️" or tgt.process.cmdline contains "☦️" or tgt.process.cmdline contains "🛐" or tgt.process.cmdline contains "⛎" or tgt.process.cmdline contains "♈️" or tgt.process.cmdline contains "♉️" or tgt.process.cmdline contains "♊️" or tgt.process.cmdline contains "♋️" or tgt.process.cmdline contains "♌️" or tgt.process.cmdline contains "♍️" or tgt.process.cmdline contains "♎️" or tgt.process.cmdline contains "♏️" or tgt.process.cmdline contains "♐️" or tgt.process.cmdline contains "♑️" or tgt.process.cmdline contains "♒️" or tgt.process.cmdline contains "♓️" or tgt.process.cmdline contains "🆔" or tgt.process.cmdline 
contains "⚛️" or tgt.process.cmdline contains "🉑" or tgt.process.cmdline contains "☢️" or tgt.process.cmdline contains "☣️" or tgt.process.cmdline contains "📴" or tgt.process.cmdline contains "📳" or tgt.process.cmdline contains "🈶" or tgt.process.cmdline contains "🈚️" or tgt.process.cmdline contains "🈸" or tgt.process.cmdline contains "🈺" or tgt.process.cmdline contains "🈷️" or tgt.process.cmdline contains "✴️" or tgt.process.cmdline contains "🆚" or tgt.process.cmdline contains "💮" or tgt.process.cmdline contains "🉐" or tgt.process.cmdline contains "㊙️" or tgt.process.cmdline contains "㊗️" or tgt.process.cmdline contains "🈴" or tgt.process.cmdline contains "🈵" or tgt.process.cmdline contains "🈹" or tgt.process.cmdline contains "🈲" or tgt.process.cmdline contains "🅰️" or tgt.process.cmdline contains "🅱️" or tgt.process.cmdline contains "🆎" or tgt.process.cmdline contains "🆑" or tgt.process.cmdline contains "🅾️" or tgt.process.cmdline contains "🆘" or tgt.process.cmdline contains "❌" or tgt.process.cmdline contains "⭕️" or tgt.process.cmdline contains "🛑" or tgt.process.cmdline contains "⛔️" or tgt.process.cmdline contains "📛" or tgt.process.cmdline contains "🚫" or tgt.process.cmdline contains "💯" or tgt.process.cmdline contains "💢" or tgt.process.cmdline contains "♨️" or tgt.process.cmdline contains "🚷" or tgt.process.cmdline contains "🚯" or tgt.process.cmdline contains "🚳" or tgt.process.cmdline contains "🚱" or tgt.process.cmdline contains "🔞" or tgt.process.cmdline contains "📵" or tgt.process.cmdline contains "🚭" or tgt.process.cmdline contains "❗️" or tgt.process.cmdline contains "❕" or tgt.process.cmdline contains "❓" or tgt.process.cmdline contains "❔" or tgt.process.cmdline contains "‼️" or tgt.process.cmdline contains "⁉️" or tgt.process.cmdline contains "🔅" or tgt.process.cmdline contains "🔆" or tgt.process.cmdline contains "〽️" or tgt.process.cmdline contains "⚠️" or tgt.process.cmdline contains "🚸" or tgt.process.cmdline contains "🔱" or tgt.process.cmdline 
contains "⚜️" or tgt.process.cmdline contains "🔰" or tgt.process.cmdline contains "♻️" or tgt.process.cmdline contains "✅" or tgt.process.cmdline contains "🈯️" or tgt.process.cmdline contains "💹" or tgt.process.cmdline contains "❇️" or tgt.process.cmdline contains "✳️" or tgt.process.cmdline contains "❎" or tgt.process.cmdline contains "🌐" or tgt.process.cmdline contains "💠" or tgt.process.cmdline contains "Ⓜ️" or tgt.process.cmdline contains "🌀" or tgt.process.cmdline contains "💤" or tgt.process.cmdline contains "🏧" or tgt.process.cmdline contains "🚾" or tgt.process.cmdline contains "♿️" or tgt.process.cmdline contains "🅿️" or tgt.process.cmdline contains "🛗" or tgt.process.cmdline contains "🈳" or tgt.process.cmdline contains "🈂️" or tgt.process.cmdline contains "🛂" or tgt.process.cmdline contains "🛃" or tgt.process.cmdline contains "🛄" or tgt.process.cmdline contains "🛅" or tgt.process.cmdline contains "🚹" or tgt.process.cmdline contains "🚺" or tgt.process.cmdline contains "🚼" or tgt.process.cmdline contains "⚧" or tgt.process.cmdline contains "🚻" or tgt.process.cmdline contains "🚮" or tgt.process.cmdline contains "🎦" or tgt.process.cmdline contains "📶" or tgt.process.cmdline contains "🈁" or tgt.process.cmdline contains "🔣" or tgt.process.cmdline contains "ℹ️" or tgt.process.cmdline contains "🔤" or tgt.process.cmdline contains "🔡" or tgt.process.cmdline contains "🔠" or tgt.process.cmdline contains "🆖" or tgt.process.cmdline contains "🆗" or tgt.process.cmdline contains "🆙" or tgt.process.cmdline contains "🆒" or tgt.process.cmdline contains "🆕" or tgt.process.cmdline contains "🆓" or tgt.process.cmdline contains "0️⃣" or tgt.process.cmdline contains "1️⃣" or tgt.process.cmdline contains "2️⃣" or tgt.process.cmdline contains "3️⃣" or tgt.process.cmdline contains "4️⃣" or tgt.process.cmdline contains "5️⃣" or tgt.process.cmdline contains "6️⃣" or tgt.process.cmdline contains "7️⃣" or tgt.process.cmdline contains "8️⃣" or tgt.process.cmdline contains "9️⃣" or 
tgt.process.cmdline contains "🔟" or tgt.process.cmdline contains "🔢" or tgt.process.cmdline contains "#️⃣" or tgt.process.cmdline contains "️⃣" or tgt.process.cmdline contains "⏏️" or tgt.process.cmdline contains "▶️" or tgt.process.cmdline contains "⏸" or tgt.process.cmdline contains "⏯" or tgt.process.cmdline contains "⏹" or tgt.process.cmdline contains "⏺" or tgt.process.cmdline contains "⏭" or tgt.process.cmdline contains "⏮" or tgt.process.cmdline contains "⏩" or tgt.process.cmdline contains "⏪" or tgt.process.cmdline contains "⏫" or tgt.process.cmdline contains "⏬" or tgt.process.cmdline contains "◀️" or tgt.process.cmdline contains "🔼" or tgt.process.cmdline contains "🔽" or tgt.process.cmdline contains "➡️" or tgt.process.cmdline contains "⬅️" or tgt.process.cmdline contains "⬆️" or tgt.process.cmdline contains "⬇️" or tgt.process.cmdline contains "↗️" or tgt.process.cmdline contains "↘️" or tgt.process.cmdline contains "↙️" or tgt.process.cmdline contains "↖️" or tgt.process.cmdline contains "↕️" or tgt.process.cmdline contains "↔️" or tgt.process.cmdline contains "↪️" or tgt.process.cmdline contains "↩️" or tgt.process.cmdline contains "⤴️" or tgt.process.cmdline contains "⤵️" or tgt.process.cmdline contains "🔀" or tgt.process.cmdline contains "🔁" or tgt.process.cmdline contains "🔂" or tgt.process.cmdline contains "🔄" or tgt.process.cmdline contains "🔃" or tgt.process.cmdline contains "🎵" or tgt.process.cmdline contains "🎶" or tgt.process.cmdline contains "➕" or tgt.process.cmdline contains "➖" or tgt.process.cmdline contains "➗" or tgt.process.cmdline contains "✖️" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "♾" or tgt.process.cmdline contains "💲" or tgt.process.cmdline contains "💱" or tgt.process.cmdline contains "™️" or tgt.process.cmdline contains "©️" or tgt.process.cmdline contains "®️" or tgt.process.cmdline contains "〰️" or tgt.process.cmdline contains "➰" or tgt.process.cmdline contains "➿" or tgt.process.cmdline contains 
"🔚" or tgt.process.cmdline contains "🔙" or tgt.process.cmdline contains "🔛" or tgt.process.cmdline contains "🔝" or tgt.process.cmdline contains "🔜" or tgt.process.cmdline contains "✔️" or tgt.process.cmdline contains "☑️" or tgt.process.cmdline contains "🔘" or tgt.process.cmdline contains "🔴" or tgt.process.cmdline contains "🟠" or tgt.process.cmdline contains "🟡" or tgt.process.cmdline contains "🟢" or tgt.process.cmdline contains "🔵" or tgt.process.cmdline contains "🟣" or tgt.process.cmdline contains "⚫️" or tgt.process.cmdline contains "⚪️" or tgt.process.cmdline contains "🟤" or tgt.process.cmdline contains "🔺" or tgt.process.cmdline contains "🔻"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
index 2ab7cb8e0..44c237518 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🔸" or tgt.process.cmdline contains "🔹" or tgt.process.cmdline contains "🔶" or tgt.process.cmdline contains "🔷" or tgt.process.cmdline contains "🔳" or tgt.process.cmdline contains "🔲" or tgt.process.cmdline contains "▪️" or tgt.process.cmdline contains "▫️" or tgt.process.cmdline contains "◾️" or tgt.process.cmdline contains "◽️" or tgt.process.cmdline contains "◼️" or tgt.process.cmdline contains "◻️" or tgt.process.cmdline contains "🟥" or tgt.process.cmdline contains "🟧" or tgt.process.cmdline contains "🟨" or tgt.process.cmdline contains "🟩" or tgt.process.cmdline contains "🟦" or tgt.process.cmdline contains "🟪" or tgt.process.cmdline contains "⬛️" or tgt.process.cmdline contains "⬜️" or tgt.process.cmdline contains "🟫" or tgt.process.cmdline contains "🔈" or tgt.process.cmdline contains "🔇" or tgt.process.cmdline contains "🔉" or tgt.process.cmdline contains "🔊" or tgt.process.cmdline contains "🔔" or tgt.process.cmdline contains "🔕" or tgt.process.cmdline contains "📣" or tgt.process.cmdline contains "📢" or tgt.process.cmdline contains "👁‍🗨" or tgt.process.cmdline contains "💬" or tgt.process.cmdline contains "💭" or tgt.process.cmdline contains "🗯" or tgt.process.cmdline contains "♠️" or tgt.process.cmdline contains "♣️" or tgt.process.cmdline contains "♥️" or tgt.process.cmdline contains "♦️" or tgt.process.cmdline contains "🃏" or tgt.process.cmdline contains "🎴" or tgt.process.cmdline contains "🀄️" or tgt.process.cmdline contains "🕐" or tgt.process.cmdline contains "🕑" or tgt.process.cmdline contains "🕒" or tgt.process.cmdline contains "🕓" or tgt.process.cmdline contains "🕔" or tgt.process.cmdline contains "🕕" or tgt.process.cmdline contains "🕖" or tgt.process.cmdline contains "🕗" or tgt.process.cmdline 
contains "🕘" or tgt.process.cmdline contains "🕙" or tgt.process.cmdline contains "🕚" or tgt.process.cmdline contains "🕛" or tgt.process.cmdline contains "🕜" or tgt.process.cmdline contains "🕝" or tgt.process.cmdline contains "🕞" or tgt.process.cmdline contains "🕟" or tgt.process.cmdline contains "🕠" or tgt.process.cmdline contains "🕡" or tgt.process.cmdline contains "🕢" or tgt.process.cmdline contains "🕣" or tgt.process.cmdline contains "🕤" or tgt.process.cmdline contains "🕥" or tgt.process.cmdline contains "🕦" or tgt.process.cmdline contains "🕧✢" or tgt.process.cmdline contains "✣" or tgt.process.cmdline contains "✤" or tgt.process.cmdline contains "✥" or tgt.process.cmdline contains "✦" or tgt.process.cmdline contains "✧" or tgt.process.cmdline contains "★" or tgt.process.cmdline contains "☆" or tgt.process.cmdline contains "✯" or tgt.process.cmdline contains "✡︎" or tgt.process.cmdline contains "✩" or tgt.process.cmdline contains "✪" or tgt.process.cmdline contains "✫" or tgt.process.cmdline contains "✬" or tgt.process.cmdline contains "✭" or tgt.process.cmdline contains "✮" or tgt.process.cmdline contains "✶" or tgt.process.cmdline contains "✷" or tgt.process.cmdline contains "✵" or tgt.process.cmdline contains "✸" or tgt.process.cmdline contains "✹" or tgt.process.cmdline contains "→" or tgt.process.cmdline contains "⇒" or tgt.process.cmdline contains "⟹" or tgt.process.cmdline contains "⇨" or tgt.process.cmdline contains "⇾" or tgt.process.cmdline contains "➾" or tgt.process.cmdline contains "⇢" or tgt.process.cmdline contains "☛" or tgt.process.cmdline contains "☞" or tgt.process.cmdline contains "➔" or tgt.process.cmdline contains "➜" or tgt.process.cmdline contains "➙" or tgt.process.cmdline contains "➛" or tgt.process.cmdline contains "➝" or tgt.process.cmdline contains "➞" or tgt.process.cmdline contains "♠︎" or tgt.process.cmdline contains "♣︎" or tgt.process.cmdline contains "♥︎" or tgt.process.cmdline contains "♦︎" or tgt.process.cmdline contains "♤" 
or tgt.process.cmdline contains "♧" or tgt.process.cmdline contains "♡" or tgt.process.cmdline contains "♢" or tgt.process.cmdline contains "♚" or tgt.process.cmdline contains "♛" or tgt.process.cmdline contains "♜" or tgt.process.cmdline contains "♝" or tgt.process.cmdline contains "♞" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "♔" or tgt.process.cmdline contains "♕" or tgt.process.cmdline contains "♖" or tgt.process.cmdline contains "♗" or tgt.process.cmdline contains "♘" or tgt.process.cmdline contains "♙" or tgt.process.cmdline contains "⚀" or tgt.process.cmdline contains "⚁" or tgt.process.cmdline contains "⚂" or tgt.process.cmdline contains "⚃" or tgt.process.cmdline contains "⚄" or tgt.process.cmdline contains "⚅" or tgt.process.cmdline contains "🂠" or tgt.process.cmdline contains "⚈" or tgt.process.cmdline contains "⚉" or tgt.process.cmdline contains "⚆" or tgt.process.cmdline contains "⚇" or tgt.process.cmdline contains "𓀀" or tgt.process.cmdline contains "𓀁" or tgt.process.cmdline contains "𓀂" or tgt.process.cmdline contains "𓀃" or tgt.process.cmdline contains "𓀄" or tgt.process.cmdline contains "𓀅" or tgt.process.cmdline contains "𓀆" or tgt.process.cmdline contains "𓀇" or tgt.process.cmdline contains "𓀈" or tgt.process.cmdline contains "𓀉" or tgt.process.cmdline contains "𓀊" or tgt.process.cmdline contains "𓀋" or tgt.process.cmdline contains "𓀌" or tgt.process.cmdline contains "𓀍" or tgt.process.cmdline contains "𓀎" or tgt.process.cmdline contains "𓀏" or tgt.process.cmdline contains "𓀐" or tgt.process.cmdline contains "𓀑" or tgt.process.cmdline contains "𓀒" or tgt.process.cmdline contains "𓀓" or tgt.process.cmdline contains "𓀔" or tgt.process.cmdline contains "𓀕" or tgt.process.cmdline contains "𓀖" or tgt.process.cmdline contains "𓀗" or tgt.process.cmdline contains "𓀘" or tgt.process.cmdline contains "𓀙" or tgt.process.cmdline contains "𓀚" or tgt.process.cmdline contains "𓀛" or tgt.process.cmdline contains "𓀜" or 
tgt.process.cmdline contains "𓀝🏳️" or tgt.process.cmdline contains "🏴" or tgt.process.cmdline contains "🏁" or tgt.process.cmdline contains "🚩" or tgt.process.cmdline contains "🏳️‍🌈" or tgt.process.cmdline contains "🏳️‍⚧️" or tgt.process.cmdline contains "🏴‍☠️" or tgt.process.cmdline contains "🇦🇫" or tgt.process.cmdline contains "🇦🇽" or tgt.process.cmdline contains "🇦🇱" or tgt.process.cmdline contains "🇩🇿" or tgt.process.cmdline contains "🇦🇸" or tgt.process.cmdline contains "🇦🇩" or tgt.process.cmdline contains "🇦🇴" or tgt.process.cmdline contains "🇦🇮" or tgt.process.cmdline contains "🇦🇶" or tgt.process.cmdline contains "🇦🇬" or tgt.process.cmdline contains "🇦🇷" or tgt.process.cmdline contains "🇦🇲" or tgt.process.cmdline contains "🇦🇼" or tgt.process.cmdline contains "🇦🇺" or tgt.process.cmdline contains "🇦🇹" or tgt.process.cmdline contains "🇦🇿" or tgt.process.cmdline contains "🇧🇸" or tgt.process.cmdline contains "🇧🇭" or tgt.process.cmdline contains "🇧🇩" or tgt.process.cmdline contains "🇧🇧" or tgt.process.cmdline contains "🇧🇾" or tgt.process.cmdline contains "🇧🇪" or tgt.process.cmdline contains "🇧🇿" or tgt.process.cmdline contains "🇧🇯" or tgt.process.cmdline contains "🇧🇲" or tgt.process.cmdline contains "🇧🇹" or tgt.process.cmdline contains "🇧🇴" or tgt.process.cmdline contains "🇧🇦" or tgt.process.cmdline contains "🇧🇼" or tgt.process.cmdline contains "🇧🇷" or tgt.process.cmdline contains "🇮🇴" or tgt.process.cmdline contains "🇻🇬" or tgt.process.cmdline contains "🇧🇳" or tgt.process.cmdline contains "🇧🇬" or tgt.process.cmdline contains "🇧🇫" or tgt.process.cmdline contains "🇧🇮" or tgt.process.cmdline contains "🇰🇭" or tgt.process.cmdline contains "🇨🇲" or tgt.process.cmdline contains "🇨🇦" or tgt.process.cmdline contains "🇮🇨" or tgt.process.cmdline contains "🇨🇻" or tgt.process.cmdline contains "🇧🇶" or tgt.process.cmdline contains "🇰🇾" or tgt.process.cmdline contains "🇨🇫" or tgt.process.cmdline contains "🇹🇩" or tgt.process.cmdline contains "🇨🇱" or tgt.process.cmdline contains "🇨🇳" 
or tgt.process.cmdline contains "🇨🇽" or tgt.process.cmdline contains "🇨🇨" or tgt.process.cmdline contains "🇨🇴" or tgt.process.cmdline contains "🇰🇲" or tgt.process.cmdline contains "🇨🇬" or tgt.process.cmdline contains "🇨🇩" or tgt.process.cmdline contains "🇨🇰" or tgt.process.cmdline contains "🇨🇷" or tgt.process.cmdline contains "🇨🇮" or tgt.process.cmdline contains "🇭🇷" or tgt.process.cmdline contains "🇨🇺" or tgt.process.cmdline contains "🇨🇼" or tgt.process.cmdline contains "🇨🇾" or tgt.process.cmdline contains "🇨🇿" or tgt.process.cmdline contains "🇩🇰" or tgt.process.cmdline contains "🇩🇯" or tgt.process.cmdline contains "🇩🇲" or tgt.process.cmdline contains "🇩🇴" or tgt.process.cmdline contains "🇪🇨" or tgt.process.cmdline contains "🇪🇬" or tgt.process.cmdline contains "🇸🇻" or tgt.process.cmdline contains "🇬🇶" or tgt.process.cmdline contains "🇪🇷" or tgt.process.cmdline contains "🇪🇪" or tgt.process.cmdline contains "🇪🇹" or tgt.process.cmdline contains "🇪🇺" or tgt.process.cmdline contains "🇫🇰" or tgt.process.cmdline contains "🇫🇴" or tgt.process.cmdline contains "🇫🇯" or tgt.process.cmdline contains "🇫🇮" or tgt.process.cmdline contains "🇫🇷" or tgt.process.cmdline contains "🇬🇫" or tgt.process.cmdline contains "🇵🇫" or tgt.process.cmdline contains "🇹🇫" or tgt.process.cmdline contains "🇬🇦" or tgt.process.cmdline contains "🇬🇲" or tgt.process.cmdline contains "🇬🇪" or tgt.process.cmdline contains "🇩🇪" or tgt.process.cmdline contains "🇬🇭" or tgt.process.cmdline contains "🇬🇮" or tgt.process.cmdline contains "🇬🇷" or tgt.process.cmdline contains "🇬🇱" or tgt.process.cmdline contains "🇬🇩" or tgt.process.cmdline contains "🇬🇵" or tgt.process.cmdline contains "🇬🇺" or tgt.process.cmdline contains "🇬🇹" or tgt.process.cmdline contains "🇬🇬" or tgt.process.cmdline contains "🇬🇳" or tgt.process.cmdline contains "🇬🇼" or tgt.process.cmdline contains "🇬🇾" or tgt.process.cmdline contains "🇭🇹" or tgt.process.cmdline contains "🇭🇳" or tgt.process.cmdline contains "🇭🇰" or tgt.process.cmdline contains "🇭🇺" 
or tgt.process.cmdline contains "🇮🇸" or tgt.process.cmdline contains "🇮🇳" or tgt.process.cmdline contains "🇮🇩" or tgt.process.cmdline contains "🇮🇷" or tgt.process.cmdline contains "🇮🇶" or tgt.process.cmdline contains "🇮🇪" or tgt.process.cmdline contains "🇮🇲" or tgt.process.cmdline contains "🇮🇱" or tgt.process.cmdline contains "🇮🇹" or tgt.process.cmdline contains "🇯🇲" or tgt.process.cmdline contains "🇯🇵" or tgt.process.cmdline contains "🎌" or tgt.process.cmdline contains "🇯🇪" or tgt.process.cmdline contains "🇯🇴" or tgt.process.cmdline contains "🇰🇿" or tgt.process.cmdline contains "🇰🇪" or tgt.process.cmdline contains "🇰🇮" or tgt.process.cmdline contains "🇽🇰" or tgt.process.cmdline contains "🇰🇼" or tgt.process.cmdline contains "🇰🇬" or tgt.process.cmdline contains "🇱🇦" or tgt.process.cmdline contains "🇱🇻" or tgt.process.cmdline contains "🇱🇧" or tgt.process.cmdline contains "🇱🇸" or tgt.process.cmdline contains "🇱🇷" or tgt.process.cmdline contains "🇱🇾" or tgt.process.cmdline contains "🇱🇮" or tgt.process.cmdline contains "🇱🇹" or tgt.process.cmdline contains "🇱🇺" or tgt.process.cmdline contains "🇲🇴" or tgt.process.cmdline contains "🇲🇰" or tgt.process.cmdline contains "🇲🇬" or tgt.process.cmdline contains "🇲🇼" or tgt.process.cmdline contains "🇲🇾" or tgt.process.cmdline contains "🇲🇻" or tgt.process.cmdline contains "🇲🇱" or tgt.process.cmdline contains "🇲🇹" or tgt.process.cmdline contains "🇲🇭" or tgt.process.cmdline contains "🇲🇶" or tgt.process.cmdline contains "🇲🇷" or tgt.process.cmdline contains "🇲🇺" or tgt.process.cmdline contains "🇾🇹" or tgt.process.cmdline contains "🇲🇽" or tgt.process.cmdline contains "🇫🇲" or tgt.process.cmdline contains "🇲🇩" or tgt.process.cmdline contains "🇲🇨" or tgt.process.cmdline contains "🇲🇳" or tgt.process.cmdline contains "🇲🇪" or tgt.process.cmdline contains "🇲🇸" or tgt.process.cmdline contains "🇲🇦" or tgt.process.cmdline contains "🇲🇿" or tgt.process.cmdline contains "🇲🇲" or tgt.process.cmdline contains "🇳🇦" or tgt.process.cmdline contains "🇳🇷" or 
tgt.process.cmdline contains "🇳🇵" or tgt.process.cmdline contains "🇳🇱" or tgt.process.cmdline contains "🇳🇨" or tgt.process.cmdline contains "🇳🇿" or tgt.process.cmdline contains "🇳🇮" or tgt.process.cmdline contains "🇳🇪" or tgt.process.cmdline contains "🇳🇬" or tgt.process.cmdline contains "🇳🇺" or tgt.process.cmdline contains "🇳🇫" or tgt.process.cmdline contains "🇰🇵" or tgt.process.cmdline contains "🇲🇵" or tgt.process.cmdline contains "🇳🇴" or tgt.process.cmdline contains "🇴🇲" or tgt.process.cmdline contains "🇵🇰" or tgt.process.cmdline contains "🇵🇼" or tgt.process.cmdline contains "🇵🇸" or tgt.process.cmdline contains "🇵🇦" or tgt.process.cmdline contains "🇵🇬" or tgt.process.cmdline contains "🇵🇾" or tgt.process.cmdline contains "🇵🇪" or tgt.process.cmdline contains "🇵🇭" or tgt.process.cmdline contains "🇵🇳" or tgt.process.cmdline contains "🇵🇱" or tgt.process.cmdline contains "🇵🇹" or tgt.process.cmdline contains "🇵🇷" or tgt.process.cmdline contains "🇶🇦" or tgt.process.cmdline contains "🇷🇪" or tgt.process.cmdline contains "🇷🇴" or tgt.process.cmdline contains "🇷🇺" or tgt.process.cmdline contains "🇷🇼" or tgt.process.cmdline contains "🇼🇸" or tgt.process.cmdline contains "🇸🇲" or tgt.process.cmdline contains "🇸🇦" or tgt.process.cmdline contains "🇸🇳" or tgt.process.cmdline contains "🇷🇸" or tgt.process.cmdline contains "🇸🇨" or tgt.process.cmdline contains "🇸🇱" or tgt.process.cmdline contains "🇸🇬" or tgt.process.cmdline contains "🇸🇽" or tgt.process.cmdline contains "🇸🇰" or tgt.process.cmdline contains "🇸🇮" or tgt.process.cmdline contains "🇬🇸" or tgt.process.cmdline contains "🇸🇧" or tgt.process.cmdline contains "🇸🇴" or tgt.process.cmdline contains "🇿🇦" or tgt.process.cmdline contains "🇰🇷" or tgt.process.cmdline contains "🇸🇸" or tgt.process.cmdline contains "🇪🇸" or tgt.process.cmdline contains "🇱🇰" or tgt.process.cmdline contains "🇧🇱" or tgt.process.cmdline contains "🇸🇭" or tgt.process.cmdline contains "🇰🇳" or tgt.process.cmdline contains "🇱🇨" or tgt.process.cmdline contains "🇵🇲" or 
tgt.process.cmdline contains "🇻🇨" or tgt.process.cmdline contains "🇸🇩" or tgt.process.cmdline contains "🇸🇷" or tgt.process.cmdline contains "🇸🇿" or tgt.process.cmdline contains "🇸🇪" or tgt.process.cmdline contains "🇨🇭" or tgt.process.cmdline contains "🇸🇾" or tgt.process.cmdline contains "🇹🇼" or tgt.process.cmdline contains "🇹🇯" or tgt.process.cmdline contains "🇹🇿" or tgt.process.cmdline contains "🇹🇭" or tgt.process.cmdline contains "🇹🇱" or tgt.process.cmdline contains "🇹🇬" or tgt.process.cmdline contains "🇹🇰" or tgt.process.cmdline contains "🇹🇴" or tgt.process.cmdline contains "🇹🇹" or tgt.process.cmdline contains "🇹🇳" or tgt.process.cmdline contains "🇹🇷" or tgt.process.cmdline contains "🇹🇲" or tgt.process.cmdline contains "🇹🇨" or tgt.process.cmdline contains "🇹🇻" or tgt.process.cmdline contains "🇻🇮" or tgt.process.cmdline contains "🇺🇬" or tgt.process.cmdline contains "🇺🇦" or tgt.process.cmdline contains "🇦🇪" or tgt.process.cmdline contains "🇬🇧" or tgt.process.cmdline contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or tgt.process.cmdline contains "🇺🇳" or tgt.process.cmdline contains "🇺🇸" or tgt.process.cmdline contains "🇺🇾" or tgt.process.cmdline contains "🇺🇿" or tgt.process.cmdline contains "🇻🇺" or tgt.process.cmdline contains "🇻🇦" or tgt.process.cmdline contains "🇻🇪" or tgt.process.cmdline contains "🇻🇳" or tgt.process.cmdline contains "🇼🇫" or tgt.process.cmdline contains "🇪🇭" or tgt.process.cmdline contains "🇾🇪" or tgt.process.cmdline contains "🇿🇲" or tgt.process.cmdline contains "🇿🇼🫠" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🫤" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains 
"🫱🏿" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🤝🏻" or tgt.process.cmdline contains "🤝🏼" or tgt.process.cmdline contains "🤝🏽" or tgt.process.cmdline contains "🤝🏾" or tgt.process.cmdline contains "🤝🏿" or tgt.process.cmdline contains "🫱🏻‍🫲🏼" or tgt.process.cmdline contains "🫱🏻‍🫲🏽" or tgt.process.cmdline contains "🫱🏻‍🫲🏾" or tgt.process.cmdline contains "🫱🏻‍🫲🏿" or tgt.process.cmdline contains "🫱🏼‍🫲🏻" or tgt.process.cmdline contains "🫱🏼‍🫲🏽" or tgt.process.cmdline contains "🫱🏼‍🫲🏾" or tgt.process.cmdline contains "🫱🏼‍🫲🏿" or tgt.process.cmdline contains "🫱🏽‍🫲🏻" or tgt.process.cmdline contains "🫱🏽‍🫲🏼" or tgt.process.cmdline contains "🫱🏽‍🫲🏾" or tgt.process.cmdline contains "🫱🏽‍🫲🏿" or 
tgt.process.cmdline contains "🫱🏾‍🫲🏻" or tgt.process.cmdline contains "🫱🏾‍🫲🏼" or tgt.process.cmdline contains "🫱🏾‍🫲🏽" or tgt.process.cmdline contains "🫱🏾‍🫲🏿" or tgt.process.cmdline contains "🫱🏿‍🫲🏻" or tgt.process.cmdline contains "🫱🏿‍🫲🏼" or tgt.process.cmdline contains "🫱🏿‍🫲🏽" or tgt.process.cmdline contains "🫱🏿‍🫲🏾" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline 
contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "💑🏻" or tgt.process.cmdline contains "💑🏼" or tgt.process.cmdline contains "💑🏽" or tgt.process.cmdline contains "💑🏾" or tgt.process.cmdline contains "💑🏿" or tgt.process.cmdline contains "💏🏻" or tgt.process.cmdline contains "💏🏼" or tgt.process.cmdline contains "💏🏽" or tgt.process.cmdline contains "💏🏾" or tgt.process.cmdline contains "💏🏿" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏾" or 
tgt.process.cmdline contains "👩🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏿" or tgt.process.cmdline 
contains "🧑🏻‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains 
"👩🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏿" or 
tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏾"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md
index c1ae97bee..1ad2ff35a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "COMPlus_ETWEnabled" or tgt.process.cmdline contains "COMPlus_ETWFlags"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
index 3dc6e1705..ac49c7e9a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cl" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "clear-log" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "sl" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "set-log" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "logman" and tgt.process.cmdline contains "update" and tgt.process.cmdline contains "trace" and tgt.process.cmdline contains "--p" and tgt.process.cmdline contains "-ets") or tgt.process.cmdline contains "Remove-EtwTraceProvider" or (tgt.process.cmdline contains "Set-EtwTraceProvider" and tgt.process.cmdline contains "0x11")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
index f1f68996c..94397b246 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\wevtutil.exe" and (tgt.process.cmdline contains "clear-log " or tgt.process.cmdline contains " cl " or tgt.process.cmdline contains "set-log " or tgt.process.cmdline contains " sl " or tgt.process.cmdline contains "lfn:")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Clear-EventLog " or tgt.process.cmdline contains "Remove-EventLog " or tgt.process.cmdline contains "Limit-EventLog " or tgt.process.cmdline contains "Clear-WinEvent ")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wmic.exe") and tgt.process.cmdline contains "ClearEventLog")) and (not ((src.process.image.path in ("C:\Windows\SysWOW64\msiexec.exe","C:\Windows\System32\msiexec.exe")) and tgt.process.cmdline contains " sl "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
index a57033e40..33ba5c495 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains ":\Users\Public\" and ((tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md
index 5de8a04b7..0af4f2cc9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\Perflogs\" or tgt.process.image.path contains ":\Users\All Users\" or tgt.process.image.path contains ":\Users\Default\" or tgt.process.image.path contains ":\Users\NetworkService\" or tgt.process.image.path contains ":\Windows\addins\" or tgt.process.image.path contains ":\Windows\debug\" or tgt.process.image.path contains ":\Windows\Fonts\" or tgt.process.image.path contains ":\Windows\Help\" or tgt.process.image.path contains ":\Windows\IME\" or tgt.process.image.path contains ":\Windows\Media\" or tgt.process.image.path contains ":\Windows\repair\" or tgt.process.image.path contains ":\Windows\security\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\" or tgt.process.image.path contains "$Recycle.bin" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Intel\Logs\" or tgt.process.image.path contains "\RSA\MachineKeys\") and (not (tgt.process.image.path contains "C:\Users\Public\IBM\ClientSolutions\Start_Programs\" or (tgt.process.image.path contains "C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\" and tgt.process.image.path contains "\CitrixReceiverUpdater.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md
index ddc75d0f2..f4f3af937 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "gatherNetworkInfo.vbs" and (not (tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md
index c045de33b..fbae24a86 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::$index_allocation")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md
index b9ba30a60..17548c2c4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "type" or tgt.process.cmdline contains "file createnew" or tgt.process.cmdline contains "cacls") and tgt.process.cmdline contains "C:\Windows\Fonts\" and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh" or tgt.process.cmdline contains ".reg" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl" or tgt.process.cmdline contains ".inf" or tgt.process.cmdline contains ".cpl" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".msi" or tgt.process.cmdline contains ".vbs")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md
index 5accd0b22..8cd3f7b1f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "А" or tgt.process.cmdline contains "В" or tgt.process.cmdline contains "Е" or tgt.process.cmdline contains "К" or tgt.process.cmdline contains "М" or tgt.process.cmdline contains "Н" or tgt.process.cmdline contains "О" or tgt.process.cmdline contains "Р" or tgt.process.cmdline contains "С" or tgt.process.cmdline contains "Т" or tgt.process.cmdline contains "Х" or tgt.process.cmdline contains "Ѕ" or tgt.process.cmdline contains "І" or tgt.process.cmdline contains "Ј" or tgt.process.cmdline contains "Ү" or tgt.process.cmdline contains "Ӏ" or tgt.process.cmdline contains "Ԍ" or tgt.process.cmdline contains "Ԛ" or tgt.process.cmdline contains "Ԝ" or tgt.process.cmdline contains "Α" or tgt.process.cmdline contains "Β" or tgt.process.cmdline contains "Ε" or tgt.process.cmdline contains "Ζ" or tgt.process.cmdline contains "Η" or tgt.process.cmdline contains "Ι" or tgt.process.cmdline contains "Κ" or tgt.process.cmdline contains "Μ" or tgt.process.cmdline contains "Ν" or tgt.process.cmdline contains "Ο" or tgt.process.cmdline contains "Ρ" or tgt.process.cmdline contains "Τ" or tgt.process.cmdline contains "Υ" or tgt.process.cmdline contains "Χ") or (tgt.process.cmdline contains "а" or tgt.process.cmdline contains "е" or tgt.process.cmdline contains "о" or tgt.process.cmdline contains "р" or tgt.process.cmdline contains "с" or tgt.process.cmdline contains "х" or tgt.process.cmdline contains "ѕ" or tgt.process.cmdline contains "і" or tgt.process.cmdline contains "ӏ" or tgt.process.cmdline contains "ј" or tgt.process.cmdline contains "һ" or tgt.process.cmdline contains "ԁ" or tgt.process.cmdline contains "ԛ" or tgt.process.cmdline contains "ԝ" or tgt.process.cmdline contains "ο"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md
index 8006d7771..22fe5d9e6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((not tgt.process.image.path contains "\") and (not (not (tgt.process.image.path matches "\.*") or (tgt.process.image.path in ("-","")) or ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or (tgt.process.cmdline in ("Registry","MemCompression","vmmem")))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md
index 3e3de3642..58136ab02 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "TVqQAAMAAAAEAAAA" or tgt.process.cmdline contains "TVpQAAIAAAAEAA8A" or tgt.process.cmdline contains "TVqAAAEAAAAEABAA" or tgt.process.cmdline contains "TVoAAAAAAAAAAAAA" or tgt.process.cmdline contains "TVpTAQEAAAAEAAAA"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md
index 129725b47..e9e54a366 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "AddSecurityPackage" or tgt.process.cmdline contains "AdjustTokenPrivileges" or tgt.process.cmdline contains "Advapi32" or tgt.process.cmdline contains "CloseHandle" or tgt.process.cmdline contains "CreateProcessWithToken" or tgt.process.cmdline contains "CreatePseudoConsole" or tgt.process.cmdline contains "CreateRemoteThread" or tgt.process.cmdline contains "CreateThread" or tgt.process.cmdline contains "CreateUserThread" or tgt.process.cmdline contains "DangerousGetHandle" or tgt.process.cmdline contains "DuplicateTokenEx" or tgt.process.cmdline contains "EnumerateSecurityPackages" or tgt.process.cmdline contains "FreeHGlobal" or tgt.process.cmdline contains "FreeLibrary" or tgt.process.cmdline contains "GetDelegateForFunctionPointer" or tgt.process.cmdline contains "GetLogonSessionData" or tgt.process.cmdline contains "GetModuleHandle" or tgt.process.cmdline contains "GetProcAddress" or tgt.process.cmdline contains "GetProcessHandle" or tgt.process.cmdline contains "GetTokenInformation" or tgt.process.cmdline contains "ImpersonateLoggedOnUser" or tgt.process.cmdline contains "kernel32" or tgt.process.cmdline contains "LoadLibrary" or tgt.process.cmdline contains "memcpy" or tgt.process.cmdline contains "MiniDumpWriteDump" or tgt.process.cmdline contains "ntdll" or tgt.process.cmdline contains "OpenDesktop" or tgt.process.cmdline contains "OpenProcess" or tgt.process.cmdline contains "OpenProcessToken" or tgt.process.cmdline contains "OpenThreadToken" or tgt.process.cmdline contains "OpenWindowStation" or tgt.process.cmdline contains "PtrToString" or tgt.process.cmdline contains "QueueUserApc" or tgt.process.cmdline contains "ReadProcessMemory" or tgt.process.cmdline contains "RevertToSelf" or 
tgt.process.cmdline contains "RtlCreateUserThread" or tgt.process.cmdline contains "secur32" or tgt.process.cmdline contains "SetThreadToken" or tgt.process.cmdline contains "VirtualAlloc" or tgt.process.cmdline contains "VirtualFree" or tgt.process.cmdline contains "VirtualProtect" or tgt.process.cmdline contains "WaitForSingleObject" or tgt.process.cmdline contains "WriteInt32" or tgt.process.cmdline contains "WriteProcessMemory" or tgt.process.cmdline contains "ZeroFreeGlobalAllocUnicode") and (not (tgt.process.image.path contains "\MpCmdRun.exe" and tgt.process.cmdline contains "GetLoadLibraryWAddress32"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md
index 40e0bc7cc..471d6127f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "eyJ0eXAiOi" or tgt.process.cmdline contains "eyJhbGciOi" or tgt.process.cmdline contains " eyJ0eX" or tgt.process.cmdline contains " \"eyJ0eX\"" or tgt.process.cmdline contains " 'eyJ0eX'" or tgt.process.cmdline contains " eyJhbG" or tgt.process.cmdline contains " \"eyJhbG\"" or tgt.process.cmdline contains " 'eyJhbG'"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md
index e96480158..4d136c6a5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains " /c" and tgt.process.cmdline contains "dir " and tgt.process.cmdline contains "\Users\")) and (not tgt.process.cmdline contains " rmdir ")) or (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "user") and (not (tgt.process.cmdline contains "/domain" or tgt.process.cmdline contains "/add" or tgt.process.cmdline contains "/delete" or tgt.process.cmdline contains "/active" or tgt.process.cmdline contains "/expires" or tgt.process.cmdline contains "/passwordreq" or tgt.process.cmdline contains "/scriptpath" or tgt.process.cmdline contains "/times" or tgt.process.cmdline contains "/workstations"))) or ((tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\quser.exe" or tgt.process.image.path contains "\qwinsta.exe") or (tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "useraccount" and tgt.process.cmdline contains "get")) or (tgt.process.image.path contains "\cmdkey.exe" and tgt.process.cmdline contains " /l"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md
index c7c56ce12..51ceb147b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lsass.dmp" or tgt.process.cmdline contains "lsass.zip" or tgt.process.cmdline contains "lsass.rar" or tgt.process.cmdline contains "Andrew.dmp" or tgt.process.cmdline contains "Coredump.dmp" or tgt.process.cmdline contains "NotLSASS.zip" or tgt.process.cmdline contains "lsass_2" or tgt.process.cmdline contains "lsassdump" or tgt.process.cmdline contains "lsassdmp") or (tgt.process.cmdline contains "lsass" and tgt.process.cmdline contains ".dmp") or (tgt.process.cmdline contains "SQLDmpr" and tgt.process.cmdline contains ".mdmp") or (tgt.process.cmdline contains "nanodump" and tgt.process.cmdline contains ".dmp")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md
index 55124a169..1ecfa63a4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ms-appinstaller://*source=*" and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md
index 8502cd9cd..e41da848e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ipconfig /all" or tgt.process.cmdline contains "netsh interface show interface" or tgt.process.cmdline contains "arp -a" or tgt.process.cmdline contains "nbtstat -n" or tgt.process.cmdline contains "net config" or tgt.process.cmdline contains "route print"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md
index 16d13fca2..66194f69e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "for " or tgt.process.cmdline contains "foreach ") and (tgt.process.cmdline contains "nslookup" or tgt.process.cmdline contains "ping")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md
index 3f252cbee..e267e7119 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\tshark.exe" and tgt.process.cmdline contains "-i") or tgt.process.image.path contains "\windump.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md
index 326757926..13a30cceb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md
index 8b6eb4787..39353507e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains ".bin" or tgt.process.image.path contains ".cgi" or tgt.process.image.path contains ".com" or tgt.process.image.path contains ".exe" or tgt.process.image.path contains ".scr" or tgt.process.image.path contains ".tmp")) and (not ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or tgt.process.image.path contains ":\Windows\Installer\MSI" or tgt.process.image.path contains ":\Windows\System32\DriverStore\FileRepository\" or (tgt.process.image.path contains ":\Config.Msi\" and (tgt.process.image.path contains ".rbf" or tgt.process.image.path contains ".rbs")) or (src.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\Temp\") or tgt.process.image.path contains ":\$Extend\$Deleted\" or (tgt.process.image.path in ("-","")) or not (tgt.process.image.path matches "\.*"))) and (not (src.process.image.path contains ":\ProgramData\Avira\" or (tgt.process.image.path contains "NVIDIA\NvBackend\" and tgt.process.image.path contains ".dat") or ((tgt.process.image.path contains ":\Program Files (x86)\WINPAKPRO\" or tgt.process.image.path contains ":\Program Files\WINPAKPRO\") and tgt.process.image.path contains ".ngn") or (tgt.process.image.path contains ":\Program Files (x86)\MyQ\Server\pcltool.dll" or tgt.process.image.path contains ":\Program Files\MyQ\Server\pcltool.dll") or (tgt.process.image.path contains "\AppData\Local\Packages\" and tgt.process.image.path contains "\LocalState\rootfs\") or tgt.process.image.path contains "\LZMA_EXE" or tgt.process.image.path contains ":\Program Files\Mozilla Firefox\" or (src.process.image.path="C:\Windows\System32\services.exe" and tgt.process.image.path contains "com.docker.service")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md
index 4bae0d7bb..961147cd8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add") or (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "set-itemproperty" or tgt.process.cmdline contains " sp " or tgt.process.cmdline contains "new-itemproperty")) and ((tgt.process.integrityLevel in ("Medium","S-1-16-8192")) and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "Services") and (tgt.process.cmdline contains "ImagePath" or tgt.process.cmdline contains "FailureCommand" or tgt.process.cmdline contains "ServiceDLL"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md
index 15676e24f..7488325a5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\NTDSDump.exe" or tgt.process.image.path contains "\NTDSDumpEx.exe") or (tgt.process.cmdline contains "ntds.dit" and tgt.process.cmdline contains "system.hiv") or tgt.process.cmdline contains "NTDSgrab.ps1") or (tgt.process.cmdline contains "ac i ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "/c copy " and tgt.process.cmdline contains "\windows\ntds\ntds.dit") or (tgt.process.cmdline contains "activate instance ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "ntds.dit")) or (tgt.process.cmdline contains "ntds.dit" and ((src.process.image.path contains "\apache" or src.process.image.path contains "\tomcat" or src.process.image.path contains "\AppData\" or src.process.image.path contains "\Temp\" or src.process.image.path contains "\Public\" or src.process.image.path contains "\PerfLogs\") or (tgt.process.image.path contains "\apache" or tgt.process.image.path contains "\tomcat" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Temp\" or tgt.process.image.path contains "\Public\" or tgt.process.image.path contains "\PerfLogs\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md
index 30e003822..4c13a91b3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Win32_NTEventlogFile" and (tgt.process.cmdline contains ".BackupEventlog(" or tgt.process.cmdline contains ".ChangeSecurityPermissions(" or tgt.process.cmdline contains ".ChangeSecurityPermissionsEx(" or tgt.process.cmdline contains ".ClearEventLog(" or tgt.process.cmdline contains ".Delete(" or tgt.process.cmdline contains ".DeleteEx(" or tgt.process.cmdline contains ".Rename(" or tgt.process.cmdline contains ".TakeOwnerShip(" or tgt.process.cmdline contains ".TakeOwnerShipEx(")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md
index 19a691178..85a2a523d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1\" or tgt.process.cmdline contains "~2\") and (not ((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe","C:\Program Files\GPSoftware\Directory Opus\dopus.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or src.process.image.path contains "\veam.backup.shell.exe" or src.process.image.path contains "\winget.exe" or src.process.image.path contains "\Everything\Everything.exe") or src.process.image.path contains "\AppData\Local\Temp\WinGet\" or (tgt.process.cmdline contains "\appdata\local\webex\webex64\meetings\wbxreport.exe" or tgt.process.cmdline contains "C:\Program Files\Git\post-install.bat" or tgt.process.cmdline contains "C:\Program Files\Git\cmd\scalar.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md
index 4522af019..81ca0c931 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1\" or tgt.process.image.path contains "~2\") and (not (((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.displayName="InstallShield (R)" or tgt.process.displayName="InstallShield (R) Setup Engine" or tgt.process.publisher="InstallShield Software Corporation") or ((tgt.process.image.path contains "\AppData\" and tgt.process.image.path contains "\Temp\") or (tgt.process.image.path contains "~1\unzip.exe" or tgt.process.image.path contains "~1\7zG.exe"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md
index 078352a13..d24b14c44 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1.exe" or tgt.process.cmdline contains "~1.bat" or tgt.process.cmdline contains "~1.msi" or tgt.process.cmdline contains "~1.vbe" or tgt.process.cmdline contains "~1.vbs" or tgt.process.cmdline contains "~1.dll" or tgt.process.cmdline contains "~1.ps1" or tgt.process.cmdline contains "~1.js" or tgt.process.cmdline contains "~1.hta" or tgt.process.cmdline contains "~2.exe" or tgt.process.cmdline contains "~2.bat" or tgt.process.cmdline contains "~2.msi" or tgt.process.cmdline contains "~2.vbe" or tgt.process.cmdline contains "~2.vbs" or tgt.process.cmdline contains "~2.dll" or tgt.process.cmdline contains "~2.ps1" or tgt.process.cmdline contains "~2.js" or tgt.process.cmdline contains "~2.hta") and (not ((src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.cmdline contains "C:\xampp\vcredist\VCREDI~1.EXE"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md
index f21c30834..88e616fff 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1.bat" or tgt.process.image.path contains "~1.dll" or tgt.process.image.path contains "~1.exe" or tgt.process.image.path contains "~1.hta" or tgt.process.image.path contains "~1.js" or tgt.process.image.path contains "~1.msi" or tgt.process.image.path contains "~1.ps1" or tgt.process.image.path contains "~1.tmp" or tgt.process.image.path contains "~1.vbe" or tgt.process.image.path contains "~1.vbs" or tgt.process.image.path contains "~2.bat" or tgt.process.image.path contains "~2.dll" or tgt.process.image.path contains "~2.exe" or tgt.process.image.path contains "~2.hta" or tgt.process.image.path contains "~2.js" or tgt.process.image.path contains "~2.msi" or tgt.process.image.path contains "~2.ps1" or tgt.process.image.path contains "~2.tmp" or tgt.process.image.path contains "~2.vbe" or tgt.process.image.path contains "~2.vbs") and (not src.process.image.path="C:\Windows\explorer.exe") and (not (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or tgt.process.image.path="C:\PROGRA~1\WinZip\WZPREL~1.EXE" or tgt.process.image.path contains "\VCREDI~1.EXE"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md
index b3f1be496..58544c0a7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "DownloadFile" or tgt.process.cmdline contains "DownloadString") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md
index 2bf2a09ee..710aedc5e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\arp.exe") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md
index 830f4a8e7..5e13ab0cf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\minesweeper.exe" or src.process.image.path contains "\winver.exe" or src.process.image.path contains "\bitsadmin.exe") or ((src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\certutil.exe" or src.process.image.path contains "\eventvwr.exe" or src.process.image.path contains "\calc.exe" or src.process.image.path contains "\notepad.exe") and (not ((tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\wermgr.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\mmc.exe" or tgt.process.image.path contains "\win32calc.exe" or tgt.process.image.path contains "\notepad.exe") or not (tgt.process.image.path matches "\.*"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md
index 962ce5d31..063f02562 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -u system " or tgt.process.cmdline contains " --user system " or tgt.process.cmdline contains " -u NT" or tgt.process.cmdline contains " -u \"NT" or tgt.process.cmdline contains " -u 'NT" or tgt.process.cmdline contains " --system " or tgt.process.cmdline contains " -u administrator ") and (tgt.process.cmdline contains " -c cmd" or tgt.process.cmdline contains " -c \"cmd" or tgt.process.cmdline contains " -c powershell" or tgt.process.cmdline contains " -c \"powershell" or tgt.process.cmdline contains " --command cmd" or tgt.process.cmdline contains " --command powershell" or tgt.process.cmdline contains " -c whoami" or tgt.process.cmdline contains " -c wscript" or tgt.process.cmdline contains " -c cscript")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md
index 9f8381310..1df7aae68 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\lsaiso.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe") and (not (((src.process.image.path contains "\SavService.exe" or src.process.image.path contains "\ngen.exe") or (src.process.image.path contains "\System32\" or src.process.image.path contains "\SysWOW64\")) or ((src.process.image.path contains "\Windows Defender\" or src.process.image.path contains "\Microsoft Security Client\") and src.process.image.path contains "\MsMpEng.exe") or (not (src.process.image.path matches "\.*") or src.process.image.path="-")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md
index 6a3b3e84c..7b8f7a018 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\CVE-202" or tgt.process.image.path contains "\CVE202") or (tgt.process.image.path contains "\poc.exe" or tgt.process.image.path contains "\artifact.exe" or tgt.process.image.path contains "\artifact64.exe" or tgt.process.image.path contains "\artifact_protected.exe" or tgt.process.image.path contains "\artifact32.exe" or tgt.process.image.path contains "\artifact32big.exe" or tgt.process.image.path contains "obfuscated.exe" or tgt.process.image.path contains "obfusc.exe" or tgt.process.image.path contains "\meterpreter")) or (tgt.process.cmdline contains "inject.ps1" or tgt.process.cmdline contains "Invoke-CVE" or tgt.process.cmdline contains "pupy.ps1" or tgt.process.cmdline contains "payload.ps1" or tgt.process.cmdline contains "beacon.ps1" or tgt.process.cmdline contains "PowerView.ps1" or tgt.process.cmdline contains "bypass.ps1" or tgt.process.cmdline contains "obfuscated.ps1" or tgt.process.cmdline contains "obfusc.ps1" or tgt.process.cmdline contains "obfus.ps1" or tgt.process.cmdline contains "obfs.ps1" or tgt.process.cmdline contains "evil.ps1" or tgt.process.cmdline contains "MiniDogz.ps1" or tgt.process.cmdline contains "_enc.ps1" or tgt.process.cmdline contains "\shell.ps1" or tgt.process.cmdline contains "\rshell.ps1" or tgt.process.cmdline contains "revshell.ps1" or tgt.process.cmdline contains "\av.ps1" or tgt.process.cmdline contains "\av_test.ps1" or tgt.process.cmdline contains "adrecon.ps1" or tgt.process.cmdline contains "mimikatz.ps1" or tgt.process.cmdline contains "\PowerUp_" or tgt.process.cmdline contains "powerup.ps1" or tgt.process.cmdline contains "\Temp\a.ps1" or tgt.process.cmdline contains "\Temp\p.ps1" or tgt.process.cmdline contains "\Temp\1.ps1" or tgt.process.cmdline 
contains "Hound.ps1" or tgt.process.cmdline contains "encode.ps1" or tgt.process.cmdline contains "powercat.ps1"))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md
index 921bf3713..7b2079936 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "RECYCLERS.BIN\" or tgt.process.image.path contains "RECYCLER.BIN\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md
index cc5929a55..5adabf119 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ">" and (tgt.process.cmdline contains "\\127.0.0.1\admin$\" or tgt.process.cmdline contains "\\localhost\admin$\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md
index 51d385492..5b0929a3e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":3389" and (tgt.process.cmdline contains " -L " or tgt.process.cmdline contains " -P " or tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " -pw " or tgt.process.cmdline contains " -ssh ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md
index 894900962..f0da6562c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "‮")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md
index 28ab0872a..85fc3ef16 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains "\Windows\Temp" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\Temp" or tgt.process.cmdline contains "%TEMP%" or tgt.process.cmdline contains "%TMP%" or tgt.process.cmdline contains "%LocalAppData%\Temp")) and (not (tgt.process.cmdline contains " >" or tgt.process.cmdline contains "Out-File" or tgt.process.cmdline contains "ConvertTo-Json" or tgt.process.cmdline contains "-WindowStyle hidden -Verb runAs" or tgt.process.cmdline contains "\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md
index 667091020..0f9432dda 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" and (tgt.process.cmdline contains "\NTDS.dit" or tgt.process.cmdline contains "\SYSTEM" or tgt.process.cmdline contains "\SECURITY")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md
index 7f25b148a..288670f74 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath=")) or (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName")) and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md
index afb887673..25668dfd7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\$Recycle.bin" or tgt.process.image.path contains "\Users\All Users\" or tgt.process.image.path contains "\Users\Default\" or tgt.process.image.path contains "\Users\Contacts\" or tgt.process.image.path contains "\Users\Searches\" or tgt.process.image.path contains "C:\Perflogs\" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Windows\Fonts\" or tgt.process.image.path contains "\Windows\IME\" or tgt.process.image.path contains "\Windows\addins\") and (src.process.image.path contains "\services.exe" or src.process.image.path contains "\svchost.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md
index 4039f5388..248a98839 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\regsvr32.exe") and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\mshta.exe")) and (not (tgt.process.image.path contains "\ccmcache\" or (src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1" or src.process.cmdline contains "\nessus_") or tgt.process.cmdline contains "\nessus_" or (src.process.image.path contains "\mshta.exe" and tgt.process.image.path contains "\mshta.exe" and (src.process.cmdline contains "C:\MEM_Configmgr_" and src.process.cmdline contains "\splash.hta" and src.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}") and (tgt.process.cmdline contains "C:\MEM_Configmgr_" and tgt.process.cmdline contains "\SMSSETUP\BIN\" and tgt.process.cmdline contains "\autorun.hta" and tgt.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}")))))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path,tgt.process.image.path,src.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md
index 7dcdc439d..789ae11fb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":\Windows\Sysnative\" or tgt.process.image.path contains ":\Windows\Sysnative\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md
index 572f5f58f..914e5b973 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\atbroker.exe" or tgt.process.image.path contains "\audiodg.exe" or tgt.process.image.path contains "\bcdedit.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certreq.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmstp.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\consent.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\dashost.exe" or tgt.process.image.path contains "\defrag.exe" or tgt.process.image.path contains "\dfrgui.exe" or tgt.process.image.path contains "\dism.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\dllhst3g.exe" or tgt.process.image.path contains "\dwm.exe" or tgt.process.image.path contains "\eventvwr.exe" or tgt.process.image.path contains "\logonui.exe" or tgt.process.image.path contains "\LsaIso.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\ntoskrnl.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\runonce.exe" or tgt.process.image.path contains "\RuntimeBroker.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\sihost.exe" or 
tgt.process.image.path contains "\smartscreen.exe" or tgt.process.image.path contains "\smss.exe" or tgt.process.image.path contains "\spoolsv.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\Taskmgr.exe" or tgt.process.image.path contains "\userinit.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe" or tgt.process.image.path contains "\winver.exe" or tgt.process.image.path contains "\wlanext.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wsmprovhost.exe") and (not ((tgt.process.image.path contains "C:\$WINDOWS.~BT\" or tgt.process.image.path contains "C:\$WinREAgent\" or tgt.process.image.path contains "C:\Windows\SoftwareDistribution\" or tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SystemTemp\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\uus\" or tgt.process.image.path contains "C:\Windows\WinSxS\") or (tgt.process.image.path in ("C:\Program Files\PowerShell\7\pwsh.exe","C:\Program Files\PowerShell\7-preview\pwsh.exe")) or (tgt.process.image.path contains "C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux" and tgt.process.image.path contains "\wsl.exe"))) and (not tgt.process.image.path contains "\SystemRoot\System32\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md
index d063c924d..212d9581b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.integrityLevel in ("System","S-1-16-16384")) and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " /urlcache " or tgt.process.cmdline contains " -urlcache " or tgt.process.cmdline="* -e* JAB*" or tgt.process.cmdline="* -e* SUVYI*" or tgt.process.cmdline="* -e* SQBFAFgA*" or tgt.process.cmdline="* -e* aWV4I*" or tgt.process.cmdline="* -e* IAB*" or tgt.process.cmdline="* -e* PAA*" or tgt.process.cmdline="* -e* aQBlAHgA*" or tgt.process.cmdline contains "vssadmin delete shadows" or tgt.process.cmdline contains "reg SAVE HKLM" or tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains "Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains " /ticket:" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "event::clear" or tgt.process.cmdline contains "event::drop" or tgt.process.cmdline contains "id::modify" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "misc::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains 
"rpc::" or tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "sid::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "vault::cred" or tgt.process.cmdline contains "vault::list" or tgt.process.cmdline contains " p::d " or tgt.process.cmdline contains ";iex(" or tgt.process.cmdline contains "MiniDump" or tgt.process.cmdline contains "net user "))) and (not ((tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "127.0.0.1" and tgt.process.cmdline contains " -n ") or (tgt.process.image.path contains "\PING.EXE" and src.process.cmdline contains "\DismFoDInstall.cmd") or src.process.image.path contains ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or ((src.process.image.path contains ":\Program Files (x86)\Java\" or src.process.image.path contains ":\Program Files\Java\") and src.process.image.path contains "\bin\javaws.exe" and (tgt.process.image.path contains ":\Program Files (x86)\Java\" or tgt.process.image.path contains ":\Program Files\Java\") and tgt.process.image.path contains "\bin\jp2launcher.exe" and tgt.process.cmdline contains " -ma "))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md index 856bcac05..4a7d16e2f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SYSVOL\" and tgt.process.cmdline contains "\policies\")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md index 3e41131ef..54a298b7d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo " or tgt.process.cmdline contains "copy " or tgt.process.cmdline contains "type " or tgt.process.cmdline contains "file createnew") and (tgt.process.cmdline contains " C:\Windows\System32\Tasks\" or tgt.process.cmdline contains " C:\Windows\SysWow64\Tasks\"))) | columns tgt.process.cmdline,ParentProcess ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md index 271783816..dc2c7cc40 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vsjitdebugger.exe" and (not (tgt.process.image.path="*\vsimmersiveactivatehelper*.exe" or tgt.process.image.path contains "\devenv.exe")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md index ad80e3402..a1d32b0af 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "123456789" or tgt.process.cmdline contains "123123qwE" or tgt.process.cmdline contains "Asd123.aaaa" or tgt.process.cmdline contains "Decryptme" or tgt.process.cmdline contains "P@ssw0rd!" or tgt.process.cmdline contains "Pass8080" or tgt.process.cmdline contains "password123" or tgt.process.cmdline contains "test@202")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md index eca2005df..abb536d31 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[System.Net.WebRequest]::create" or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "Invoke-RestMethod" or tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "Net.WebClient" or tgt.process.cmdline contains "Resume-BitsTransfer" or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "WinHttp.WinHttpRequest")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md index a3a1667ef..1dba0bf0a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains ".exe whoami") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md index 33528a1dd..6ad249b64 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\control.exe" and src.process.image.path contains "\WorkFolders.exe") and (not tgt.process.image.path="C:\Windows\System32\control.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md index 24310c307..f732562aa 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "svchost.exe" and tgt.process.image.path contains "\svchost.exe") and (not ((src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\rpcnetp.exe") or not (tgt.process.cmdline matches "\.*"))))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md index 7e9cdfbc8..750401f7c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains "\svchost.exe" and src.process.cmdline contains "termsvcs") and (not ((tgt.process.image.path contains "\rdpclip.exe" or tgt.process.image.path contains ":\Windows\System32\csrss.exe" or tgt.process.image.path contains ":\Windows\System32\wininit.exe" or tgt.process.image.path contains ":\Windows\System32\winlogon.exe") or not (tgt.process.image.path matches "\.*"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md index 1589c0fb1..09a9108d9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\svchost.exe" and (not ((src.process.image.path contains "\Mrt.exe" or src.process.image.path contains "\MsMpEng.exe" or src.process.image.path contains "\ngen.exe" or src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\TiWorker.exe") or not (src.process.image.path matches "\.*") or (src.process.image.path in ("-","")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md index a50047e22..bcfa74a1a 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -accepteula" or tgt.process.cmdline contains " /accepteula" or tgt.process.cmdline contains " –accepteula" or tgt.process.cmdline contains " —accepteula" or tgt.process.cmdline contains " ―accepteula")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md index 70ea82912..8aaa5737e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md index 5292c14e2..8739bc403 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "copy procdump" or tgt.process.cmdline contains "move procdump") or ((tgt.process.cmdline contains "copy " and tgt.process.cmdline contains ".dmp ") and (tgt.process.cmdline contains "2.dmp" or tgt.process.cmdline contains "lsass" or tgt.process.cmdline contains "out.dmp")) or (tgt.process.cmdline contains "copy lsass.exe_" or tgt.process.cmdline contains "move lsass.exe_"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md index 3330ac482..e9260ce30 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains " /ma " or tgt.process.cmdline contains " –ma " or tgt.process.cmdline contains " —ma " or tgt.process.cmdline contains " ―ma ") and tgt.process.cmdline contains " ls")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md index e79180c3a..ae342f70e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline 
contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline 
contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or 
tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline 
contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (tgt.process.cmdline contains "psexec" or tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "accepteula"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md index 6a1736a46..f76ed8a32 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "accepteula" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " \\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md index f65d89837..06e489e32 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\PSEXESVC.exe" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md index 8b84368c8..81ae3d70e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline 
contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline 
contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or 
tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline 
contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (not (tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "PsExec" or tgt.process.cmdline contains "accepteula"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md
index 586df133f..2f0bf73bd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-c" or tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "–c" or tgt.process.cmdline contains "—c" or tgt.process.cmdline contains "―c")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md
index c4349f4da..11b3d5097 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md
index f655a809e..389c1b651 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\accesschk.exe" or tgt.process.image.path contains "\accesschk64.exe" or tgt.process.image.path contains "\AccessEnum.exe" or tgt.process.image.path contains "\ADExplorer.exe" or tgt.process.image.path contains "\ADExplorer64.exe" or tgt.process.image.path contains "\ADInsight.exe" or tgt.process.image.path contains "\ADInsight64.exe" or tgt.process.image.path contains "\adrestore.exe" or tgt.process.image.path contains "\adrestore64.exe" or tgt.process.image.path contains "\Autologon.exe" or tgt.process.image.path contains "\Autologon64.exe" or tgt.process.image.path contains "\Autoruns.exe" or tgt.process.image.path contains "\Autoruns64.exe" or tgt.process.image.path contains "\autorunsc.exe" or tgt.process.image.path contains "\autorunsc64.exe" or tgt.process.image.path contains "\Bginfo.exe" or tgt.process.image.path contains "\Bginfo64.exe" or tgt.process.image.path contains "\Cacheset.exe" or tgt.process.image.path contains "\Cacheset64.exe" or tgt.process.image.path contains "\Clockres.exe" or tgt.process.image.path contains "\Clockres64.exe" or tgt.process.image.path contains "\Contig.exe" or tgt.process.image.path contains "\Contig64.exe" or tgt.process.image.path contains "\Coreinfo.exe" or tgt.process.image.path contains "\Coreinfo64.exe" or tgt.process.image.path contains "\CPUSTRES.EXE" or tgt.process.image.path contains "\CPUSTRES64.EXE" or tgt.process.image.path contains "\ctrl2cap.exe" or tgt.process.image.path contains "\Dbgview.exe" or tgt.process.image.path contains "\dbgview64.exe" or tgt.process.image.path contains "\Desktops.exe" or tgt.process.image.path contains "\Desktops64.exe" or tgt.process.image.path contains "\disk2vhd.exe" or tgt.process.image.path contains 
"\disk2vhd64.exe" or tgt.process.image.path contains "\diskext.exe" or tgt.process.image.path contains "\diskext64.exe" or tgt.process.image.path contains "\Diskmon.exe" or tgt.process.image.path contains "\Diskmon64.exe" or tgt.process.image.path contains "\DiskView.exe" or tgt.process.image.path contains "\DiskView64.exe" or tgt.process.image.path contains "\du.exe" or tgt.process.image.path contains "\du64.exe" or tgt.process.image.path contains "\efsdump.exe" or tgt.process.image.path contains "\FindLinks.exe" or tgt.process.image.path contains "\FindLinks64.exe" or tgt.process.image.path contains "\handle.exe" or tgt.process.image.path contains "\handle64.exe" or tgt.process.image.path contains "\hex2dec.exe" or tgt.process.image.path contains "\hex2dec64.exe" or tgt.process.image.path contains "\junction.exe" or tgt.process.image.path contains "\junction64.exe" or tgt.process.image.path contains "\ldmdump.exe" or tgt.process.image.path contains "\listdlls.exe" or tgt.process.image.path contains "\listdlls64.exe" or tgt.process.image.path contains "\livekd.exe" or tgt.process.image.path contains "\livekd64.exe" or tgt.process.image.path contains "\loadOrd.exe" or tgt.process.image.path contains "\loadOrd64.exe" or tgt.process.image.path contains "\loadOrdC.exe" or tgt.process.image.path contains "\loadOrdC64.exe" or tgt.process.image.path contains "\logonsessions.exe" or tgt.process.image.path contains "\logonsessions64.exe" or tgt.process.image.path contains "\movefile.exe" or tgt.process.image.path contains "\movefile64.exe" or tgt.process.image.path contains "\notmyfault.exe" or tgt.process.image.path contains "\notmyfault64.exe" or tgt.process.image.path contains "\notmyfaultc.exe" or tgt.process.image.path contains "\notmyfaultc64.exe" or tgt.process.image.path contains "\ntfsinfo.exe" or tgt.process.image.path contains "\ntfsinfo64.exe" or tgt.process.image.path contains "\pendmoves.exe" or tgt.process.image.path contains "\pendmoves64.exe" or 
tgt.process.image.path contains "\pipelist.exe" or tgt.process.image.path contains "\pipelist64.exe" or tgt.process.image.path contains "\portmon.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe" or tgt.process.image.path contains "\procexp.exe" or tgt.process.image.path contains "\procexp64.exe" or tgt.process.image.path contains "\Procmon.exe" or tgt.process.image.path contains "\Procmon64.exe" or tgt.process.image.path contains "\psExec.exe" or tgt.process.image.path contains "\psExec64.exe" or tgt.process.image.path contains "\psfile.exe" or tgt.process.image.path contains "\psfile64.exe" or tgt.process.image.path contains "\psGetsid.exe" or tgt.process.image.path contains "\psGetsid64.exe" or tgt.process.image.path contains "\psInfo.exe" or tgt.process.image.path contains "\psInfo64.exe" or tgt.process.image.path contains "\pskill.exe" or tgt.process.image.path contains "\pskill64.exe" or tgt.process.image.path contains "\pslist.exe" or tgt.process.image.path contains "\pslist64.exe" or tgt.process.image.path contains "\psLoggedon.exe" or tgt.process.image.path contains "\psLoggedon64.exe" or tgt.process.image.path contains "\psloglist.exe" or tgt.process.image.path contains "\psloglist64.exe" or tgt.process.image.path contains "\pspasswd.exe" or tgt.process.image.path contains "\pspasswd64.exe" or tgt.process.image.path contains "\psping.exe" or tgt.process.image.path contains "\psping64.exe" or tgt.process.image.path contains "\psService.exe" or tgt.process.image.path contains "\psService64.exe" or tgt.process.image.path contains "\psshutdown.exe" or tgt.process.image.path contains "\psshutdown64.exe" or tgt.process.image.path contains "\pssuspend.exe" or tgt.process.image.path contains "\pssuspend64.exe" or tgt.process.image.path contains "\RAMMap.exe" or tgt.process.image.path contains "\RDCMan.exe" or tgt.process.image.path contains "\RegDelNull.exe" or tgt.process.image.path contains 
"\RegDelNull64.exe" or tgt.process.image.path contains "\regjump.exe" or tgt.process.image.path contains "\ru.exe" or tgt.process.image.path contains "\ru64.exe" or tgt.process.image.path contains "\sdelete.exe" or tgt.process.image.path contains "\sdelete64.exe" or tgt.process.image.path contains "\ShareEnum.exe" or tgt.process.image.path contains "\ShareEnum64.exe" or tgt.process.image.path contains "\shellRunas.exe" or tgt.process.image.path contains "\sigcheck.exe" or tgt.process.image.path contains "\sigcheck64.exe" or tgt.process.image.path contains "\streams.exe" or tgt.process.image.path contains "\streams64.exe" or tgt.process.image.path contains "\strings.exe" or tgt.process.image.path contains "\strings64.exe" or tgt.process.image.path contains "\sync.exe" or tgt.process.image.path contains "\sync64.exe" or tgt.process.image.path contains "\Sysmon.exe" or tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\tcpvcon.exe" or tgt.process.image.path contains "\tcpvcon64.exe" or tgt.process.image.path contains "\tcpview.exe" or tgt.process.image.path contains "\tcpview64.exe" or tgt.process.image.path contains "\Testlimit.exe" or tgt.process.image.path contains "\Testlimit64.exe" or tgt.process.image.path contains "\vmmap.exe" or tgt.process.image.path contains "\vmmap64.exe" or tgt.process.image.path contains "\Volumeid.exe" or tgt.process.image.path contains "\Volumeid64.exe" or tgt.process.image.path contains "\whois.exe" or tgt.process.image.path contains "\whois64.exe" or tgt.process.image.path contains "\Winobj.exe" or tgt.process.image.path contains "\Winobj64.exe" or tgt.process.image.path contains "\ZoomIt.exe" or tgt.process.image.path contains "\ZoomIt64.exe") and (not ((tgt.process.publisher in ("Sysinternals - www.sysinternals.com","Sysinternals")) or not (tgt.process.publisher matches "\.*"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md
index 264e1aa07..372b42bba 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sysprep.exe" and tgt.process.cmdline contains "\AppData\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md
index 0dd8f90c1..a7afd421e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\takeown.exe" and (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "/r"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md
index 0bf4a3e37..d0cd68145 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tapinstall.exe" and (not ((tgt.process.image.path contains ":\Program Files\Avast Software\SecureLine VPN\" or tgt.process.image.path contains ":\Program Files (x86)\Avast Software\SecureLine VPN\") or tgt.process.image.path contains ":\Program Files\OpenVPN Connect\drivers\tap\" or tgt.process.image.path contains ":\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md
index ef9716b01..2a660fd8e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "taskkill" and tgt.process.cmdline contains " /F " and tgt.process.cmdline contains " /IM " and tgt.process.cmdline contains "ccSvcHst.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md
index 85df1c53d..249306ef0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\taskmgr.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md
index 56275e020..89f0afee4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\taskmgr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\resmon.exe" or tgt.process.image.path contains ":\Windows\System32\Taskmgr.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md
index 8050d34d7..385ce95e3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Teams\Cookies" or tgt.process.cmdline contains "\Microsoft\Teams\Local Storage\leveldb") and (not tgt.process.image.path contains "\Microsoft\Teams\current\Teams.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md
index eaaa81def..afffd6610 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\tscon.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md
index f1ccc64cc..ed9641e41 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " /dest:rdp-tcp#")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md
index c2a764280..eeeb7d86a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\changepk.exe" and src.process.image.path contains "\slui.exe" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md
index 89a4db953..f22d4e2f8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\"\system32\cleanmgr.exe /autoclean /d C:" and src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md
index 746eeea7a..5b993e31d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and (src.process.cmdline contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or src.process.cmdline contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or src.process.cmdline contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or src.process.cmdline contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or src.process.cmdline contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md
index 6a686610f..13d776898 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")) and tgt.process.image.path="C:\Windows\System32\ComputerDefaults.exe") and (not (src.process.image.path contains ":\Windows\System32" or src.process.image.path contains ":\Program Files"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md
index 33beffda0..87ae87bb9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\consent.exe" and tgt.process.image.path contains "\werfault.exe" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md
index 77f598050..bc4548f64 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "C:\Users\" and src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "\DismHost.exe") and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md
index 043647a94..43f9bde6f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Event Viewer\RecentViews" or tgt.process.cmdline contains "\EventV~1\RecentViews") and tgt.process.cmdline contains ">"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md
index 070d52134..bbe300058 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\fodhelper.exe") | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md
index da747578e..7288ea73a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\mmc.exe" and src.process.cmdline contains "WF.msc") and (not tgt.process.image.path contains "\WerFault.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md
index 1db103824..8ec7bcf82 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and src.process.cmdline contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md
index 00562fac7..eb1a03950 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")) and src.process.image.path contains "\ieinstal.exe" and tgt.process.image.path contains "\AppData\Local\Temp\" and tgt.process.image.path contains "consent.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md
index 9051ee9cc..f9152f949 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")) and src.process.image.path contains "\AppData\Local\Temp\pkgmgr.exe" and tgt.process.cmdline="\"C:\Windows\system32\msconfig.exe\" -5"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md
index 48a334e3e..0057e4874 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\"C:\Windows\system32\wusa.exe\" /quiet C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\update.msu" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))) or (src.process.cmdline="\"C:\Windows\system32\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\Windows\system32\pe386\" /ignorecheck" and (tgt.process.integrityLevel in ("High","System")) and (tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "\dismhost.exe {") and tgt.process.image.path contains "\DismHost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md index c9c3914fa..3e788ed02 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\pkgmgr.exe" and tgt.process.image.path contains "\dism.exe" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md index 364197421..ba594b950 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "sdclt.exe" and (tgt.process.integrityLevel in ("High","S-1-16-12288")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md index 17a4509ae..9a749a3bf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "C:\Windows \System32\") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md index 80ad1b1f9..bce123635 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")) and src.process.image.path contains "\AppData\Local\Temp\system32\winsat.exe" and src.process.cmdline contains "C:\Windows \system32\winsat.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md index 494e133f1..2ea519ee6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path="C:\Program Files\Windows Media Player\osk.exe" or (tgt.process.image.path="C:\Windows\System32\cmd.exe" and src.process.cmdline="\"C:\Windows\system32\mmc.exe\" \"C:\Windows\system32\eventvwr.msc\" /s")) and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md index 16f63010f..1fa279e11 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsreset.exe" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md index d8a3545aa..6c7820707 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "-autoreconnect " and tgt.process.cmdline contains "-connect " and tgt.process.cmdline contains "-id:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md index 1d9de4661..49f76d1c9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\WindowsSensor.exe" and tgt.process.cmdline contains " /uninstall" and tgt.process.cmdline contains " /quiet")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md index 8c39a540f..167d1d76d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\userinit.exe" and (not tgt.process.image.path contains ":\WINDOWS\explorer.exe") and (not ((tgt.process.cmdline contains "netlogon.bat" or tgt.process.cmdline contains "UsrLogon.cmd") or tgt.process.cmdline="PowerShell.exe" or (tgt.process.image.path contains ":\Windows\System32\proquota.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\proquota.exe") or (tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\System32\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\System32\icast.exe") or not (tgt.process.image.path matches "\.*"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md index 27e576934..ecc4a554a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "VBoxRT.dll,RTR3Init" or tgt.process.cmdline contains "VBoxC.dll" or tgt.process.cmdline contains "VBoxDrv.sys") or (tgt.process.cmdline contains "startvm" or tgt.process.cmdline contains "controlvm"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md index f8673e65e..d94fea058 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VBoxDrvInst.exe" and (tgt.process.cmdline contains "driver" and tgt.process.cmdline contains "executeinf"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md index c17e385a8..9ccb3a2f3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\code.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe") or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-Expressions" or tgt.process.cmdline contains "IEX" or tgt.process.cmdline contains "Invoke-Command" or tgt.process.cmdline contains "ICM" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript")) or (tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Temp\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md index e24f70d9b..edbf3b616 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\servers\Stable-" and src.process.image.path contains "\server\node.exe" and src.process.cmdline contains ".vscode-server") and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline contains "\terminal\browser\media\shellIntegration.ps1") or (tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\bash.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md index fb2c5bf9c..34ff88235 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "tunnel " and tgt.process.cmdline contains "service" and tgt.process.cmdline contains "internal-run" and tgt.process.cmdline contains "tunnel-service.log")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md index 81f739e85..5e6689965 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\vsls-agent.exe" and tgt.process.cmdline contains "--agentExtensionPath") and (not tgt.process.cmdline contains "Microsoft.VisualStudio.LiveShare.Agent."))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md index f72db9f58..0a14a4f64 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe") and (not (tgt.process.image.path contains "C:\Windows\WinSxS\" or tgt.process.image.path contains "C:\Program Files\Windows Mail\" or tgt.process.image.path contains "C:\Program Files (x86)\Windows Mail\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md index 81a532196..23dd1dd96 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe")) or (src.process.image.path contains "\wab.exe" or src.process.image.path contains "\wabmig.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md index 7d2af5225..ff1f63f10 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\explorer.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and tgt.process.cmdline contains "\DavWWWRoot\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md index c75ac9841..2cff8d853 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\w3wp.exe") and (tgt.process.cmdline contains "&ipconfig&echo" or tgt.process.cmdline contains "&quser&echo" or tgt.process.cmdline contains "&whoami&echo" or tgt.process.cmdline contains "&c:&echo" or tgt.process.cmdline contains "&cd&echo" or tgt.process.cmdline contains "&dir&echo" or tgt.process.cmdline contains "&echo [E]" or tgt.process.cmdline contains "&echo [S]"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md index f5fec4f70..3c9aee4e6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "catalina.jar" or tgt.process.cmdline contains "CATALINA_HOME"))) and ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "comsvcs") or (tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " a " and tgt.process.cmdline contains " -m") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " user " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " localgroup " and tgt.process.cmdline contains " administrators " and tgt.process.cmdline contains "/add") or (tgt.process.image.path contains "\ntdsutil.exe" or tgt.process.image.path contains "\ldifde.exe" or tgt.process.image.path contains "\adfind.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\Nanodump.exe" or tgt.process.image.path contains "\vssadmin.exe" or tgt.process.image.path contains "\fsutil.exe") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " 
/ticket:" or tgt.process.cmdline contains " sekurlsa" or tgt.process.cmdline contains ".dmp full" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "process call create" or tgt.process.cmdline contains "reg save " or tgt.process.cmdline contains "whoami /priv")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md index ea2933752..408a094c0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\php.exe" or src.process.image.path contains "\tomcat.exe" or src.process.image.path contains "\UMWorkerProcess.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_TomcatService.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.cmdline contains "CATALINA_HOME" or src.process.cmdline contains "catalina.home" or src.process.cmdline contains "catalina.jar"))) and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\at.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dsget.exe" or tgt.process.image.path contains "\hostname.exe" or tgt.process.image.path contains "\nbtstat.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netdom.exe" or tgt.process.image.path contains "\netsh.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ntdsutil.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains 
"\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\qprocess.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\qwinsta.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sc.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wusa.exe") and (not ((src.process.image.path contains "\java.exe" and tgt.process.cmdline contains "Windows\system32\cmd.exe /c C:\ManageEngine\ADManager \"Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") or (src.process.image.path contains "\java.exe" and (tgt.process.cmdline contains "sc query" and tgt.process.cmdline contains "ADManager Plus")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md index 11175e48b..8eff1c027 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "CATALINA_HOME" or tgt.process.cmdline contains "catalina.jar"))) and (tgt.process.cmdline contains "perl --help" or tgt.process.cmdline contains "perl -h" or tgt.process.cmdline contains "python --help" or tgt.process.cmdline contains "python -h" or tgt.process.cmdline contains "python3 --help" or tgt.process.cmdline contains "python3 -h" or tgt.process.cmdline contains "wget --help"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md index 967e50a01..34c5df082 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wermgr.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\ipconfig.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "C:\Windows\system32\WerConCpl.dll" and tgt.process.cmdline contains "LaunchErcApp ") and (tgt.process.cmdline contains "-queuereporting" or tgt.process.cmdline contains "-responsepester"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md index 2dd71a24c..ecbd29202 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wermgr.exe" and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\WinSxS\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md index f3b9bbbec..bddb9f2d1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WindowsTerminal.exe" or src.process.image.path contains "\wt.exe") and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\csc.exe") or (tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Windows\TEMP\") or (tgt.process.cmdline contains " iex " or tgt.process.cmdline contains " icm" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Import-Module " or tgt.process.cmdline contains "ipmo " or tgt.process.cmdline contains "DownloadString(" or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " /k " or tgt.process.cmdline contains " /r "))) and (not ((tgt.process.cmdline contains "Import-Module" and tgt.process.cmdline contains "Microsoft.VisualStudio.DevShell.dll" and tgt.process.cmdline contains "Enter-VsDevShell") or (tgt.process.cmdline contains "\AppData\Local\Packages\Microsoft.WindowsTerminal_" and tgt.process.cmdline contains "\LocalState\settings.json") or (tgt.process.cmdline contains "C:\Program Files\Microsoft Visual Studio\" and tgt.process.cmdline contains "\Common7\Tools\VsDevCmd.bat"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md index 18958641a..99178cdbd 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (tgt.process.cmdline contains ".dmp" or tgt.process.cmdline contains ".dump" or tgt.process.cmdline contains ".hdmp"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md index 58246dddb..d9c7dfc34 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (not (tgt.process.image.path contains "\UnRAR.exe" or (tgt.process.image.path contains ":\Program Files (x86)\WinRAR\" or tgt.process.image.path contains ":\Program Files\WinRAR\"))) and (not tgt.process.image.path contains ":\Windows\Temp\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md index 8e9187669..a1eb39cff 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "winrm" and ((tgt.process.cmdline contains "format:pretty" or tgt.process.cmdline contains "format:\"pretty\"" or tgt.process.cmdline contains "format:\"text\"" or tgt.process.cmdline contains "format:text") and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md index f6c0ceeee..e6303a5f5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsmprovhost.exe" or src.process.image.path contains "\wsmprovhost.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md index bf399529c..69f817493 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wsmprovhost.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md index 957261f44..0dc909bad 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "winzip.exe" or tgt.process.cmdline contains "winzip64.exe") and tgt.process.cmdline contains "-s\"" and (tgt.process.cmdline contains " -min " or tgt.process.cmdline contains " -a "))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
index 55670f402..e593ebddf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\EdgeTransport.exe" and (not (tgt.process.image.path="C:\Windows\System32\conhost.exe" or (tgt.process.image.path contains "C:\Program Files\Microsoft\Exchange Server\" and tgt.process.image.path contains "\Bin\OleConverter.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
index 2c2b5804f..c44bd369d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="C:\WINDOWS\system32\wbem\scrcons.exe" and src.process.image.path="C:\Windows\System32\svchost.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md index 92dd3c24d..41233a4f2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ActiveScriptEventConsumer" and tgt.process.cmdline contains " CREATE ")) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md index 20d2d29bb..66d1b24fc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "process " and tgt.process.cmdline contains "call " and tgt.process.cmdline contains "create ") and (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "%temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md index e29612b4e..b319f0628 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "product where " and tgt.process.cmdline contains "call" and tgt.process.cmdline contains "uninstall" and tgt.process.cmdline contains "/nointeractive") or ((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "caption like ") and (tgt.process.cmdline contains "call delete" or tgt.process.cmdline contains "call terminate")) or (tgt.process.cmdline contains "process " and tgt.process.cmdline contains "where " and tgt.process.cmdline contains "delete")) and (tgt.process.cmdline contains "%carbon%" or tgt.process.cmdline contains "%cylance%" or tgt.process.cmdline contains "%endpoint%" or tgt.process.cmdline contains "%eset%" or tgt.process.cmdline contains "%malware%" or tgt.process.cmdline contains "%Sophos%" or tgt.process.cmdline contains "%symantec%" or tgt.process.cmdline contains "Antivirus" or tgt.process.cmdline contains "AVG " or tgt.process.cmdline contains "Carbon Black" or tgt.process.cmdline contains "CarbonBlack" or tgt.process.cmdline contains "Cb Defense Sensor 64-bit" or tgt.process.cmdline contains "Crowdstrike Sensor" or tgt.process.cmdline contains "Cylance " or tgt.process.cmdline contains "Dell Threat Defense" or tgt.process.cmdline contains "DLP Endpoint" or tgt.process.cmdline contains "Endpoint Detection" or tgt.process.cmdline contains "Endpoint Protection" or tgt.process.cmdline contains "Endpoint Security" or tgt.process.cmdline contains "Endpoint Sensor" or tgt.process.cmdline contains "ESET File Security" or tgt.process.cmdline contains "LogRhythm System Monitor Service" or tgt.process.cmdline contains "Malwarebytes" or tgt.process.cmdline contains "McAfee Agent" or tgt.process.cmdline contains "Microsoft Security Client" 
or tgt.process.cmdline contains "Sophos Anti-Virus" or tgt.process.cmdline contains "Sophos AutoUpdate" or tgt.process.cmdline contains "Sophos Credential Store" or tgt.process.cmdline contains "Sophos Management Console" or tgt.process.cmdline contains "Sophos Management Database" or tgt.process.cmdline contains "Sophos Management Server" or tgt.process.cmdline contains "Sophos Remote Management System" or tgt.process.cmdline contains "Sophos Update Manager" or tgt.process.cmdline contains "Threat Protection" or tgt.process.cmdline contains "VirusScan" or tgt.process.cmdline contains "Webroot SecureAnywhere" or tgt.process.cmdline contains "Windows Defender"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md index 22a9b154e..d712744c4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "-format" or tgt.process.cmdline contains "/format" or tgt.process.cmdline contains "–format" or tgt.process.cmdline contains "—format" or tgt.process.cmdline contains "―format")) and (not (tgt.process.cmdline contains "Format:List" or tgt.process.cmdline contains "Format:htable" or tgt.process.cmdline contains "Format:hform" or tgt.process.cmdline contains "Format:table" or tgt.process.cmdline contains "Format:mof" or tgt.process.cmdline contains "Format:value" or tgt.process.cmdline contains "Format:rawxml" or tgt.process.cmdline contains "Format:xml" or tgt.process.cmdline contains "Format:csv")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md index e33bbc5e8..0d8c9f018 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wbem\WmiPrvSE.exe" and ((tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\verclsid.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript"))) and (not (tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\WmiPrvSE.exe" or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.cmdline contains "/i "))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md index c51308a30..ee4e28f09 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path="C:\Windows\System32\wpbbin.exe") ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md index db985e2ea..666989770 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\") and (tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".jse" or tgt.process.cmdline contains ".vba" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".wsf"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md index 502bc85cd..6c39ff385 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\rundll32.exe" or ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and ((tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec")))) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "UpdatePerUserSystemParameters" or tgt.process.cmdline contains "PrintUIEntry" or tgt.process.cmdline contains "ClearMyTracksByProcess"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md index 98ad0a389..a4ae74b17 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wsl.exe" or src.process.image.path contains "\wslhost.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "C:\Windows\Temp\" or tgt.process.image.path contains "C:\Temp\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md index 983f0df23..02aa8440b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path matches "[a-zA-Z]:\\\\" and tgt.process.image.path contains "\\wsl.localhost")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md index bbe03478a..029936cee 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 03-01-2025 01:19:47): +// Translated content (automatically translated on 04-01-2025 01:18:14): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wusa.exe" and tgt.process.cmdline contains "/extract:") and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\Appdata\Local\Temp\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md index 96228ea2e..7213c338d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wusa.exe" and ((src.process.image.path contains ":\Perflogs\" or src.process.image.path contains ":\Users\Public\" or src.process.image.path contains ":\Windows\Temp\" or src.process.image.path contains "\Appdata\Local\Temp\" or src.process.image.path contains "\Temporary Internet") or ((src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favorites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favourites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Contacts\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Pictures\"))) and (not tgt.process.cmdline contains ".msu")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
index 372039eaa..0d8740463 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 03-01-2025 01:19:47):
+// Translated content (automatically translated on 04-01-2025 01:18:14):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="RunWizard" and tgt.process.cmdline matches "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"))
 ```
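Review bot: The xwizard query in the last hunk on this line can never match: `tgt.process.cmdline="RunWizard"` requires the whole command line to equal that bare string, while the following `matches` clause requires the same field to also contain a braced GUID, so the conjunction is unsatisfiable and the detection is effectively switched off. The other translated rules on this page use `contains` for substring checks, so `tgt.process.cmdline contains "RunWizard"` looks like the intended form, and the fix belongs in the translation step that emits these files rather than in this generated output. The commit only refreshes the timestamp comment, so the dead condition survives it unchanged.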