Skip to content

Commit

Permalink
Apply automatic changes
Browse files Browse the repository at this point in the history
  • Loading branch information
@wikijm @github-actions
wikijm authored and github-actions[bot] committed Oct 9, 2024
1 parent 58cc7cf commit 1106fe0
Show file tree
Hide file tree
Showing 556 changed files with 556 additions and 556 deletions.
2 changes: 1 addition & 1 deletion ... Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\addinutil.exe" and (not (tgt.process.image.path contains ":\Windows\System32\conhost.exe" or tgt.process.image.path contains ":\Windows\System32\werfault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\werfault.exe"))))
```

Expand Down
2 changes: 1 addition & 1 deletion ...Q - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\appvlp.exe" and (not (tgt.process.image.path contains ":\Windows\SysWOW64\rundll32.exe" or tgt.process.image.path contains ":\Windows\System32\rundll32.exe")) and (not ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\msoasb.exe") or ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\SkypeSrv\") and tgt.process.image.path contains "\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\MSOUC.EXE")))))
```

Expand Down
2 changes: 1 addition & 1 deletion ...ne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe"))
```

Expand Down
2 changes: 1 addition & 1 deletion ...indows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\aspnet_compiler.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\notepad.exe") or (tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\AppData\Local\Roaming\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\"))))
```

Expand Down
2 changes: 1 addition & 1 deletion ...e_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe" and (tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Local\Roaming\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains ":\Windows\System32\Tasks\" or tgt.process.cmdline contains ":\Windows\Tasks\")))
```

Expand Down
2 changes: 1 addition & 1 deletion ...One_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\at.exe" and tgt.process.cmdline contains "interactive"))
```

Expand Down
2 changes: 1 addition & 1 deletion ... - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none"))
```

Expand Down
2 changes: 1 addition & 1 deletion ...- Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\" or tgt.process.image.path contains "\AppData\Roaming\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\PerfLogs\"))))
```

Expand Down
2 changes: 1 addition & 1 deletion ...Q - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe"))
```

Expand Down
2 changes: 1 addition & 1 deletion ...lOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\BitLockerToGo.exe")
```

Expand Down
2 changes: 1 addition & 1 deletion ...dows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--remote-debugging-" and tgt.process.cmdline contains "--user-data-dir" and tgt.process.cmdline contains "--headless"))
```

Expand Down
2 changes: 1 addition & 1 deletion ...- Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless"))
```

Expand Down
2 changes: 1 addition & 1 deletion ... Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and (tgt.process.cmdline contains "--headless" and tgt.process.cmdline contains "dump-dom" and tgt.process.cmdline contains "http")))
```

Expand Down
2 changes: 1 addition & 1 deletion ... Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension="))
```

Expand Down
2 changes: 1 addition & 1 deletion ...- Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless" and (tgt.process.cmdline contains "://run.mocky" or tgt.process.cmdline contains "://mockbin")))
```

Expand Down
2 changes: 1 addition & 1 deletion ...ows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\wscript.exe") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension="))
```

Expand Down
2 changes: 1 addition & 1 deletion ...Q - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http" and (tgt.process.cmdline contains ".7z" or tgt.process.cmdline contains ".dat" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".ps1" or tgt.process.cmdline contains ".psm1" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".zip")))
```

Expand Down
2 changes: 1 addition & 1 deletion ...ne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --remote-debugging-" or (tgt.process.image.path contains "\firefox.exe" and tgt.process.cmdline contains " -start-debugger-server")))
```

Expand Down
2 changes: 1 addition & 1 deletion ...elOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tor.exe" or tgt.process.image.path contains "\Tor Browser\Browser\firefox.exe"))
```

Expand Down
2 changes: 1 addition & 1 deletion SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\calc.exe " or (tgt.process.image.path contains "\calc.exe" and (not (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\" or tgt.process.image.path contains ":\Windows\WinSxS\")))))
```

Expand Down
2 changes: 1 addition & 1 deletion ...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\cmd.exe" and (src.process.cmdline contains " -c " or src.process.cmdline contains " /c " or src.process.cmdline contains " –c " or src.process.cmdline contains " —c " or src.process.cmdline contains " ―c " or src.process.cmdline contains " -r " or src.process.cmdline contains " /r " or src.process.cmdline contains " –r " or src.process.cmdline contains " —r " or src.process.cmdline contains " ―r " or src.process.cmdline contains " -k " or src.process.cmdline contains " /k " or src.process.cmdline contains " –k " or src.process.cmdline contains " —k " or src.process.cmdline contains " ―k ") and tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains "chcp" or tgt.process.cmdline contains "chcp " or tgt.process.cmdline contains "chcp ")))
```

Expand Down
2 changes: 1 addition & 1 deletion ...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains " 936" or tgt.process.cmdline contains " 1258"))) | columns src.process.cmdline
```

Expand Down
2 changes: 1 addition & 1 deletion ... - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cloudflared.exe" and (not (tgt.process.image.path contains ":\Program Files (x86)\cloudflared\" or tgt.process.image.path contains ":\Program Files\cloudflared\"))))
```

Expand Down
2 changes: 1 addition & 1 deletion ...e_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains "cleanup ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-connector-id ")))
```

Expand Down
2 changes: 1 addition & 1 deletion ...elOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains " run ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-credentials-contents " or tgt.process.cmdline contains "-credentials-file " or tgt.process.cmdline contains "-token ")))
```

Expand Down
2 changes: 1 addition & 1 deletion ...PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " –c " or tgt.process.cmdline contains " —c " or tgt.process.cmdline contains " ―c ") and (tgt.process.cmdline contains "curl " and tgt.process.cmdline contains "http" and tgt.process.cmdline contains "-o" and tgt.process.cmdline contains "&")))
```

Expand Down
2 changes: 1 addition & 1 deletion SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "^^" or tgt.process.cmdline contains "^|^" or tgt.process.cmdline contains ",;," or tgt.process.cmdline contains ";;;;" or tgt.process.cmdline contains ";; ;;" or tgt.process.cmdline contains "(,(," or tgt.process.cmdline contains "%COMSPEC:~" or tgt.process.cmdline contains " c^m^d" or tgt.process.cmdline contains "^c^m^d" or tgt.process.cmdline contains " c^md" or tgt.process.cmdline contains " cm^d" or tgt.process.cmdline contains "^cm^d" or tgt.process.cmdline contains " s^et " or tgt.process.cmdline contains " s^e^t " or tgt.process.cmdline contains " se^t "))
```

Expand Down
2 changes: 1 addition & 1 deletion SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "://" and tgt.process.cmdline contains "%AppData%"))) | columns tgt.process.cmdline,src.process.cmdline
```

Expand Down
2 changes: 1 addition & 1 deletion ...s Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "mklink" and tgt.process.cmdline contains "HarddiskVolumeShadowCopy"))
```

Expand Down
2 changes: 1 addition & 1 deletion ...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "cmd.exe/c" or tgt.process.cmdline contains "\cmd/c" or tgt.process.cmdline contains "\"cmd/c" or tgt.process.cmdline contains "cmd.exe/k" or tgt.process.cmdline contains "\cmd/k" or tgt.process.cmdline contains "\"cmd/k" or tgt.process.cmdline contains "cmd.exe/r" or tgt.process.cmdline contains "\cmd/r" or tgt.process.cmdline contains "\"cmd/r") or (tgt.process.cmdline contains "/cwhoami" or tgt.process.cmdline contains "/cpowershell" or tgt.process.cmdline contains "/cschtasks" or tgt.process.cmdline contains "/cbitsadmin" or tgt.process.cmdline contains "/ccertutil" or tgt.process.cmdline contains "/kwhoami" or tgt.process.cmdline contains "/kpowershell" or tgt.process.cmdline contains "/kschtasks" or tgt.process.cmdline contains "/kbitsadmin" or tgt.process.cmdline contains "/kcertutil") or (tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /r")) and (not ((tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /r ") or (tgt.process.cmdline contains "AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules" or tgt.process.cmdline contains "cmd.exe/c ." or tgt.process.cmdline="cmd.exe /c")))))
```

Expand Down
2 changes: 1 addition & 1 deletion ...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "type %windir%\system32\ntdll.dll" or tgt.process.cmdline contains "type %systemroot%\system32\ntdll.dll" or tgt.process.cmdline contains "type c:\windows\system32\ntdll.dll" or tgt.process.cmdline contains "\ntdll.dll > \\.\pipe\"))
```

Expand Down
2 changes: 1 addition & 1 deletion ...- Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
```sql
// Translated content (automatically translated on 08-10-2024 01:19:09):
// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ") and tgt.process.cmdline contains "Nul" and (tgt.process.cmdline contains " -f " or tgt.process.cmdline contains " /f " or tgt.process.cmdline contains " –f " or tgt.process.cmdline contains " —f " or tgt.process.cmdline contains " ―f " or tgt.process.cmdline contains " -q " or tgt.process.cmdline contains " /q " or tgt.process.cmdline contains " –q " or tgt.process.cmdline contains " —q " or tgt.process.cmdline contains " ―q ") and (tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "del ")))
```

Expand Down
Loading

0 comments on commit 1106fe0

Please sign in to comment.