From 1106fe08304eea860071f7247919d0b411469cdd Mon Sep 17 00:00:00 2001 
From: wikijm Date: Wed, 9 Oct 2024 01:18:51 +0000 Subject: [PATCH] Apply automatic changes --- .../proc_creation_win_addinutil_uncommon_child_process.md | 2 +- .../proc_creation_win_appvlp_uncommon_child_process.md | 2 +- .../proc_creation_win_aspnet_compiler_exectuion.md | 2 +- .../proc_creation_win_aspnet_compiler_susp_child_process.md | 2 +- .../proc_creation_win_aspnet_compiler_susp_paths.md | 2 +- .../proc_creation_win_at_interactive_execution.md | 2 +- .../proc_creation_win_auditpol_nt_resource_kit_usage.md | 2 +- .../proc_creation_win_bginfo_suspicious_child_process.md | 2 +- .../proc_creation_win_bginfo_uncommon_child_process.md | 2 +- .../proc_creation_win_bitlockertogo_execution.md | 2 +- .../proc_creation_win_browsers_chromium_headless_debugging.md | 2 +- .../proc_creation_win_browsers_chromium_headless_exec.md | 2 +- ...roc_creation_win_browsers_chromium_headless_file_download.md | 2 +- .../proc_creation_win_browsers_chromium_load_extension.md | 2 +- .../proc_creation_win_browsers_chromium_mockbin_abuse.md | 2 +- .../proc_creation_win_browsers_chromium_susp_load_extension.md | 2 +- .../proc_creation_win_browsers_inline_file_download.md | 2 +- .../proc_creation_win_browsers_remote_debugging.md | 2 +- .../proc_creation_win_browsers_tor_execution.md | 2 +- .../proc_creation_win_calc_uncommon_exec.md | 2 +- .../proc_creation_win_chcp_codepage_lookup.md | 2 +- .../proc_creation_win_chcp_codepage_switch.md | 2 +- .../proc_creation_win_cloudflared_portable_execution.md | 2 +- .../proc_creation_win_cloudflared_tunnel_cleanup.md | 2 +- .../proc_creation_win_cloudflared_tunnel_run.md | 2 +- .../proc_creation_win_cmd_curl_download_exec_combo.md | 2 +- .../proc_creation_win_cmd_dosfuscation.md | 2 +- .../proc_creation_win_cmd_http_appdata.md | 2 +- ...proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md | 2 +- .../proc_creation_win_cmd_no_space_execution.md | 2 +- .../proc_creation_win_cmd_ntdllpipe_redirect.md | 2 +- 
.../proc_creation_win_cmd_ping_del_combined_execution.md | 2 +- .../proc_creation_win_cmd_shadowcopy_access.md | 2 +- .../proc_creation_win_cmd_sticky_key_like_backdoor_execution.md | 2 +- .../proc_creation_win_cmd_sticky_keys_replace.md | 2 +- .../proc_creation_win_cmd_type_arbitrary_file_download.md | 2 +- .../proc_creation_win_cmd_unusual_parent.md | 2 +- .../proc_creation_win_cmstp_execution_by_creation.md | 2 +- .../proc_creation_win_conhost_legacy_option.md | 2 +- .../proc_creation_win_conhost_path_traversal.md | 2 +- .../proc_creation_win_conhost_uncommon_parent.md | 2 +- .../proc_creation_win_csc_susp_dynamic_compilation.md | 2 +- .../proc_creation_win_curl_susp_download.md | 2 +- .../proc_creation_win_defaultpack_uncommon_child_process.md | 2 +- .../proc_creation_win_desktopimgdownldr_remote_file_download.md | 2 +- .../proc_creation_win_desktopimgdownldr_susp_execution.md | 2 +- .../proc_creation_win_devinit_lolbin_usage.md | 2 +- .../proc_creation_win_dfsvc_suspicious_child_processes.md | 2 +- .../proc_creation_win_diskshadow_child_process_susp.md | 2 +- .../proc_creation_win_dism_remove.md | 2 +- .../proc_creation_win_dll_sideload_vmware_xfer.md | 2 +- .../proc_creation_win_dllhost_no_cli_execution.md | 2 +- .../proc_creation_win_dns_exfiltration_tools_execution.md | 2 +- .../proc_creation_win_dns_susp_child_process.md | 2 +- .../proc_creation_win_dnscmd_discovery.md | 2 +- ...c_creation_win_dnscmd_install_new_server_level_plugin_dll.md | 2 +- .../proc_creation_win_dnx_execute_csharp_code.md | 2 +- .../proc_creation_win_dtrace_kernel_dump.md | 2 +- .../proc_creation_win_esentutl_params.md | 2 +- .../proc_creation_win_eventvwr_susp_child_process.md | 2 +- .../proc_creation_win_expand_cabinet_files.md | 2 +- .../proc_creation_win_explorer_break_process_tree.md | 2 +- ...oc_creation_win_explorer_folder_shortcut_via_shell_binary.md | 2 +- .../proc_creation_win_explorer_nouaccheck.md | 2 +- .../proc_creation_win_findstr_recon_pipe_output.md | 2 +- 
.../proc_creation_win_forfiles_child_process_masquerading.md | 2 +- .../proc_creation_win_format_uncommon_filesystem_load.md | 2 +- ...c_creation_win_gfxdownloadwrapper_arbitrary_file_download.md | 2 +- .../proc_creation_win_googleupdate_susp_child_process.md | 2 +- .../proc_creation_win_gpg4win_decryption.md | 2 +- .../proc_creation_win_gpg4win_encryption.md | 2 +- .../proc_creation_win_gpg4win_susp_location.md | 2 +- .../proc_creation_win_gpresult_execution.md | 2 +- .../proc_creation_win_gup_arbitrary_binary_execution.md | 2 +- .../proc_creation_win_gup_suspicious_execution.md | 2 +- .../proc_creation_win_hh_html_help_susp_child_process.md | 2 +- .../proc_creation_win_hktl_adcspwn.md | 2 +- .../proc_creation_win_hktl_bloodhound_sharphound.md | 2 +- .../proc_creation_win_hktl_c3_rundll32_pattern.md | 2 +- .../proc_creation_win_hktl_cobaltstrike_process_patterns.md | 2 +- .../proc_creation_win_hktl_covenant.md | 2 +- .../proc_creation_win_hktl_crackmapexec_execution.md | 2 +- .../proc_creation_win_hktl_crackmapexec_execution_patterns.md | 2 +- .../proc_creation_win_hktl_crackmapexec_patterns.md | 2 +- .../proc_creation_win_hktl_dinjector.md | 2 +- .../proc_creation_win_hktl_empire_powershell_launch.md | 2 +- .../proc_creation_win_hktl_empire_powershell_uac_bypass.md | 2 +- .../proc_creation_win_hktl_evil_winrm.md | 2 +- .../proc_creation_win_hktl_execution_via_pe_metadata.md | 2 +- .../proc_creation_win_hktl_hashcat.md | 2 +- .../proc_creation_win_hktl_htran_or_natbypass.md | 2 +- .../proc_creation_win_hktl_hydra.md | 2 +- .../proc_creation_win_hktl_impacket_lateral_movement.md | 2 +- .../proc_creation_win_hktl_impacket_tools.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_clip.md | 2 +- ...on_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_stdin.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_var.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_compress.md | 2 +- 
.../proc_creation_win_hktl_invoke_obfuscation_via_stdin.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_var.md | 2 +- .../proc_creation_win_hktl_jlaive_batch_execution.md | 2 +- .../proc_creation_win_hktl_lazagne.md | 2 +- .../proc_creation_win_hktl_meterpreter_getsystem.md | 2 +- .../proc_creation_win_hktl_mimikatz_command_line.md | 2 +- ...roc_creation_win_hktl_powersploit_empire_default_schtasks.md | 2 +- .../proc_creation_win_hktl_pypykatz.md | 2 +- .../proc_creation_win_hktl_quarks_pwdump.md | 2 +- .../proc_creation_win_hktl_redmimicry_winnti_playbook.md | 2 +- .../proc_creation_win_hktl_relay_attacks_tools.md | 2 +- .../proc_creation_win_hktl_sharp_chisel.md | 2 +- .../proc_creation_win_hktl_sharpersist.md | 2 +- .../proc_creation_win_hktl_sharpevtmute.md | 2 +- .../proc_creation_win_hktl_sharpup.md | 2 +- .../proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md | 2 +- .../proc_creation_win_hktl_silenttrinity_stager.md | 2 +- .../proc_creation_win_hktl_sliver_c2_execution_pattern.md | 2 +- .../proc_creation_win_hktl_soaphound_execution.md | 2 +- .../proc_creation_win_hktl_winpwn.md | 2 +- .../proc_creation_win_hktl_wmiexec_default_powershell.md | 2 +- .../proc_creation_win_hktl_xordump.md | 2 +- .../proc_creation_win_hktl_zipexec.md | 2 +- .../proc_creation_win_hostname_execution.md | 2 +- .../proc_creation_win_hwp_exploits.md | 2 +- .../proc_creation_win_hxtsr_masquerading.md | 2 +- .../proc_creation_win_iis_susp_module_registration.md | 2 +- .../proc_creation_win_imagingdevices_unusual_parents.md | 2 +- .../proc_creation_win_infdefaultinstall_execute_sct_scripts.md | 2 +- .../proc_creation_win_instalutil_no_log_execution.md | 2 +- .../proc_creation_win_java_keytool_susp_child_process.md | 2 +- .../proc_creation_win_java_manageengine_susp_child_process.md | 2 +- 
.../proc_creation_win_java_remote_debugging.md | 2 +- .../proc_creation_win_java_susp_child_process.md | 2 +- .../proc_creation_win_java_susp_child_process_2.md | 2 +- .../proc_creation_win_java_sysaidserver_susp_child_process.md | 2 +- .../proc_creation_win_kavremover_uncommon_execution.md | 2 +- .../proc_creation_win_link_uncommon_parent_process.md | 2 +- .../proc_creation_win_lolbin_customshellhost.md | 2 +- .../proc_creation_win_lolbin_device_credential_deployment.md | 2 +- .../proc_creation_win_lolbin_devtoolslauncher.md | 2 +- .../proc_creation_win_lolbin_diantz_ads.md | 2 +- .../proc_creation_win_lolbin_diantz_remote_cab.md | 2 +- .../proc_creation_win_lolbin_extrac32_ads.md | 2 +- .../proc_creation_win_lolbin_launch_vsdevshell.md | 2 +- .../proc_creation_win_lolbin_mavinject_process_injection.md | 2 +- .../proc_creation_win_lolbin_msdeploy.md | 2 +- .../proc_creation_win_lolbin_msdt_answer_file.md | 2 +- .../proc_creation_win_lolbin_openwith.md | 2 +- .../proc_creation_win_lolbin_pcalua.md | 2 +- .../proc_creation_win_lolbin_pcwrun.md | 2 +- .../proc_creation_win_lolbin_pcwrun_follina.md | 2 +- .../proc_creation_win_lolbin_pester.md | 2 +- .../proc_creation_win_lolbin_pester_1.md | 2 +- .../proc_creation_win_lolbin_printbrm.md | 2 +- .../proc_creation_win_lolbin_pubprn.md | 2 +- .../proc_creation_win_lolbin_register_app.md | 2 +- .../proc_creation_win_lolbin_replace.md | 2 +- .../proc_creation_win_lolbin_runexehelper.md | 2 +- .../proc_creation_win_lolbin_runscripthelper.md | 2 +- .../proc_creation_win_lolbin_settingsynchost.md | 2 +- .../proc_creation_win_lolbin_sftp.md | 2 +- ...proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md | 2 +- .../proc_creation_win_lolbin_susp_grpconv.md | 2 +- .../proc_creation_win_lolbin_susp_sqldumper_activity.md | 2 +- ...ation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md | 2 +- .../proc_creation_win_lolbin_tracker.md | 2 +- .../proc_creation_win_lolbin_tttracer_mod_load.md | 2 +- 
.../proc_creation_win_lolbin_utilityfunctions.md | 2 +- .../proc_creation_win_lolbin_visual_basic_compiler.md | 2 +- .../proc_creation_win_lsass_process_clone.md | 2 +- .../proc_creation_win_mftrace_child_process.md | 2 +- .../proc_creation_win_mmc_mmc20_lateral_movement.md | 2 +- .../proc_creation_win_mmc_susp_child_process.md | 2 +- .../proc_creation_win_mpcmdrun_dll_sideload_defender.md | 2 +- .../proc_creation_win_mshta_inline_vbscript.md | 2 +- .../proc_creation_win_mshta_lethalhta_technique.md | 2 +- .../proc_creation_win_mshta_susp_execution.md | 2 +- .../proc_creation_win_msiexec_embedding.md | 2 +- .../proc_creation_win_msiexec_execute_dll.md | 2 +- .../proc_creation_win_msiexec_web_install.md | 2 +- .../proc_creation_win_msra_process_injection.md | 2 +- .../proc_creation_win_mssql_susp_child_process.md | 2 +- .../proc_creation_win_mssql_veaam_susp_child_processes.md | 2 +- .../proc_creation_win_mstsc_rdp_hijack_shadowing.md | 2 +- .../proc_creation_win_msxsl_execution.md | 2 +- .../proc_creation_win_msxsl_remote_execution.md | 2 +- .../proc_creation_win_node_abuse.md | 2 +- .../proc_creation_win_node_adobe_creative_cloud_abuse.md | 2 +- .../proc_creation_win_nslookup_domain_discovery.md | 2 +- .../proc_creation_win_ntdsutil_usage.md | 2 +- .../proc_creation_win_odbcconf_uncommon_child_process.md | 2 +- ...roc_creation_win_office_onenote_embedded_script_execution.md | 2 +- ...eation_win_office_outlook_enable_unsafe_client_mail_rules.md | 2 +- .../proc_creation_win_office_outlook_execution_from_temp.md | 2 +- .../proc_creation_win_office_outlook_susp_child_processes.md | 2 +- ...c_creation_win_office_outlook_susp_child_processes_remote.md | 2 +- .../proc_creation_win_office_spawn_exe_from_users_directory.md | 2 +- .../proc_creation_win_pdqdeploy_runner_susp_children.md | 2 +- .../proc_creation_win_ping_hex_ip.md | 2 +- .../proc_creation_win_plink_port_forwarding.md | 2 +- .../proc_creation_win_plink_susp_tunneling.md | 2 +- 
.../proc_creation_win_powershell_amsi_init_failed_bypass.md | 2 +- .../proc_creation_win_powershell_amsi_null_bits_bypass.md | 2 +- .../proc_creation_win_powershell_audio_capture.md | 2 +- .../proc_creation_win_powershell_base64_encoded_obfusc.md | 2 +- .../proc_creation_win_powershell_base64_frombase64string.md | 2 +- .../proc_creation_win_powershell_base64_iex.md | 2 +- .../proc_creation_win_powershell_base64_mppreference.md | 2 +- ...c_creation_win_powershell_base64_reflection_assembly_load.md | 2 +- ...ion_win_powershell_base64_reflection_assembly_load_obfusc.md | 2 +- .../proc_creation_win_powershell_cl_invocation.md | 2 +- .../proc_creation_win_powershell_cl_loadassembly.md | 2 +- .../proc_creation_win_powershell_cl_mutexverifiers.md | 2 +- .../proc_creation_win_powershell_create_service.md | 2 +- .../proc_creation_win_powershell_decode_gzip.md | 2 +- .../proc_creation_win_powershell_defender_disable_feature.md | 2 +- .../proc_creation_win_powershell_defender_exclusion.md | 2 +- .../proc_creation_win_powershell_disable_ie_features.md | 2 +- .../proc_creation_win_powershell_downgrade_attack.md | 2 +- .../proc_creation_win_powershell_download_com_cradles.md | 2 +- .../proc_creation_win_powershell_download_cradle_obfuscated.md | 2 +- .../proc_creation_win_powershell_download_cradles.md | 2 +- .../proc_creation_win_powershell_download_dll.md | 2 +- .../proc_creation_win_powershell_download_iex.md | 2 +- .../proc_creation_win_powershell_dsinternals_cmdlets.md | 2 +- .../proc_creation_win_powershell_email_exfil.md | 2 +- ...ation_win_powershell_enable_susp_windows_optional_feature.md | 2 +- .../proc_creation_win_powershell_encode.md | 2 +- .../proc_creation_win_powershell_exec_data_file.md | 2 +- .../proc_creation_win_powershell_export_certificate.md | 2 +- .../proc_creation_win_powershell_frombase64string.md | 2 +- .../proc_creation_win_powershell_frombase64string_archive.md | 2 +- .../proc_creation_win_powershell_get_clipboard.md | 2 +- 
.../proc_creation_win_powershell_get_localgroup_member_recon.md | 2 +- .../proc_creation_win_powershell_getprocess_lsass.md | 2 +- .../proc_creation_win_powershell_iex_patterns.md | 2 +- .../proc_creation_win_powershell_import_cert_susp_locations.md | 2 +- .../proc_creation_win_powershell_import_module_susp_dirs.md | 2 +- .../proc_creation_win_powershell_invocation_specific.md | 2 +- .../proc_creation_win_powershell_mailboxexport_share.md | 2 +- .../proc_creation_win_powershell_malicious_cmdlets.md | 2 +- .../proc_creation_win_powershell_msexchange_transport_agent.md | 2 +- .../proc_creation_win_powershell_obfuscation_via_utf8.md | 2 +- .../proc_creation_win_powershell_public_folder.md | 2 +- ...roc_creation_win_powershell_remotefxvgpudisablement_abuse.md | 2 +- .../proc_creation_win_powershell_remove_mppreference.md | 2 +- .../proc_creation_win_powershell_run_script_from_ads.md | 2 +- ...proc_creation_win_powershell_run_script_from_input_stream.md | 2 +- .../proc_creation_win_powershell_sam_access.md | 2 +- .../proc_creation_win_powershell_script_engine_parent.md | 2 +- .../proc_creation_win_powershell_shadowcopy_deletion.md | 2 +- .../proc_creation_win_powershell_susp_download_patterns.md | 2 +- .../proc_creation_win_powershell_susp_parameter_variation.md | 2 +- .../proc_creation_win_powershell_susp_ps_appdata.md | 2 +- .../proc_creation_win_powershell_susp_ps_downloadfile.md | 2 +- .../proc_creation_win_powershell_token_obfuscation.md | 2 +- .../proc_creation_win_powershell_x509enrollment.md | 2 +- .../proc_creation_win_powershell_zip_compress.md | 2 +- .../proc_creation_win_pressanykey_lolbin_execution.md | 2 +- .../proc_creation_win_print_remote_file_copy.md | 2 +- .../proc_creation_win_provlaunch_potential_abuse.md | 2 +- .../proc_creation_win_provlaunch_susp_child_process.md | 2 +- .../proc_creation_win_psr_capture_screenshots.md | 2 +- .../proc_creation_win_pua_3proxy_execution.md | 2 +- .../proc_creation_win_pua_adfind_enumeration.md | 2 +- 
.../proc_creation_win_pua_adfind_susp_usage.md | 2 +- .../proc_creation_win_pua_advancedrun_priv_user.md | 2 +- .../proc_creation_win_pua_chisel.md | 2 +- .../proc_creation_win_pua_cleanwipe.md | 2 +- .../proc_creation_win_pua_csexec.md | 2 +- .../proc_creation_win_pua_defendercheck.md | 2 +- .../proc_creation_win_pua_ditsnap.md | 2 +- .../proc_creation_win_pua_mouselock_execution.md | 2 +- .../proc_creation_win_pua_netcat.md | 2 +- .../proc_creation_win_pua_netscan.md | 2 +- .../proc_creation_win_pua_ngrok.md | 2 +- .../proc_creation_win_pua_nircmd_as_system.md | 2 +- .../proc_creation_win_pua_rcedit_execution.md | 2 +- .../proc_creation_win_pua_rclone_execution.md | 2 +- .../proc_creation_win_pua_runxcmd.md | 2 +- .../proc_creation_win_pua_webbrowserpassview.md | 2 +- .../proc_creation_win_python_adidnsdump.md | 2 +- .../proc_creation_win_python_pty_spawn.md | 2 +- .../proc_creation_win_qemu_suspicious_execution.md | 2 +- .../proc_creation_win_query_session_exfil.md | 2 +- .../proc_creation_win_rar_compress_data.md | 2 +- .../proc_creation_win_rar_compression_with_password.md | 2 +- .../proc_creation_win_rar_susp_greedy_compression.md | 2 +- .../proc_creation_win_rasdial_execution.md | 2 +- .../proc_creation_win_reg_add_run_key.md | 2 +- .../proc_creation_win_reg_bitlocker.md | 2 +- ...oc_creation_win_reg_credential_access_via_password_filter.md | 2 +- .../proc_creation_win_reg_defender_exclusion.md | 2 +- ...c_creation_win_reg_direct_asep_registry_keys_modification.md | 2 +- .../proc_creation_win_reg_disable_sec_services.md | 2 +- ..._creation_win_reg_enumeration_for_credentials_in_registry.md | 2 +- .../proc_creation_win_reg_lsa_disable_restricted_admin.md | 2 +- .../proc_creation_win_reg_machineguid.md | 2 +- .../proc_creation_win_reg_nolmhash.md | 2 +- .../proc_creation_win_reg_open_command.md | 2 +- .../proc_creation_win_reg_screensaver.md | 2 +- .../proc_creation_win_reg_service_imagepath_change.md | 2 +- .../proc_creation_win_reg_software_discovery.md | 2 
+- .../proc_creation_win_reg_volsnap_disable.md | 2 +- .../proc_creation_win_reg_write_protect_for_storage_disabled.md | 2 +- .../proc_creation_win_regedit_trustedinstaller.md | 2 +- .../proc_creation_win_registry_cimprovider_dll_load.md | 2 +- ...roc_creation_win_registry_enumeration_for_credentials_cli.md | 2 +- ...win_registry_ie_security_zone_protocol_defaults_downgrade.md | 2 +- .../proc_creation_win_registry_install_reg_debugger_backdoor.md | 2 +- .../proc_creation_win_registry_logon_script.md | 2 +- .../proc_creation_win_registry_new_network_provider.md | 2 +- ...tion_win_registry_office_disable_python_security_warnings.md | 2 +- ...reation_win_registry_privilege_escalation_via_service_key.md | 2 +- ...roc_creation_win_registry_provlaunch_provisioning_command.md | 2 +- ...proc_creation_win_registry_set_unsecure_powershell_policy.md | 2 +- .../proc_creation_win_registry_special_accounts_hide_user.md | 2 +- .../proc_creation_win_registry_typed_paths_persistence.md | 2 +- .../proc_creation_win_regsvr32_flags_anomaly.md | 2 +- .../proc_creation_win_regsvr32_susp_child_process.md | 2 +- .../proc_creation_win_regsvr32_susp_parent.md | 2 +- .../proc_creation_win_remote_access_tools_anydesk.md | 2 +- ...on_win_remote_access_tools_anydesk_piped_password_via_cli.md | 2 +- ...c_creation_win_remote_access_tools_anydesk_silent_install.md | 2 +- .../proc_creation_win_remote_access_tools_anydesk_susp_exec.md | 2 +- .../proc_creation_win_remote_access_tools_gotoopener.md | 2 +- .../proc_creation_win_remote_access_tools_logmein.md | 2 +- .../proc_creation_win_remote_access_tools_meshagent_exec.md | 2 +- ...eation_win_remote_access_tools_rurat_non_default_location.md | 2 +- .../proc_creation_win_remote_access_tools_screenconnect.md | 2 +- ..._remote_access_tools_screenconnect_installation_cli_param.md | 2 +- ...n_remote_access_tools_screenconnect_remote_execution_susp.md | 2 +- ...c_creation_win_remote_access_tools_screenconnect_webshell.md | 2 +- 
.../proc_creation_win_remote_access_tools_simple_help.md | 2 +- ...on_win_remote_access_tools_teamviewer_incoming_connection.md | 2 +- .../proc_creation_win_remote_time_discovery.md | 2 +- .../proc_creation_win_renamed_jusched.md | 2 +- .../proc_creation_win_renamed_rundll32_dllregisterserver.md | 2 +- .../proc_creation_win_renamed_rurat.md | 2 +- .../proc_creation_win_rpcping_credential_capture.md | 2 +- .../proc_creation_win_rundll32_inline_vbs.md | 2 +- .../proc_creation_win_rundll32_mshtml_runhtmlapplication.md | 2 +- .../proc_creation_win_rundll32_no_params.md | 2 +- .../proc_creation_win_rundll32_run_locations.md | 2 +- .../proc_creation_win_rundll32_setupapi_installhinfsection.md | 2 +- .../proc_creation_win_rundll32_spawn_explorer.md | 2 +- .../proc_creation_win_rundll32_susp_activity.md | 2 +- .../proc_creation_win_rundll32_susp_shellexec_execution.md | 2 +- .../proc_creation_win_rundll32_susp_shimcache_flush.md | 2 +- .../proc_creation_win_rundll32_sys.md | 2 +- .../proc_creation_win_rundll32_webdav_client_susp_execution.md | 2 +- .../proc_creation_win_rundll32_without_parameters.md | 2 +- .../proc_creation_win_runonce_execution.md | 2 +- ...roc_creation_win_sc_change_sevice_image_path_by_non_admin.md | 2 +- .../proc_creation_win_sc_create_service.md | 2 +- .../proc_creation_win_sc_new_kernel_driver.md | 2 +- .../proc_creation_win_sc_service_path_modification.md | 2 +- .../proc_creation_win_sc_service_tamper_for_persistence.md | 2 +- .../proc_creation_win_schtasks_appdata_local_system.md | 2 +- .../proc_creation_win_schtasks_change.md | 2 +- .../proc_creation_win_schtasks_creation.md | 2 +- .../proc_creation_win_schtasks_creation_temp_folder.md | 2 +- .../proc_creation_win_schtasks_delete.md | 2 +- .../proc_creation_win_schtasks_delete_all.md | 2 +- .../proc_creation_win_schtasks_disable.md | 2 +- .../proc_creation_win_schtasks_env_folder.md | 2 +- .../proc_creation_win_schtasks_guid_task_name.md | 2 +- 
.../proc_creation_win_schtasks_powershell_persistence.md | 2 +- .../proc_creation_win_schtasks_susp_pattern.md | 2 +- .../proc_creation_win_schtasks_system.md | 2 +- .../proc_creation_win_scrcons_susp_child_process.md | 2 +- .../proc_creation_win_sdclt_child_process.md | 2 +- .../proc_creation_win_sdiagnhost_susp_child.md | 2 +- .../proc_creation_win_servu_susp_child_process.md | 2 +- .../proc_creation_win_setres_uncommon_child_process.md | 2 +- .../proc_creation_win_shutdown_execution.md | 2 +- .../proc_creation_win_shutdown_logoff.md | 2 +- .../proc_creation_win_sigverif_uncommon_child_process.md | 2 +- .../proc_creation_win_sndvol_susp_child_processes.md | 2 +- .../proc_creation_win_soundrecorder_audio_capture.md | 2 +- .../proc_creation_win_splwow64_cli_anomaly.md | 2 +- .../proc_creation_win_sqlcmd_veeam_db_recon.md | 2 +- .../proc_creation_win_sqlcmd_veeam_dump.md | 2 +- .../proc_creation_win_sqlite_chromium_profile_data.md | 2 +- .../proc_creation_win_sqlite_firefox_gecko_profile_data.md | 2 +- .../proc_creation_win_squirrel_download.md | 2 +- .../proc_creation_win_squirrel_proxy_execution.md | 2 +- .../proc_creation_win_ssh_port_forward.md | 2 +- .../proc_creation_win_ssh_proxy_execution.md | 2 +- .../proc_creation_win_ssh_rdp_tunneling.md | 2 +- .../proc_creation_win_ssm_agent_abuse.md | 2 +- .../proc_creation_win_stordiag_susp_child_process.md | 2 +- .../proc_creation_win_susp_16bit_application.md | 2 +- .../proc_creation_win_susp_add_user_local_admin_group.md | 2 +- .../proc_creation_win_susp_add_user_privileged_group.md | 2 +- .../proc_creation_win_susp_add_user_remote_desktop_group.md | 2 +- .../proc_creation_win_susp_alternate_data_streams.md | 2 +- ...eation_win_susp_always_install_elevated_windows_installer.md | 2 +- .../proc_creation_win_susp_appx_execution.md | 2 +- ...ion_win_susp_arbitrary_shell_execution_via_settingcontent.md | 2 +- .../proc_creation_win_susp_archiver_iso_phishing.md | 2 +- 
.../proc_creation_win_susp_bad_opsec_sacrificial_processes.md | 2 +- ...tion_win_susp_browser_launch_from_document_reader_process.md | 2 +- .../proc_creation_win_susp_cli_obfuscation_escape_char.md | 2 +- ...proc_creation_win_susp_commandline_path_traversal_evasion.md | 2 +- .../proc_creation_win_susp_crypto_mining_monero.md | 2 +- .../proc_creation_win_susp_data_exfiltration_via_cli.md | 2 +- .../proc_creation_win_susp_disable_raccine.md | 2 +- .../proc_creation_win_susp_double_extension.md | 2 +- .../proc_creation_win_susp_double_extension_parent.md | 2 +- .../proc_creation_win_susp_download_office_domain.md | 2 +- .../proc_creation_win_susp_dumpstack_log_evasion.md | 2 +- .../proc_creation_win_susp_electron_app_children.md | 2 +- .../proc_creation_win_susp_embed_exe_lnk.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_1.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_2.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_3.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_4.md | 2 +- .../proc_creation_win_susp_etw_modification_cmdline.md | 2 +- .../proc_creation_win_susp_etw_trace_evasion.md | 2 +- .../proc_creation_win_susp_eventlog_clear.md | 2 +- ..._creation_win_susp_execution_from_public_folder_as_parent.md | 2 +- .../proc_creation_win_susp_execution_path.md | 2 +- .../proc_creation_win_susp_gather_network_info_execution.md | 2 +- .../proc_creation_win_susp_hidden_dir_index_allocation.md | 2 +- .../proc_creation_win_susp_hiding_malware_in_fonts_folder.md | 2 +- .../proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md | 2 +- .../proc_creation_win_susp_image_missing.md | 2 +- .../proc_creation_win_susp_inline_base64_mz_header.md | 2 +- .../proc_creation_win_susp_inline_win_api_access.md | 2 +- .../proc_creation_win_susp_jwt_token_search.md | 2 +- ...oc_creation_win_susp_local_system_owner_account_discovery.md | 2 +- .../proc_creation_win_susp_lsass_dmp_cli_keywords.md | 2 +- .../proc_creation_win_susp_ms_appinstaller_download.md | 2 
+- .../proc_creation_win_susp_network_command.md | 2 +- .../proc_creation_win_susp_network_scan_loop.md | 2 +- .../proc_creation_win_susp_network_sniffing.md | 2 +- .../proc_creation_win_susp_no_image_name.md | 2 +- .../proc_creation_win_susp_non_exe_image.md | 2 +- .../proc_creation_win_susp_non_priv_reg_or_ps.md | 2 +- .../proc_creation_win_susp_ntds.md | 2 +- .../proc_creation_win_susp_nteventlogfile_usage.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_path_use_cli.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_path_use_image.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_cli.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_image.md | 2 +- .../proc_creation_win_susp_obfuscated_ip_download.md | 2 +- .../proc_creation_win_susp_obfuscated_ip_via_cli.md | 2 +- .../proc_creation_win_susp_parents.md | 2 +- .../proc_creation_win_susp_privilege_escalation_cli_patterns.md | 2 +- .../proc_creation_win_susp_proc_wrong_parent.md | 2 +- .../proc_creation_win_susp_progname.md | 2 +- .../proc_creation_win_susp_recycle_bin_fake_execution.md | 2 +- .../proc_creation_win_susp_redirect_local_admin_share.md | 2 +- .../proc_creation_win_susp_remote_desktop_tunneling.md | 2 +- .../proc_creation_win_susp_right_to_left_override.md | 2 +- .../proc_creation_win_susp_script_exec_from_temp.md | 2 +- .../proc_creation_win_susp_sensitive_file_access_shadowcopy.md | 2 +- .../proc_creation_win_susp_service_creation.md | 2 +- .../proc_creation_win_susp_service_dir.md | 2 +- .../proc_creation_win_susp_shell_spawn_susp_program.md | 2 +- .../proc_creation_win_susp_sysnative.md | 2 +- .../proc_creation_win_susp_system_exe_anomaly.md | 2 +- .../proc_creation_win_susp_system_user_anomaly.md | 2 +- .../proc_creation_win_susp_sysvol_access.md | 2 +- .../proc_creation_win_susp_task_folder_evasion.md | 2 +- .../proc_creation_win_susp_use_of_vsjitdebugger_bin.md | 2 +- .../proc_creation_win_susp_weak_or_abused_passwords.md | 2 +- 
.../proc_creation_win_susp_web_request_cmd_and_cmdlets.md | 2 +- .../proc_creation_win_susp_whoami_as_param.md | 2 +- .../proc_creation_win_susp_workfolders.md | 2 +- .../proc_creation_win_svchost_execution_with_no_cli_flags.md | 2 +- .../proc_creation_win_svchost_termserv_proc_spawn.md | 2 +- .../proc_creation_win_svchost_uncommon_parent_process.md | 2 +- .../proc_creation_win_sysinternals_eula_accepted.md | 2 +- .../proc_creation_win_sysinternals_procdump.md | 2 +- .../proc_creation_win_sysinternals_procdump_evasion.md | 2 +- .../proc_creation_win_sysinternals_procdump_lsass.md | 2 +- ...c_creation_win_sysinternals_psexec_paexec_escalate_system.md | 2 +- .../proc_creation_win_sysinternals_psexec_remote_execution.md | 2 +- .../proc_creation_win_sysinternals_psexesvc_as_system.md | 2 +- .../proc_creation_win_sysinternals_susp_psexec_paexec_flags.md | 2 +- .../proc_creation_win_sysinternals_sysmon_config_update.md | 2 +- .../proc_creation_win_sysinternals_sysmon_uninstall.md | 2 +- .../proc_creation_win_sysinternals_tools_masquerading.md | 2 +- .../proc_creation_win_sysprep_appdata.md | 2 +- .../proc_creation_win_takeown_recursive_own.md | 2 +- .../proc_creation_win_tapinstall_execution.md | 2 +- .../proc_creation_win_taskkill_sep.md | 2 +- .../proc_creation_win_taskmgr_localsystem.md | 2 +- .../proc_creation_win_taskmgr_susp_child_process.md | 2 +- ...oc_creation_win_teams_suspicious_command_line_cred_access.md | 2 +- .../proc_creation_win_tscon_localsystem.md | 2 +- .../proc_creation_win_tscon_rdp_redirect.md | 2 +- .../proc_creation_win_uac_bypass_changepk_slui.md | 2 +- .../proc_creation_win_uac_bypass_cleanmgr.md | 2 +- .../proc_creation_win_uac_bypass_cmstp_com_object_access.md | 2 +- .../proc_creation_win_uac_bypass_computerdefaults.md | 2 +- .../proc_creation_win_uac_bypass_consent_comctl32.md | 2 +- .../proc_creation_win_uac_bypass_dismhost.md | 2 +- .../proc_creation_win_uac_bypass_eventvwr_recentviews.md | 2 +- 
.../proc_creation_win_uac_bypass_fodhelper.md | 2 +- .../proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md | 2 +- .../proc_creation_win_uac_bypass_idiagnostic_profile.md | 2 +- .../proc_creation_win_uac_bypass_ieinstal.md | 2 +- .../proc_creation_win_uac_bypass_msconfig_gui.md | 2 +- .../proc_creation_win_uac_bypass_ntfs_reparse_point.md | 2 +- .../proc_creation_win_uac_bypass_pkgmgr_dism.md | 2 +- .../proc_creation_win_uac_bypass_sdclt.md | 2 +- .../proc_creation_win_uac_bypass_trustedpath.md | 2 +- .../proc_creation_win_uac_bypass_winsat.md | 2 +- .../proc_creation_win_uac_bypass_wmp.md | 2 +- .../proc_creation_win_uac_bypass_wsreset_integrity_level.md | 2 +- .../proc_creation_win_ultravnc_susp_execution.md | 2 +- .../proc_creation_win_uninstall_crowdstrike_falcon.md | 2 +- .../proc_creation_win_userinit_uncommon_child_processes.md | 2 +- .../proc_creation_win_virtualbox_execution.md | 2 +- .../proc_creation_win_virtualbox_vboxdrvinst_execution.md | 2 +- .../proc_creation_win_vscode_child_processes_anomalies.md | 2 +- .../proc_creation_win_vscode_tunnel_remote_shell_.md | 2 +- .../proc_creation_win_vscode_tunnel_service_install.md | 2 +- .../proc_creation_win_vslsagent_agentextensionpath_load.md | 2 +- ...proc_creation_win_wab_execution_from_non_default_location.md | 2 +- .../proc_creation_win_wab_unusual_parents.md | 2 +- .../proc_creation_win_webdav_lnk_execution.md | 2 +- .../proc_creation_win_webshell_chopper.md | 2 +- .../proc_creation_win_webshell_hacking.md | 2 +- ...creation_win_webshell_susp_process_spawned_from_webserver.md | 2 +- .../proc_creation_win_webshell_tool_recon.md | 2 +- .../proc_creation_win_wermgr_susp_child_process.md | 2 +- .../proc_creation_win_wermgr_susp_exec_location.md | 2 +- .../proc_creation_win_windows_terminal_susp_children.md | 2 +- .../proc_creation_win_winrar_exfil_dmp_files.md | 2 +- .../proc_creation_win_winrar_uncommon_folder_execution.md | 2 +- .../proc_creation_win_winrm_awl_bypass.md | 2 +- 
...proc_creation_win_winrm_remote_powershell_session_process.md | 2 +-
 .../proc_creation_win_winrm_susp_child_process.md | 2 +-
 .../proc_creation_win_winzip_password_compression.md | 2 +-
 .../proc_creation_win_wmi_backdoor_exchange_transport_agent.md | 2 +-
 .../proc_creation_win_wmi_persistence_script_event_consumer.md | 2 +-
 .../proc_creation_win_wmic_eventconsumer_creation.md | 2 +-
 .../proc_creation_win_wmic_susp_process_creation.md | 2 +-
 .../proc_creation_win_wmic_uninstall_security_products.md | 2 +-
 .../proc_creation_win_wmic_xsl_script_processing.md | 2 +-
 .../proc_creation_win_wmiprvse_susp_child_processes.md | 2 +-
 .../proc_creation_win_wpbbin_potential_persistence.md | 2 +-
 .../proc_creation_win_wscript_cscript_dropper.md | 2 +-
 .../proc_creation_win_wscript_cscript_susp_child_processes.md | 2 +-
 .../proc_creation_win_wsl_child_processes_anomalies.md | 2 +-
 .../proc_creation_win_wsl_windows_binaries_execution.md | 2 +-
 ...oc_creation_win_wusa_cab_files_extraction_from_susp_paths.md | 2 +-
 .../proc_creation_win_wusa_susp_parent_execution.md | 2 +-
 .../proc_creation_win_xwizard_runwizard_com_object_exec.md | 2 +-
 sigma | 2 +-
 556 files changed, 556 insertions(+), 556 deletions(-)
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
index 6ff114e2c..4be9404da 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\addinutil.exe" and (not (tgt.process.image.path contains ":\Windows\System32\conhost.exe" or tgt.process.image.path contains ":\Windows\System32\werfault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\werfault.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md index a45957a55..426394b2b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\appvlp.exe" and (not (tgt.process.image.path contains ":\Windows\SysWOW64\rundll32.exe" or tgt.process.image.path contains ":\Windows\System32\rundll32.exe")) and (not ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\msoasb.exe") or ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\SkypeSrv\") and tgt.process.image.path contains "\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\MSOUC.EXE"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md index a800a56d5..38807970b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md index 4e16e447a..ea97c3f73 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\aspnet_compiler.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\notepad.exe") or (tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\AppData\Local\Roaming\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md index bdf314557..f2bcbc50d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe" and (tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Local\Roaming\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains ":\Windows\System32\Tasks\" or tgt.process.cmdline contains ":\Windows\Tasks\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md index 474d26e9d..1ea718f7f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\at.exe" and tgt.process.cmdline contains "interactive")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md index 9307537d0..de7cc0ff9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md index f61a6fbf1..7c019005f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\" or tgt.process.image.path contains "\AppData\Roaming\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\PerfLogs\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md index 52d524e3b..83ed19c37 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md index dc3883a20..951891b9c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\BitLockerToGo.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md index 96a10a0b4..bef88b714 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--remote-debugging-" and tgt.process.cmdline contains "--user-data-dir" and tgt.process.cmdline contains "--headless")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md index bcead88a7..966ca69fa 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md index 2e78e325d..0cf2626da 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and (tgt.process.cmdline contains "--headless" and tgt.process.cmdline contains "dump-dom" and tgt.process.cmdline contains "http"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md index 48603365c..d584f2e4c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md index b9029b1f8..9a7865290 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless" and (tgt.process.cmdline contains "://run.mocky" or tgt.process.cmdline contains "://mockbin"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md index e7b7585ab..23e9ff85f 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\wscript.exe") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md index ea4784e7c..53f70b987 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http" and (tgt.process.cmdline contains ".7z" or tgt.process.cmdline contains ".dat" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".ps1" or tgt.process.cmdline contains ".psm1" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".zip"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md index addd81a9e..f0784a9b4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --remote-debugging-" or (tgt.process.image.path contains "\firefox.exe" and tgt.process.cmdline contains " -start-debugger-server"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md index dc5a186df..ae86da6f3 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tor.exe" or tgt.process.image.path contains "\Tor Browser\Browser\firefox.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md index 73362a2f6..aa0de0316 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\calc.exe " or (tgt.process.image.path contains "\calc.exe" and (not (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\" or tgt.process.image.path contains ":\Windows\WinSxS\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md index b2d4e8f14..3cab93a70 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\cmd.exe" and (src.process.cmdline contains " -c " or src.process.cmdline contains " /c " or src.process.cmdline contains " –c " or src.process.cmdline contains " —c " or src.process.cmdline contains " ―c " or src.process.cmdline contains " -r " or src.process.cmdline contains " /r " or src.process.cmdline contains " –r " or src.process.cmdline contains " —r " or src.process.cmdline contains " ―r " or src.process.cmdline contains " -k " or src.process.cmdline contains " /k " or src.process.cmdline contains " –k " or src.process.cmdline contains " —k " or src.process.cmdline contains " ―k ") and tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains "chcp" or tgt.process.cmdline contains "chcp " or tgt.process.cmdline contains "chcp "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md index 7f6e7a066..f1af810da 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains " 936" or tgt.process.cmdline contains " 1258"))) | columns src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md index 0ee939ce1..ad51af08d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cloudflared.exe" and (not (tgt.process.image.path contains ":\Program Files (x86)\cloudflared\" or tgt.process.image.path contains ":\Program Files\cloudflared\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md index 8ee02a2bc..91e0f0324 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains "cleanup ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-connector-id "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md index df2abe93c..73f2aa280 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains " run ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-credentials-contents " or tgt.process.cmdline contains "-credentials-file " or tgt.process.cmdline contains "-token "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md index 13c5d4645..d6e48ad2a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " –c " or tgt.process.cmdline contains " —c " or tgt.process.cmdline contains " ―c ") and (tgt.process.cmdline contains "curl " and tgt.process.cmdline contains "http" and tgt.process.cmdline contains "-o" and tgt.process.cmdline contains "&"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md index 14beb5a94..aa755e089 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "^^" or tgt.process.cmdline contains "^|^" or tgt.process.cmdline contains ",;," or tgt.process.cmdline contains ";;;;" or tgt.process.cmdline contains ";; ;;" or tgt.process.cmdline contains "(,(," or tgt.process.cmdline contains "%COMSPEC:~" or tgt.process.cmdline contains " c^m^d" or tgt.process.cmdline contains "^c^m^d" or tgt.process.cmdline contains " c^md" or tgt.process.cmdline contains " cm^d" or tgt.process.cmdline contains "^cm^d" or tgt.process.cmdline contains " s^et " or tgt.process.cmdline contains " s^e^t " or tgt.process.cmdline contains " se^t ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md index ed2cb7926..0d1bf050f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "://" and tgt.process.cmdline contains "%AppData%"))) | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md index 408af7d42..93a748bb8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "mklink" and tgt.process.cmdline contains "HarddiskVolumeShadowCopy")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md index dca84d2c9..79efaa03d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "cmd.exe/c" or tgt.process.cmdline contains "\cmd/c" or tgt.process.cmdline contains "\"cmd/c" or tgt.process.cmdline contains "cmd.exe/k" or tgt.process.cmdline contains "\cmd/k" or tgt.process.cmdline contains "\"cmd/k" or tgt.process.cmdline contains "cmd.exe/r" or tgt.process.cmdline contains "\cmd/r" or tgt.process.cmdline contains "\"cmd/r") or (tgt.process.cmdline contains "/cwhoami" or tgt.process.cmdline contains "/cpowershell" or tgt.process.cmdline contains "/cschtasks" or tgt.process.cmdline contains "/cbitsadmin" or tgt.process.cmdline contains "/ccertutil" or tgt.process.cmdline contains "/kwhoami" or tgt.process.cmdline contains "/kpowershell" or tgt.process.cmdline contains "/kschtasks" or tgt.process.cmdline contains "/kbitsadmin" or tgt.process.cmdline contains "/kcertutil") or (tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /r")) and (not ((tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /r ") or (tgt.process.cmdline contains "AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules" or tgt.process.cmdline contains "cmd.exe/c ." or tgt.process.cmdline="cmd.exe /c"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md index 55ba0125e..42d00e165 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "type %windir%\system32\ntdll.dll" or tgt.process.cmdline contains "type %systemroot%\system32\ntdll.dll" or tgt.process.cmdline contains "type c:\windows\system32\ntdll.dll" or tgt.process.cmdline contains "\ntdll.dll > \\.\pipe\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md index e31117817..cfa847a00 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ") and tgt.process.cmdline contains "Nul" and (tgt.process.cmdline contains " -f " or tgt.process.cmdline contains " /f " or tgt.process.cmdline contains " –f " or tgt.process.cmdline contains " —f " or tgt.process.cmdline contains " ―f " or tgt.process.cmdline contains " -q " or tgt.process.cmdline contains " /q " or tgt.process.cmdline contains " –q " or tgt.process.cmdline contains " —q " or tgt.process.cmdline contains " ―q ") and (tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "del ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md
index 81618500a..134d19637 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md
index e24a99e7e..9ee66c73b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\winlogon.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "Magnify.exe" or tgt.process.cmdline contains "Narrator.exe" or tgt.process.cmdline contains "DisplaySwitch.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md
index 3958ce604..4ec0f000f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "/y " and tgt.process.cmdline contains "C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md
index d8a6469d1..a36ea0d02 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > \\") or (tgt.process.cmdline contains "type \\" and tgt.process.cmdline contains " > ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md
index 184eae383..8597f82f0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\ctfmon.exe" or src.process.image.path contains "\dllhost.exe" or src.process.image.path contains "\epad.exe" or src.process.image.path contains "\FlashPlayerUpdateService.exe" or src.process.image.path contains "\GoogleUpdate.exe" or src.process.image.path contains "\jucheck.exe" or src.process.image.path contains "\jusched.exe" or src.process.image.path contains "\LogonUI.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\SearchIndexer.exe" or src.process.image.path contains "\SearchProtocolHost.exe" or src.process.image.path contains "\SIHClient.exe" or src.process.image.path contains "\sihost.exe" or src.process.image.path contains "\slui.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\sppsvc.exe" or src.process.image.path contains "\taskhostw.exe" or src.process.image.path contains "\unsecapp.exe" or src.process.image.path contains "\WerFault.exe" or src.process.image.path contains "\wermgr.exe" or src.process.image.path contains "\wlanext.exe" or src.process.image.path contains "\WUDFHost.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md
index dc7956265..8500ba520 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\cmstp.exe") | columns tgt.process.cmdline,src.process.cmdline,Details
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md
index 792f39c12..053898d58 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.integrityLevel="High" and (tgt.process.cmdline contains "conhost.exe" and tgt.process.cmdline contains "0xffffffff" and tgt.process.cmdline contains "-ForceV1")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md
index e5034769a..ff877d937 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.cmdline contains "conhost" and tgt.process.cmdline contains "/../../"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md
index a2b386e93..23163e5bd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\conhost.exe" and (src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\smss.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\userinit.exe" or src.process.image.path contains "\wininit.exe" or src.process.image.path contains "\winlogon.exe")) and (not (src.process.cmdline contains "-k apphost -s AppHostSvc" or src.process.cmdline contains "-k imgsvc" or src.process.cmdline contains "-k localService -p -s RemoteRegistry" or src.process.cmdline contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or src.process.cmdline contains "-k NetSvcs -p -s NcaSvc" or src.process.cmdline contains "-k netsvcs -p -s NetSetupSvc" or src.process.cmdline contains "-k netsvcs -p -s wlidsvc" or src.process.cmdline contains "-k NetworkService -p -s DoSvc" or src.process.cmdline contains "-k wsappx -p -s AppXSvc" or src.process.cmdline contains "-k wsappx -p -s ClipSVC")) and (not (src.process.cmdline contains "C:\Program Files (x86)\Dropbox\Client\" or src.process.cmdline contains "C:\Program Files\Dropbox\Client\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md
index 667c21f16..2d5839da3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csc.exe" and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\Windows\Temp\") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Pictures\")) or tgt.process.cmdline matches "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not ((src.process.image.path contains "C:\Program Files (x86)\" or src.process.image.path contains "C:\Program Files\") or src.process.image.path="C:\Windows\System32\sdiagnhost.exe" or src.process.image.path="C:\Windows\System32\inetsrv\w3wp.exe")) and (not ((src.process.image.path in ("C:\ProgramData\chocolatey\choco.exe","C:\ProgramData\chocolatey\tools\shimgen.exe")) or src.process.cmdline contains "\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" or (src.process.cmdline contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or src.process.cmdline contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or src.process.cmdline contains 
"nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md
index 36be421d9..414586038 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\curl.exe" or tgt.process.displayName="The curl executable") and ((tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "C:\PerfLogs\" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Windows\Temp\") or (tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".gif" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".temp" or tgt.process.cmdline contains ".tmp" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs")) and (not (src.process.image.path="C:\Program Files\Git\usr\bin\sh.exe" and tgt.process.image.path="C:\Program Files\Git\mingw64\bin\curl.exe" and (tgt.process.cmdline contains "--silent --show-error --output " and tgt.process.cmdline contains "gfw-httpget-" and tgt.process.cmdline contains "AppData")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md
index 0f70c93c8..6e708c03a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\DefaultPack.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md
index d95750415..28167c812 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\desktopimgdownldr.exe" and src.process.image.path contains "\desktopimgdownldr.exe" and tgt.process.cmdline contains "/lockscreenurl:http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md
index dd626fa38..6cfe88078 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /lockscreenurl:" and (not (tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".png"))) or (tgt.process.cmdline contains "reg delete" and tgt.process.cmdline contains "\PersonalizationCSP"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md
index 7695aefc3..a4c842a44 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -t msi-install " and tgt.process.cmdline contains " -i http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md
index e9e61db72..1ed5c7032 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\AppData\Local\Apps\2.0\" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md
index 993bc56f9..4db53e8d0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\diskshadow.exe" and (tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md
index ec0928f29..ed0029d3d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\DismHost.exe" and (src.process.cmdline contains "/Online" and src.process.cmdline contains "/Disable-Feature")) or (tgt.process.image.path contains "\Dism.exe" and (tgt.process.cmdline contains "/Online" and tgt.process.cmdline contains "/Disable-Feature"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md
index ba97efaa1..daf47d6ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VMwareXferlogs.exe" and (not tgt.process.image.path contains "C:\Program Files\VMware\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md
index 9824e3402..6d5c0da45 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dllhost.exe" and (tgt.process.cmdline in ("dllhost.exe","dllhost"))) and (not not (tgt.process.cmdline matches "\.*"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md
index e3bf9a68c..8adba9e6b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\iodine.exe" or tgt.process.image.path contains "\dnscat2"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md
index 512600aad..01f2595f8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\dns.exe" and (not tgt.process.image.path contains "\conhost.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md
index 29c2d26e9..6d365c5dd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/enumrecords" or tgt.process.cmdline contains "/enumzones" or tgt.process.cmdline contains "/ZonePrint" or tgt.process.cmdline contains "/info")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md
index 52f6291bc..c4d983ec8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/config" and tgt.process.cmdline contains "/serverlevelplugindll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md
index 38c35820d..ea5f51e0d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\dnx.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md
index e4da18851..dca52d19a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dtrace.exe" and tgt.process.cmdline contains "lkd(0)") or (tgt.process.cmdline contains "syscall:::return" and tgt.process.cmdline contains "lkd(")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md
index 05e940be7..26e7d76ae 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "esentutl" and tgt.process.cmdline contains " /p")) | columns tgt.process.user,tgt.process.cmdline,src.process.cmdline,tgt.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md
index 4d0f2ae84..c58fc20ac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\eventvwr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\WerFault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\WerFault.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md
index 532a1acab..3e5ad3a29 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\expand.exe" and (tgt.process.cmdline contains "-F:" or tgt.process.cmdline contains "/F:" or tgt.process.cmdline contains "–F:" or tgt.process.cmdline contains "—F:" or tgt.process.cmdline contains "―F:")) and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains ":\ProgramData" or tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\Temp" or tgt.process.cmdline contains ":\Windows\Temp") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\"))) and (not (src.process.image.path="C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe" and tgt.process.cmdline contains "C:\ProgramData\Dell\UpdateService\Temp\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md
index b0c04ab08..34a92e340 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or ((tgt.process.cmdline contains "explorer.exe") and (tgt.process.cmdline contains " -root," or tgt.process.cmdline contains " /root," or tgt.process.cmdline contains " –root," or tgt.process.cmdline contains " —root," or tgt.process.cmdline contains " ―root,"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
index cb71672d9..c232a24fb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "shell:mycomputerfolder"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
index da9173ab9..e907f4cac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "/NOUACCHECK") and (not (src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" or src.process.image.path="C:\Windows\System32\svchost.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
index 56260b0f6..a85e6fa03 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ipconfig*|*find*" or tgt.process.cmdline="*net*|*find*" or tgt.process.cmdline="*netstat*|*find*" or tgt.process.cmdline="*ping*|*find*" or tgt.process.cmdline="*systeminfo*|*find*" or tgt.process.cmdline="*tasklist*|*find*" or tgt.process.cmdline="*whoami*|*find*"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
index 34adad54f..9ee1c643a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.cmdline contains ".exe" or src.process.cmdline contains ".exe\"") and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "/c echo \"") and (not ((src.process.image.path contains ":\Windows\System32\" or src.process.image.path contains ":\Windows\SysWOW64\") and src.process.image.path contains "\forfiles.exe" and (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\") and tgt.process.image.path contains "\cmd.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
index 959a74c95..1b413d845 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\format.com" and tgt.process.cmdline contains "/fs:") and (not (tgt.process.cmdline contains "/fs:exFAT" or tgt.process.cmdline contains "/fs:FAT" or tgt.process.cmdline contains "/fs:NTFS" or tgt.process.cmdline contains "/fs:ReFS" or tgt.process.cmdline contains "/fs:UDF"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
index 757378f71..550e6a2b0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\GfxDownloadWrapper.exe" and (tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://")) and (not tgt.process.cmdline contains "https://gameplayapi.intel.com/")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
index 1bd935438..33a25180e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\GoogleUpdate.exe" and (not ((tgt.process.image.path contains "\Google" or (tgt.process.image.path contains "\setup.exe" or tgt.process.image.path contains "chrome_updater.exe" or tgt.process.image.path contains "chrome_installer.exe")) or not (tgt.process.image.path matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
index 22ae60af5..fcba3b9b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -d " and tgt.process.cmdline contains "passphrase")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
index a18445569..c490aa27c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "passphrase")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
index c09de9cd5..1e7b3e1d1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GNU Privacy Guard (GnuPG)" or tgt.process.displayName="GnuPG’s OpenPGP tool") and tgt.process.cmdline contains "-passphrase" and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Roaming\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
index b771aabc1..8e16f0063 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\gpresult.exe" and (tgt.process.cmdline contains "/z" or tgt.process.cmdline contains "/v")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
index c0d47b71a..be0a729cd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\gup.exe" and tgt.process.image.path contains "\explorer.exe") and (not ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "\Notepad++\notepad++.exe") or src.process.image.path contains "\Notepad++\updater\" or not (tgt.process.cmdline matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
index e256380ad..0288ad59a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\GUP.exe" and (not ((tgt.process.image.path contains "\Program Files\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\Program Files (x86)\Notepad++\updater\GUP.exe") or (tgt.process.image.path contains "\Users\" and (tgt.process.image.path contains "\AppData\Local\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\AppData\Roaming\Notepad++\updater\GUP.exe"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
index 8749a286c..a73d47f3e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\hh.exe" and (tgt.process.image.path contains "\CertReq.exe" or tgt.process.image.path contains "\CertUtil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\installutil.exe" or tgt.process.image.path contains "\MSbuild.exe" or tgt.process.image.path contains "\MSHTA.EXE" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
index b4816ba29..ce51e5b82 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --adcs " and tgt.process.cmdline contains " --port "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
index 20861158b..b90411f61 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName contains "SharpHound" or tgt.process.displayName contains "SharpHound" or (tgt.process.publisher contains "SpecterOps" or tgt.process.publisher contains "evil corp") or (tgt.process.image.path contains "\Bloodhound.exe" or tgt.process.image.path contains "\SharpHound.exe")) or (tgt.process.cmdline contains " -CollectionMethod All " or tgt.process.cmdline contains " --CollectionMethods Session " or tgt.process.cmdline contains " --Loop --Loopduration " or tgt.process.cmdline contains " --PortScanTimeout " or tgt.process.cmdline contains ".exe -c All -d " or tgt.process.cmdline contains "Invoke-Bloodhound" or tgt.process.cmdline contains "Get-BloodHoundData") or (tgt.process.cmdline contains " -JsonFolder " and tgt.process.cmdline contains " -ZipFileName ") or (tgt.process.cmdline contains " DCOnly " and tgt.process.cmdline contains " --NoSaveCache ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
index 00bb68dd9..802bd2a58 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains ".dll" and tgt.process.cmdline contains "StartNodeRelay"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
index 0f66ad736..7e593628a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd.exe /C whoami" and src.process.image.path contains "C:\Temp\") or ((src.process.image.path contains "\runonce.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.cmdline contains "cmd.exe /c echo" and tgt.process.cmdline contains "> \\.\pipe")) or ((src.process.cmdline contains "cmd.exe /C echo" and src.process.cmdline contains " > \\.\pipe") and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1") or (src.process.cmdline contains "/C whoami" and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
index 9132d3e4b..b0507c9bb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-Sta" and tgt.process.cmdline contains "-Nop" and tgt.process.cmdline contains "-Window" and tgt.process.cmdline contains "Hidden") and (tgt.process.cmdline contains "-Command" or tgt.process.cmdline contains "-EncodedCommand")) or (tgt.process.cmdline contains "sv o (New-Object IO.MemorySteam);sv d " or tgt.process.cmdline contains "mshta file.hta" or tgt.process.cmdline contains "GruntHTTP" or tgt.process.cmdline contains "-EncodedCommand cwB2ACAAbwAgA")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
index 149d0ad1f..4a81c72e8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\crackmapexec.exe" or tgt.process.cmdline contains " -M pe_inject " or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -x ") or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -H 'NTHASH'") or (tgt.process.cmdline contains " mssql " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -d ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -H " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -o ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " --local-auth")) or ((tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p ") and (tgt.process.cmdline contains " 10." and tgt.process.cmdline contains " 192.168." and tgt.process.cmdline contains "/24 ")))) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
index dd7f82cb7..bf5a3788f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*cmd.exe /Q /c * 1> \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > *\Temp\* 2>&1*" or tgt.process.cmdline contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or tgt.process.cmdline contains "powershell.exe -noni -nop -w 1 -enc "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
index f9c07d902..5966ca24c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "tasklist /fi " and tgt.process.cmdline contains "Imagename eq lsass.exe") and (tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd /k ") and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) or (tgt.process.cmdline contains "do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump" and tgt.process.cmdline contains "\Windows\Temp\" and tgt.process.cmdline contains " full" and tgt.process.cmdline contains "%%B") or (tgt.process.cmdline contains "tasklist /v /fo csv" and tgt.process.cmdline contains "findstr /i \"lsass\"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
index 9dd41f6af..689da0dd9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /am51" and tgt.process.cmdline contains " /password"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
index 2ddd59f24..409ab479f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -sta -NonI -W Hidden -Enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc " or tgt.process.cmdline contains " -NoP -NonI -W Hidden -enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc" or tgt.process.cmdline contains " -enc SQB" or tgt.process.cmdline contains " -nop -exec bypass -EncodedCommand "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
index 0721f5228..357b30962 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)" or tgt.process.cmdline contains " -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
index 19d613dc5..85ed5f36d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ruby.exe" and (tgt.process.cmdline contains "-i " and tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
index 6aa99bc35..f11606b70 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.publisher="Cube0x0")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
index 3d6a93bb5..21a474baf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hashcat.exe" or (tgt.process.cmdline contains "-a " and tgt.process.cmdline contains "-m 1000 " and tgt.process.cmdline contains "-r ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
index 0fb62681a..6c9abe852 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\htran.exe" or tgt.process.image.path contains "\lcx.exe") or (tgt.process.cmdline contains ".exe -tran " or tgt.process.cmdline contains ".exe -slave ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
index 289a2d5c7..35496bd7f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ") and (tgt.process.cmdline contains "^USER^" or tgt.process.cmdline contains "^PASS^"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md index ba25c37cb..caa15f2f9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\mmc.exe" or src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\services.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/Q" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "\\127.0.0.1\" and tgt.process.cmdline contains "&1")) or ((src.process.cmdline contains "svchost.exe -k netsvcs" or src.process.cmdline contains "taskeng.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/C" and tgt.process.cmdline contains "Windows\Temp\" and tgt.process.cmdline contains "&1")))) | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md index 594712481..661f824e1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\goldenPac" or tgt.process.image.path contains "\karmaSMB" or tgt.process.image.path contains "\kintercept" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\rpcdump" or tgt.process.image.path contains "\samrdump" or tgt.process.image.path contains "\secretsdump" or tgt.process.image.path contains "\smbexec" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\wmiexec" or tgt.process.image.path contains "\wmipersist") or (tgt.process.image.path contains "\atexec_windows.exe" or tgt.process.image.path contains "\dcomexec_windows.exe" or tgt.process.image.path contains "\dpapi_windows.exe" or tgt.process.image.path contains "\findDelegation_windows.exe" or tgt.process.image.path contains "\GetADUsers_windows.exe" or tgt.process.image.path contains "\GetNPUsers_windows.exe" or tgt.process.image.path contains "\getPac_windows.exe" or tgt.process.image.path contains "\getST_windows.exe" or tgt.process.image.path contains "\getTGT_windows.exe" or tgt.process.image.path contains "\GetUserSPNs_windows.exe" or tgt.process.image.path contains "\ifmap_windows.exe" or tgt.process.image.path contains "\mimikatz_windows.exe" or tgt.process.image.path contains "\netview_windows.exe" or tgt.process.image.path contains "\nmapAnswerMachine_windows.exe" or tgt.process.image.path contains "\opdump_windows.exe" or tgt.process.image.path contains "\psexec_windows.exe" or tgt.process.image.path contains "\rdp_check_windows.exe" or tgt.process.image.path contains "\sambaPipe_windows.exe" or tgt.process.image.path contains "\smbclient_windows.exe" or tgt.process.image.path contains "\smbserver_windows.exe" or tgt.process.image.path contains "\sniff_windows.exe" 
or tgt.process.image.path contains "\sniffer_windows.exe" or tgt.process.image.path contains "\split_windows.exe" or tgt.process.image.path contains "\ticketer_windows.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md index d619b9659..c126f3959 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "clipboard]::" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "/r"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md index cea680f18..f6f1af926 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline matches "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or tgt.process.cmdline matches "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or tgt.process.cmdline matches "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or tgt.process.cmdline matches "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or tgt.process.cmdline matches "\\*mdr\\*\\W\\s*\\)\\.Name" or tgt.process.cmdline matches "\\$VerbosePreference\\.ToString\\(" or tgt.process.cmdline matches "\\[String\\]\\s*\\$VerbosePreference")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md index 69a25f378..5cd1fb877 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md index df96eb36d..f7cd83dae 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md index 75222ce7c..5bd8226dc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "text.encoding]::ascii") and (tgt.process.cmdline contains "system.io.compression.deflatestream" or tgt.process.cmdline contains "system.io.streamreader" or tgt.process.cmdline contains "readtoend("))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md index 33d7c43d1..e8864a8e9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md index ef06eeaa5..e0ebd0af7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md index fbbb8fd96..32f95f0a7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "set" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "vbscript:createobject" and tgt.process.cmdline contains ".run" and tgt.process.cmdline contains "(window.close)")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md index a5d331f4f..a0a6387c2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "&&set" and tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "{0}" or tgt.process.cmdline contains "{1}" or tgt.process.cmdline contains "{2}" or tgt.process.cmdline contains "{3}" or tgt.process.cmdline contains "{4}" or tgt.process.cmdline contains "{5}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md index 057723e03..64f692a79 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" and src.process.cmdline contains ".bat") and ((tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "powershell.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "pwsh.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\attrib.exe" and (tgt.process.cmdline contains "+s" and tgt.process.cmdline contains "+h" and tgt.process.cmdline contains ".bat.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md index 90a62b879..3f40b73dd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\lazagne.exe" or ((tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Tmp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Users\Public\") and (tgt.process.cmdline contains ".exe all" or tgt.process.cmdline contains ".exe browsers" or tgt.process.cmdline contains ".exe chats" or tgt.process.cmdline contains ".exe databases" or tgt.process.cmdline contains ".exe games" or tgt.process.cmdline contains ".exe git" or tgt.process.cmdline contains ".exe mails" or tgt.process.cmdline contains ".exe maven" or tgt.process.cmdline contains ".exe memory" or tgt.process.cmdline contains ".exe multimedia" or tgt.process.cmdline contains ".exe sysadmin" or tgt.process.cmdline contains ".exe unused" or tgt.process.cmdline contains ".exe wifi" or tgt.process.cmdline contains ".exe windows")) or ((tgt.process.cmdline contains "all " or tgt.process.cmdline contains "browsers " or tgt.process.cmdline contains "chats " or tgt.process.cmdline contains "databases " or tgt.process.cmdline contains "games " or tgt.process.cmdline contains "git " or tgt.process.cmdline contains "mails " or tgt.process.cmdline contains "maven " or tgt.process.cmdline contains "memory " or tgt.process.cmdline contains "multimedia " or tgt.process.cmdline contains "php " or tgt.process.cmdline contains "svn " or tgt.process.cmdline contains "sysadmin " or tgt.process.cmdline contains "unused " or tgt.process.cmdline contains "wifi " or tgt.process.cmdline contains "windows ") and 
(tgt.process.cmdline contains "-oA" or tgt.process.cmdline contains "-oJ" or tgt.process.cmdline contains "-oN" or tgt.process.cmdline contains "-output" or tgt.process.cmdline contains "-password" or tgt.process.cmdline contains "-1Password" or tgt.process.cmdline contains "-apachedirectorystudio" or tgt.process.cmdline contains "-autologon" or tgt.process.cmdline contains "-ChromiumBased" or tgt.process.cmdline contains "-composer" or tgt.process.cmdline contains "-coreftp" or tgt.process.cmdline contains "-credfiles" or tgt.process.cmdline contains "-credman" or tgt.process.cmdline contains "-cyberduck" or tgt.process.cmdline contains "-dbvis" or tgt.process.cmdline contains "-EyeCon" or tgt.process.cmdline contains "-filezilla" or tgt.process.cmdline contains "-filezillaserver" or tgt.process.cmdline contains "-ftpnavigator" or tgt.process.cmdline contains "-galconfusion" or tgt.process.cmdline contains "-gitforwindows" or tgt.process.cmdline contains "-hashdump" or tgt.process.cmdline contains "-iisapppool" or tgt.process.cmdline contains "-IISCentralCertP" or tgt.process.cmdline contains "-kalypsomedia" or tgt.process.cmdline contains "-keepass" or tgt.process.cmdline contains "-keepassconfig" or tgt.process.cmdline contains "-lsa_secrets" or tgt.process.cmdline contains "-mavenrepositories" or tgt.process.cmdline contains "-memory_dump" or tgt.process.cmdline contains "-Mozilla" or tgt.process.cmdline contains "-mRemoteNG" or tgt.process.cmdline contains "-mscache" or tgt.process.cmdline contains "-opensshforwindows" or tgt.process.cmdline contains "-openvpn" or tgt.process.cmdline contains "-outlook" or tgt.process.cmdline contains "-pidgin" or tgt.process.cmdline contains "-postgresql" or tgt.process.cmdline contains "-psi-im" or tgt.process.cmdline contains "-puttycm" or tgt.process.cmdline contains "-pypykatz" or tgt.process.cmdline contains "-Rclone" or tgt.process.cmdline contains "-rdpmanager" or tgt.process.cmdline contains "-robomongo" or 
tgt.process.cmdline contains "-roguestale" or tgt.process.cmdline contains "-skype" or tgt.process.cmdline contains "-SQLDeveloper" or tgt.process.cmdline contains "-squirrel" or tgt.process.cmdline contains "-tortoise" or tgt.process.cmdline contains "-turba" or tgt.process.cmdline contains "-UCBrowser" or tgt.process.cmdline contains "-unattended" or tgt.process.cmdline contains "-vault" or tgt.process.cmdline contains "-vaultfiles" or tgt.process.cmdline contains "-vnc" or tgt.process.cmdline contains "-windows" or tgt.process.cmdline contains "-winscp" or tgt.process.cmdline contains "-wsl")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md index 2fa0f4d7b..c0f433db5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\services.exe" and (((tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "echo" and tgt.process.cmdline contains "\pipe\") and (tgt.process.cmdline contains "cmd" or tgt.process.cmdline contains "%COMSPEC%")) or (tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains ".dll,a" and tgt.process.cmdline contains "/p:")) and (not tgt.process.cmdline contains "MpCmdRun"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md index 6e7b8b870..db47eeb23 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "DumpCreds" or tgt.process.cmdline contains "mimikatz") or (tgt.process.cmdline contains "::aadcookie" or tgt.process.cmdline contains "::detours" or tgt.process.cmdline contains "::memssp" or tgt.process.cmdline contains "::mflt" or tgt.process.cmdline contains "::ncroutemon" or tgt.process.cmdline contains "::ngcsign" or tgt.process.cmdline contains "::printnightmare" or tgt.process.cmdline contains "::skeleton" or tgt.process.cmdline contains "::preshutdown" or tgt.process.cmdline contains "::mstsc" or tgt.process.cmdline contains "::multirdp") or (tgt.process.cmdline contains "rpc::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "crypto::" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "process::" or tgt.process.cmdline contains "vault::"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md index 600dbe29e..e49ccc559 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "powershell.exe -NonI" and tgt.process.cmdline contains "/TN Updater /TR") and (tgt.process.cmdline contains "/SC ONLOGON" or tgt.process.cmdline contains "/SC DAILY /ST" or tgt.process.cmdline contains "/SC ONIDLE" or tgt.process.cmdline contains "/SC HOURLY"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md index 9f1faf9d9..b0bded723 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\pypykatz.exe" or tgt.process.image.path contains "\python.exe") and (tgt.process.cmdline contains "live" and tgt.process.cmdline contains "registry"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md index 30e2334a9..ac91fc66b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\QuarksPwDump.exe" or (tgt.process.cmdline in (" -dhl"," --dump-hash-local"," -dhdc"," --dump-hash-domain-cached"," --dump-bitlocker"," -dhd "," --dump-hash-domain ","--ntds-file")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md index 0f6eeb978..b8ad7a125 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "gthread-3.6.dll" or tgt.process.cmdline contains "\Windows\Temp\tmp.bat" or tgt.process.cmdline contains "sigcmm-2.4.dll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md index 7f0ec6ae7..b132b0b5e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "PetitPotam" or tgt.process.image.path contains "RottenPotato" or tgt.process.image.path contains "HotPotato" or tgt.process.image.path contains "JuicyPotato" or tgt.process.image.path contains "\just_dce_" or tgt.process.image.path contains "Juicy Potato" or tgt.process.image.path contains "\temp\rot.exe" or tgt.process.image.path contains "\Potato.exe" or tgt.process.image.path contains "\SpoolSample.exe" or tgt.process.image.path contains "\Responder.exe" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\LocalPotato") or (tgt.process.cmdline contains "Invoke-Tater" or tgt.process.cmdline contains " smbrelay" or tgt.process.cmdline contains " ntlmrelay" or tgt.process.cmdline contains "cme smb " or tgt.process.cmdline contains " /ntlm:NTLMhash " or tgt.process.cmdline contains "Invoke-PetitPotam" or tgt.process.cmdline="*.exe -t * -p *") or (tgt.process.cmdline contains ".exe -c \"{" and tgt.process.cmdline contains "}\" -z")) and (not (tgt.process.image.path contains "HotPotatoes6" or tgt.process.image.path contains "HotPotatoes7" or tgt.process.image.path contains "HotPotatoes ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md index ca85704ab..4c75f1087 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpChisel.exe" or tgt.process.displayName="SharpChisel")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md index 8c4f90972..40219dfd4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\SharPersist.exe" or tgt.process.displayName="SharPersist") or (tgt.process.cmdline contains " -t schtask -c " or tgt.process.cmdline contains " -t startupfolder -c ") or (tgt.process.cmdline contains " -t reg -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t service -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t schtask -c " and tgt.process.cmdline contains " -m add"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md index 67adf267b..18297eb07 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpEvtMute.exe" or tgt.process.displayName="SharpEvtMute" or (tgt.process.cmdline contains "--Filter \"rule " or tgt.process.cmdline contains "--Encoded --Filter \\""))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md index ddc8c324d..cf2ee9926 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpUp.exe" or tgt.process.displayName="SharpUp" or (tgt.process.cmdline contains "HijackablePaths" or tgt.process.cmdline contains "UnquotedServicePath" or tgt.process.cmdline contains "ProcessDLLHijack" or tgt.process.cmdline contains "ModifiableServiceBinaries" or tgt.process.cmdline contains "ModifiableScheduledTask" or tgt.process.cmdline contains "DomainGPPPassword" or tgt.process.cmdline contains "CachedGPPPassword"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md index 8ff03e5b5..61bb7a6f9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -Inject " and (tgt.process.cmdline contains " -PayloadArgs " or tgt.process.cmdline contains " -PayloadFile ")) or ((tgt.process.cmdline contains " approve " or tgt.process.cmdline contains " create " or tgt.process.cmdline contains " check " or tgt.process.cmdline contains " delete ") and (tgt.process.cmdline contains " /payload:" or tgt.process.cmdline contains " /payload=" or tgt.process.cmdline contains " /updateid:" or tgt.process.cmdline contains " /updateid=")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md index f561e0ed9..2f0dbd259 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.displayName contains "st2stager") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md index f1570655f..39607411d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
index 9f99cc555..e48f17b7f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --buildcache " or tgt.process.cmdline contains " --bhdump " or tgt.process.cmdline contains " --certdump " or tgt.process.cmdline contains " --dnsdump ") and (tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " --cachefilename " or tgt.process.cmdline contains " -o " or tgt.process.cmdline contains " --outputdirectory")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
index 009ff51fa..88d24022d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Offline_Winpwn" or tgt.process.cmdline contains "WinPwn " or tgt.process.cmdline contains "WinPwn.exe" or tgt.process.cmdline contains "WinPwn.ps1"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
index f36984dc1..b0d01f132 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
index dc7cd54d1..0bcabb6ee 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\xordump.exe" or (tgt.process.cmdline contains " -process lsass.exe " or tgt.process.cmdline contains " -m comsvcs " or tgt.process.cmdline contains " -m dbghelp " or tgt.process.cmdline contains " -m dbgcore ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
index d919cefff..768f05f96 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip" and tgt.process.cmdline contains "/pass:" and tgt.process.cmdline contains "/user:") or (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
index b10789f8e..b9da5d408 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\HOSTNAME.EXE")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
index 3ed3317dc..c0bf6eb14 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Hwp.exe" and tgt.process.image.path contains "\gbb.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
index 09e8a8e99..660f26e82 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hxtsr.exe" and (not (tgt.process.image.path contains ":\program files\windowsapps\microsoft.windowscommunicationsapps_" and tgt.process.image.path contains "\hxtsr.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
index c56e678b1..7bac26dd2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\w3wp.exe" and (tgt.process.cmdline contains "appcmd.exe add module" or (tgt.process.cmdline contains " system.enterpriseservices.internal.publish" and tgt.process.image.path contains "\powershell.exe") or (tgt.process.cmdline contains "gacutil" and tgt.process.cmdline contains " /I"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
index 828366b29..bce5329d4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and tgt.process.image.path contains "\ImagingDevices.exe") or src.process.image.path contains "\ImagingDevices.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
index 9519b9616..35166b5ff 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "InfDefaultInstall.exe " and tgt.process.cmdline contains ".inf")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
index 5ab656deb..b42ba0c09 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\InstallUtil.exe" and tgt.process.image.path contains "Microsoft.NET\Framework" and (tgt.process.cmdline contains "/logfile= " and tgt.process.cmdline contains "/LogToConsole=false")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
index b5b1ee214..c0ad3702f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\keytool.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\query.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
index 5dfbb8ef4..e3e811451 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\ManageEngine\ServiceDesk\" and src.process.image.path contains "\java.exe") and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")) and (not ((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains " stop"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
index 877972d84..fe89cf47f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "transport=dt_socket,address=" and (tgt.process.cmdline contains "jre1." or tgt.process.cmdline contains "jdk1.")) and (not (tgt.process.cmdline contains "address=127.0.0.1" or tgt.process.cmdline contains "address=localhost")))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
index c5d171bc2..9d81a3df1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
index 8cae25411..261031cd5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not (src.process.image.path contains "build" and tgt.process.cmdline contains "build"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
index 5bd5a1000..6827e486c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and src.process.cmdline contains "SysAidServer"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
index 1ba4af715..dbf00cc46 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " run run-cmd " and (not (src.process.image.path contains "\cleanapi.exe" or src.process.image.path contains "\kavremover.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
index 77b159a9b..d8ed45254 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\link.exe" and tgt.process.cmdline contains "LINK /") and (not ((src.process.image.path contains "C:\Program Files\Microsoft Visual Studio\" or src.process.image.path contains "C:\Program Files (x86)\Microsoft Visual Studio\") and (src.process.image.path contains "\VC\bin\" or src.process.image.path contains "\VC\Tools\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
index 34aa0ec9a..bbfbbd9e4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\CustomShellHost.exe" and (not tgt.process.image.path="C:\Windows\explorer.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
index 54634548f..2912339fe 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\DeviceCredentialDeployment.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
index 6e3bde93b..4de4c13e7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\devtoolslauncher.exe" and tgt.process.cmdline contains "LaunchForDeploy"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
index df764c8b9..eb0792697 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
index ff54648df..b95e74498 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains " \\" and tgt.process.cmdline contains ".cab"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
index dc99bd616..57108eb1c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "extrac32.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
index d957a1dd9..4f1393ea6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Launch-VsDevShell.ps1" and (tgt.process.cmdline contains "VsWherePath " or tgt.process.cmdline contains "VsInstallationPath ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
index dd8d0f8f3..57ff77e52 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /INJECTRUNNING " and (not src.process.image.path="C:\Windows\System32\AppVClient.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
index 49a79b171..e0f7a744a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "verb:sync" and tgt.process.cmdline contains "-source:RunCommand" and tgt.process.cmdline contains "-dest:runCommand") and tgt.process.image.path contains "\msdeploy.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
index 3e8f66562..4c7d332dd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\msdt.exe" and tgt.process.cmdline contains "\WINDOWS\diagnostics\index\PCWDiagnostic.xml") and (tgt.process.cmdline contains " -af " or tgt.process.cmdline contains " /af ")) and (not src.process.image.path contains "\pcwrun.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
index 6d77482cf..da9545b5f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\OpenWith.exe" and tgt.process.cmdline contains "/c"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
index dd0871165..755f142b6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcalua.exe" and tgt.process.cmdline contains " -a"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
index 4ff0a1aed..f7f7b20e7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\pcwrun.exe") | columns ComputerName,tgt.process.user,src.process.cmdline,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md index a428dc7db..8005a196f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcwrun.exe" and tgt.process.cmdline contains "../")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md index 793cc54e6..292e8d609 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and src.process.cmdline contains "\WindowsPowerShell\Modules\Pester\") and (src.process.cmdline contains "{ Invoke-Pester -EnableExit ;" or src.process.cmdline contains "{ Get-Help \""))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md index dbfdd2b2e..e41a47acd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Pester" and tgt.process.cmdline contains "Get-Help")) or ((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "pester" and tgt.process.cmdline contains ";")) and (tgt.process.cmdline contains "help" or tgt.process.cmdline contains "?")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md index f112c8795..706c55749 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\PrintBrm.exe" and (tgt.process.cmdline contains " -f" and tgt.process.cmdline contains ".zip"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md index b09ac4fb2..1766d3d13 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\pubprn.vbs" and tgt.process.cmdline contains "script:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md index 5d0469f67..bb17d3a84 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\register_app.vbs" and tgt.process.cmdline contains "-register")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md index bf067f6a1..7e0a5cf8f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\replace.exe" and (tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/a" or tgt.process.cmdline contains "–a" or tgt.process.cmdline contains "—a" or tgt.process.cmdline contains "―a"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md index 462927c78..15a9d4eab 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\runexehelper.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md index 84620eb3b..16063785e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Runscripthelper.exe" and tgt.process.cmdline contains "surfacecheck")) | columns tgt.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md index 4dce4b1f7..9ddd13064 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\")) and (src.process.cmdline contains "cmd.exe /c" and src.process.cmdline contains "RoamDiag.cmd" and src.process.cmdline contains "-outputpath"))) | columns TargetFilename,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md index 47f0eb6cc..0d3e56edd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sftp.exe" and (tgt.process.cmdline contains " -D .." or tgt.process.cmdline contains " -D C:\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md index 135252c6c..a5c614cf8 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-i" or tgt.process.cmdline contains "/install" or tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/add-driver" or tgt.process.cmdline contains ".inf") and tgt.process.image.path contains "\pnputil.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md index 781fb91f7..d15164f66 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "grpconv.exe -o" or tgt.process.cmdline contains "grpconv -o")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md index ee66bbb72..e9ea09360 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqldumper.exe" and (tgt.process.cmdline contains "0x0110" or tgt.process.cmdline contains "0x01100:40"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md index aa160d01c..d37812c0b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SyncAppvPublishingServer.vbs" and tgt.process.cmdline contains ";")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md index 1d3e5b5ee..bc77cba73 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\tracker.exe" or tgt.process.displayName="Tracker") and (tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " /c ")) and (not (tgt.process.cmdline contains " /ERRORREPORT:PROMPT " or (src.process.image.path contains "\Msbuild\Current\Bin\MSBuild.exe" or src.process.image.path contains "\Msbuild\Current\Bin\amd64\MSBuild.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md index 6d98c9584..fdc443576 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\tttracer.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md index 71c4c259d..9393444d2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "UtilityFunctions.ps1" or tgt.process.cmdline contains "RegSnapin ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md index cdd830ff2..64e1188cf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vbc.exe" and tgt.process.image.path contains "\cvtres.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md index 2ad94f009..c1581ef25 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Windows\System32\lsass.exe" and tgt.process.image.path contains "\Windows\System32\lsass.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md index 5b91c5772..9b70ea668 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\mftrace.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md index d6a0df717..2c1f567b6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mmc.exe" and tgt.process.cmdline contains "-Embedding")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md index 540cbaf8b..f49225600 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\mmc.exe" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe") or tgt.process.image.path contains "\BITSADMIN"))) | columns tgt.process.cmdline,tgt.process.image.path,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md index 10191b10e..2712f3ffb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\MpCmdRun.exe" or tgt.process.image.path contains "\NisSrv.exe") and (not (tgt.process.image.path contains "C:\Program Files (x86)\Windows Defender\" or tgt.process.image.path contains "C:\Program Files\Microsoft Security Client\" or tgt.process.image.path contains "C:\Program Files\Windows Defender\" or tgt.process.image.path contains "C:\ProgramData\Microsoft\Windows Defender\Platform\" or tgt.process.image.path contains "C:\Windows\WinSxS\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md index 27ff12c83..fb0551ba7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Wscript." and tgt.process.cmdline contains ".Shell" and tgt.process.cmdline contains ".Run")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md index 2c11eda64..fa7f4aeb0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mshta.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md index be846ff97..d82dd8cdb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\mshta.exe" and (tgt.process.cmdline contains "vbscript" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".lnk" or tgt.process.cmdline contains ".xls" or tgt.process.cmdline contains ".doc" or tgt.process.cmdline contains ".zip" or tgt.process.cmdline contains ".dll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md index 7d7398b63..0df748fe7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (src.process.cmdline contains "MsiExec.exe" and src.process.cmdline contains "-Embedding ")) and (not ((tgt.process.image.path contains ":\Windows\System32\cmd.exe" and tgt.process.cmdline contains "C:\Program Files\SplunkUniversalForwarder\bin\") or (tgt.process.cmdline contains "\DismFoDInstall.cmd" or (src.process.cmdline contains "\MsiExec.exe -Embedding " and src.process.cmdline contains "Global\MSI0000")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md index 5a4ff919c..e92232208 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\msiexec.exe" and (tgt.process.cmdline contains " -y" or tgt.process.cmdline contains " /y" or tgt.process.cmdline contains " –y" or tgt.process.cmdline contains " —y" or tgt.process.cmdline contains " ―y")) and (not (tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" /Y C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y C:\Windows\CCM\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md index c922d6c3f..cbc4fc843 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " msiexec" and tgt.process.cmdline contains "://")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md index 885471184..ac838fc73 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\msra.exe" and src.process.cmdline contains "msra.exe" and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\route.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\whoami.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md index ffe675e4a..5ac81498e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\wsl.exe")) and (not (src.process.image.path contains "C:\Program Files\Microsoft SQL Server\" and src.process.image.path contains "DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\cmd.exe\" ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md index b3809f3de..6bb0ea9b3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and src.process.cmdline contains "VEEAMSQL") and (((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "-ex " or tgt.process.cmdline contains "bypass" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "copy ")) or (tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\whoami.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md index df5081f6a..fcd4dd6cd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "noconsentprompt" and tgt.process.cmdline contains "shadow:"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md
index f24c474e9..827e0b83c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\msxsl.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md
index a4ebf8145..0a10c9e00 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\msxsl.exe" and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md
index c853f33c4..ffd250fb7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\node.exe" and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " --eval ")) and (tgt.process.cmdline contains ".exec(" and tgt.process.cmdline contains "net.socket" and tgt.process.cmdline contains ".connect" and tgt.process.cmdline contains "child_process")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md
index c86625fb7..556c6329b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Adobe Creative Cloud Experience\libs\node.exe" and (not tgt.process.cmdline contains "Adobe Creative Cloud Experience\js"))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md
index 1fe9e5688..f2dafc41b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "nslookup" and tgt.process.cmdline contains "_ldap._tcp.dc._msdcs."))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md
index d9729c1aa..3efbe847b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\ntdsutil.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md
index 3e8fbf1c9..00a46337d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\odbcconf.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md
index cc603d06e..844ad252e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\onenote.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and (tgt.process.cmdline contains "\exported\" or tgt.process.cmdline contains "\onenoteofflinecache_files\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md
index 291c98bdb..53d3ef9cd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Outlook\Security\EnableUnsafeClientMailRules")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md
index 7caf75676..20af8991a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\Temporary Internet Files\Content.Outlook\")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md
index 68ea86f09..d8610b0d3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\OUTLOOK.EXE" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\msbuild.exe" or tgt.process.image.path contains "\msdt.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md
index 4faf39283..016148ed8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\outlook.exe" and tgt.process.image.path contains "\\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md
index 4cd1442e7..89d38bb29 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WINWORD.EXE" or src.process.image.path contains "\EXCEL.EXE" or src.process.image.path contains "\POWERPNT.exe" or src.process.image.path contains "\MSPUB.exe" or src.process.image.path contains "\VISIO.exe" or src.process.image.path contains "\MSACCESS.exe" or src.process.image.path contains "\EQNEDT32.exe") and tgt.process.image.path contains "C:\users\" and tgt.process.image.path contains ".exe") and (not tgt.process.image.path contains "\Teams.exe"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md
index 1890103d1..90877f38b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\PDQDeployRunner-" and ((tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\TEMP\" or tgt.process.image.path contains "\AppData\Local\Temp") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -encodedcommand " or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "http" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md
index c8fb76d41..67319efe4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ping.exe" and tgt.process.cmdline contains "0x")) | columns src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md
index 0919b55f1..5953afd77 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Command-line SSH, Telnet, and Rlogin client" and tgt.process.cmdline contains " -R "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md
index 6d43665ba..ed0793918 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":127.0.0.1:3389") or ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":3389") and (tgt.process.cmdline contains " -P 443" or tgt.process.cmdline contains " -P 22"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md
index e1f92f97c..735a45310 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "System.Management.Automation.AmsiUtils" and tgt.process.cmdline contains "amsiInitFailed") or (tgt.process.cmdline contains "[Ref].Assembly.GetType" and tgt.process.cmdline contains "SetValue($null,$true)" and tgt.process.cmdline contains "NonPublic,Static")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md
index f9ff96db2..7ecef5f33 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "if(0){{{0}}}' -f $(0 -as [char]) +" or tgt.process.cmdline contains "#"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md
index 3b78d1fe2..8f0fc27b4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WindowsAudioDevice-Powershell-Cmdlet" or tgt.process.cmdline contains "Toggle-AudioDevice" or tgt.process.cmdline contains "Get-AudioDevice " or tgt.process.cmdline contains "Set-AudioDevice " or tgt.process.cmdline contains "Write-AudioDevice "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md
index eda950e31..c9470126b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IAAtAGIAeABvAHIAIAAwAHgA" or tgt.process.cmdline contains "AALQBiAHgAbwByACAAMAB4A" or tgt.process.cmdline contains "gAC0AYgB4AG8AcgAgADAAeA" or tgt.process.cmdline contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or tgt.process.cmdline contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or tgt.process.cmdline contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md
index 949e41995..f4f3588ee 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OjpGcm9tQmFzZTY0U3RyaW5n" or tgt.process.cmdline contains "o6RnJvbUJhc2U2NFN0cmluZ" or tgt.process.cmdline contains "6OkZyb21CYXNlNjRTdHJpbm" or (tgt.process.cmdline contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or tgt.process.cmdline contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or tgt.process.cmdline contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md
index 739bd7e84..48abeac12 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "SUVYIChb" or tgt.process.cmdline contains "lFWCAoW" or tgt.process.cmdline contains "JRVggKF" or tgt.process.cmdline contains "aWV4IChb" or tgt.process.cmdline contains "lleCAoW" or tgt.process.cmdline contains "pZXggKF" or tgt.process.cmdline contains "aWV4IChOZX" or tgt.process.cmdline contains "lleCAoTmV3" or tgt.process.cmdline contains "pZXggKE5ld" or tgt.process.cmdline contains "SUVYIChOZX" or tgt.process.cmdline contains "lFWCAoTmV3" or tgt.process.cmdline contains "JRVggKE5ld" or tgt.process.cmdline contains "SUVYKF" or tgt.process.cmdline contains "lFWChb" or tgt.process.cmdline contains "JRVgoW" or tgt.process.cmdline contains "aWV4KF" or tgt.process.cmdline contains "lleChb" or tgt.process.cmdline contains "pZXgoW" or tgt.process.cmdline contains "aWV4KE5ld" or tgt.process.cmdline contains "lleChOZX" or tgt.process.cmdline contains "pZXgoTmV3" or tgt.process.cmdline contains "SUVYKE5ld" or tgt.process.cmdline contains "lFWChOZX" or tgt.process.cmdline contains "JRVgoTmV3" or tgt.process.cmdline contains "SUVYKCgn" or tgt.process.cmdline contains "lFWCgoJ" or tgt.process.cmdline contains "JRVgoKC" or tgt.process.cmdline contains "aWV4KCgn" or tgt.process.cmdline contains "lleCgoJ" or tgt.process.cmdline contains "pZXgoKC") or (tgt.process.cmdline contains "SQBFAFgAIAAoAFsA" or tgt.process.cmdline contains "kARQBYACAAKABbA" or tgt.process.cmdline contains "JAEUAWAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAFsA" or tgt.process.cmdline contains "kAZQB4ACAAKABbA" or tgt.process.cmdline contains "pAGUAeAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kAZQB4ACAAKABOAGUAdw" or tgt.process.cmdline contains "pAGUAeAAgACgATgBlAHcA" or 
tgt.process.cmdline contains "SQBFAFgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kARQBYACAAKABOAGUAdw" or tgt.process.cmdline contains "JAEUAWAAgACgATgBlAHcA"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md index fb577071a..220ac7e6a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "QWRkLU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "BZGQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "U2V0LU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "TZXQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "YWRkLW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "hZGQtbXBwcmVmZXJlbmNlI" or tgt.process.cmdline contains "c2V0LW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "zZXQtbXBwcmVmZXJlbmNlI") or (tgt.process.cmdline contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md
index 1c066cc75..64377c97b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or tgt.process.cmdline contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or tgt.process.cmdline contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or tgt.process.cmdline contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or tgt.process.cmdline contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA")) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md index b5b1e0b6d..d4309683c 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA")) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md index 7974c1ae1..9c2a429f2 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SyncInvoke ")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md
index a22303d37..5ecffe802 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "LoadAssemblyFromPath " or tgt.process.cmdline contains "LoadAssemblyFromNS "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md
index 7849ce888..73d19ad29 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\powershell.exe" and tgt.process.cmdline contains " -nologo -windowstyle minimized -file ") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Windows\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
index 39537fb6f..d988ce1d9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
index 5d1e79efb..0bdd7a455 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "GZipStream" and tgt.process.cmdline contains "::Decompress"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
index eac46990a..07d33fd6b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains "DisableArchiveScanning " or tgt.process.cmdline contains "DisableRealtimeMonitoring " or tgt.process.cmdline contains "DisableIOAVProtection " or tgt.process.cmdline contains "DisableBehaviorMonitoring " or tgt.process.cmdline contains "DisableBlockAtFirstSeen " or tgt.process.cmdline contains "DisableCatchupFullScan " or tgt.process.cmdline contains "DisableCatchupQuickScan ") and (tgt.process.cmdline contains "$true" or tgt.process.cmdline contains " 1 ")) or ((tgt.process.cmdline contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or tgt.process.cmdline contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or tgt.process.cmdline contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or tgt.process.cmdline contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or tgt.process.cmdline contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or tgt.process.cmdline 
contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or tgt.process.cmdline contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or tgt.process.cmdline contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or tgt.process.cmdline contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or tgt.process.cmdline contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or tgt.process.cmdline contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI") or (tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains 
"RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or tgt.process.cmdline contains 
"kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md index 34f3e3e6a..c371b8f25 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains " -ExclusionPath " or tgt.process.cmdline contains " -ExclusionExtension " or tgt.process.cmdline contains " -ExclusionProcess " or tgt.process.cmdline contains " -ExclusionIpAddress "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md index 50719a2e3..c0f51c2a4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -name IEHarden " and tgt.process.cmdline contains " -value 0 ") or (tgt.process.cmdline contains " -name DEPOff " and tgt.process.cmdline contains " -value 1 ") or (tgt.process.cmdline contains " -name DisableFirstRunCustomize " and tgt.process.cmdline contains " -value 2 "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md index 930e6fa58..fb6abdb12 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains " -version 2 " or tgt.process.cmdline contains " -versio 2 " or tgt.process.cmdline contains " -versi 2 " or tgt.process.cmdline contains " -vers 2 " or tgt.process.cmdline contains " -ver 2 " or tgt.process.cmdline contains " -ve 2 " or tgt.process.cmdline contains " -v 2 "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md index 8c64d4940..f7aaa53e8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[Type]::GetTypeFromCLSID(" and (tgt.process.cmdline contains "0002DF01-0000-0000-C000-000000000046" or tgt.process.cmdline contains "F6D90F16-9C73-11D3-B32E-00C04F990BB4" or tgt.process.cmdline contains "F5078F35-C551-11D3-89B9-0000F81FE221" or tgt.process.cmdline contains "88d96a0a-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "AFBA6B42-5692-48EA-8141-DC517DCF0EF1" or tgt.process.cmdline contains "AFB40FFD-B609-40A3-9828-F88BBE11E4E3" or tgt.process.cmdline contains "88d96a0b-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "2087c2f4-2cef-4953-a8ab-66779b670495" or tgt.process.cmdline contains "000209FF-0000-0000-C000-000000000046" or tgt.process.cmdline contains "00024500-0000-0000-C000-000000000046"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md index 1cd0e4e88..17b44b452 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "http://127.0.0.1" and tgt.process.cmdline contains "%{(IRM $_)}" and tgt.process.cmdline contains ".SubString.ToString()[67,72,64]-Join" and tgt.process.cmdline contains "Import-Module"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md index aad4c5d9a..b0da296ba 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md index 01c42191e..b5ae4b8ba 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "IWR ") and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "OutFile" and tgt.process.cmdline contains ".dll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md index eba3151a6..33e2f1bf1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr ") and (tgt.process.cmdline contains ";iex $" or tgt.process.cmdline contains "| IEX" or tgt.process.cmdline contains "|IEX " or tgt.process.cmdline contains "I`E`X" or tgt.process.cmdline contains "I`EX" or tgt.process.cmdline contains "IE`X" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "IEX (" or tgt.process.cmdline contains "IEX(" or tgt.process.cmdline contains "Invoke-Expression"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md index ed7db7e54..89d84abde 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-ADDBSidHistory" or tgt.process.cmdline contains "Add-ADNgcKey" or tgt.process.cmdline contains "Add-ADReplNgcKey" or tgt.process.cmdline contains "ConvertFrom-ADManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-GPPrefPassword" or tgt.process.cmdline contains "ConvertFrom-ManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-UnattendXmlPassword" or tgt.process.cmdline contains "ConvertFrom-UnicodePassword" or tgt.process.cmdline contains "ConvertTo-AADHash" or tgt.process.cmdline contains "ConvertTo-GPPrefPassword" or tgt.process.cmdline contains "ConvertTo-KerberosKey" or tgt.process.cmdline contains "ConvertTo-LMHash" or tgt.process.cmdline contains "ConvertTo-MsoPasswordHash" or tgt.process.cmdline contains "ConvertTo-NTHash" or tgt.process.cmdline contains "ConvertTo-OrgIdHash" or tgt.process.cmdline contains "ConvertTo-UnicodePassword" or tgt.process.cmdline contains "Disable-ADDBAccount" or tgt.process.cmdline contains "Enable-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBBackupKey" or tgt.process.cmdline contains "Get-ADDBDomainController" or tgt.process.cmdline contains "Get-ADDBGroupManagedServiceAccount" or tgt.process.cmdline contains "Get-ADDBKdsRootKey" or tgt.process.cmdline contains "Get-ADDBSchemaAttribute" or tgt.process.cmdline contains "Get-ADDBServiceAccount" or tgt.process.cmdline contains "Get-ADDefaultPasswordPolicy" or tgt.process.cmdline contains "Get-ADKeyCredential" or tgt.process.cmdline contains "Get-ADPasswordPolicy" or tgt.process.cmdline contains "Get-ADReplAccount" or tgt.process.cmdline contains "Get-ADReplBackupKey" or tgt.process.cmdline contains "Get-ADReplicationAccount" or 
tgt.process.cmdline contains "Get-ADSIAccount" or tgt.process.cmdline contains "Get-AzureADUserEx" or tgt.process.cmdline contains "Get-BootKey" or tgt.process.cmdline contains "Get-KeyCredential" or tgt.process.cmdline contains "Get-LsaBackupKey" or tgt.process.cmdline contains "Get-LsaPolicy" or tgt.process.cmdline contains "Get-SamPasswordPolicy" or tgt.process.cmdline contains "Get-SysKey" or tgt.process.cmdline contains "Get-SystemKey" or tgt.process.cmdline contains "New-ADDBRestoreFromMediaScript" or tgt.process.cmdline contains "New-ADKeyCredential" or tgt.process.cmdline contains "New-ADNgcKey" or tgt.process.cmdline contains "New-NTHashSet" or tgt.process.cmdline contains "Remove-ADDBObject" or tgt.process.cmdline contains "Save-DPAPIBlob" or tgt.process.cmdline contains "Set-ADAccountPasswordHash" or tgt.process.cmdline contains "Set-ADDBAccountPassword" or tgt.process.cmdline contains "Set-ADDBBootKey" or tgt.process.cmdline contains "Set-ADDBDomainController" or tgt.process.cmdline contains "Set-ADDBPrimaryGroup" or tgt.process.cmdline contains "Set-ADDBSysKey" or tgt.process.cmdline contains "Set-AzureADUserEx" or tgt.process.cmdline contains "Set-LsaPolicy" or tgt.process.cmdline contains "Set-SamAccountPasswordHash" or tgt.process.cmdline contains "Set-WinUserPasswordHash" or tgt.process.cmdline contains "Test-ADDBPasswordQuality" or tgt.process.cmdline contains "Test-ADPasswordQuality" or tgt.process.cmdline contains "Test-ADReplPasswordQuality" or tgt.process.cmdline contains "Test-PasswordQuality" or tgt.process.cmdline contains "Unlock-ADDBAccount" or tgt.process.cmdline contains "Write-ADNgcKey" or tgt.process.cmdline contains "Write-ADReplNgcKey")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md index 087de9ab3..068d18b2f 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Add-PSSnapin" and tgt.process.cmdline contains "Get-Recipient" and tgt.process.cmdline contains "-ExpandProperty" and tgt.process.cmdline contains "EmailAddresses" and tgt.process.cmdline contains "SmtpAddress" and tgt.process.cmdline contains "-hidetableheaders"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md index b07dd6467..c5e981173 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Enable-WindowsOptionalFeature" and tgt.process.cmdline contains "-Online" and tgt.process.cmdline contains "-FeatureName") and (tgt.process.cmdline contains "TelnetServer" or tgt.process.cmdline contains "Internet-Explorer-Optional-amd64" or tgt.process.cmdline contains "TFTP" or tgt.process.cmdline contains "SMB1Protocol" or tgt.process.cmdline contains "Client-ProjFS" or tgt.process.cmdline contains "Microsoft-Windows-Subsystem-Linux"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md index 134b43351..af0a247b9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -enco" or tgt.process.cmdline contains " -ec ")) and (not (tgt.process.cmdline contains " -Encoding " or (src.process.image.path contains "C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or src.process.image.path contains "\gc_worker.exe"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md index e4bc9c889..d020fc6fa 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-Expression " or tgt.process.cmdline contains "Invoke-Command " or tgt.process.cmdline contains "icm ") and (tgt.process.cmdline contains "cat " or tgt.process.cmdline contains "get-content " or tgt.process.cmdline contains "type ") and tgt.process.cmdline contains " -raw")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md index 7d273d2bc..ae3719f96 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Export-PfxCertificate " or tgt.process.cmdline contains "Export-Certificate ")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md index e54fe5a81..6e27256a7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::FromBase64String(") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md index f9b398690..aeb899bae 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "FromBase64String" and tgt.process.cmdline contains "MemoryStream" and tgt.process.cmdline contains "H4sI")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md index 9271c21f5..5c061457b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Get-Clipboard") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md index e84880c17..af07630b7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-LocalGroupMember " and (tgt.process.cmdline contains "domain admins" or tgt.process.cmdline contains " administrator" or tgt.process.cmdline contains " administrateur" or tgt.process.cmdline contains "enterprise admins" or tgt.process.cmdline contains "Exchange Trusted Subsystem" or tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md index b8a377eec..cc63516f6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-Process lsas" or tgt.process.cmdline contains "ps lsas" or tgt.process.cmdline contains "gps lsas"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
index 74b657345..ce2c81fa7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " | iex;" or tgt.process.cmdline contains " | iex " or tgt.process.cmdline contains " | iex}" or tgt.process.cmdline contains " | IEX ;" or tgt.process.cmdline contains " | IEX -Error" or tgt.process.cmdline contains " | IEX (new" or tgt.process.cmdline contains ");IEX ")) and (tgt.process.cmdline contains "::FromBase64String" or tgt.process.cmdline contains ".GetString([System.Convert]::")) or (tgt.process.cmdline contains ")|iex;$" or tgt.process.cmdline contains ");iex($" or tgt.process.cmdline contains ");iex $" or tgt.process.cmdline contains " | IEX | " or tgt.process.cmdline contains " | iex\\"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
index e5a709f9c..fb5276c59 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Import-Certificate" and tgt.process.cmdline contains " -FilePath " and tgt.process.cmdline contains "Cert:\LocalMachine\Root") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains ":\Windows\TEMP\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
index 26c96fd50..4d618848d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Import-Module \"$Env:Temp\" or tgt.process.cmdline contains "Import-Module '$Env:Temp\" or tgt.process.cmdline contains "Import-Module $Env:Temp\" or tgt.process.cmdline contains "Import-Module \"$Env:Appdata\" or tgt.process.cmdline contains "Import-Module '$Env:Appdata\" or tgt.process.cmdline contains "Import-Module $Env:Appdata\" or tgt.process.cmdline contains "Import-Module C:\Users\Public\" or tgt.process.cmdline contains "ipmo \"$Env:Temp\" or tgt.process.cmdline contains "ipmo '$Env:Temp\" or tgt.process.cmdline contains "ipmo $Env:Temp\" or tgt.process.cmdline contains "ipmo \"$Env:Appdata\" or tgt.process.cmdline contains "ipmo '$Env:Appdata\" or tgt.process.cmdline contains "ipmo $Env:Appdata\" or tgt.process.cmdline contains "ipmo C:\Users\Public\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
index bb5225839..1390c9438 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "[Convert]::FromBase64String") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-noni" and tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-ep" and tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-Enc") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "\software\") or (tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-noprofile" and tgt.process.cmdline contains "-windowstyle" and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "system.net.webclient" and tgt.process.cmdline contains ".download") or (tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object" and tgt.process.cmdline contains "Net.WebClient" and tgt.process.cmdline contains ".Download")) and (not (tgt.process.cmdline contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or tgt.process.cmdline contains "Write-ChocolateyWarning"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
index bed323952..f435a92ac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-MailboxExportRequest" and tgt.process.cmdline contains " -Mailbox " and tgt.process.cmdline contains " -FilePath \\")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
index c56268423..12e5ce96e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-Exfiltration" or tgt.process.cmdline contains "Add-Persistence" or tgt.process.cmdline contains "Add-RegBackdoor" or tgt.process.cmdline contains "Add-RemoteRegBackdoor" or tgt.process.cmdline contains "Add-ScrnSaveBackdoor" or tgt.process.cmdline contains "Check-VM" or tgt.process.cmdline contains "ConvertTo-Rc4ByteStream" or tgt.process.cmdline contains "Decrypt-Hash" or tgt.process.cmdline contains "Disable-ADIDNSNode" or tgt.process.cmdline contains "Disable-MachineAccount" or tgt.process.cmdline contains "Do-Exfiltration" or tgt.process.cmdline contains "Enable-ADIDNSNode" or tgt.process.cmdline contains "Enable-MachineAccount" or tgt.process.cmdline contains "Enabled-DuplicateToken" or tgt.process.cmdline contains "Exploit-Jboss" or tgt.process.cmdline contains "Export-ADR" or tgt.process.cmdline contains "Export-ADRCSV" or tgt.process.cmdline contains "Export-ADRExcel" or tgt.process.cmdline contains "Export-ADRHTML" or tgt.process.cmdline contains "Export-ADRJSON" or tgt.process.cmdline contains "Export-ADRXML" or tgt.process.cmdline contains "Find-Fruit" or tgt.process.cmdline contains "Find-GPOLocation" or tgt.process.cmdline contains "Find-TrustedDocuments" or tgt.process.cmdline contains "Get-ADIDNS" or tgt.process.cmdline contains "Get-ApplicationHost" or tgt.process.cmdline contains "Get-ChromeDump" or tgt.process.cmdline contains "Get-ClipboardContents" or tgt.process.cmdline contains "Get-FoxDump" or tgt.process.cmdline contains "Get-GPPPassword" or tgt.process.cmdline contains "Get-IndexedItem" or tgt.process.cmdline contains "Get-KerberosAESKey" or tgt.process.cmdline contains "Get-Keystrokes" or tgt.process.cmdline contains "Get-LSASecret" or tgt.process.cmdline contains 
"Get-MachineAccountAttribute" or tgt.process.cmdline contains "Get-MachineAccountCreator" or tgt.process.cmdline contains "Get-PassHashes" or tgt.process.cmdline contains "Get-RegAlwaysInstallElevated" or tgt.process.cmdline contains "Get-RegAutoLogon" or tgt.process.cmdline contains "Get-RemoteBootKey" or tgt.process.cmdline contains "Get-RemoteCachedCredential" or tgt.process.cmdline contains "Get-RemoteLocalAccountHash" or tgt.process.cmdline contains "Get-RemoteLSAKey" or tgt.process.cmdline contains "Get-RemoteMachineAccountHash" or tgt.process.cmdline contains "Get-RemoteNLKMKey" or tgt.process.cmdline contains "Get-RickAstley" or tgt.process.cmdline contains "Get-Screenshot" or tgt.process.cmdline contains "Get-SecurityPackages" or tgt.process.cmdline contains "Get-ServiceFilePermission" or tgt.process.cmdline contains "Get-ServicePermission" or tgt.process.cmdline contains "Get-ServiceUnquoted" or tgt.process.cmdline contains "Get-SiteListPassword" or tgt.process.cmdline contains "Get-System" or tgt.process.cmdline contains "Get-TimedScreenshot" or tgt.process.cmdline contains "Get-UnattendedInstallFile" or tgt.process.cmdline contains "Get-Unconstrained" or tgt.process.cmdline contains "Get-USBKeystrokes" or tgt.process.cmdline contains "Get-VaultCredential" or tgt.process.cmdline contains "Get-VulnAutoRun" or tgt.process.cmdline contains "Get-VulnSchTask" or tgt.process.cmdline contains "Grant-ADIDNSPermission" or tgt.process.cmdline contains "Gupt-Backdoor" or tgt.process.cmdline contains "HTTP-Login" or tgt.process.cmdline contains "Install-ServiceBinary" or tgt.process.cmdline contains "Install-SSP" or tgt.process.cmdline contains "Invoke-ACLScanner" or tgt.process.cmdline contains "Invoke-ADRecon" or tgt.process.cmdline contains "Invoke-ADSBackdoor" or tgt.process.cmdline contains "Invoke-AgentSmith" or tgt.process.cmdline contains "Invoke-AllChecks" or tgt.process.cmdline contains "Invoke-ARPScan" or tgt.process.cmdline contains "Invoke-AzureHound" 
or tgt.process.cmdline contains "Invoke-BackdoorLNK" or tgt.process.cmdline contains "Invoke-BadPotato" or tgt.process.cmdline contains "Invoke-BetterSafetyKatz" or tgt.process.cmdline contains "Invoke-BypassUAC" or tgt.process.cmdline contains "Invoke-Carbuncle" or tgt.process.cmdline contains "Invoke-Certify" or tgt.process.cmdline contains "Invoke-ConPtyShell" or tgt.process.cmdline contains "Invoke-CredentialInjection" or tgt.process.cmdline contains "Invoke-DAFT" or tgt.process.cmdline contains "Invoke-DCSync" or tgt.process.cmdline contains "Invoke-DinvokeKatz" or tgt.process.cmdline contains "Invoke-DllInjection" or tgt.process.cmdline contains "Invoke-DNSUpdate" or tgt.process.cmdline contains "Invoke-DomainPasswordSpray" or tgt.process.cmdline contains "Invoke-DowngradeAccount" or tgt.process.cmdline contains "Invoke-EgressCheck" or tgt.process.cmdline contains "Invoke-Eyewitness" or tgt.process.cmdline contains "Invoke-FakeLogonScreen" or tgt.process.cmdline contains "Invoke-Farmer" or tgt.process.cmdline contains "Invoke-Get-RBCD-Threaded" or tgt.process.cmdline contains "Invoke-Gopher" or tgt.process.cmdline contains "Invoke-Grouper" or tgt.process.cmdline contains "Invoke-HandleKatz" or tgt.process.cmdline contains "Invoke-ImpersonatedProcess" or tgt.process.cmdline contains "Invoke-ImpersonateSystem" or tgt.process.cmdline contains "Invoke-InteractiveSystemPowerShell" or tgt.process.cmdline contains "Invoke-Internalmonologue" or tgt.process.cmdline contains "Invoke-Inveigh" or tgt.process.cmdline contains "Invoke-InveighRelay" or tgt.process.cmdline contains "Invoke-KrbRelay" or tgt.process.cmdline contains "Invoke-LdapSignCheck" or tgt.process.cmdline contains "Invoke-Lockless" or tgt.process.cmdline contains "Invoke-MalSCCM" or tgt.process.cmdline contains "Invoke-Mimikatz" or tgt.process.cmdline contains "Invoke-Mimikittenz" or tgt.process.cmdline contains "Invoke-MITM6" or tgt.process.cmdline contains "Invoke-NanoDump" or tgt.process.cmdline 
contains "Invoke-NetRipper" or tgt.process.cmdline contains "Invoke-Nightmare" or tgt.process.cmdline contains "Invoke-NinjaCopy" or tgt.process.cmdline contains "Invoke-OfficeScrape" or tgt.process.cmdline contains "Invoke-OxidResolver" or tgt.process.cmdline contains "Invoke-P0wnedshell" or tgt.process.cmdline contains "Invoke-Paranoia" or tgt.process.cmdline contains "Invoke-PortScan" or tgt.process.cmdline contains "Invoke-PoshRatHttp" or tgt.process.cmdline contains "Invoke-PostExfil" or tgt.process.cmdline contains "Invoke-PowerDump" or tgt.process.cmdline contains "Invoke-PowerShellTCP" or tgt.process.cmdline contains "Invoke-PowerShellWMI" or tgt.process.cmdline contains "Invoke-PPLDump" or tgt.process.cmdline contains "Invoke-PsExec" or tgt.process.cmdline contains "Invoke-PSInject" or tgt.process.cmdline contains "Invoke-PsUaCme" or tgt.process.cmdline contains "Invoke-ReflectivePEInjection" or tgt.process.cmdline contains "Invoke-ReverseDNSLookup" or tgt.process.cmdline contains "Invoke-Rubeus" or tgt.process.cmdline contains "Invoke-RunAs" or tgt.process.cmdline contains "Invoke-SafetyKatz" or tgt.process.cmdline contains "Invoke-SauronEye" or tgt.process.cmdline contains "Invoke-SCShell" or tgt.process.cmdline contains "Invoke-Seatbelt" or tgt.process.cmdline contains "Invoke-ServiceAbuse" or tgt.process.cmdline contains "Invoke-ShadowSpray" or tgt.process.cmdline contains "Invoke-Sharp" or tgt.process.cmdline contains "Invoke-Shellcode" or tgt.process.cmdline contains "Invoke-SMBScanner" or tgt.process.cmdline contains "Invoke-Snaffler" or tgt.process.cmdline contains "Invoke-Spoolsample" or tgt.process.cmdline contains "Invoke-SpraySinglePassword" or tgt.process.cmdline contains "Invoke-SSHCommand" or tgt.process.cmdline contains "Invoke-StandIn" or tgt.process.cmdline contains "Invoke-StickyNotesExtract" or tgt.process.cmdline contains "Invoke-SystemCommand" or tgt.process.cmdline contains "Invoke-Tasksbackdoor" or tgt.process.cmdline contains 
"Invoke-Tater" or tgt.process.cmdline contains "Invoke-Thunderfox" or tgt.process.cmdline contains "Invoke-ThunderStruck" or tgt.process.cmdline contains "Invoke-TokenManipulation" or tgt.process.cmdline contains "Invoke-Tokenvator" or tgt.process.cmdline contains "Invoke-TotalExec" or tgt.process.cmdline contains "Invoke-UrbanBishop" or tgt.process.cmdline contains "Invoke-UserHunter" or tgt.process.cmdline contains "Invoke-VoiceTroll" or tgt.process.cmdline contains "Invoke-Whisker" or tgt.process.cmdline contains "Invoke-WinEnum" or tgt.process.cmdline contains "Invoke-winPEAS" or tgt.process.cmdline contains "Invoke-WireTap" or tgt.process.cmdline contains "Invoke-WmiCommand" or tgt.process.cmdline contains "Invoke-WMIExec" or tgt.process.cmdline contains "Invoke-WScriptBypassUAC" or tgt.process.cmdline contains "Invoke-Zerologon" or tgt.process.cmdline contains "MailRaider" or tgt.process.cmdline contains "New-ADIDNSNode" or tgt.process.cmdline contains "New-DNSRecordArray" or tgt.process.cmdline contains "New-HoneyHash" or tgt.process.cmdline contains "New-InMemoryModule" or tgt.process.cmdline contains "New-MachineAccount" or tgt.process.cmdline contains "New-SOASerialNumberArray" or tgt.process.cmdline contains "Out-Minidump" or tgt.process.cmdline contains "Port-Scan" or tgt.process.cmdline contains "PowerBreach" or tgt.process.cmdline contains "powercat " or tgt.process.cmdline contains "PowerUp" or tgt.process.cmdline contains "PowerView" or tgt.process.cmdline contains "Remove-ADIDNSNode" or tgt.process.cmdline contains "Remove-MachineAccount" or tgt.process.cmdline contains "Remove-Update" or tgt.process.cmdline contains "Rename-ADIDNSNode" or tgt.process.cmdline contains "Revoke-ADIDNSPermission" or tgt.process.cmdline contains "Set-ADIDNSNode" or tgt.process.cmdline contains "Set-MacAttribute" or tgt.process.cmdline contains "Set-MachineAccountAttribute" or tgt.process.cmdline contains "Set-Wallpaper" or tgt.process.cmdline contains 
"Show-TargetScreen" or tgt.process.cmdline contains "Start-CaptureServer" or tgt.process.cmdline contains "Start-Dnscat2" or tgt.process.cmdline contains "Start-WebcamRecorder" or tgt.process.cmdline contains "VolumeShadowCopyTools"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
index 52302e55d..bc33967a2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Install-TransportAgent") | columns AssemblyPath
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
index c7d43c3c5..712762eea 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "(WCHAR)0x")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
index 9c67923e3..a0ffb0e2c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "-f C:\Users\Public" or tgt.process.cmdline contains "-f \"C:\Users\Public" or tgt.process.cmdline contains "-f %Public%" or tgt.process.cmdline contains "-fi C:\Users\Public" or tgt.process.cmdline contains "-fi \"C:\Users\Public" or tgt.process.cmdline contains "-fi %Public%" or tgt.process.cmdline contains "-fil C:\Users\Public" or tgt.process.cmdline contains "-fil \"C:\Users\Public" or tgt.process.cmdline contains "-fil %Public%" or tgt.process.cmdline contains "-file C:\Users\Public" or tgt.process.cmdline contains "-file \"C:\Users\Public" or tgt.process.cmdline contains "-file %Public%"))) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
index 8ad1b97ca..5681225c1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisableme"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
index 97f597e63..322c14b8f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Remove-MpPreference" and (tgt.process.cmdline contains "-ControlledFolderAccessProtectedFolders " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Ids " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Actions " or tgt.process.cmdline contains "-CheckForSignaturesBeforeRunningScan ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
index 2478eb83b..2640f0a07 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Get-Content" and tgt.process.cmdline contains "-Stream")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
index 02f9d8d49..07851bb1c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline matches "\\s-\\s*<"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
index e2b8c20d8..31352ef5b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\HarddiskVolumeShadowCopy" and tgt.process.cmdline contains "System32\config\sam") and (tgt.process.cmdline contains "Copy-Item" or tgt.process.cmdline contains "cp $_." or tgt.process.cmdline contains "cpi $_." or tgt.process.cmdline contains "copy $_." or tgt.process.cmdline contains ".File]::Copy(")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
index 85657fbb0..98e1b42c4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not tgt.process.image.path contains "\Health Service State\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
index a19e1b9a6..70e980c14 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Get-WmiObject" or tgt.process.cmdline contains "gwmi" or tgt.process.cmdline contains "Get-CimInstance" or tgt.process.cmdline contains "gcim") and tgt.process.cmdline contains "Win32_ShadowCopy" and (tgt.process.cmdline contains ".Delete()" or tgt.process.cmdline contains "Remove-WmiObject" or tgt.process.cmdline contains "rwmi" or tgt.process.cmdline contains "Remove-CimInstance" or tgt.process.cmdline contains "rcim")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
index 3b76699a3..009371ac7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IEX ((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX (New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX(New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains " -command (New-Object System.Net.WebClient).DownloadFile(" or tgt.process.cmdline contains " -c (New-Object System.Net.WebClient).DownloadFile("))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
index ebcf10985..f9bcf084b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -windowstyle h " or tgt.process.cmdline contains " -windowstyl h" or tgt.process.cmdline contains " -windowsty h" or tgt.process.cmdline contains " -windowst h" or tgt.process.cmdline contains " -windows h" or tgt.process.cmdline contains " -windo h" or tgt.process.cmdline contains " -wind h" or tgt.process.cmdline contains " -win h" or tgt.process.cmdline contains " -wi h" or tgt.process.cmdline contains " -win h " or tgt.process.cmdline contains " -win hi " or tgt.process.cmdline contains " -win hid " or tgt.process.cmdline contains " -win hidd " or tgt.process.cmdline contains " -win hidde " or tgt.process.cmdline contains " -NoPr " or tgt.process.cmdline contains " -NoPro " or tgt.process.cmdline contains " -NoProf " or tgt.process.cmdline contains " -NoProfi " or tgt.process.cmdline contains " -NoProfil " or tgt.process.cmdline contains " -nonin " or tgt.process.cmdline contains " -nonint " or tgt.process.cmdline contains " -noninte " or tgt.process.cmdline contains " -noninter " or tgt.process.cmdline contains " -nonintera " or tgt.process.cmdline contains " -noninterac " or tgt.process.cmdline contains " -noninteract " or tgt.process.cmdline contains " -noninteracti " or tgt.process.cmdline contains " -noninteractiv " or tgt.process.cmdline contains " -ec " or tgt.process.cmdline contains " -encodedComman " or tgt.process.cmdline contains " -encodedComma " or tgt.process.cmdline contains " -encodedComm " or tgt.process.cmdline contains " -encodedCom " or tgt.process.cmdline contains " -encodedCo " or tgt.process.cmdline contains " -encodedC " or tgt.process.cmdline contains " -encoded " or 
tgt.process.cmdline contains " -encode " or tgt.process.cmdline contains " -encod " or tgt.process.cmdline contains " -enco " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -executionpolic " or tgt.process.cmdline contains " -executionpoli " or tgt.process.cmdline contains " -executionpol " or tgt.process.cmdline contains " -executionpo " or tgt.process.cmdline contains " -executionp " or tgt.process.cmdline contains " -execution bypass" or tgt.process.cmdline contains " -executio bypass" or tgt.process.cmdline contains " -executi bypass" or tgt.process.cmdline contains " -execut bypass" or tgt.process.cmdline contains " -execu bypass" or tgt.process.cmdline contains " -exec bypass" or tgt.process.cmdline contains " -exe bypass" or tgt.process.cmdline contains " -ex bypass" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " /windowstyle h " or tgt.process.cmdline contains " /windowstyl h" or tgt.process.cmdline contains " /windowsty h" or tgt.process.cmdline contains " /windowst h" or tgt.process.cmdline contains " /windows h" or tgt.process.cmdline contains " /windo h" or tgt.process.cmdline contains " /wind h" or tgt.process.cmdline contains " /win h" or tgt.process.cmdline contains " /wi h" or tgt.process.cmdline contains " /win h " or tgt.process.cmdline contains " /win hi " or tgt.process.cmdline contains " /win hid " or tgt.process.cmdline contains " /win hidd " or tgt.process.cmdline contains " /win hidde " or tgt.process.cmdline contains " /NoPr " or tgt.process.cmdline contains " /NoPro " or tgt.process.cmdline contains " /NoProf " or tgt.process.cmdline contains " /NoProfi " or tgt.process.cmdline contains " /NoProfil " or tgt.process.cmdline contains " /nonin " or tgt.process.cmdline contains " /nonint " or tgt.process.cmdline contains " /noninte " or tgt.process.cmdline contains " /noninter " or tgt.process.cmdline contains " /nonintera " or tgt.process.cmdline contains " /noninterac " or 
tgt.process.cmdline contains " /noninteract " or tgt.process.cmdline contains " /noninteracti " or tgt.process.cmdline contains " /noninteractiv " or tgt.process.cmdline contains " /ec " or tgt.process.cmdline contains " /encodedComman " or tgt.process.cmdline contains " /encodedComma " or tgt.process.cmdline contains " /encodedComm " or tgt.process.cmdline contains " /encodedCom " or tgt.process.cmdline contains " /encodedCo " or tgt.process.cmdline contains " /encodedC " or tgt.process.cmdline contains " /encoded " or tgt.process.cmdline contains " /encode " or tgt.process.cmdline contains " /encod " or tgt.process.cmdline contains " /enco " or tgt.process.cmdline contains " /en " or tgt.process.cmdline contains " /executionpolic " or tgt.process.cmdline contains " /executionpoli " or tgt.process.cmdline contains " /executionpol " or tgt.process.cmdline contains " /executionpo " or tgt.process.cmdline contains " /executionp " or tgt.process.cmdline contains " /execution bypass" or tgt.process.cmdline contains " /executio bypass" or tgt.process.cmdline contains " /executi bypass" or tgt.process.cmdline contains " /execut bypass" or tgt.process.cmdline contains " /execu bypass" or tgt.process.cmdline contains " /exec bypass" or tgt.process.cmdline contains " /exe bypass" or tgt.process.cmdline contains " /ex bypass" or tgt.process.cmdline contains " /ep bypass")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md
index 20ec232c6..17c078ddf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "powershell.exe" or tgt.process.cmdline contains "\powershell" or tgt.process.cmdline contains "\pwsh" or tgt.process.cmdline contains "pwsh.exe") and ((tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "\AppData\") and (tgt.process.cmdline contains "Local\" or tgt.process.cmdline contains "Roaming\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md index 523fbb518..8d75246af 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".DownloadFile" and tgt.process.cmdline contains "System.Net.WebClient")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md index cff21212d..2ab787a4f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline matches "\\w+`(\\w+|-|.)`[\\w+|\\s]" or tgt.process.cmdline matches ""(\\{\\d\\})+"\\s*-f" or tgt.process.cmdline matches "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not tgt.process.cmdline contains "${env:path}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md index 0194ae18b..1b94f9064 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "X509Enrollment.CBinaryConverter" or tgt.process.cmdline contains "884e2002-217d-11da-b2a4-000e7bbb2b09")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md index f3f5aaecc..78f2e5718 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath $env:TEMP*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*:\Windows\Temp\*")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md index ec7679e92..d6f79519a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\Microsoft.NodejsTools.PressAnyKey.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md index 0c1cff499..846902141 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\print.exe" and tgt.process.cmdline contains "print" and (tgt.process.cmdline contains "/D" and tgt.process.cmdline contains ".exe")) and (not tgt.process.cmdline contains "print.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md index 1595ff50b..e649aa197 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and (not ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md index be2af10d1..1ceb19c89 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md index 2b0528222..acf27aa30 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Psr.exe" and (tgt.process.cmdline contains "/start" or tgt.process.cmdline contains "-start"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md index 562b74f6e..6524d7b1c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\3proxy.exe" or tgt.process.displayName="3proxy - tiny proxy server" or tgt.process.cmdline contains ".exe -i127.0.0.1 -p")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md index 68a049db0..c9fe9732b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lockoutduration" or tgt.process.cmdline contains "lockoutthreshold" or tgt.process.cmdline contains "lockoutobservationwindow" or tgt.process.cmdline contains "maxpwdage" or tgt.process.cmdline contains "minpwdage" or tgt.process.cmdline contains "minpwdlength" or tgt.process.cmdline contains "pwdhistorylength" or tgt.process.cmdline contains "pwdproperties") or tgt.process.cmdline contains "-sc admincountdmp" or tgt.process.cmdline contains "-sc exchaddresses")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md index e250eb1fd..a32f2bf0f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "domainlist" or tgt.process.cmdline contains "trustdmp" or tgt.process.cmdline contains "dcmodes" or tgt.process.cmdline contains "adinfo" or tgt.process.cmdline contains " dclist " or tgt.process.cmdline contains "computer_pwdnotreqd" or tgt.process.cmdline contains "objectcategory=" or tgt.process.cmdline contains "-subnets -f" or tgt.process.cmdline contains "name=\"Domain Admins\"" or tgt.process.cmdline contains "-sc u:" or tgt.process.cmdline contains "domainncs" or tgt.process.cmdline contains "dompol" or tgt.process.cmdline contains " oudmp " or tgt.process.cmdline contains "subnetdmp" or tgt.process.cmdline contains "gpodmp" or tgt.process.cmdline contains "fspdmp" or tgt.process.cmdline contains "users_noexpire" or tgt.process.cmdline contains "computers_active" or tgt.process.cmdline contains "computers_pwdnotreqd")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md index 3bd183f5a..b6a6ba443 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/EXEFilename" or tgt.process.cmdline contains "/CommandLine") and ((tgt.process.cmdline contains " /RunAs 8 " or tgt.process.cmdline contains " /RunAs 4 " or tgt.process.cmdline contains " /RunAs 10 " or tgt.process.cmdline contains " /RunAs 11 ") or (tgt.process.cmdline contains "/RunAs 8" or tgt.process.cmdline contains "/RunAs 4" or tgt.process.cmdline contains "/RunAs 10" or tgt.process.cmdline contains "/RunAs 11")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md index 61bf7a8ce..c132e28e2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chisel.exe" or ((tgt.process.cmdline contains "exe client " or tgt.process.cmdline contains "exe server ") and (tgt.process.cmdline contains "-socks5" or tgt.process.cmdline contains "-reverse" or tgt.process.cmdline contains " r:" or tgt.process.cmdline contains ":127.0.0.1:" or tgt.process.cmdline contains "-tls-skip-verify " or tgt.process.cmdline contains ":socks")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md index ee1101f32..ddc56c0ac 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SepRemovalToolNative_x64.exe" or (tgt.process.image.path contains "\CATClean.exe" and tgt.process.cmdline contains "--uninstall") or (tgt.process.image.path contains "\NetInstaller.exe" and tgt.process.cmdline contains "-r") or (tgt.process.image.path contains "\WFPUnins.exe" and (tgt.process.cmdline contains "/uninstall" and tgt.process.cmdline contains "/enterprise")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md index d3b01ed77..2e59e2e43 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csexec.exe" or tgt.process.displayName="csexec")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md index 4c53141fa..df3694621 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DefenderCheck.exe" or tgt.process.displayName="DefenderCheck")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md index 78ccf755e..c9eec1bc5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ditsnap.exe" or tgt.process.cmdline contains "ditsnap.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md index bed6972f3..726d785b6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName contains "Mouse Lock" or tgt.process.publisher contains "Misc314" or tgt.process.cmdline contains "Mouse Lock_")) | columns tgt.process.displayName,tgt.process.publisher,tgt.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md index 1f2b71ad3..bb73b1d7e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\nc.exe" or tgt.process.image.path contains "\ncat.exe" or tgt.process.image.path contains "\netcat.exe") or (tgt.process.cmdline contains " -lvp " or tgt.process.cmdline contains " -lvnp" or tgt.process.cmdline contains " -l -v -p " or tgt.process.cmdline contains " -lv -p " or tgt.process.cmdline contains " -l --proxy-type http " or tgt.process.cmdline contains " -vnl --exec " or tgt.process.cmdline contains " -vnl -e " or tgt.process.cmdline contains " --lua-exec " or tgt.process.cmdline contains " --sh-exec "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md index 4e9926b66..1862459ea 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\netscan.exe" or tgt.process.displayName="Network Scanner" or tgt.process.displayName="Application for scanning networks")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md index 4ff61853e..5ca96b013 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tcp 139" or tgt.process.cmdline contains " tcp 445" or tgt.process.cmdline contains " tcp 3389" or tgt.process.cmdline contains " tcp 5985" or tgt.process.cmdline contains " tcp 5986") or (tgt.process.cmdline contains " start " and tgt.process.cmdline contains "--all" and tgt.process.cmdline contains "--config" and tgt.process.cmdline contains ".yml") or (tgt.process.image.path contains "ngrok.exe" and (tgt.process.cmdline contains " tcp " or tgt.process.cmdline contains " http " or tgt.process.cmdline contains " authtoken ")) or (tgt.process.cmdline contains ".exe authtoken " or tgt.process.cmdline contains ".exe start --all"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md index 5a1025080..a018a96ec 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " runassystem ") | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md index cd73ae7ba..a29f0acc5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rcedit-x64.exe" or tgt.process.image.path contains "\rcedit-x86.exe") or tgt.process.displayName="Edit resources of exe" or tgt.process.displayName="rcedit") and tgt.process.cmdline contains "--set-" and (tgt.process.cmdline contains "OriginalFileName" or tgt.process.cmdline contains "CompanyName" or tgt.process.cmdline contains "FileDescription" or tgt.process.cmdline contains "ProductName" or tgt.process.cmdline contains "ProductVersion" or tgt.process.cmdline contains "LegalCopyright"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md index 1d650a6be..f4098f657 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "--config " and tgt.process.cmdline contains "--no-check-certificate " and tgt.process.cmdline contains " copy ") or ((tgt.process.image.path contains "\rclone.exe" or tgt.process.displayName="Rsync for cloud storage") and (tgt.process.cmdline contains "pass" or tgt.process.cmdline contains "user" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "sync" or tgt.process.cmdline contains "config" or tgt.process.cmdline contains "lsd" or tgt.process.cmdline contains "remote" or tgt.process.cmdline contains "ls" or tgt.process.cmdline contains "mega" or tgt.process.cmdline contains "pcloud" or tgt.process.cmdline contains "ftp" or tgt.process.cmdline contains "ignore-existing" or tgt.process.cmdline contains "auto-confirm" or tgt.process.cmdline contains "transfers" or tgt.process.cmdline contains "multi-thread-streams" or tgt.process.cmdline contains "no-check-certificate ")))) | columns tgt.process.cmdline,src.process.cmdline,Details ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md index 4afa2f127..47d817a9b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /account=system " or tgt.process.cmdline contains " /account=ti ") and tgt.process.cmdline contains "/exec=")) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md index adb1c1f93..3f2a37eed 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Web Browser Password Viewer" or tgt.process.image.path contains "\WebBrowserPassView.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md index f4fb299fb..028d457e1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\python.exe" and tgt.process.cmdline contains "adidnsdump")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md index b3e28f90b..e3835e568 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "python.exe" or tgt.process.image.path contains "python3.exe" or tgt.process.image.path contains "python2.exe") and ((tgt.process.cmdline contains "import pty" and tgt.process.cmdline contains ".spawn(") or tgt.process.cmdline contains "from pty import spawn"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md index 4c21e9173..b6a8446af 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-m 1M" or tgt.process.cmdline contains "-m 2M" or tgt.process.cmdline contains "-m 3M") and (tgt.process.cmdline contains "restrict=off" and tgt.process.cmdline contains "-netdev " and tgt.process.cmdline contains "connect=" and tgt.process.cmdline contains "-nographic")) and (not (tgt.process.cmdline contains " -cdrom " or tgt.process.cmdline contains " type=virt " or tgt.process.cmdline contains " -blockdev ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md index dbc887b35..322111bc6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains ":\Windows\System32\query.exe" and (tgt.process.cmdline contains "session >" or tgt.process.cmdline contains "process >"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md index bf7f28e94..4fe0ef018 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rar.exe" and tgt.process.cmdline contains " a ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md index 1a9e6c08b..b50d7fbd3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -hp" and (tgt.process.cmdline contains " -m" or tgt.process.cmdline contains " a "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md index 6793d6276..b44ef3713 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.displayName="Command line RAR") or (tgt.process.cmdline contains ".exe a " or tgt.process.cmdline contains " a -m")) and ((tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " -r ") and (tgt.process.cmdline="* *:\\*.*" or tgt.process.cmdline="* *:\\\*.*" or tgt.process.cmdline="* *:\$Recycle.bin\*" or tgt.process.cmdline="* *:\PerfLogs\*" or tgt.process.cmdline="* *:\Temp*" or tgt.process.cmdline="* *:\Users\Public\*" or tgt.process.cmdline="* *:\Windows\*" or tgt.process.cmdline contains " %public%"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
index f9e432fd4..fb0e484ff 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "rasdial.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
index 1e5d8ce7a..053766e40 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains " ADD " and tgt.process.cmdline contains "Software\Microsoft\Windows\CurrentVersion\Run"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
index 271627a2e..907d13b33 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "REG" and tgt.process.cmdline contains "ADD" and tgt.process.cmdline contains "\SOFTWARE\Policies\Microsoft\FVE" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/f") and (tgt.process.cmdline contains "EnableBDEWithNoTPM" or tgt.process.cmdline contains "UseAdvancedStartup" or tgt.process.cmdline contains "UseTPM" or tgt.process.cmdline contains "UseTPMKey" or tgt.process.cmdline contains "UseTPMKeyPIN" or tgt.process.cmdline contains "RecoveryKeyMessageSource" or tgt.process.cmdline contains "UseTPMPIN" or tgt.process.cmdline contains "RecoveryKeyMessage")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
index 680d98341..04d5c1d66 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "scecli\0" and tgt.process.cmdline contains "reg add"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
index de2c9faa1..74b09ef68 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" or tgt.process.cmdline contains "SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths") and (tgt.process.cmdline contains "ADD " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_DWORD " and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "0")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
index 589378164..faaf05262 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and tgt.process.cmdline contains "add") and (tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Windows" or tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" or tgt.process.cmdline contains "\system\CurrentControlSet\Control\SafeBoot\AlternateShell"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
index c35a49280..bb2ba468d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add") and ((tgt.process.cmdline contains "d 4" and tgt.process.cmdline contains "v Start") and (tgt.process.cmdline contains "\AppIDSvc" or tgt.process.cmdline contains "\MsMpSvc" or tgt.process.cmdline contains "\NisSrv" or tgt.process.cmdline contains "\SecurityHealthService" or tgt.process.cmdline contains "\Sense" or tgt.process.cmdline contains "\UsoSvc" or tgt.process.cmdline contains "\WdBoot" or tgt.process.cmdline contains "\WdFilter" or tgt.process.cmdline contains "\WdNisDrv" or tgt.process.cmdline contains "\WdNisSvc" or tgt.process.cmdline contains "\WinDefend" or tgt.process.cmdline contains "\wscsvc" or tgt.process.cmdline contains "\wuauserv"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
index 0d851b970..06a12d7b1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains " query " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_SZ" and tgt.process.cmdline contains "/s")) and ((tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKLM") or (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKCU") or tgt.process.cmdline contains "HKCU\Software\SimonTatham\PuTTY\Sessions")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
index 3e4bba21c..c30861ae0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa\" and tgt.process.cmdline contains "DisableRestrictedAdmin"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
index ea146d2e7..e39d99993 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Cryptography" and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "MachineGuid")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
index 5854e4f4a..66c499763 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "NoLMHash" and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
index 8f3307928..18206fbda 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/ve " and tgt.process.cmdline contains "/d") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "DelegateExecute") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
index fc5d9ae85..0572f8f05 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "HKEY_CURRENT_USER\Control Panel\Desktop" or tgt.process.cmdline contains "HKCU\Control Panel\Desktop")) and ((tgt.process.cmdline contains "/v ScreenSaveActive" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 1" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaveTimeout" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaverIsSecure" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 0" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v SCRNSAVE.EXE" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains ".scr" and tgt.process.cmdline contains "/f"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
index 24f0d9912..56d636453 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "add " and tgt.process.cmdline contains "SYSTEM\CurrentControlSet\Services\" and tgt.process.cmdline contains " ImagePath ")) and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " –d " or tgt.process.cmdline contains " —d " or tgt.process.cmdline contains " ―d ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
index 9f9146b8d..fa4c7c4a8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "query" and tgt.process.cmdline contains "\software\" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "svcversion")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
index 34f24cbf9..6835f9f8a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Services\VSS\Diag" and tgt.process.cmdline contains "/d Disabled"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
index 1e7edbd3f..707ee1117 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control" and tgt.process.cmdline contains "Write Protection" and tgt.process.cmdline contains "0" and tgt.process.cmdline contains "storage"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
index fd997669c..773ba50b4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\regedit.exe" and (src.process.image.path contains "\TrustedInstaller.exe" or src.process.image.path contains "\ProcessHacker.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
index 758a7a20f..bc4c4672b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\register-cimprovider.exe" and (tgt.process.cmdline contains "-path" and tgt.process.cmdline contains "dll"))) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
index c41fa9821..58b3a964a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\Sessions" or tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\SshHostKeys\" or tgt.process.cmdline contains "\Software\Mobatek\MobaXterm\" or tgt.process.cmdline contains "\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin" or tgt.process.cmdline contains "\Software\Aerofox\FoxmailPreview" or tgt.process.cmdline contains "\Software\Aerofox\Foxmail\V3.1" or tgt.process.cmdline contains "\Software\IncrediMail\Identities" or tgt.process.cmdline contains "\Software\Qualcomm\Eudora\CommandLine" or tgt.process.cmdline contains "\Software\RimArts\B2\Settings" or tgt.process.cmdline contains "\Software\OpenVPN-GUI\configs" or tgt.process.cmdline contains "\Software\Martin Prikryl\WinSCP 2\Sessions" or tgt.process.cmdline contains "\Software\FTPWare\COREFTP\Sites" or tgt.process.cmdline contains "\Software\DownloadManager\Passwords" or tgt.process.cmdline contains "\Software\OpenSSH\Agent\Keys" or tgt.process.cmdline contains "\Software\TightVNC\Server" or tgt.process.cmdline contains "\Software\ORL\WinVNC3\Password" or tgt.process.cmdline contains "\Software\RealVNC\WinVNC4"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
index b2c566cac..48d5c93f1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" and tgt.process.cmdline contains "http" and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
index 019e4f51d..637aa7ddf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\CurrentVersion\Image File Execution Options\" and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "magnify.exe" or tgt.process.cmdline contains "narrator.exe" or tgt.process.cmdline contains "displayswitch.exe" or tgt.process.cmdline contains "atbroker.exe" or tgt.process.cmdline contains "HelpPane.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
index 5532822a4..93ab0799f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "UserInitMprLogonScript")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
index 461ed082a..c41bf7439 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Services\" and tgt.process.cmdline contains "\NetworkProvider"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
index 41e653cc8..3a6a3f320 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Office\" and tgt.process.cmdline contains "\Excel\Security" and tgt.process.cmdline contains "PythonFunctionWarnings") and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
index dab3a434c..cf6efee56 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.integrityLevel="Medium" and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "services") and (tgt.process.cmdline contains "\ImagePath" or tgt.process.cmdline contains "\FailureCommand" or tgt.process.cmdline contains "\ServiceDll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
index 71ee08c7f..e42fcec2c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SOFTWARE\Microsoft\Provisioning\Commands\")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
index 4ba2ca16f..fd6d038fa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\ShellIds\Microsoft.PowerShell\ExecutionPolicy" or tgt.process.cmdline contains "\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy") and (tgt.process.cmdline contains "Bypass" or tgt.process.cmdline contains "RemoteSigned" or tgt.process.cmdline contains "Unrestricted")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
index 6a2b303cf..c15e78ae4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/d 0")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
index d359094d8..603eff2a1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
index 6fcc66691..4b33b8a72 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\regsvr32.exe" and (tgt.process.cmdline contains " -i:" or tgt.process.cmdline contains " /i:" or tgt.process.cmdline contains " –i:" or tgt.process.cmdline contains " —i:" or tgt.process.cmdline contains " ―i:")) and (not tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
index 5a2f471d1..24b2a075a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\regsvr32.exe" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\werfault.exe" and tgt.process.cmdline contains " -u -p "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md
index 828afff80..ad60708db 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell_ise.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\wscript.exe") and tgt.process.image.path contains "\regsvr32.exe") and (not (src.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains " /s C:\Windows\System32\RpcProxy\RpcProxy.dll"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md
index 6986b1c6c..84b363b4a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md
index 50b7415f2..9bd9205a6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "echo " and tgt.process.cmdline contains ".exe --set-password"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md
index fd3d7f60c..5c441332e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--install" and tgt.process.cmdline contains "--start-with-win" and tgt.process.cmdline contains "--silent")) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md
index e6e3b42b2..529ff0cbd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH") and (not (tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "Program Files (x86)\AnyDesk" or tgt.process.image.path contains "Program Files\AnyDesk"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md
index b3b1f2478..5e3ab63d6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="GoTo Opener" or tgt.process.displayName="GoTo Opener" or tgt.process.publisher="LogMeIn, Inc."))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md
index 19256bada..c26f0b7b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="LMIGuardianSvc" or tgt.process.displayName="LMIGuardianSvc" or tgt.process.publisher="LogMeIn, Inc."))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md
index f2b1d431c..8984d5672 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\meshagent.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md
index f457f01c9..cb3aef275 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe") or tgt.process.displayName="Remote Utilities") and (not (tgt.process.image.path contains "C:\Program Files\Remote Utilities" or tgt.process.image.path contains "C:\Program Files (x86)\Remote Utilities"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md
index 57b0ae620..b4098c34c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="ScreenConnect Service" or tgt.process.displayName="ScreenConnect" or tgt.process.publisher="ScreenConnect Software"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md
index 144514748..b96a857d7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "e=Access&" and tgt.process.cmdline contains "y=Guest&" and tgt.process.cmdline contains "&p=" and tgt.process.cmdline contains "&c=" and tgt.process.cmdline contains "&k="))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md
index 1f5f93167..166c9080a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains ":\Windows\TEMP\ScreenConnect\" and src.process.cmdline contains "run.cmd") and (tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wevtutil.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md
index ffa89b713..9f7466940 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\ScreenConnect.Service.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md
index 70bbfa2b2..4013ba36f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\JWrapper-Remote Access\" or tgt.process.image.path contains "\JWrapper-Remote Support\") and tgt.process.image.path contains "\SimpleService.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md
index 8149ec6c1..182534e77 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="TeamViewer_Desktop.exe" and src.process.image.path="TeamViewer_Service.exe" and tgt.process.cmdline contains "TeamViewer_Desktop.exe --IPCport 5939 --Module 1"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md
index e8ae8e3ff..26bfc90e4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "time") or (tgt.process.image.path contains "\w32tm.exe" and tgt.process.cmdline contains "tz")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md
index cb8c1989a..8a9732233 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName in ("Java Update Scheduler","Java(TM) Update Scheduler")) and (not tgt.process.image.path contains "\jusched.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md
index ded65b474..76be955aa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "DllRegisterServer" and (not tgt.process.image.path contains "\rundll32.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md
index b2a73da13..c5815de53 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Remote Utilities" and (not (tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md
index 8a1589ce9..5a391053d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rpcping.exe" and (tgt.process.cmdline contains "-s" or tgt.process.cmdline contains "/s" or tgt.process.cmdline contains "–s" or tgt.process.cmdline contains "—s" or tgt.process.cmdline contains "―s") and (((tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u") and (tgt.process.cmdline contains "NTLM")) or ((tgt.process.cmdline contains "-t" or tgt.process.cmdline contains "/t" or tgt.process.cmdline contains "–t" or tgt.process.cmdline contains "—t" or tgt.process.cmdline contains "―t") and (tgt.process.cmdline contains "ncacn_np")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md
index 60de5c7b8..4f75014c1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains "Execute" and tgt.process.cmdline contains "RegRead" and tgt.process.cmdline contains "window.close"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md
index dcb7ad7fe..05c58b575 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\..\" and tgt.process.cmdline contains "mshtml") and (tgt.process.cmdline contains "#135" or tgt.process.cmdline contains "RunHTMLApplication")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md
index 131c59256..aec7bd406 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\rundll32.exe" or tgt.process.cmdline contains "\rundll32.exe\"" or tgt.process.cmdline contains "\rundll32") and (not (src.process.image.path contains "\AppData\Local\" or src.process.image.path contains "\Microsoft\Edge\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md
index 592ab83bf..2abecebdc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\RECYCLER\" or tgt.process.image.path contains ":\SystemVolumeInformation\") or (tgt.process.image.path contains "C:\Windows\Tasks\" or tgt.process.image.path contains "C:\Windows\debug\" or tgt.process.image.path contains "C:\Windows\fonts\" or tgt.process.image.path contains "C:\Windows\help\" or tgt.process.image.path contains "C:\Windows\drivers\" or tgt.process.image.path contains "C:\Windows\addins\" or tgt.process.image.path contains "C:\Windows\cursors\" or tgt.process.image.path contains "C:\Windows\system32\tasks\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md
index 2cc719db6..99e5367c7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\runonce.exe" and src.process.image.path contains "\rundll32.exe" and (src.process.cmdline contains "setupapi.dll" and src.process.cmdline contains "InstallHinfSection"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md
index 11e9371f4..6e4b68d59 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\rundll32.exe" and tgt.process.image.path contains "\explorer.exe") and (not src.process.cmdline contains "\shell32.dll,Control_RunDLL")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md
index 361502691..5e315cc8a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "javascript:" and tgt.process.cmdline contains ".RegisterXLL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURLA") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "FileProtocolHandler") or (tgt.process.cmdline contains "zipfldr.dll" and tgt.process.cmdline contains "RouteTheCall") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "Control_RunDLL") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "ShellExec_RunDLL") or (tgt.process.cmdline contains "mshtml.dll" and tgt.process.cmdline contains "PrintHTML") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieframe.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "shdocvw.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "syssetup.dll" and tgt.process.cmdline contains "SetupInfObjectInstallAction") or (tgt.process.cmdline contains "setupapi.dll" and tgt.process.cmdline contains "InstallHinfSection") or (tgt.process.cmdline contains "pcwutl.dll" and tgt.process.cmdline contains "LaunchApplication") or (tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbApplication") or 
(tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbShortcut") or (tgt.process.cmdline contains "scrobj.dll" and tgt.process.cmdline contains "GenerateTypeLib" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "shimgvw.dll" and tgt.process.cmdline contains "ImageView_Fullscreen" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "comsvcs.dll" and tgt.process.cmdline contains "MiniDump")) and (not (tgt.process.cmdline contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (src.process.image.path="C:\Windows\System32\control.exe" and src.process.cmdline contains ".cpl" and (tgt.process.cmdline contains "Shell32.dll" and tgt.process.cmdline contains "Control_RunDLL" and tgt.process.cmdline contains ".cpl")) or (src.process.image.path="C:\Windows\System32\control.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\Windows\System32\" and tgt.process.cmdline contains ".cpl\",")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md
index ee395edfd..0474a97c1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ShellExec_RunDLL" and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "odbcconf" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "iex" or tgt.process.cmdline contains "comspec")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
index eefc22f88..caa1a90e1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "apphelp.dll") and (tgt.process.cmdline contains "ShimFlushCache" or tgt.process.cmdline contains "#250")) or ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "kernel32.dll") and (tgt.process.cmdline contains "BaseFlushAppcompatCache" or tgt.process.cmdline contains "#46")))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
index 01d9d61e7..590aebff7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and (tgt.process.cmdline contains ".sys," or tgt.process.cmdline contains ".sys ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
index 9859a5337..ac3817688 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\svchost.exe" and src.process.cmdline contains "-s WebClient" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "C:\windows\system32\davclnt.dll,DavSetCookie" and tgt.process.cmdline matches "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") and (not (tgt.process.cmdline contains "://10." or tgt.process.cmdline contains "://192.168." or tgt.process.cmdline contains "://172.16." or tgt.process.cmdline contains "://172.17." or tgt.process.cmdline contains "://172.18." or tgt.process.cmdline contains "://172.19." or tgt.process.cmdline contains "://172.20." or tgt.process.cmdline contains "://172.21." or tgt.process.cmdline contains "://172.22." or tgt.process.cmdline contains "://172.23." or tgt.process.cmdline contains "://172.24." or tgt.process.cmdline contains "://172.25." or tgt.process.cmdline contains "://172.26." or tgt.process.cmdline contains "://172.27." or tgt.process.cmdline contains "://172.28." or tgt.process.cmdline contains "://172.29." or tgt.process.cmdline contains "://172.30." or tgt.process.cmdline contains "://172.31." or tgt.process.cmdline contains "://127." or tgt.process.cmdline contains "://169.254.")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md index b9e998f72..ab3f56d64 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline in ("rundll32.exe","rundll32"))) | columns ComputerName,SubjectUserName,tgt.process.cmdline,tgt.process.image.path,src.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md index ce214c4c5..3665ac351 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\runonce.exe" or tgt.process.displayName="Run Once Wrapper") and (tgt.process.cmdline contains "/AlternateShellStartup" or tgt.process.cmdline contains "/r"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md index fdcc8aebf..1241c8a0a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sc.exe" and tgt.process.integrityLevel="Medium") and ((tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") or (tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md index f940a374c..4a0e64ed9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md index f8123950e..ca642a16c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" or tgt.process.cmdline contains "config") and (tgt.process.cmdline contains "binPath" and tgt.process.cmdline contains "type" and tgt.process.cmdline contains "kernel"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md index 9cf72cad1..dbf5e615c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md index 6b90e3809..f5e772c4d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "config " and tgt.process.cmdline contains "binpath=") or (tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command=")) or (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "FailureCommand") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "ImagePath")) and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin$" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh$" or tgt.process.cmdline contains ".reg$" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md index 83608635f..1d258bd4d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "/RU" and tgt.process.cmdline contains "/TR" and tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\") and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "TeamViewer_.exe") and tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/TN TVInstallRestore")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md index 63ce92259..b6d1d8d19 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /Change " and tgt.process.cmdline contains " /TN ")) and (tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\WINDOWS\Temp\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Perflogs\" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%") and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "bash.exe" or tgt.process.cmdline contains "bash " or tgt.process.cmdline contains "scrcons" or tgt.process.cmdline contains "wmic " or tgt.process.cmdline contains "wmic.exe" or tgt.process.cmdline contains "forfiles" or tgt.process.cmdline contains "scriptrunner" or tgt.process.cmdline contains "hh.exe" or tgt.process.cmdline contains "hh "))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md index 091f7abf8..42d2d5c7f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (not (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md index 3985896cc..38e67e076 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /create " and tgt.process.cmdline contains " /sc once " and tgt.process.cmdline contains "\Temp\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md index 2e1747a0d..7c38753f8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "/tn") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md index ad6f61e69..ce99e1931 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /delete " and tgt.process.cmdline contains "/tn \*" and tgt.process.cmdline contains " /f"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md index bce6d6d4f..90da71bb2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Change" and tgt.process.cmdline contains "/TN" and tgt.process.cmdline contains "/disable") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md index 023aa184f..33583aeb8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\Users\Public" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%")) or (src.process.cmdline contains "\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\Users\Public" or tgt.process.cmdline contains "%Public%"))) and (not (((tgt.process.cmdline contains "update_task.xml" or tgt.process.cmdline contains "/Create /TN TVInstallRestore /TR") or src.process.cmdline contains "unattended.ini") or (tgt.process.cmdline contains "/Create /Xml \"C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\.CR." and tgt.process.cmdline contains "Avira_Security_Installation.xml") or ((tgt.process.cmdline contains "/Create /F /TN" and tgt.process.cmdline contains "/Xml " and tgt.process.cmdline contains "\AppData\Local\Temp\is-" and tgt.process.cmdline contains "Avira_") and (tgt.process.cmdline contains ".tmp\UpdateFallbackTask.xml" or tgt.process.cmdline contains ".tmp\WatchdogServiceControlManagerTimeout.xml" or tgt.process.cmdline contains ".tmp\SystrayAutostart.xml" or tgt.process.cmdline contains ".tmp\MaintenanceTask.xml")) or (tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "/Create /TN \"klcp_update\" /XML " and tgt.process.cmdline contains "\klcp_update_task.xml"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md index dc1dedf54..9eeed69e6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (tgt.process.cmdline contains "/TN \"{" or tgt.process.cmdline contains "/TN '{" or tgt.process.cmdline contains "/TN {") and (tgt.process.cmdline contains "}\"" or tgt.process.cmdline contains "}'" or tgt.process.cmdline contains "} "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md index 31e6ef36d..5f2972c92 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\WINDOWS\System32\svchost.exe" and (src.process.cmdline contains "-k netsvcs" and src.process.cmdline contains "-s Schedule") and (tgt.process.cmdline contains " -windowstyle hidden" or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " -noni"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md index fda151438..f42a0bcae 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (((tgt.process.cmdline contains "/sc minute " or tgt.process.cmdline contains "/ru system ") and (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r ")) or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -w hidden " or tgt.process.cmdline contains " bypass " or tgt.process.cmdline contains " IEX" or tgt.process.cmdline contains ".DownloadData" or tgt.process.cmdline contains ".DownloadFile" or tgt.process.cmdline contains ".DownloadString" or tgt.process.cmdline contains "/c start /min " or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "mshta http" or tgt.process.cmdline contains "mshta.exe http") or ((tgt.process.cmdline contains ":\ProgramData\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%") and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "curl" or tgt.process.cmdline contains "wscript"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md index c26d7a06e..8323caae5 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /change " or tgt.process.cmdline contains " /create ")) and tgt.process.cmdline contains "/ru " and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/TN TVInstallRestore" and tgt.process.cmdline contains "\TeamViewer_.exe")) or (tgt.process.cmdline contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or tgt.process.cmdline contains ":\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe" or tgt.process.cmdline contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md index d87a63263..bb71b60ee 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\scrcons.exe" and (tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\msbuild.exe"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md index ea539cb9c..5a350f1da 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\sdclt.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md index fd2cfb84a..80a5c9374 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sdiagnhost.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\taskkill.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\calc.exe")) and (not ((tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "bits") or (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "-noprofile -" or tgt.process.cmdline contains "-noprofile")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md index fcc4a7550..62e737866 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Serv-U.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md index 6771f8d95..45a9dcab2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\setres.exe" and tgt.process.image.path contains "\choice") and (not (tgt.process.image.path contains "C:\Windows\System32\choice.exe" or tgt.process.image.path contains "C:\Windows\SysWOW64\choice.exe")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md index cf6d35fbc..13554e42e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and (tgt.process.cmdline contains "/r " or tgt.process.cmdline contains "/s "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md index 9d5b5d2dc..abc5dc402 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and tgt.process.cmdline contains "/l")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md index 5f24ff65e..6e92a50ad 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md 
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\sigverif.exe" and (not (tgt.process.image.path in ("C:\Windows\System32\WerFault.exe","C:\Windows\SysWOW64\WerFault.exe")))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
index 2a91109d8..908f8c189 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\SndVol.exe" and (not (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains " shell32.dll,Control_RunDLL "))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
index 13468f5f6..ff4d2347d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SoundRecorder.exe" and tgt.process.cmdline contains "/FILE"))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
index 717447319..52fcf5207 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\splwow64.exe" and tgt.process.cmdline contains "splwow64.exe"))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
index af8800c2b..9e765579a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "VeeamBackup" and tgt.process.cmdline contains "From ")) and (tgt.process.cmdline contains "BackupRepositories" or tgt.process.cmdline contains "Backups" or tgt.process.cmdline contains "Credentials" or tgt.process.cmdline contains "HostCreds" or tgt.process.cmdline contains "SmbFileShares" or tgt.process.cmdline contains "Ssh_creds" or tgt.process.cmdline contains "VSphereInfo")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
index 5c6569036..c8ea6e81d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "SELECT" and tgt.process.cmdline contains "TOP" and tgt.process.cmdline contains "[VeeamBackup].[dbo].[Credentials]")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
index 14bfd635c..9f4a0b105 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "\User Data\" or tgt.process.cmdline contains "\Opera Software\" or tgt.process.cmdline contains "\ChromiumViewer\") and (tgt.process.cmdline contains "Login Data" or tgt.process.cmdline contains "Cookies" or tgt.process.cmdline contains "Web Data" or tgt.process.cmdline contains "History" or tgt.process.cmdline contains "Bookmarks")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
index de4ed14f4..8bd6d665b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "cookies.sqlite" or tgt.process.cmdline contains "places.sqlite")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
index 7054297c6..48215de72 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains " --download " or tgt.process.cmdline contains " --update " or tgt.process.cmdline contains " --updateRollback=") and tgt.process.cmdline contains "http"))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
index 93449bd33..e4c8a563b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--processStartAndWait" or tgt.process.cmdline contains "--createShortcut")) and (not ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Discord\Update.exe" and tgt.process.cmdline contains " --processStart" and tgt.process.cmdline contains "Discord.exe") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\GitHubDesktop\Update.exe" and tgt.process.cmdline contains "GitHubDesktop.exe") and (tgt.process.cmdline contains "--createShortcut" or tgt.process.cmdline contains "--processStartAndWait")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Microsoft\Teams\Update.exe" and tgt.process.cmdline contains "Teams.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\yammerdesktop\Update.exe" and tgt.process.cmdline contains "Yammer.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut"))))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
index c871aa240..d7cb27cfb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " /R " or tgt.process.cmdline contains " –R " or tgt.process.cmdline contains " —R " or tgt.process.cmdline contains " ―R ")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
index c23c2a8dc..698dc3b34 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\System32\OpenSSH\sshd.exe" or (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains "ProxyCommand=" or (tgt.process.cmdline contains "PermitLocalCommand" and tgt.process.cmdline contains "LocalCommand")))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
index f2e7bb7f8..5d4ad0b5f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and tgt.process.cmdline contains ":3389"))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
index a6a46a813..10479dd8d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\amazon-ssm-agent.exe" and (tgt.process.cmdline contains "-register " and tgt.process.cmdline contains "-code " and tgt.process.cmdline contains "-id " and tgt.process.cmdline contains "-region ")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
index 903091e29..a71976031 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\stordiag.exe" and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\fltmc.exe")) and (not (src.process.image.path contains "c:\windows\system32\" or src.process.image.path contains "c:\windows\syswow64\"))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
index 7be5fa30c..27716770f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ntvdm.exe" or tgt.process.image.path contains "\csrstub.exe"))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
index e01faa00e..bfe93dc0f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains " administrators " or tgt.process.cmdline contains " administrateur")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
index fd5f8fdda..a3ce3eac5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Group Policy Creator Owners" or tgt.process.cmdline contains "Schema Admins")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
index b6813cbcd..bf2de8790 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
index 6bda0dd63..4e084dda1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "txt:" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > ") or (tgt.process.cmdline contains "makecab " and tgt.process.cmdline contains ".cab") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains " export ") or (tgt.process.cmdline contains "regedit " and tgt.process.cmdline contains " /E ") or (tgt.process.cmdline contains "esentutl " and tgt.process.cmdline contains " /y " and tgt.process.cmdline contains " /d " and tgt.process.cmdline contains " /o "))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
index 52f18231d..8178326a0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\Windows\Installer\" and tgt.process.image.path contains "msi") and tgt.process.image.path contains "tmp") or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.integrityLevel="System")) and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and (not (src.process.image.path="C:\Windows\System32\services.exe" or (tgt.process.cmdline contains "\system32\msiexec.exe /V" or src.process.cmdline contains "\system32\msiexec.exe /V") or src.process.image.path contains "C:\ProgramData\Sophos\" or src.process.image.path contains "C:\ProgramData\Avira\" or (src.process.image.path contains "C:\Program Files\Avast Software\" or src.process.image.path contains "C:\Program Files (x86)\Avast Software\") or (src.process.image.path contains "C:\Program Files\Google\Update\" or src.process.image.path contains "C:\Program Files (x86)\Google\Update\")))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
index 773eb6af0..e33c3e214 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "C:\Program Files\WindowsApps\" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Base64")) and (not (src.process.image.path contains ":\Program Files\WindowsApps\Microsoft.WindowsTerminal" and src.process.image.path contains "\WindowsTerminal.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\pwsh.exe")))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
index d7f1c901c..de5641b94 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".SettingContent-ms" and (not tgt.process.cmdline contains "immersivecontrolpanel"))) | columns ParentProcess,tgt.process.cmdline,src.process.cmdline
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
index e11a35485..c90fceb15 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\Winrar.exe" or src.process.image.path contains "\7zFM.exe" or src.process.image.path contains "\peazip.exe") and (tgt.process.image.path contains "\isoburn.exe" or tgt.process.image.path contains "\PowerISO.exe" or tgt.process.image.path contains "\ImgBurn.exe")))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
index 7cb837a9b..fa5708686 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
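Review bot: The projection at the end of the settingcontent query, `| columns ParentProcess,tgt.process.cmdline,src.process.cmdline`, references `ParentProcess`, which does not follow the `src.process.*` / `tgt.process.*` field naming used by every other query in this set and looks like a Sigma field name that survived the automatic translation untranslated. A column that the PowerQuery schema does not know will most likely make the query error out or return an empty column, so the rule is not usable as written. Judging from the other rules here the intended field is the parent image, i.e. `| columns src.process.image.path,tgt.process.cmdline,src.process.cmdline`. Because this file is generated, the mapping should be fixed in the translation backend rather than by hand-editing the .md, otherwise the next run re-introduces it.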
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\WerFault.exe" and tgt.process.cmdline contains "WerFault.exe") or (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or (tgt.process.image.path contains "\regsvcs.exe" and tgt.process.cmdline contains "regsvcs.exe") or (tgt.process.image.path contains "\regasm.exe" and tgt.process.cmdline contains "regasm.exe") or (tgt.process.image.path contains "\regsvr32.exe" and tgt.process.cmdline contains "regsvr32.exe")) and (not ((src.process.image.path contains "\AppData\Local\Microsoft\EdgeUpdate\Install\{" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or ((src.process.image.path contains "\AppData\Local\BraveSoftware\Brave-Browser\Application\" or src.process.image.path contains "\AppData\Local\Google\Chrome\Application\") and src.process.image.path contains "\Installer\setup.exe" and src.process.cmdline contains "--uninstall " and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe")))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
index 01789677c..8177e7eaf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "Acrobat Reader" or src.process.image.path contains "Microsoft Office" or src.process.image.path contains "PDF Reader") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\firefox.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\maxthon.exe" or tgt.process.image.path contains "\seamonkey.exe" or tgt.process.image.path contains "\vivaldi.exe" or tgt.process.image.path contains "") and tgt.process.cmdline contains "http"))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
index 03637ebc0..2cde86c84 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "h^t^t^p" or tgt.process.cmdline contains "h\"t\"t\"p"))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
index a2a40b116..736a05d46 100644
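Review bot: The browser alternation in the browser_launch_from_document_reader query ends with `or tgt.process.image.path contains ""`, and an empty-string `contains` is true for every path, so that clause makes the whole browser list irrelevant: the rule fires on any child of an Acrobat Reader / Microsoft Office / PDF Reader process whose command line contains `http`, including the readers' own updater and help components, which will bury the real signal in noise. This is presumably an empty or wildcard-only value in the source Sigma `Image|endswith` list that the translator rendered literally; I cannot see the source rule from here. Dropping the clause so the group ends `... or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http"` restores the intended scope; as the file is generated, the fix belongs in the source rule or the translator's handling of empty list entries.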
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Windows\" and (tgt.process.cmdline contains "\..\Windows\" or tgt.process.cmdline contains "\..\System32\" or tgt.process.cmdline contains "\..\..\")) or tgt.process.cmdline contains ".exe\..\") and (not (tgt.process.cmdline contains "\Google\Drive\googledrivesync.exe\..\" or tgt.process.cmdline contains "\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\"))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
index 9b1cafab1..5e46ad212 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
@@ -1,5 +1,5 @@
```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --cpu-priority=" or tgt.process.cmdline contains "--donate-level=0" or tgt.process.cmdline contains " -o pool." or tgt.process.cmdline contains " --nicehash" or tgt.process.cmdline contains " --algo=rx/0 " or tgt.process.cmdline contains "stratum+tcp://" or tgt.process.cmdline contains "stratum+udp://" or tgt.process.cmdline contains "LS1kb25hdGUtbGV2ZWw9" or tgt.process.cmdline contains "0tZG9uYXRlLWxldmVsP" or tgt.process.cmdline contains "tLWRvbmF0ZS1sZXZlbD" or tgt.process.cmdline contains "c3RyYXR1bSt0Y3A6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdGNwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3RjcDovL" or tgt.process.cmdline contains "c3RyYXR1bSt1ZHA6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdWRwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3VkcDovL") and (not (tgt.process.cmdline contains " pool.c " or tgt.process.cmdline contains " pool.o " or tgt.process.cmdline contains "gcc -"))))
```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
index 6a77852a5..f3fe0ee54 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl ") and (tgt.process.cmdline contains " -ur" and tgt.process.cmdline contains " -me" and tgt.process.cmdline contains " -b" and tgt.process.cmdline contains " POST ")) or ((tgt.process.image.path contains "\curl.exe" and tgt.process.cmdline contains "--ur") and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " --data ")) or (tgt.process.image.path contains "\wget.exe" and (tgt.process.cmdline contains "--post-data" or tgt.process.cmdline contains "--post-file"))) and ((tgt.process.cmdline contains "Get-Content" or tgt.process.cmdline contains "GetBytes" or tgt.process.cmdline contains "hostname" or tgt.process.cmdline contains "ifconfig" or tgt.process.cmdline contains "ipconfig" or tgt.process.cmdline contains "net view" or tgt.process.cmdline contains "netstat" or tgt.process.cmdline contains "nltest" or tgt.process.cmdline contains "qprocess" or tgt.process.cmdline contains "sc query" or tgt.process.cmdline contains "systeminfo" or tgt.process.cmdline contains "tasklist" or tgt.process.cmdline contains "ToBase64String" or tgt.process.cmdline contains "whoami") or (tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > " and tgt.process.cmdline contains " C:\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
index 9c8443029..db80f555e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "taskkill " and tgt.process.cmdline contains "RaccineSettings.exe") or (tgt.process.cmdline contains "reg.exe" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "Raccine Tray") or (tgt.process.cmdline contains "schtasks" and tgt.process.cmdline contains "/DELETE" and tgt.process.cmdline contains "Raccine Rules Updater")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
index 97f86a1e5..522def86c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ".doc.exe" or tgt.process.image.path contains ".docx.exe" or tgt.process.image.path contains ".xls.exe" or tgt.process.image.path contains ".xlsx.exe" or tgt.process.image.path contains ".ppt.exe" or tgt.process.image.path contains ".pptx.exe" or tgt.process.image.path contains ".rtf.exe" or tgt.process.image.path contains ".pdf.exe" or tgt.process.image.path contains ".txt.exe" or tgt.process.image.path contains " .exe" or tgt.process.image.path contains "______.exe" or tgt.process.image.path contains ".doc.js" or tgt.process.image.path contains ".docx.js" or tgt.process.image.path contains ".xls.js" or tgt.process.image.path contains ".xlsx.js" or tgt.process.image.path contains ".ppt.js" or tgt.process.image.path contains ".pptx.js" or tgt.process.image.path contains ".rtf.js" or tgt.process.image.path contains ".pdf.js" or tgt.process.image.path contains ".txt.js") and (tgt.process.cmdline contains ".doc.exe" or tgt.process.cmdline contains ".docx.exe" or tgt.process.cmdline contains ".xls.exe" or tgt.process.cmdline contains ".xlsx.exe" or tgt.process.cmdline contains ".ppt.exe" or tgt.process.cmdline contains ".pptx.exe" or tgt.process.cmdline contains ".rtf.exe" or tgt.process.cmdline contains ".pdf.exe" or tgt.process.cmdline contains ".txt.exe" or tgt.process.cmdline contains " .exe" or tgt.process.cmdline contains "______.exe" or tgt.process.cmdline contains ".doc.js" or tgt.process.cmdline contains ".docx.js" or tgt.process.cmdline contains ".xls.js" or tgt.process.cmdline contains ".xlsx.js" or tgt.process.cmdline contains ".ppt.js" or tgt.process.cmdline contains ".pptx.js" or tgt.process.cmdline contains ".rtf.js" or tgt.process.cmdline contains ".pdf.js" or tgt.process.cmdline contains 
".txt.js")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
index f33e53380..098d04897 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains ".doc.lnk" or src.process.image.path contains ".docx.lnk" or src.process.image.path contains ".xls.lnk" or src.process.image.path contains ".xlsx.lnk" or src.process.image.path contains ".ppt.lnk" or src.process.image.path contains ".pptx.lnk" or src.process.image.path contains ".rtf.lnk" or src.process.image.path contains ".pdf.lnk" or src.process.image.path contains ".txt.lnk" or src.process.image.path contains ".doc.js" or src.process.image.path contains ".docx.js" or src.process.image.path contains ".xls.js" or src.process.image.path contains ".xlsx.js" or src.process.image.path contains ".ppt.js" or src.process.image.path contains ".pptx.js" or src.process.image.path contains ".rtf.js" or src.process.image.path contains ".pdf.js" or src.process.image.path contains ".txt.js") or (src.process.cmdline contains ".doc.lnk" or src.process.cmdline contains ".docx.lnk" or src.process.cmdline contains ".xls.lnk" or src.process.cmdline contains ".xlsx.lnk" or src.process.cmdline contains ".ppt.lnk" or src.process.cmdline contains ".pptx.lnk" or src.process.cmdline contains ".rtf.lnk" or src.process.cmdline contains ".pdf.lnk" or src.process.cmdline contains ".txt.lnk" or src.process.cmdline contains ".doc.js" or src.process.cmdline contains ".docx.js" or src.process.cmdline contains ".xls.js" or src.process.cmdline contains ".xlsx.js" or src.process.cmdline contains ".ppt.js" or src.process.cmdline contains ".pptx.js" or src.process.cmdline contains ".rtf.js" or src.process.cmdline contains ".pdf.js" or src.process.cmdline contains ".txt.js")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
index 7c4c424b0..7e09c2bdb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\wget.exe") or (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains ".DownloadString(")) and (tgt.process.cmdline contains "https://attachment.outlook.live.net/owa/" or tgt.process.cmdline contains "https://onenoteonlinesync.onenote.com/onenoteonlinesync/")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
index 3fd0012a5..f3d61080a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DumpStack.log" or tgt.process.cmdline contains " -o DumpStack.log"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
index 0daba5d20..9698d8343 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\chrome.exe" or src.process.image.path contains "\discord.exe" or src.process.image.path contains "\GitHubDesktop.exe" or src.process.image.path contains "\keybase.exe" or src.process.image.path contains "\msedge.exe" or src.process.image.path contains "\msedgewebview2.exe" or src.process.image.path contains "\msteams.exe" or src.process.image.path contains "\slack.exe" or src.process.image.path contains "\teams.exe") and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\Windows\Temp\")) and (not (src.process.image.path contains "\Discord.exe" and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "\NVSMI\nvidia-smi.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
index dbfca6988..3784a9750 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\explorer.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".lnk")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
index 178438f36..95411be79 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "😀" or tgt.process.cmdline contains "😃" or tgt.process.cmdline contains "😄" or tgt.process.cmdline contains "😁" or tgt.process.cmdline contains "😆" or tgt.process.cmdline contains "😅" or tgt.process.cmdline contains "😂" or tgt.process.cmdline contains "🤣" or tgt.process.cmdline contains "🥲" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "☺️" or tgt.process.cmdline contains "😊" or tgt.process.cmdline contains "😇" or tgt.process.cmdline contains "🙂" or tgt.process.cmdline contains "🙃" or tgt.process.cmdline contains "😉" or tgt.process.cmdline contains "😌" or tgt.process.cmdline contains "😍" or tgt.process.cmdline contains "🥰" or tgt.process.cmdline contains "😘" or tgt.process.cmdline contains "😗" or tgt.process.cmdline contains "😙" or tgt.process.cmdline contains "😚" or tgt.process.cmdline contains "😋" or tgt.process.cmdline contains "😛" or tgt.process.cmdline contains "😝" or tgt.process.cmdline contains "😜" or tgt.process.cmdline contains "🤪" or tgt.process.cmdline contains "🤨" or tgt.process.cmdline contains "🧐" or tgt.process.cmdline contains "🤓" or tgt.process.cmdline contains "😎" or tgt.process.cmdline contains "🥸" or tgt.process.cmdline contains "🤩" or tgt.process.cmdline contains "🥳" or tgt.process.cmdline contains "😏" or tgt.process.cmdline contains "😒" or tgt.process.cmdline contains "😞" or tgt.process.cmdline contains "😔" or tgt.process.cmdline contains "😟" or tgt.process.cmdline contains "😕" or tgt.process.cmdline contains "🙁" or tgt.process.cmdline contains "☹️" or tgt.process.cmdline contains "😣" or tgt.process.cmdline contains "😖" or tgt.process.cmdline contains "😫" or tgt.process.cmdline contains "😩" or tgt.process.cmdline contains "🥺" or tgt.process.cmdline contains "😢" or 
tgt.process.cmdline contains "😭" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😤" or tgt.process.cmdline contains "😠" or tgt.process.cmdline contains "😡" or tgt.process.cmdline contains "🤬" or tgt.process.cmdline contains "🤯" or tgt.process.cmdline contains "😳" or tgt.process.cmdline contains "🥵" or tgt.process.cmdline contains "🥶" or tgt.process.cmdline contains "😱" or tgt.process.cmdline contains "😨" or tgt.process.cmdline contains "😰" or tgt.process.cmdline contains "😥" or tgt.process.cmdline contains "😓" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🤗" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🤔" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🤭" or tgt.process.cmdline contains "🤫" or tgt.process.cmdline contains "🤥" or tgt.process.cmdline contains "😶" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "😐" or tgt.process.cmdline contains "😑" or tgt.process.cmdline contains "😬" or tgt.process.cmdline contains "🫠" or tgt.process.cmdline contains "🙄" or tgt.process.cmdline contains "😯" or tgt.process.cmdline contains "😦" or tgt.process.cmdline contains "😧" or tgt.process.cmdline contains "😮" or tgt.process.cmdline contains "😲" or tgt.process.cmdline contains "🥱" or tgt.process.cmdline contains "😴" or tgt.process.cmdline contains "🤤" or tgt.process.cmdline contains "😪" or tgt.process.cmdline contains "😵" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🤐" or tgt.process.cmdline contains "🥴" or tgt.process.cmdline contains "🤢" or tgt.process.cmdline contains "🤮" or tgt.process.cmdline contains "🤧" or tgt.process.cmdline contains "😷" or tgt.process.cmdline contains "🤒" or tgt.process.cmdline contains "🤕" or tgt.process.cmdline contains "🤑" or tgt.process.cmdline contains "🤠" or tgt.process.cmdline contains "😈" or tgt.process.cmdline contains "👿" or tgt.process.cmdline contains "👹" or 
tgt.process.cmdline contains "👺" or tgt.process.cmdline contains "🤡" or tgt.process.cmdline contains "💩" or tgt.process.cmdline contains "👻" or tgt.process.cmdline contains "💀" or tgt.process.cmdline contains "☠️" or tgt.process.cmdline contains "👽" or tgt.process.cmdline contains "👾" or tgt.process.cmdline contains "🤖" or tgt.process.cmdline contains "🎃" or tgt.process.cmdline contains "😺" or tgt.process.cmdline contains "😸" or tgt.process.cmdline contains "😹" or tgt.process.cmdline contains "😻" or tgt.process.cmdline contains "😼" or tgt.process.cmdline contains "😽" or tgt.process.cmdline contains "🙀" or tgt.process.cmdline contains "😿" or tgt.process.cmdline contains "😾" or tgt.process.cmdline contains "👋" or tgt.process.cmdline contains "🤚" or tgt.process.cmdline contains "🖐" or tgt.process.cmdline contains "✋" or tgt.process.cmdline contains "🖖" or tgt.process.cmdline contains "👌" or tgt.process.cmdline contains "🤌" or tgt.process.cmdline contains "🤏" or tgt.process.cmdline contains "✌️" or tgt.process.cmdline contains "🤞" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🤟" or tgt.process.cmdline contains "🤘" or tgt.process.cmdline contains "🤙" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "👈" or tgt.process.cmdline contains "👉" or tgt.process.cmdline contains "👆" or tgt.process.cmdline contains "🖕" or tgt.process.cmdline contains "👇" or tgt.process.cmdline contains "☝️" or tgt.process.cmdline contains "👍" or tgt.process.cmdline contains "👎" or tgt.process.cmdline contains "✊" or tgt.process.cmdline contains "👊" or tgt.process.cmdline contains "🤛" or tgt.process.cmdline contains "🤜" or tgt.process.cmdline contains "👏" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🙌" or tgt.process.cmdline contains "👐" or tgt.process.cmdline contains "🤲" or 
tgt.process.cmdline contains "🤝" or tgt.process.cmdline contains "🙏" or tgt.process.cmdline contains "✍️" or tgt.process.cmdline contains "💪" or tgt.process.cmdline contains "🦾" or tgt.process.cmdline contains "🦵" or tgt.process.cmdline contains "🦿" or tgt.process.cmdline contains "🦶" or tgt.process.cmdline contains "👣" or tgt.process.cmdline contains "👂" or tgt.process.cmdline contains "🦻" or tgt.process.cmdline contains "👃" or tgt.process.cmdline contains "🫀" or tgt.process.cmdline contains "🫁" or tgt.process.cmdline contains "🧠" or tgt.process.cmdline contains "🦷" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "👀" or tgt.process.cmdline contains "👁" or tgt.process.cmdline contains "👅" or tgt.process.cmdline contains "👄" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "💋" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "👶" or tgt.process.cmdline contains "👧" or tgt.process.cmdline contains "🧒" or tgt.process.cmdline contains "👦" or tgt.process.cmdline contains "👩" or tgt.process.cmdline contains "🧑" or tgt.process.cmdline contains "👨" or tgt.process.cmdline contains "👩‍🦱" or tgt.process.cmdline contains "🧑‍🦱" or tgt.process.cmdline contains "👨‍🦱" or tgt.process.cmdline contains "👩‍🦰" or tgt.process.cmdline contains "🧑‍🦰" or tgt.process.cmdline contains "👨‍🦰" or tgt.process.cmdline contains "👱‍♀️" or tgt.process.cmdline contains "👱" or tgt.process.cmdline contains "👱‍♂️" or tgt.process.cmdline contains "👩‍🦳" or tgt.process.cmdline contains "🧑‍🦳" or tgt.process.cmdline contains "👨‍🦳" or tgt.process.cmdline contains "👩‍🦲" or tgt.process.cmdline contains "🧑‍🦲" or tgt.process.cmdline contains "👨‍🦲" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "👵" or tgt.process.cmdline contains "🧓" or tgt.process.cmdline contains "👴" or tgt.process.cmdline contains "👲" or tgt.process.cmdline contains "👳‍♀️" or 
tgt.process.cmdline contains "👳" or tgt.process.cmdline contains "👳‍♂️" or tgt.process.cmdline contains "🧕" or tgt.process.cmdline contains "👮‍♀️" or tgt.process.cmdline contains "👮" or tgt.process.cmdline contains "👮‍♂️" or tgt.process.cmdline contains "👷‍♀️" or tgt.process.cmdline contains "👷" or tgt.process.cmdline contains "👷‍♂️" or tgt.process.cmdline contains "💂‍♀️" or tgt.process.cmdline contains "💂" or tgt.process.cmdline contains "💂‍♂️" or tgt.process.cmdline contains "🕵️‍♀️" or tgt.process.cmdline contains "🕵️" or tgt.process.cmdline contains "🕵️‍♂️" or tgt.process.cmdline contains "👩‍⚕️" or tgt.process.cmdline contains "🧑‍⚕️" or tgt.process.cmdline contains "👨‍⚕️" or tgt.process.cmdline contains "👩‍🌾" or tgt.process.cmdline contains "🧑‍🌾" or tgt.process.cmdline contains "👨‍🌾" or tgt.process.cmdline contains "👩‍🍳" or tgt.process.cmdline contains "🧑‍🍳" or tgt.process.cmdline contains "👨‍🍳" or tgt.process.cmdline contains "👩‍🎓" or tgt.process.cmdline contains "🧑‍🎓" or tgt.process.cmdline contains "👨‍🎓" or tgt.process.cmdline contains "👩‍🎤" or tgt.process.cmdline contains "🧑‍🎤" or tgt.process.cmdline contains "👨‍🎤" or tgt.process.cmdline contains "👩‍🏫" or tgt.process.cmdline contains "🧑‍🏫" or tgt.process.cmdline contains "👨‍🏫" or tgt.process.cmdline contains "👩‍🏭" or tgt.process.cmdline contains "🧑‍🏭" or tgt.process.cmdline contains "👨‍🏭" or tgt.process.cmdline contains "👩‍💻" or tgt.process.cmdline contains "🧑‍💻" or tgt.process.cmdline contains "👨‍💻" or tgt.process.cmdline contains "👩‍💼" or tgt.process.cmdline contains "🧑‍💼" or tgt.process.cmdline contains "👨‍💼" or tgt.process.cmdline contains "👩‍🔧" or tgt.process.cmdline contains "🧑‍🔧" or tgt.process.cmdline contains "👨‍🔧" or tgt.process.cmdline contains "👩‍🔬" or tgt.process.cmdline contains "🧑‍🔬" or tgt.process.cmdline contains "👨‍🔬" or tgt.process.cmdline contains "👩‍🎨" or tgt.process.cmdline contains "🧑‍🎨" or tgt.process.cmdline contains "👨‍🎨" or tgt.process.cmdline contains "👩‍🚒" or tgt.process.cmdline 
contains "🧑‍🚒" or tgt.process.cmdline contains "👨‍🚒" or tgt.process.cmdline contains "👩‍✈️" or tgt.process.cmdline contains "🧑‍✈️" or tgt.process.cmdline contains "👨‍✈️" or tgt.process.cmdline contains "👩‍🚀" or tgt.process.cmdline contains "🧑‍🚀" or tgt.process.cmdline contains "👨‍🚀" or tgt.process.cmdline contains "👩‍⚖️" or tgt.process.cmdline contains "🧑‍⚖️" or tgt.process.cmdline contains "👨‍⚖️" or tgt.process.cmdline contains "👰‍♀️" or tgt.process.cmdline contains "👰" or tgt.process.cmdline contains "👰‍♂️" or tgt.process.cmdline contains "🤵‍♀️" or tgt.process.cmdline contains "🤵" or tgt.process.cmdline contains "🤵‍♂️" or tgt.process.cmdline contains "👸" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🤴" or tgt.process.cmdline contains "🥷" or tgt.process.cmdline contains "🦸‍♀️" or tgt.process.cmdline contains "🦸" or tgt.process.cmdline contains "🦸‍♂️" or tgt.process.cmdline contains "🦹‍♀️" or tgt.process.cmdline contains "🦹" or tgt.process.cmdline contains "🦹‍♂️" or tgt.process.cmdline contains "🤶" or tgt.process.cmdline contains "🧑‍🎄" or tgt.process.cmdline contains "🎅" or tgt.process.cmdline contains "🧙‍♀️" or tgt.process.cmdline contains "🧙" or tgt.process.cmdline contains "🧙‍♂️" or tgt.process.cmdline contains "🧝‍♀️" or tgt.process.cmdline contains "🧝" or tgt.process.cmdline contains "🧝‍♂️" or tgt.process.cmdline contains "🧛‍♀️" or tgt.process.cmdline contains "🧛" or tgt.process.cmdline contains "🧛‍♂️" or tgt.process.cmdline contains "🧟‍♀️" or tgt.process.cmdline contains "🧟" or tgt.process.cmdline contains "🧟‍♂️" or tgt.process.cmdline contains "🧞‍♀️" or tgt.process.cmdline contains "🧞" or tgt.process.cmdline contains "🧞‍♂️" or tgt.process.cmdline contains "🧜‍♀️" or tgt.process.cmdline contains "🧜" or tgt.process.cmdline contains "🧜‍♂️" or tgt.process.cmdline contains "🧚‍♀️" or tgt.process.cmdline contains "🧚" or tgt.process.cmdline contains "🧚‍♂️" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "👼" or 
tgt.process.cmdline contains "🤰" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🤱" or tgt.process.cmdline contains "👩‍🍼" or tgt.process.cmdline contains "🧑‍🍼" or tgt.process.cmdline contains "👨‍🍼" or tgt.process.cmdline contains "🙇‍♀️" or tgt.process.cmdline contains "🙇" or tgt.process.cmdline contains "🙇‍♂️" or tgt.process.cmdline contains "💁‍♀️" or tgt.process.cmdline contains "💁" or tgt.process.cmdline contains "💁‍♂️" or tgt.process.cmdline contains "🙅‍♀️" or tgt.process.cmdline contains "🙅" or tgt.process.cmdline contains "🙅‍♂️" or tgt.process.cmdline contains "🙆‍♀️" or tgt.process.cmdline contains "🙆" or tgt.process.cmdline contains "🙆‍♂️" or tgt.process.cmdline contains "🙋‍♀️" or tgt.process.cmdline contains "🙋" or tgt.process.cmdline contains "🙋‍♂️" or tgt.process.cmdline contains "🧏‍♀️" or tgt.process.cmdline contains "🧏" or tgt.process.cmdline contains "🧏‍♂️" or tgt.process.cmdline contains "🤦‍♀️" or tgt.process.cmdline contains "🤦" or tgt.process.cmdline contains "🤦‍♂️" or tgt.process.cmdline contains "🤷‍♀️" or tgt.process.cmdline contains "🤷" or tgt.process.cmdline contains "🤷‍♂️" or tgt.process.cmdline contains "🙎‍♀️" or tgt.process.cmdline contains "🙎" or tgt.process.cmdline contains "🙎‍♂️" or tgt.process.cmdline contains "🙍‍♀️" or tgt.process.cmdline contains "🙍" or tgt.process.cmdline contains "🙍‍♂️" or tgt.process.cmdline contains "💇‍♀️" or tgt.process.cmdline contains "💇" or tgt.process.cmdline contains "💇‍♂️" or tgt.process.cmdline contains "💆‍♀️" or tgt.process.cmdline contains "💆" or tgt.process.cmdline contains "💆‍♂️" or tgt.process.cmdline contains "🧖‍♀️" or tgt.process.cmdline contains "🧖" or tgt.process.cmdline contains "🧖‍♂️" or tgt.process.cmdline contains "💅" or tgt.process.cmdline contains "💃" or tgt.process.cmdline contains "🕺" or tgt.process.cmdline contains "👯‍♀️" or tgt.process.cmdline contains "👯" or tgt.process.cmdline contains "👯‍♂️" or tgt.process.cmdline contains "🕴" or 
tgt.process.cmdline contains "👩‍🦽" or tgt.process.cmdline contains "🧑‍🦽" or tgt.process.cmdline contains "👨‍🦽" or tgt.process.cmdline contains "👩‍🦼" or tgt.process.cmdline contains "🧑‍🦼" or tgt.process.cmdline contains "👨‍🦼" or tgt.process.cmdline contains "🚶‍♀️" or tgt.process.cmdline contains "🚶" or tgt.process.cmdline contains "🚶‍♂️" or tgt.process.cmdline contains "👩‍🦯" or tgt.process.cmdline contains "🧑‍🦯" or tgt.process.cmdline contains "👨‍🦯" or tgt.process.cmdline contains "🧎‍♀️" or tgt.process.cmdline contains "🧎" or tgt.process.cmdline contains "🧎‍♂️" or tgt.process.cmdline contains "🏃‍♀️" or tgt.process.cmdline contains "🏃" or tgt.process.cmdline contains "🏃‍♂️" or tgt.process.cmdline contains "🧍‍♀️" or tgt.process.cmdline contains "🧍" or tgt.process.cmdline contains "🧍‍♂️" or tgt.process.cmdline contains "👭" or tgt.process.cmdline contains "🧑‍🤝‍🧑" or tgt.process.cmdline contains "👬" or tgt.process.cmdline contains "👫" or tgt.process.cmdline contains "👩‍❤️‍👩" or tgt.process.cmdline contains "💑" or tgt.process.cmdline contains "👨‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👩" or tgt.process.cmdline contains "💏" or tgt.process.cmdline contains "👨‍❤️‍💋‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👨" or tgt.process.cmdline contains "👪" or tgt.process.cmdline contains "👨‍👩‍👦" or tgt.process.cmdline contains "👨‍👩‍👧" or tgt.process.cmdline contains "👨‍👩‍👧‍👦" or tgt.process.cmdline contains "👨‍👩‍👦‍👦" or tgt.process.cmdline contains "👨‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👨‍👦" or tgt.process.cmdline contains "👨‍👨‍👧" or tgt.process.cmdline contains "👨‍👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👨‍👦‍👦" or tgt.process.cmdline contains "👨‍👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👩‍👦" or tgt.process.cmdline contains "👩‍👩‍👧" or tgt.process.cmdline contains "👩‍👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👦" or tgt.process.cmdline contains "👨‍👦‍👦" 
or tgt.process.cmdline contains "👨‍👧" or tgt.process.cmdline contains "👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👦" or tgt.process.cmdline contains "👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👧" or tgt.process.cmdline contains "👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👧‍👧" or tgt.process.cmdline contains "🗣" or tgt.process.cmdline contains "👤" or tgt.process.cmdline contains "👥" or tgt.process.cmdline contains "🫂" or tgt.process.cmdline contains "🧳" or tgt.process.cmdline contains "🌂" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🧵" or tgt.process.cmdline contains "🪡" or tgt.process.cmdline contains "🪢" or tgt.process.cmdline contains "🧶" or tgt.process.cmdline contains "👓" or tgt.process.cmdline contains "🕶" or tgt.process.cmdline contains "🥽" or tgt.process.cmdline contains "🥼" or tgt.process.cmdline contains "🦺" or tgt.process.cmdline contains "👔" or tgt.process.cmdline contains "👕" or tgt.process.cmdline contains "👖" or tgt.process.cmdline contains "🧣" or tgt.process.cmdline contains "🧤" or tgt.process.cmdline contains "🧥" or tgt.process.cmdline contains "🧦" or tgt.process.cmdline contains "👗" or tgt.process.cmdline contains "👘" or tgt.process.cmdline contains "🥻" or tgt.process.cmdline contains "🩴" or tgt.process.cmdline contains "🩱" or tgt.process.cmdline contains "🩲" or tgt.process.cmdline contains "🩳" or tgt.process.cmdline contains "👙" or tgt.process.cmdline contains "👚" or tgt.process.cmdline contains "👛" or tgt.process.cmdline contains "👜" or tgt.process.cmdline contains "👝" or tgt.process.cmdline contains "🎒" or tgt.process.cmdline contains "👞" or tgt.process.cmdline contains "👟" or tgt.process.cmdline contains "🥾" or tgt.process.cmdline contains "🥿" or tgt.process.cmdline contains "👠" or tgt.process.cmdline contains "👡" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "👢" or tgt.process.cmdline contains "👑" or tgt.process.cmdline contains "👒" or tgt.process.cmdline 
contains "🎩" or tgt.process.cmdline contains "🎓" or tgt.process.cmdline contains "🧢" or tgt.process.cmdline contains "⛑" or tgt.process.cmdline contains "🪖" or tgt.process.cmdline contains "💄" or tgt.process.cmdline contains "💍" or tgt.process.cmdline contains "💼" or tgt.process.cmdline contains "👋🏻" or tgt.process.cmdline contains "🤚🏻" or tgt.process.cmdline contains "🖐🏻" or tgt.process.cmdline contains "✋🏻" or tgt.process.cmdline contains "🖖🏻" or tgt.process.cmdline contains "👌🏻" or tgt.process.cmdline contains "🤌🏻" or tgt.process.cmdline contains "🤏🏻" or tgt.process.cmdline contains "✌🏻" or tgt.process.cmdline contains "🤞🏻" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🤟🏻" or tgt.process.cmdline contains "🤘🏻" or tgt.process.cmdline contains "🤙🏻" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "👈🏻" or tgt.process.cmdline contains "👉🏻" or tgt.process.cmdline contains "👆🏻" or tgt.process.cmdline contains "🖕🏻" or tgt.process.cmdline contains "👇🏻" or tgt.process.cmdline contains "☝🏻" or tgt.process.cmdline contains "👍🏻" or tgt.process.cmdline contains "👎🏻" or tgt.process.cmdline contains "✊🏻" or tgt.process.cmdline contains "👊🏻" or tgt.process.cmdline contains "🤛🏻" or tgt.process.cmdline contains "🤜🏻" or tgt.process.cmdline contains "👏🏻" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🙌🏻" or tgt.process.cmdline contains "👐🏻" or tgt.process.cmdline contains "🤲🏻" or tgt.process.cmdline contains "🙏🏻" or tgt.process.cmdline contains "✍🏻" or tgt.process.cmdline contains "💪🏻" or tgt.process.cmdline contains "🦵🏻" or tgt.process.cmdline contains "🦶🏻" or tgt.process.cmdline contains "👂🏻" or tgt.process.cmdline contains "🦻🏻" or tgt.process.cmdline contains "👃🏻" or tgt.process.cmdline contains "👶🏻" or tgt.process.cmdline contains "👧🏻" or tgt.process.cmdline contains 
"🧒🏻" or tgt.process.cmdline contains "👦🏻" or tgt.process.cmdline contains "👩🏻" or tgt.process.cmdline contains "🧑🏻" or tgt.process.cmdline contains "👨🏻" or tgt.process.cmdline contains "👩🏻‍🦱" or tgt.process.cmdline contains "🧑🏻‍🦱" or tgt.process.cmdline contains "👨🏻‍🦱" or tgt.process.cmdline contains "👩🏻‍🦰" or tgt.process.cmdline contains "🧑🏻‍🦰" or tgt.process.cmdline contains "👨🏻‍🦰" or tgt.process.cmdline contains "👱🏻‍♀️" or tgt.process.cmdline contains "👱🏻" or tgt.process.cmdline contains "👱🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦳" or tgt.process.cmdline contains "🧑🏻‍🦳" or tgt.process.cmdline contains "👨🏻‍🦳" or tgt.process.cmdline contains "👩🏻‍🦲" or tgt.process.cmdline contains "🧑🏻‍🦲" or tgt.process.cmdline contains "👨🏻‍🦲" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline contains "🧔🏻" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "👵🏻" or tgt.process.cmdline contains "🧓🏻" or tgt.process.cmdline contains "👴🏻" or tgt.process.cmdline contains "👲🏻" or tgt.process.cmdline contains "👳🏻‍♀️" or tgt.process.cmdline contains "👳🏻" or tgt.process.cmdline contains "👳🏻‍♂️" or tgt.process.cmdline contains "🧕🏻" or tgt.process.cmdline contains "👮🏻‍♀️" or tgt.process.cmdline contains "👮🏻" or tgt.process.cmdline contains "👮🏻‍♂️" or tgt.process.cmdline contains "👷🏻‍♀️" or tgt.process.cmdline contains "👷🏻" or tgt.process.cmdline contains "👷🏻‍♂️" or tgt.process.cmdline contains "💂🏻‍♀️" or tgt.process.cmdline contains "💂🏻" or tgt.process.cmdline contains "💂🏻‍♂️" or tgt.process.cmdline contains "🕵🏻‍♀️" or tgt.process.cmdline contains "🕵🏻" or tgt.process.cmdline contains "🕵🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍⚕️" or tgt.process.cmdline contains "🧑🏻‍⚕️" or tgt.process.cmdline contains "👨🏻‍⚕️" or tgt.process.cmdline contains "👩🏻‍🌾" or tgt.process.cmdline contains "🧑🏻‍🌾" or tgt.process.cmdline contains "👨🏻‍🌾" or tgt.process.cmdline contains "👩🏻‍🍳" or tgt.process.cmdline contains "🧑🏻‍🍳" or tgt.process.cmdline contains "👨🏻‍🍳" or 
tgt.process.cmdline contains "👩🏻‍🎓" or tgt.process.cmdline contains "🧑🏻‍🎓" or tgt.process.cmdline contains "👨🏻‍🎓" or tgt.process.cmdline contains "👩🏻‍🎤" or tgt.process.cmdline contains "🧑🏻‍🎤" or tgt.process.cmdline contains "👨🏻‍🎤" or tgt.process.cmdline contains "👩🏻‍🏫" or tgt.process.cmdline contains "🧑🏻‍🏫" or tgt.process.cmdline contains "👨🏻‍🏫" or tgt.process.cmdline contains "👩🏻‍🏭" or tgt.process.cmdline contains "🧑🏻‍🏭" or tgt.process.cmdline contains "👨🏻‍🏭" or tgt.process.cmdline contains "👩🏻‍💻" or tgt.process.cmdline contains "🧑🏻‍💻" or tgt.process.cmdline contains "👨🏻‍💻" or tgt.process.cmdline contains "👩🏻‍💼" or tgt.process.cmdline contains "🧑🏻‍💼" or tgt.process.cmdline contains "👨🏻‍💼" or tgt.process.cmdline contains "👩🏻‍🔧" or tgt.process.cmdline contains "🧑🏻‍🔧" or tgt.process.cmdline contains "👨🏻‍🔧" or tgt.process.cmdline contains "👩🏻‍🔬" or tgt.process.cmdline contains "🧑🏻‍🔬" or tgt.process.cmdline contains "👨🏻‍🔬" or tgt.process.cmdline contains "👩🏻‍🎨" or tgt.process.cmdline contains "🧑🏻‍🎨" or tgt.process.cmdline contains "👨🏻‍🎨" or tgt.process.cmdline contains "👩🏻‍🚒" or tgt.process.cmdline contains "🧑🏻‍🚒" or tgt.process.cmdline contains "👨🏻‍🚒" or tgt.process.cmdline contains "👩🏻‍✈️" or tgt.process.cmdline contains "🧑🏻‍✈️" or tgt.process.cmdline contains "👨🏻‍✈️" or tgt.process.cmdline contains "👩🏻‍🚀" or tgt.process.cmdline contains "🧑🏻‍🚀" or tgt.process.cmdline contains "👨🏻‍🚀" or tgt.process.cmdline contains "👩🏻‍⚖️" or tgt.process.cmdline contains "🧑🏻‍⚖️" or tgt.process.cmdline contains "👨🏻‍⚖️" or tgt.process.cmdline contains "👰🏻‍♀️" or tgt.process.cmdline contains "👰🏻" or tgt.process.cmdline contains "👰🏻‍♂️" or tgt.process.cmdline contains "🤵🏻‍♀️" or tgt.process.cmdline contains "🤵🏻" or tgt.process.cmdline contains "🤵🏻‍♂️" or tgt.process.cmdline contains "👸🏻" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🤴🏻" or tgt.process.cmdline contains "🥷🏻" or tgt.process.cmdline contains "🦸🏻‍♀️" or tgt.process.cmdline contains "🦸🏻" or 
tgt.process.cmdline contains "🦸🏻‍♂️" or tgt.process.cmdline contains "🦹🏻‍♀️" or tgt.process.cmdline contains "🦹🏻" or tgt.process.cmdline contains "🦹🏻‍♂️" or tgt.process.cmdline contains "🤶🏻" or tgt.process.cmdline contains "🧑🏻‍🎄" or tgt.process.cmdline contains "🎅🏻" or tgt.process.cmdline contains "🧙🏻‍♀️" or tgt.process.cmdline contains "🧙🏻" or tgt.process.cmdline contains "🧙🏻‍♂️" or tgt.process.cmdline contains "🧝🏻‍♀️" or tgt.process.cmdline contains "🧝🏻" or tgt.process.cmdline contains "🧝🏻‍♂️" or tgt.process.cmdline contains "🧛🏻‍♀️" or tgt.process.cmdline contains "🧛🏻" or tgt.process.cmdline contains "🧛🏻‍♂️" or tgt.process.cmdline contains "🧜🏻‍♀️" or tgt.process.cmdline contains "🧜🏻" or tgt.process.cmdline contains "🧜🏻‍♂️" or tgt.process.cmdline contains "🧚🏻‍♀️" or tgt.process.cmdline contains "🧚🏻" or tgt.process.cmdline contains "🧚🏻‍♂️" or tgt.process.cmdline contains "👼🏻" or tgt.process.cmdline contains "🤰🏻" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🤱🏻" or tgt.process.cmdline contains "👩🏻‍🍼" or tgt.process.cmdline contains "🧑🏻‍🍼" or tgt.process.cmdline contains "👨🏻‍🍼" or tgt.process.cmdline contains "🙇🏻‍♀️" or tgt.process.cmdline contains "🙇🏻" or tgt.process.cmdline contains "🙇🏻‍♂️" or tgt.process.cmdline contains "💁🏻‍♀️" or tgt.process.cmdline contains "💁🏻" or tgt.process.cmdline contains "💁🏻‍♂️" or tgt.process.cmdline contains "🙅🏻‍♀️" or tgt.process.cmdline contains "🙅🏻" or tgt.process.cmdline contains "🙅🏻‍♂️" or tgt.process.cmdline contains "🙆🏻‍♀️" or tgt.process.cmdline contains "🙆🏻" or tgt.process.cmdline contains "🙆🏻‍♂️" or tgt.process.cmdline contains "🙋🏻‍♀️" or tgt.process.cmdline contains "🙋🏻" or tgt.process.cmdline contains "🙋🏻‍♂️" or tgt.process.cmdline contains "🧏🏻‍♀️" or tgt.process.cmdline contains "🧏🏻" or tgt.process.cmdline contains "🧏🏻‍♂️" or tgt.process.cmdline contains "🤦🏻‍♀️" or tgt.process.cmdline contains "🤦🏻" or tgt.process.cmdline contains "🤦🏻‍♂️" or tgt.process.cmdline 
contains "🤷🏻‍♀️" or tgt.process.cmdline contains "🤷🏻" or tgt.process.cmdline contains "🤷🏻‍♂️" or tgt.process.cmdline contains "🙎🏻‍♀️" or tgt.process.cmdline contains "🙎🏻" or tgt.process.cmdline contains "🙎🏻‍♂️" or tgt.process.cmdline contains "🙍🏻‍♀️" or tgt.process.cmdline contains "🙍🏻" or tgt.process.cmdline contains "🙍🏻‍♂️" or tgt.process.cmdline contains "💇🏻‍♀️" or tgt.process.cmdline contains "💇🏻" or tgt.process.cmdline contains "💇🏻‍♂️" or tgt.process.cmdline contains "💆🏻‍♀️" or tgt.process.cmdline contains "💆🏻" or tgt.process.cmdline contains "💆🏻‍♂️" or tgt.process.cmdline contains "🧖🏻‍♀️" or tgt.process.cmdline contains "🧖🏻" or tgt.process.cmdline contains "🧖🏻‍♂️" or tgt.process.cmdline contains "💃🏻" or tgt.process.cmdline contains "🕺🏻" or tgt.process.cmdline contains "🕴🏻" or tgt.process.cmdline contains "👩🏻‍🦽" or tgt.process.cmdline contains "🧑🏻‍🦽" or tgt.process.cmdline contains "👨🏻‍🦽" or tgt.process.cmdline contains "👩🏻‍🦼" or tgt.process.cmdline contains "🧑🏻‍🦼" or tgt.process.cmdline contains "👨🏻‍🦼" or tgt.process.cmdline contains "🚶🏻‍♀️" or tgt.process.cmdline contains "🚶🏻" or tgt.process.cmdline contains "🚶🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦯" or tgt.process.cmdline contains "🧑🏻‍🦯" or tgt.process.cmdline contains "👨🏻‍🦯" or tgt.process.cmdline contains "🧎🏻‍♀️" or tgt.process.cmdline contains "🧎🏻" or tgt.process.cmdline contains "🧎🏻‍♂️" or tgt.process.cmdline contains "🏃🏻‍♀️" or tgt.process.cmdline contains "🏃🏻" or tgt.process.cmdline contains "🏃🏻‍♂️" or tgt.process.cmdline contains "🧍🏻‍♀️" or tgt.process.cmdline contains "🧍🏻" or tgt.process.cmdline contains "🧍🏻‍♂️" or tgt.process.cmdline contains "👭🏻" or tgt.process.cmdline contains "🧑🏻‍🤝‍🧑🏻" or tgt.process.cmdline contains "👬🏻" or tgt.process.cmdline contains "👫🏻" or tgt.process.cmdline contains "🧗🏻‍♀️" or tgt.process.cmdline contains "🧗🏻" or tgt.process.cmdline contains "🧗🏻‍♂️" or tgt.process.cmdline contains "🏇🏻" or tgt.process.cmdline contains "🏂🏻" or tgt.process.cmdline contains "🏌🏻‍♀️" or 
tgt.process.cmdline contains "🏌🏻" or tgt.process.cmdline contains "🏌🏻‍♂️" or tgt.process.cmdline contains "🏄🏻‍♀️" or tgt.process.cmdline contains "🏄🏻" or tgt.process.cmdline contains "🏄🏻‍♂️" or tgt.process.cmdline contains "🚣🏻‍♀️" or tgt.process.cmdline contains "🚣🏻" or tgt.process.cmdline contains "🚣🏻‍♂️" or tgt.process.cmdline contains "🏊🏻‍♀️" or tgt.process.cmdline contains "🏊🏻" or tgt.process.cmdline contains "🏊🏻‍♂️" or tgt.process.cmdline contains "⛹🏻‍♀️" or tgt.process.cmdline contains "⛹🏻" or tgt.process.cmdline contains "⛹🏻‍♂️" or tgt.process.cmdline contains "🏋🏻‍♀️" or tgt.process.cmdline contains "🏋🏻" or tgt.process.cmdline contains "🏋🏻‍♂️" or tgt.process.cmdline contains "🚴🏻‍♀️" or tgt.process.cmdline contains "🚴🏻" or tgt.process.cmdline contains "🚴🏻‍♂️" or tgt.process.cmdline contains "🚵🏻‍♀️" or tgt.process.cmdline contains "🚵🏻" or tgt.process.cmdline contains "🚵🏻‍♂️" or tgt.process.cmdline contains "🤸🏻‍♀️" or tgt.process.cmdline contains "🤸🏻" or tgt.process.cmdline contains "🤸🏻‍♂️" or tgt.process.cmdline contains "🤽🏻‍♀️" or tgt.process.cmdline contains "🤽🏻" or tgt.process.cmdline contains "🤽🏻‍♂️" or tgt.process.cmdline contains "🤾🏻‍♀️" or tgt.process.cmdline contains "🤾🏻" or tgt.process.cmdline contains "🤾🏻‍♂️" or tgt.process.cmdline contains "🤹🏻‍♀️" or tgt.process.cmdline contains "🤹🏻" or tgt.process.cmdline contains "🤹🏻‍♂️" or tgt.process.cmdline contains "🧘🏻‍♀️" or tgt.process.cmdline contains "🧘🏻" or tgt.process.cmdline contains "🧘🏻‍♂️" or tgt.process.cmdline contains "🛀🏻" or tgt.process.cmdline contains "🛌🏻" or tgt.process.cmdline contains "👋🏼" or tgt.process.cmdline contains "🤚🏼" or tgt.process.cmdline contains "🖐🏼" or tgt.process.cmdline contains "✋🏼" or tgt.process.cmdline contains "🖖🏼" or tgt.process.cmdline contains "👌🏼" or tgt.process.cmdline contains "🤌🏼" or tgt.process.cmdline contains "🤏🏼" or tgt.process.cmdline contains "✌🏼" or tgt.process.cmdline contains "🤞🏼" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🤟🏼" or 
tgt.process.cmdline contains "🤘🏼" or tgt.process.cmdline contains "🤙🏼" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "👈🏼" or tgt.process.cmdline contains "👉🏼" or tgt.process.cmdline contains "👆🏼" or tgt.process.cmdline contains "🖕🏼" or tgt.process.cmdline contains "👇🏼" or tgt.process.cmdline contains "☝🏼" or tgt.process.cmdline contains "👍🏼" or tgt.process.cmdline contains "👎🏼" or tgt.process.cmdline contains "✊🏼" or tgt.process.cmdline contains "👊🏼" or tgt.process.cmdline contains "🤛🏼" or tgt.process.cmdline contains "🤜🏼" or tgt.process.cmdline contains "👏🏼" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🙌🏼" or tgt.process.cmdline contains "👐🏼" or tgt.process.cmdline contains "🤲🏼" or tgt.process.cmdline contains "🙏🏼" or tgt.process.cmdline contains "✍🏼" or tgt.process.cmdline contains "💪🏼" or tgt.process.cmdline contains "🦵🏼" or tgt.process.cmdline contains "🦶🏼" or tgt.process.cmdline contains "👂🏼" or tgt.process.cmdline contains "🦻🏼" or tgt.process.cmdline contains "👃🏼" or tgt.process.cmdline contains "👶🏼" or tgt.process.cmdline contains "👧🏼" or tgt.process.cmdline contains "🧒🏼" or tgt.process.cmdline contains "👦🏼" or tgt.process.cmdline contains "👩🏼" or tgt.process.cmdline contains "🧑🏼" or tgt.process.cmdline contains "👨🏼" or tgt.process.cmdline contains "👩🏼‍🦱" or tgt.process.cmdline contains "🧑🏼‍🦱" or tgt.process.cmdline contains "👨🏼‍🦱" or tgt.process.cmdline contains "👩🏼‍🦰" or tgt.process.cmdline contains "🧑🏼‍🦰" or tgt.process.cmdline contains "👨🏼‍🦰" or tgt.process.cmdline contains "👱🏼‍♀️" or tgt.process.cmdline contains "👱🏼" or tgt.process.cmdline contains "👱🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦳" or tgt.process.cmdline contains "🧑🏼‍🦳" or tgt.process.cmdline contains "👨🏼‍🦳" or tgt.process.cmdline contains "👩🏼‍🦲" or tgt.process.cmdline contains "🧑🏼‍🦲" or 
tgt.process.cmdline contains "👨🏼‍🦲" or tgt.process.cmdline contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏼" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "👵🏼" or tgt.process.cmdline contains "🧓🏼" or tgt.process.cmdline contains "👴🏼" or tgt.process.cmdline contains "👲🏼" or tgt.process.cmdline contains "👳🏼‍♀️" or tgt.process.cmdline contains "👳🏼" or tgt.process.cmdline contains "👳🏼‍♂️" or tgt.process.cmdline contains "🧕🏼" or tgt.process.cmdline contains "👮🏼‍♀️" or tgt.process.cmdline contains "👮🏼" or tgt.process.cmdline contains "👮🏼‍♂️" or tgt.process.cmdline contains "👷🏼‍♀️" or tgt.process.cmdline contains "👷🏼" or tgt.process.cmdline contains "👷🏼‍♂️" or tgt.process.cmdline contains "💂🏼‍♀️" or tgt.process.cmdline contains "💂🏼" or tgt.process.cmdline contains "💂🏼‍♂️" or tgt.process.cmdline contains "🕵🏼‍♀️" or tgt.process.cmdline contains "🕵🏼" or tgt.process.cmdline contains "🕵🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍⚕️" or tgt.process.cmdline contains "🧑🏼‍⚕️" or tgt.process.cmdline contains "👨🏼‍⚕️" or tgt.process.cmdline contains "👩🏼‍🌾" or tgt.process.cmdline contains "🧑🏼‍🌾" or tgt.process.cmdline contains "👨🏼‍🌾" or tgt.process.cmdline contains "👩🏼‍🍳" or tgt.process.cmdline contains "🧑🏼‍🍳" or tgt.process.cmdline contains "👨🏼‍🍳" or tgt.process.cmdline contains "👩🏼‍🎓" or tgt.process.cmdline contains "🧑🏼‍🎓" or tgt.process.cmdline contains "👨🏼‍🎓" or tgt.process.cmdline contains "👩🏼‍🎤" or tgt.process.cmdline contains "🧑🏼‍🎤" or tgt.process.cmdline contains "👨🏼‍🎤" or tgt.process.cmdline contains "👩🏼‍🏫" or tgt.process.cmdline contains "🧑🏼‍🏫" or tgt.process.cmdline contains "👨🏼‍🏫" or tgt.process.cmdline contains "👩🏼‍🏭" or tgt.process.cmdline contains "🧑🏼‍🏭" or tgt.process.cmdline contains "👨🏼‍🏭" or tgt.process.cmdline contains "👩🏼‍💻" or tgt.process.cmdline contains "🧑🏼‍💻" or tgt.process.cmdline contains "👨🏼‍💻" or tgt.process.cmdline contains "👩🏼‍💼" or tgt.process.cmdline contains "🧑🏼‍💼" or tgt.process.cmdline contains "👨🏼‍💼" or 
tgt.process.cmdline contains "👩🏼‍🔧" or tgt.process.cmdline contains "🧑🏼‍🔧" or tgt.process.cmdline contains "👨🏼‍🔧" or tgt.process.cmdline contains "👩🏼‍🔬" or tgt.process.cmdline contains "🧑🏼‍🔬" or tgt.process.cmdline contains "👨🏼‍🔬" or tgt.process.cmdline contains "👩🏼‍🎨" or tgt.process.cmdline contains "🧑🏼‍🎨" or tgt.process.cmdline contains "👨🏼‍🎨" or tgt.process.cmdline contains "👩🏼‍🚒" or tgt.process.cmdline contains "🧑🏼‍🚒" or tgt.process.cmdline contains "👨🏼‍🚒" or tgt.process.cmdline contains "👩🏼‍✈️" or tgt.process.cmdline contains "🧑🏼‍✈️" or tgt.process.cmdline contains "👨🏼‍✈️" or tgt.process.cmdline contains "👩🏼‍🚀" or tgt.process.cmdline contains "🧑🏼‍🚀" or tgt.process.cmdline contains "👨🏼‍🚀" or tgt.process.cmdline contains "👩🏼‍⚖️" or tgt.process.cmdline contains "🧑🏼‍⚖️" or tgt.process.cmdline contains "👨🏼‍⚖️" or tgt.process.cmdline contains "👰🏼‍♀️" or tgt.process.cmdline contains "👰🏼" or tgt.process.cmdline contains "👰🏼‍♂️" or tgt.process.cmdline contains "🤵🏼‍♀️" or tgt.process.cmdline contains "🤵🏼" or tgt.process.cmdline contains "🤵🏼‍♂️" or tgt.process.cmdline contains "👸🏼" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🤴🏼" or tgt.process.cmdline contains "🥷🏼" or tgt.process.cmdline contains "🦸🏼‍♀️" or tgt.process.cmdline contains "🦸🏼" or tgt.process.cmdline contains "🦸🏼‍♂️" or tgt.process.cmdline contains "🦹🏼‍♀️" or tgt.process.cmdline contains "🦹🏼" or tgt.process.cmdline contains "🦹🏼‍♂️" or tgt.process.cmdline contains "🤶🏼" or tgt.process.cmdline contains "🧑🏼‍🎄" or tgt.process.cmdline contains "🎅🏼" or tgt.process.cmdline contains "🧙🏼‍♀️" or tgt.process.cmdline contains "🧙🏼" or tgt.process.cmdline contains "🧙🏼‍♂️" or tgt.process.cmdline contains "🧝🏼‍♀️" or tgt.process.cmdline contains "🧝🏼" or tgt.process.cmdline contains "🧝🏼‍♂️" or tgt.process.cmdline contains "🧛🏼‍♀️" or tgt.process.cmdline contains "🧛🏼" or tgt.process.cmdline contains "🧛🏼‍♂️" or tgt.process.cmdline contains "🧜🏼‍♀️" or tgt.process.cmdline contains "🧜🏼" or 
tgt.process.cmdline contains "🧜🏼‍♂️" or tgt.process.cmdline contains "🧚🏼‍♀️" or tgt.process.cmdline contains "🧚🏼" or tgt.process.cmdline contains "🧚🏼‍♂️" or tgt.process.cmdline contains "👼🏼" or tgt.process.cmdline contains "🤰🏼" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🤱🏼" or tgt.process.cmdline contains "👩🏼‍🍼" or tgt.process.cmdline contains "🧑🏼‍🍼" or tgt.process.cmdline contains "👨🏼‍🍼" or tgt.process.cmdline contains "🙇🏼‍♀️" or tgt.process.cmdline contains "🙇🏼" or tgt.process.cmdline contains "🙇🏼‍♂️" or tgt.process.cmdline contains "💁🏼‍♀️" or tgt.process.cmdline contains "💁🏼" or tgt.process.cmdline contains "💁🏼‍♂️" or tgt.process.cmdline contains "🙅🏼‍♀️" or tgt.process.cmdline contains "🙅🏼" or tgt.process.cmdline contains "🙅🏼‍♂️" or tgt.process.cmdline contains "🙆🏼‍♀️" or tgt.process.cmdline contains "🙆🏼" or tgt.process.cmdline contains "🙆🏼‍♂️" or tgt.process.cmdline contains "🙋🏼‍♀️" or tgt.process.cmdline contains "🙋🏼" or tgt.process.cmdline contains "🙋🏼‍♂️" or tgt.process.cmdline contains "🧏🏼‍♀️" or tgt.process.cmdline contains "🧏🏼" or tgt.process.cmdline contains "🧏🏼‍♂️" or tgt.process.cmdline contains "🤦🏼‍♀️" or tgt.process.cmdline contains "🤦🏼" or tgt.process.cmdline contains "🤦🏼‍♂️" or tgt.process.cmdline contains "🤷🏼‍♀️"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md
index dc530b60d..62b9d0659 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🤷🏼" or tgt.process.cmdline contains "🤷🏼‍♂️" or tgt.process.cmdline contains "🙎🏼‍♀️" or tgt.process.cmdline contains "🙎🏼" or tgt.process.cmdline contains "🙎🏼‍♂️" or tgt.process.cmdline contains "🙍🏼‍♀️" or tgt.process.cmdline contains "🙍🏼" or tgt.process.cmdline contains "🙍🏼‍♂️" or tgt.process.cmdline contains "💇🏼‍♀️" or tgt.process.cmdline contains "💇🏼" or tgt.process.cmdline contains "💇🏼‍♂️" or tgt.process.cmdline contains "💆🏼‍♀️" or tgt.process.cmdline contains "💆🏼" or tgt.process.cmdline contains "💆🏼‍♂️" or tgt.process.cmdline contains "🧖🏼‍♀️" or tgt.process.cmdline contains "🧖🏼" or tgt.process.cmdline contains "🧖🏼‍♂️" or tgt.process.cmdline contains "💃🏼" or tgt.process.cmdline contains "🕺🏼" or tgt.process.cmdline contains "🕴🏼" or tgt.process.cmdline contains "👩🏼‍🦽" or tgt.process.cmdline contains "🧑🏼‍🦽" or tgt.process.cmdline contains "👨🏼‍🦽" or tgt.process.cmdline contains "👩🏼‍🦼" or tgt.process.cmdline contains "🧑🏼‍🦼" or tgt.process.cmdline contains "👨🏼‍🦼" or tgt.process.cmdline contains "🚶🏼‍♀️" or tgt.process.cmdline contains "🚶🏼" or tgt.process.cmdline contains "🚶🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦯" or tgt.process.cmdline contains "🧑🏼‍🦯" or tgt.process.cmdline contains "👨🏼‍🦯" or tgt.process.cmdline contains "🧎🏼‍♀️" or tgt.process.cmdline contains "🧎🏼" or tgt.process.cmdline contains "🧎🏼‍♂️" or tgt.process.cmdline contains "🏃🏼‍♀️" or tgt.process.cmdline contains "🏃🏼" or tgt.process.cmdline contains "🏃🏼‍♂️" or tgt.process.cmdline contains "🧍🏼‍♀️" or tgt.process.cmdline contains "🧍🏼" or tgt.process.cmdline contains "🧍🏼‍♂️" or tgt.process.cmdline contains "👭🏼" or tgt.process.cmdline contains "🧑🏼‍🤝‍🧑🏼" or tgt.process.cmdline contains "👬🏼" or tgt.process.cmdline contains "👫🏼" or tgt.process.cmdline 
contains "🧗🏼‍♀️" or tgt.process.cmdline contains "🧗🏼" or tgt.process.cmdline contains "🧗🏼‍♂️" or tgt.process.cmdline contains "🏇🏼" or tgt.process.cmdline contains "🏂🏼" or tgt.process.cmdline contains "🏌🏼‍♀️" or tgt.process.cmdline contains "🏌🏼" or tgt.process.cmdline contains "🏌🏼‍♂️" or tgt.process.cmdline contains "🏄🏼‍♀️" or tgt.process.cmdline contains "🏄🏼" or tgt.process.cmdline contains "🏄🏼‍♂️" or tgt.process.cmdline contains "🚣🏼‍♀️" or tgt.process.cmdline contains "🚣🏼" or tgt.process.cmdline contains "🚣🏼‍♂️" or tgt.process.cmdline contains "🏊🏼‍♀️" or tgt.process.cmdline contains "🏊🏼" or tgt.process.cmdline contains "🏊🏼‍♂️" or tgt.process.cmdline contains "⛹🏼‍♀️" or tgt.process.cmdline contains "⛹🏼" or tgt.process.cmdline contains "⛹🏼‍♂️" or tgt.process.cmdline contains "🏋🏼‍♀️" or tgt.process.cmdline contains "🏋🏼" or tgt.process.cmdline contains "🏋🏼‍♂️" or tgt.process.cmdline contains "🚴🏼‍♀️" or tgt.process.cmdline contains "🚴🏼" or tgt.process.cmdline contains "🚴🏼‍♂️" or tgt.process.cmdline contains "🚵🏼‍♀️" or tgt.process.cmdline contains "🚵🏼" or tgt.process.cmdline contains "🚵🏼‍♂️" or tgt.process.cmdline contains "🤸🏼‍♀️" or tgt.process.cmdline contains "🤸🏼" or tgt.process.cmdline contains "🤸🏼‍♂️" or tgt.process.cmdline contains "🤽🏼‍♀️" or tgt.process.cmdline contains "🤽🏼" or tgt.process.cmdline contains "🤽🏼‍♂️" or tgt.process.cmdline contains "🤾🏼‍♀️" or tgt.process.cmdline contains "🤾🏼" or tgt.process.cmdline contains "🤾🏼‍♂️" or tgt.process.cmdline contains "🤹🏼‍♀️" or tgt.process.cmdline contains "🤹🏼" or tgt.process.cmdline contains "🤹🏼‍♂️" or tgt.process.cmdline contains "🧘🏼‍♀️" or tgt.process.cmdline contains "🧘🏼" or tgt.process.cmdline contains "🧘🏼‍♂️" or tgt.process.cmdline contains "🛀🏼" or tgt.process.cmdline contains "🛌🏼" or tgt.process.cmdline contains "👋🏽" or tgt.process.cmdline contains "🤚🏽" or tgt.process.cmdline contains "🖐🏽" or tgt.process.cmdline contains "✋🏽" or tgt.process.cmdline contains "🖖🏽" or tgt.process.cmdline contains "👌🏽" or 
tgt.process.cmdline contains "🤌🏽" or tgt.process.cmdline contains "🤏🏽" or tgt.process.cmdline contains "✌🏽" or tgt.process.cmdline contains "🤞🏽" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🤟🏽" or tgt.process.cmdline contains "🤘🏽" or tgt.process.cmdline contains "🤙🏽" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "👈🏽" or tgt.process.cmdline contains "👉🏽" or tgt.process.cmdline contains "👆🏽" or tgt.process.cmdline contains "🖕🏽" or tgt.process.cmdline contains "👇🏽" or tgt.process.cmdline contains "☝🏽" or tgt.process.cmdline contains "👍🏽" or tgt.process.cmdline contains "👎🏽" or tgt.process.cmdline contains "✊🏽" or tgt.process.cmdline contains "👊🏽" or tgt.process.cmdline contains "🤛🏽" or tgt.process.cmdline contains "🤜🏽" or tgt.process.cmdline contains "👏🏽" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🙌🏽" or tgt.process.cmdline contains "👐🏽" or tgt.process.cmdline contains "🤲🏽" or tgt.process.cmdline contains "🙏🏽" or tgt.process.cmdline contains "✍🏽" or tgt.process.cmdline contains "💪🏽" or tgt.process.cmdline contains "🦵🏽" or tgt.process.cmdline contains "🦶🏽" or tgt.process.cmdline contains "👂🏽" or tgt.process.cmdline contains "🦻🏽" or tgt.process.cmdline contains "👃🏽" or tgt.process.cmdline contains "👶🏽" or tgt.process.cmdline contains "👧🏽" or tgt.process.cmdline contains "🧒🏽" or tgt.process.cmdline contains "👦🏽" or tgt.process.cmdline contains "👩🏽" or tgt.process.cmdline contains "🧑🏽" or tgt.process.cmdline contains "👨🏽" or tgt.process.cmdline contains "👩🏽‍🦱" or tgt.process.cmdline contains "🧑🏽‍🦱" or tgt.process.cmdline contains "👨🏽‍🦱" or tgt.process.cmdline contains "👩🏽‍🦰" or tgt.process.cmdline contains "🧑🏽‍🦰" or tgt.process.cmdline contains "👨🏽‍🦰" or tgt.process.cmdline contains "👱🏽‍♀️" or tgt.process.cmdline contains "👱🏽" or tgt.process.cmdline 
contains "👱🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦳" or tgt.process.cmdline contains "🧑🏽‍🦳" or tgt.process.cmdline contains "👨🏽‍🦳" or tgt.process.cmdline contains "👩🏽‍🦲" or tgt.process.cmdline contains "🧑🏽‍🦲" or tgt.process.cmdline contains "👨🏽‍🦲" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏽" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "👵🏽" or tgt.process.cmdline contains "🧓🏽" or tgt.process.cmdline contains "👴🏽" or tgt.process.cmdline contains "👲🏽" or tgt.process.cmdline contains "👳🏽‍♀️" or tgt.process.cmdline contains "👳🏽" or tgt.process.cmdline contains "👳🏽‍♂️" or tgt.process.cmdline contains "🧕🏽" or tgt.process.cmdline contains "👮🏽‍♀️" or tgt.process.cmdline contains "👮🏽" or tgt.process.cmdline contains "👮🏽‍♂️" or tgt.process.cmdline contains "👷🏽‍♀️" or tgt.process.cmdline contains "👷🏽" or tgt.process.cmdline contains "👷🏽‍♂️" or tgt.process.cmdline contains "💂🏽‍♀️" or tgt.process.cmdline contains "💂🏽" or tgt.process.cmdline contains "💂🏽‍♂️" or tgt.process.cmdline contains "🕵🏽‍♀️" or tgt.process.cmdline contains "🕵🏽" or tgt.process.cmdline contains "🕵🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍⚕️" or tgt.process.cmdline contains "🧑🏽‍⚕️" or tgt.process.cmdline contains "👨🏽‍⚕️" or tgt.process.cmdline contains "👩🏽‍🌾" or tgt.process.cmdline contains "🧑🏽‍🌾" or tgt.process.cmdline contains "👨🏽‍🌾" or tgt.process.cmdline contains "👩🏽‍🍳" or tgt.process.cmdline contains "🧑🏽‍🍳" or tgt.process.cmdline contains "👨🏽‍🍳" or tgt.process.cmdline contains "👩🏽‍🎓" or tgt.process.cmdline contains "🧑🏽‍🎓" or tgt.process.cmdline contains "👨🏽‍🎓" or tgt.process.cmdline contains "👩🏽‍🎤" or tgt.process.cmdline contains "🧑🏽‍🎤" or tgt.process.cmdline contains "👨🏽‍🎤" or tgt.process.cmdline contains "👩🏽‍🏫" or tgt.process.cmdline contains "🧑🏽‍🏫" or tgt.process.cmdline contains "👨🏽‍🏫" or tgt.process.cmdline contains "👩🏽‍🏭" or tgt.process.cmdline contains "🧑🏽‍🏭" or tgt.process.cmdline contains "👨🏽‍🏭" or tgt.process.cmdline contains "👩🏽‍💻" 
or tgt.process.cmdline contains "🧑🏽‍💻" or tgt.process.cmdline contains "👨🏽‍💻" or tgt.process.cmdline contains "👩🏽‍💼" or tgt.process.cmdline contains "🧑🏽‍💼" or tgt.process.cmdline contains "👨🏽‍💼" or tgt.process.cmdline contains "👩🏽‍🔧" or tgt.process.cmdline contains "🧑🏽‍🔧" or tgt.process.cmdline contains "👨🏽‍🔧" or tgt.process.cmdline contains "👩🏽‍🔬" or tgt.process.cmdline contains "🧑🏽‍🔬" or tgt.process.cmdline contains "👨🏽‍🔬" or tgt.process.cmdline contains "👩🏽‍🎨" or tgt.process.cmdline contains "🧑🏽‍🎨" or tgt.process.cmdline contains "👨🏽‍🎨" or tgt.process.cmdline contains "👩🏽‍🚒" or tgt.process.cmdline contains "🧑🏽‍🚒" or tgt.process.cmdline contains "👨🏽‍🚒" or tgt.process.cmdline contains "👩🏽‍✈️" or tgt.process.cmdline contains "🧑🏽‍✈️" or tgt.process.cmdline contains "👨🏽‍✈️" or tgt.process.cmdline contains "👩🏽‍🚀" or tgt.process.cmdline contains "🧑🏽‍🚀" or tgt.process.cmdline contains "👨🏽‍🚀" or tgt.process.cmdline contains "👩🏽‍⚖️" or tgt.process.cmdline contains "🧑🏽‍⚖️" or tgt.process.cmdline contains "👨🏽‍⚖️" or tgt.process.cmdline contains "👰🏽‍♀️" or tgt.process.cmdline contains "👰🏽" or tgt.process.cmdline contains "👰🏽‍♂️" or tgt.process.cmdline contains "🤵🏽‍♀️" or tgt.process.cmdline contains "🤵🏽" or tgt.process.cmdline contains "🤵🏽‍♂️" or tgt.process.cmdline contains "👸🏽" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🤴🏽" or tgt.process.cmdline contains "🥷🏽" or tgt.process.cmdline contains "🦸🏽‍♀️" or tgt.process.cmdline contains "🦸🏽" or tgt.process.cmdline contains "🦸🏽‍♂️" or tgt.process.cmdline contains "🦹🏽‍♀️" or tgt.process.cmdline contains "🦹🏽" or tgt.process.cmdline contains "🦹🏽‍♂️" or tgt.process.cmdline contains "🤶🏽" or tgt.process.cmdline contains "🧑🏽‍🎄" or tgt.process.cmdline contains "🎅🏽" or tgt.process.cmdline contains "🧙🏽‍♀️" or tgt.process.cmdline contains "🧙🏽" or tgt.process.cmdline contains "🧙🏽‍♂️" or tgt.process.cmdline contains "🧝🏽‍♀️" or tgt.process.cmdline contains "🧝🏽" or tgt.process.cmdline contains "🧝🏽‍♂️" or 
tgt.process.cmdline contains "🧛🏽‍♀️" or tgt.process.cmdline contains "🧛🏽" or tgt.process.cmdline contains "🧛🏽‍♂️" or tgt.process.cmdline contains "🧜🏽‍♀️" or tgt.process.cmdline contains "🧜🏽" or tgt.process.cmdline contains "🧜🏽‍♂️" or tgt.process.cmdline contains "🧚🏽‍♀️" or tgt.process.cmdline contains "🧚🏽" or tgt.process.cmdline contains "🧚🏽‍♂️" or tgt.process.cmdline contains "👼🏽" or tgt.process.cmdline contains "🤰🏽" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🤱🏽" or tgt.process.cmdline contains "👩🏽‍🍼" or tgt.process.cmdline contains "🧑🏽‍🍼" or tgt.process.cmdline contains "👨🏽‍🍼" or tgt.process.cmdline contains "🙇🏽‍♀️" or tgt.process.cmdline contains "🙇🏽" or tgt.process.cmdline contains "🙇🏽‍♂️" or tgt.process.cmdline contains "💁🏽‍♀️" or tgt.process.cmdline contains "💁🏽" or tgt.process.cmdline contains "💁🏽‍♂️" or tgt.process.cmdline contains "🙅🏽‍♀️" or tgt.process.cmdline contains "🙅🏽" or tgt.process.cmdline contains "🙅🏽‍♂️" or tgt.process.cmdline contains "🙆🏽‍♀️" or tgt.process.cmdline contains "🙆🏽" or tgt.process.cmdline contains "🙆🏽‍♂️" or tgt.process.cmdline contains "🙋🏽‍♀️" or tgt.process.cmdline contains "🙋🏽" or tgt.process.cmdline contains "🙋🏽‍♂️" or tgt.process.cmdline contains "🧏🏽‍♀️" or tgt.process.cmdline contains "🧏🏽" or tgt.process.cmdline contains "🧏🏽‍♂️" or tgt.process.cmdline contains "🤦🏽‍♀️" or tgt.process.cmdline contains "🤦🏽" or tgt.process.cmdline contains "🤦🏽‍♂️" or tgt.process.cmdline contains "🤷🏽‍♀️" or tgt.process.cmdline contains "🤷🏽" or tgt.process.cmdline contains "🤷🏽‍♂️" or tgt.process.cmdline contains "🙎🏽‍♀️" or tgt.process.cmdline contains "🙎🏽" or tgt.process.cmdline contains "🙎🏽‍♂️" or tgt.process.cmdline contains "🙍🏽‍♀️" or tgt.process.cmdline contains "🙍🏽" or tgt.process.cmdline contains "🙍🏽‍♂️" or tgt.process.cmdline contains "💇🏽‍♀️" or tgt.process.cmdline contains "💇🏽" or tgt.process.cmdline contains "💇🏽‍♂️" or tgt.process.cmdline contains "💆🏽‍♀️" or tgt.process.cmdline 
contains "💆🏽" or tgt.process.cmdline contains "💆🏽‍♂️" or tgt.process.cmdline contains "🧖🏽‍♀️" or tgt.process.cmdline contains "🧖🏽" or tgt.process.cmdline contains "🧖🏽‍♂️" or tgt.process.cmdline contains "💃🏽" or tgt.process.cmdline contains "🕺🏽" or tgt.process.cmdline contains "🕴🏽" or tgt.process.cmdline contains "👩🏽‍🦽" or tgt.process.cmdline contains "🧑🏽‍🦽" or tgt.process.cmdline contains "👨🏽‍🦽" or tgt.process.cmdline contains "👩🏽‍🦼" or tgt.process.cmdline contains "🧑🏽‍🦼" or tgt.process.cmdline contains "👨🏽‍🦼" or tgt.process.cmdline contains "🚶🏽‍♀️" or tgt.process.cmdline contains "🚶🏽" or tgt.process.cmdline contains "🚶🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦯" or tgt.process.cmdline contains "🧑🏽‍🦯" or tgt.process.cmdline contains "👨🏽‍🦯" or tgt.process.cmdline contains "🧎🏽‍♀️" or tgt.process.cmdline contains "🧎🏽" or tgt.process.cmdline contains "🧎🏽‍♂️" or tgt.process.cmdline contains "🏃🏽‍♀️" or tgt.process.cmdline contains "🏃🏽" or tgt.process.cmdline contains "🏃🏽‍♂️" or tgt.process.cmdline contains "🧍🏽‍♀️" or tgt.process.cmdline contains "🧍🏽" or tgt.process.cmdline contains "🧍🏽‍♂️" or tgt.process.cmdline contains "👭🏽" or tgt.process.cmdline contains "🧑🏽‍🤝‍🧑🏽" or tgt.process.cmdline contains "👬🏽" or tgt.process.cmdline contains "👫🏽" or tgt.process.cmdline contains "🧗🏽‍♀️" or tgt.process.cmdline contains "🧗🏽" or tgt.process.cmdline contains "🧗🏽‍♂️" or tgt.process.cmdline contains "🏇🏽" or tgt.process.cmdline contains "🏂🏽" or tgt.process.cmdline contains "🏌🏽‍♀️" or tgt.process.cmdline contains "🏌🏽" or tgt.process.cmdline contains "🏌🏽‍♂️" or tgt.process.cmdline contains "🏄🏽‍♀️" or tgt.process.cmdline contains "🏄🏽" or tgt.process.cmdline contains "🏄🏽‍♂️" or tgt.process.cmdline contains "🚣🏽‍♀️" or tgt.process.cmdline contains "🚣🏽" or tgt.process.cmdline contains "🚣🏽‍♂️" or tgt.process.cmdline contains "🏊🏽‍♀️" or tgt.process.cmdline contains "🏊🏽" or tgt.process.cmdline contains "🏊🏽‍♂️" or tgt.process.cmdline contains "⛹🏽‍♀️" or tgt.process.cmdline contains "⛹🏽" or 
tgt.process.cmdline contains "⛹🏽‍♂️" or tgt.process.cmdline contains "🏋🏽‍♀️" or tgt.process.cmdline contains "🏋🏽" or tgt.process.cmdline contains "🏋🏽‍♂️" or tgt.process.cmdline contains "🚴🏽‍♀️" or tgt.process.cmdline contains "🚴🏽" or tgt.process.cmdline contains "🚴🏽‍♂️" or tgt.process.cmdline contains "🚵🏽‍♀️" or tgt.process.cmdline contains "🚵🏽" or tgt.process.cmdline contains "🚵🏽‍♂️" or tgt.process.cmdline contains "🤸🏽‍♀️" or tgt.process.cmdline contains "🤸🏽" or tgt.process.cmdline contains "🤸🏽‍♂️" or tgt.process.cmdline contains "🤽🏽‍♀️" or tgt.process.cmdline contains "🤽🏽" or tgt.process.cmdline contains "🤽🏽‍♂️" or tgt.process.cmdline contains "🤾🏽‍♀️" or tgt.process.cmdline contains "🤾🏽" or tgt.process.cmdline contains "🤾🏽‍♂️" or tgt.process.cmdline contains "🤹🏽‍♀️" or tgt.process.cmdline contains "🤹🏽" or tgt.process.cmdline contains "🤹🏽‍♂️" or tgt.process.cmdline contains "🧘🏽‍♀️" or tgt.process.cmdline contains "🧘🏽" or tgt.process.cmdline contains "🧘🏽‍♂️" or tgt.process.cmdline contains "🛀🏽" or tgt.process.cmdline contains "🛌🏽" or tgt.process.cmdline contains "👋🏾" or tgt.process.cmdline contains "🤚🏾" or tgt.process.cmdline contains "🖐🏾" or tgt.process.cmdline contains "✋🏾" or tgt.process.cmdline contains "🖖🏾" or tgt.process.cmdline contains "👌🏾" or tgt.process.cmdline contains "🤌🏾" or tgt.process.cmdline contains "🤏🏾" or tgt.process.cmdline contains "✌🏾" or tgt.process.cmdline contains "🤞🏾" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🤟🏾" or tgt.process.cmdline contains "🤘🏾" or tgt.process.cmdline contains "🤙🏾" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "👈🏾" or tgt.process.cmdline contains "👉🏾" or tgt.process.cmdline contains "👆🏾" or tgt.process.cmdline contains "🖕🏾" or tgt.process.cmdline contains "👇🏾" or tgt.process.cmdline contains "☝🏾" or tgt.process.cmdline 
contains "👍🏾" or tgt.process.cmdline contains "👎🏾" or tgt.process.cmdline contains "✊🏾" or tgt.process.cmdline contains "👊🏾" or tgt.process.cmdline contains "🤛🏾" or tgt.process.cmdline contains "🤜🏾" or tgt.process.cmdline contains "👏🏾" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🙌🏾" or tgt.process.cmdline contains "👐🏾" or tgt.process.cmdline contains "🤲🏾" or tgt.process.cmdline contains "🙏🏾" or tgt.process.cmdline contains "✍🏾" or tgt.process.cmdline contains "💪🏾" or tgt.process.cmdline contains "🦵🏾" or tgt.process.cmdline contains "🦶🏾" or tgt.process.cmdline contains "👂🏾" or tgt.process.cmdline contains "🦻🏾" or tgt.process.cmdline contains "👃🏾" or tgt.process.cmdline contains "👶🏾" or tgt.process.cmdline contains "👧🏾" or tgt.process.cmdline contains "🧒🏾" or tgt.process.cmdline contains "👦🏾" or tgt.process.cmdline contains "👩🏾" or tgt.process.cmdline contains "🧑🏾" or tgt.process.cmdline contains "👨🏾" or tgt.process.cmdline contains "👩🏾‍🦱" or tgt.process.cmdline contains "🧑🏾‍🦱" or tgt.process.cmdline contains "👨🏾‍🦱" or tgt.process.cmdline contains "👩🏾‍🦰" or tgt.process.cmdline contains "🧑🏾‍🦰" or tgt.process.cmdline contains "👨🏾‍🦰" or tgt.process.cmdline contains "👱🏾‍♀️" or tgt.process.cmdline contains "👱🏾" or tgt.process.cmdline contains "👱🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦳" or tgt.process.cmdline contains "🧑🏾‍🦳" or tgt.process.cmdline contains "👨🏾‍🦳" or tgt.process.cmdline contains "👩🏾‍🦲" or tgt.process.cmdline contains "🧑🏾‍🦲" or tgt.process.cmdline contains "👨🏾‍🦲" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏾" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "👵🏾" or tgt.process.cmdline contains "🧓🏾" or tgt.process.cmdline contains "👴🏾" or tgt.process.cmdline contains "👲🏾" or tgt.process.cmdline contains "👳🏾‍♀️" or tgt.process.cmdline contains "👳🏾" or tgt.process.cmdline contains "👳🏾‍♂️" or tgt.process.cmdline contains "🧕🏾" or tgt.process.cmdline contains "👮🏾‍♀️" or 
tgt.process.cmdline contains "👮🏾" or tgt.process.cmdline contains "👮🏾‍♂️" or tgt.process.cmdline contains "👷🏾‍♀️" or tgt.process.cmdline contains "👷🏾" or tgt.process.cmdline contains "👷🏾‍♂️" or tgt.process.cmdline contains "💂🏾‍♀️" or tgt.process.cmdline contains "💂🏾" or tgt.process.cmdline contains "💂🏾‍♂️" or tgt.process.cmdline contains "🕵🏾‍♀️" or tgt.process.cmdline contains "🕵🏾" or tgt.process.cmdline contains "🕵🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍⚕️" or tgt.process.cmdline contains "🧑🏾‍⚕️" or tgt.process.cmdline contains "👨🏾‍⚕️" or tgt.process.cmdline contains "👩🏾‍🌾" or tgt.process.cmdline contains "🧑🏾‍🌾" or tgt.process.cmdline contains "👨🏾‍🌾" or tgt.process.cmdline contains "👩🏾‍🍳" or tgt.process.cmdline contains "🧑🏾‍🍳" or tgt.process.cmdline contains "👨🏾‍🍳" or tgt.process.cmdline contains "👩🏾‍🎓" or tgt.process.cmdline contains "🧑🏾‍🎓" or tgt.process.cmdline contains "👨🏾‍🎓" or tgt.process.cmdline contains "👩🏾‍🎤" or tgt.process.cmdline contains "🧑🏾‍🎤" or tgt.process.cmdline contains "👨🏾‍🎤" or tgt.process.cmdline contains "👩🏾‍🏫" or tgt.process.cmdline contains "🧑🏾‍🏫" or tgt.process.cmdline contains "👨🏾‍🏫" or tgt.process.cmdline contains "👩🏾‍🏭" or tgt.process.cmdline contains "🧑🏾‍🏭" or tgt.process.cmdline contains "👨🏾‍🏭" or tgt.process.cmdline contains "👩🏾‍💻" or tgt.process.cmdline contains "🧑🏾‍💻" or tgt.process.cmdline contains "👨🏾‍💻" or tgt.process.cmdline contains "👩🏾‍💼" or tgt.process.cmdline contains "🧑🏾‍💼" or tgt.process.cmdline contains "👨🏾‍💼" or tgt.process.cmdline contains "👩🏾‍🔧" or tgt.process.cmdline contains "🧑🏾‍🔧" or tgt.process.cmdline contains "👨🏾‍🔧" or tgt.process.cmdline contains "👩🏾‍🔬" or tgt.process.cmdline contains "🧑🏾‍🔬" or tgt.process.cmdline contains "👨🏾‍🔬" or tgt.process.cmdline contains "👩🏾‍🎨" or tgt.process.cmdline contains "🧑🏾‍🎨" or tgt.process.cmdline contains "👨🏾‍🎨" or tgt.process.cmdline contains "👩🏾‍🚒" or tgt.process.cmdline contains "🧑🏾‍🚒" or tgt.process.cmdline contains "👨🏾‍🚒" or tgt.process.cmdline contains "👩🏾‍✈️" or 
tgt.process.cmdline contains "🧑🏾‍✈️" or tgt.process.cmdline contains "👨🏾‍✈️" or tgt.process.cmdline contains "👩🏾‍🚀" or tgt.process.cmdline contains "🧑🏾‍🚀" or tgt.process.cmdline contains "👨🏾‍🚀" or tgt.process.cmdline contains "👩🏾‍⚖️" or tgt.process.cmdline contains "🧑🏾‍⚖️" or tgt.process.cmdline contains "👨🏾‍⚖️" or tgt.process.cmdline contains "👰🏾‍♀️" or tgt.process.cmdline contains "👰🏾" or tgt.process.cmdline contains "👰🏾‍♂️" or tgt.process.cmdline contains "🤵🏾‍♀️" or tgt.process.cmdline contains "🤵🏾" or tgt.process.cmdline contains "🤵🏾‍♂️" or tgt.process.cmdline contains "👸🏾" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🤴🏾" or tgt.process.cmdline contains "🥷🏾" or tgt.process.cmdline contains "🦸🏾‍♀️" or tgt.process.cmdline contains "🦸🏾" or tgt.process.cmdline contains "🦸🏾‍♂️" or tgt.process.cmdline contains "🦹🏾‍♀️" or tgt.process.cmdline contains "🦹🏾" or tgt.process.cmdline contains "🦹🏾‍♂️" or tgt.process.cmdline contains "🤶🏾" or tgt.process.cmdline contains "🧑🏾‍🎄" or tgt.process.cmdline contains "🎅🏾" or tgt.process.cmdline contains "🧙🏾‍♀️" or tgt.process.cmdline contains "🧙🏾" or tgt.process.cmdline contains "🧙🏾‍♂️" or tgt.process.cmdline contains "🧝🏾‍♀️" or tgt.process.cmdline contains "🧝🏾" or tgt.process.cmdline contains "🧝🏾‍♂️" or tgt.process.cmdline contains "🧛🏾‍♀️" or tgt.process.cmdline contains "🧛🏾" or tgt.process.cmdline contains "🧛🏾‍♂️" or tgt.process.cmdline contains "🧜🏾‍♀️" or tgt.process.cmdline contains "🧜🏾" or tgt.process.cmdline contains "🧜🏾‍♂️" or tgt.process.cmdline contains "🧚🏾‍♀️" or tgt.process.cmdline contains "🧚🏾" or tgt.process.cmdline contains "🧚🏾‍♂️" or tgt.process.cmdline contains "👼🏾" or tgt.process.cmdline contains "🤰🏾" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🤱🏾" or tgt.process.cmdline contains "👩🏾‍🍼" or tgt.process.cmdline contains "🧑🏾‍🍼" or tgt.process.cmdline contains "👨🏾‍🍼" or tgt.process.cmdline contains "🙇🏾‍♀️" or tgt.process.cmdline 
contains "🙇🏾" or tgt.process.cmdline contains "🙇🏾‍♂️" or tgt.process.cmdline contains "💁🏾‍♀️" or tgt.process.cmdline contains "💁🏾" or tgt.process.cmdline contains "💁🏾‍♂️" or tgt.process.cmdline contains "🙅🏾‍♀️" or tgt.process.cmdline contains "🙅🏾" or tgt.process.cmdline contains "🙅🏾‍♂️" or tgt.process.cmdline contains "🙆🏾‍♀️" or tgt.process.cmdline contains "🙆🏾" or tgt.process.cmdline contains "🙆🏾‍♂️" or tgt.process.cmdline contains "🙋🏾‍♀️" or tgt.process.cmdline contains "🙋🏾" or tgt.process.cmdline contains "🙋🏾‍♂️" or tgt.process.cmdline contains "🧏🏾‍♀️" or tgt.process.cmdline contains "🧏🏾" or tgt.process.cmdline contains "🧏🏾‍♂️" or tgt.process.cmdline contains "🤦🏾‍♀️" or tgt.process.cmdline contains "🤦🏾" or tgt.process.cmdline contains "🤦🏾‍♂️" or tgt.process.cmdline contains "🤷🏾‍♀️" or tgt.process.cmdline contains "🤷🏾" or tgt.process.cmdline contains "🤷🏾‍♂️" or tgt.process.cmdline contains "🙎🏾‍♀️" or tgt.process.cmdline contains "🙎🏾" or tgt.process.cmdline contains "🙎🏾‍♂️" or tgt.process.cmdline contains "🙍🏾‍♀️" or tgt.process.cmdline contains "🙍🏾" or tgt.process.cmdline contains "🙍🏾‍♂️" or tgt.process.cmdline contains "💇🏾‍♀️" or tgt.process.cmdline contains "💇🏾" or tgt.process.cmdline contains "💇🏾‍♂️" or tgt.process.cmdline contains "💆🏾‍♀️" or tgt.process.cmdline contains "💆🏾" or tgt.process.cmdline contains "💆🏾‍♂️" or tgt.process.cmdline contains "🧖🏾‍♀️" or tgt.process.cmdline contains "🧖🏾" or tgt.process.cmdline contains "🧖🏾‍♂️" or tgt.process.cmdline contains "💃🏾" or tgt.process.cmdline contains "🕺🏾" or tgt.process.cmdline contains "👩🏾‍🦽" or tgt.process.cmdline contains "🧑🏾‍🦽" or tgt.process.cmdline contains "👨🏾‍🦽" or tgt.process.cmdline contains "👩🏾‍🦼" or tgt.process.cmdline contains "🧑🏾‍🦼" or tgt.process.cmdline contains "👨🏾‍🦼" or tgt.process.cmdline contains "🚶🏾‍♀️" or tgt.process.cmdline contains "🚶🏾" or tgt.process.cmdline contains "🚶🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦯" or tgt.process.cmdline contains "🧑🏾‍🦯" or tgt.process.cmdline contains "👨🏾‍🦯" 
or tgt.process.cmdline contains "🧎🏾‍♀️" or tgt.process.cmdline contains "🧎🏾" or tgt.process.cmdline contains "🧎🏾‍♂️" or tgt.process.cmdline contains "🏃🏾‍♀️" or tgt.process.cmdline contains "🏃🏾" or tgt.process.cmdline contains "🏃🏾‍♂️" or tgt.process.cmdline contains "🧍🏾‍♀️" or tgt.process.cmdline contains "🧍🏾" or tgt.process.cmdline contains "🧍🏾‍♂️" or tgt.process.cmdline contains "👭🏾" or tgt.process.cmdline contains "🧑🏾‍🤝‍🧑🏾" or tgt.process.cmdline contains "👬🏾" or tgt.process.cmdline contains "👫🏾" or tgt.process.cmdline contains "🧗🏾‍♀️" or tgt.process.cmdline contains "🧗🏾" or tgt.process.cmdline contains "🧗🏾‍♂️" or tgt.process.cmdline contains "🏇🏾" or tgt.process.cmdline contains "🏂🏾" or tgt.process.cmdline contains "🏌🏾‍♀️" or tgt.process.cmdline contains "🏌🏾" or tgt.process.cmdline contains "🏌🏾‍♂️" or tgt.process.cmdline contains "🏄🏾‍♀️" or tgt.process.cmdline contains "🏄🏾" or tgt.process.cmdline contains "🏄🏾‍♂️" or tgt.process.cmdline contains "🚣🏾‍♀️" or tgt.process.cmdline contains "🚣🏾" or tgt.process.cmdline contains "🚣🏾‍♂️" or tgt.process.cmdline contains "🏊🏾‍♀️" or tgt.process.cmdline contains "🏊🏾" or tgt.process.cmdline contains "🏊🏾‍♂️" or tgt.process.cmdline contains "⛹🏾‍♀️" or tgt.process.cmdline contains "⛹🏾" or tgt.process.cmdline contains "⛹🏾‍♂️" or tgt.process.cmdline contains "🏋🏾‍♀️" or tgt.process.cmdline contains "🏋🏾" or tgt.process.cmdline contains "🏋🏾‍♂️" or tgt.process.cmdline contains "🚴🏾‍♀️" or tgt.process.cmdline contains "🚴🏾" or tgt.process.cmdline contains "🚴🏾‍♂️" or tgt.process.cmdline contains "🚵🏾‍♀️" or tgt.process.cmdline contains "🚵🏾" or tgt.process.cmdline contains "🚵🏾‍♂️" or tgt.process.cmdline contains "🤸🏾‍♀️" or tgt.process.cmdline contains "🤸🏾" or tgt.process.cmdline contains "🤸🏾‍♂️" or tgt.process.cmdline contains "🤽🏾‍♀️" or tgt.process.cmdline contains "🤽🏾" or tgt.process.cmdline contains "🤽🏾‍♂️" or tgt.process.cmdline contains "🤾🏾‍♀️" or tgt.process.cmdline contains "🤾🏾" or tgt.process.cmdline contains "🤾🏾‍♂️" or 
tgt.process.cmdline contains "🤹🏾‍♀️" or tgt.process.cmdline contains "🤹🏾" or tgt.process.cmdline contains "🤹🏾‍♂️" or tgt.process.cmdline contains "🧘🏾‍♀️" or tgt.process.cmdline contains "🧘🏾" or tgt.process.cmdline contains "🧘🏾‍♂️" or tgt.process.cmdline contains "🛀🏾" or tgt.process.cmdline contains "🛌🏾" or tgt.process.cmdline contains "👋🏿" or tgt.process.cmdline contains "🤚🏿" or tgt.process.cmdline contains "🖐🏿" or tgt.process.cmdline contains "✋🏿" or tgt.process.cmdline contains "🖖🏿" or tgt.process.cmdline contains "👌🏿" or tgt.process.cmdline contains "🤌🏿" or tgt.process.cmdline contains "🤏🏿" or tgt.process.cmdline contains "✌🏿" or tgt.process.cmdline contains "🤞🏿" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🤟🏿" or tgt.process.cmdline contains "🤘🏿" or tgt.process.cmdline contains "🤙🏿" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫱🏿" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "👈🏿" or tgt.process.cmdline contains "👉🏿" or tgt.process.cmdline contains "👆🏿" or tgt.process.cmdline contains "🖕🏿" or tgt.process.cmdline contains "👇🏿" or tgt.process.cmdline contains "☝🏿" or tgt.process.cmdline contains "👍🏿" or tgt.process.cmdline contains "👎🏿" or tgt.process.cmdline contains "✊🏿" or tgt.process.cmdline contains "👊🏿" or tgt.process.cmdline contains "🤛🏿" or tgt.process.cmdline contains "🤜🏿" or tgt.process.cmdline contains "👏🏿" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🙌🏿" or tgt.process.cmdline contains "👐🏿" or tgt.process.cmdline contains "🤲🏿" or tgt.process.cmdline contains "🙏🏿" or tgt.process.cmdline contains "✍🏿" or tgt.process.cmdline contains "🤳🏿" or tgt.process.cmdline contains "💪🏿" or tgt.process.cmdline contains "🦵🏿" or tgt.process.cmdline contains "🦶🏿" or tgt.process.cmdline contains "👂🏿" or tgt.process.cmdline contains "🦻🏿" or tgt.process.cmdline contains "👃🏿" or tgt.process.cmdline 
contains "👶🏿" or tgt.process.cmdline contains "👧🏿" or tgt.process.cmdline contains "🧒🏿" or tgt.process.cmdline contains "👦🏿" or tgt.process.cmdline contains "👩🏿" or tgt.process.cmdline contains "🧑🏿" or tgt.process.cmdline contains "👨🏿" or tgt.process.cmdline contains "👩🏿‍🦱" or tgt.process.cmdline contains "🧑🏿‍🦱" or tgt.process.cmdline contains "👨🏿‍🦱" or tgt.process.cmdline contains "👩🏿‍🦰" or tgt.process.cmdline contains "🧑🏿‍🦰" or tgt.process.cmdline contains "👨🏿‍🦰" or tgt.process.cmdline contains "👱🏿‍♀️" or tgt.process.cmdline contains "👱🏿" or tgt.process.cmdline contains "👱🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦳" or tgt.process.cmdline contains "🧑🏿‍🦳" or tgt.process.cmdline contains "👨🏿‍🦳" or tgt.process.cmdline contains "👩🏿‍🦲" or tgt.process.cmdline contains "🧑🏿‍🦲" or tgt.process.cmdline contains "👨🏿‍🦲" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔🏿" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "👵🏿" or tgt.process.cmdline contains "🧓🏿" or tgt.process.cmdline contains "👴🏿" or tgt.process.cmdline contains "👲🏿" or tgt.process.cmdline contains "👳🏿‍♀️" or tgt.process.cmdline contains "👳🏿" or tgt.process.cmdline contains "👳🏿‍♂️" or tgt.process.cmdline contains "🧕🏿" or tgt.process.cmdline contains "👮🏿‍♀️" or tgt.process.cmdline contains "👮🏿" or tgt.process.cmdline contains "👮🏿‍♂️" or tgt.process.cmdline contains "👷🏿‍♀️" or tgt.process.cmdline contains "👷🏿" or tgt.process.cmdline contains "👷🏿‍♂️" or tgt.process.cmdline contains "💂🏿‍♀️" or tgt.process.cmdline contains "💂🏿" or tgt.process.cmdline contains "💂🏿‍♂️" or tgt.process.cmdline contains "🕵🏿‍♀️" or tgt.process.cmdline contains "🕵🏿" or tgt.process.cmdline contains "🕵🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍⚕️" or tgt.process.cmdline contains "🧑🏿‍⚕️" or tgt.process.cmdline contains "👨🏿‍⚕️" or tgt.process.cmdline contains "👩🏿‍🌾" or tgt.process.cmdline contains "🧑🏿‍🌾" or tgt.process.cmdline contains "👨🏿‍🌾" or tgt.process.cmdline contains "👩🏿‍🍳" or 
tgt.process.cmdline contains "🧑🏿‍🍳" or tgt.process.cmdline contains "👨🏿‍🍳" or tgt.process.cmdline contains "👩🏿‍🎓" or tgt.process.cmdline contains "🧑🏿‍🎓" or tgt.process.cmdline contains "👨🏿‍🎓" or tgt.process.cmdline contains "👩🏿‍🎤" or tgt.process.cmdline contains "🧑🏿‍🎤" or tgt.process.cmdline contains "👨🏿‍🎤" or tgt.process.cmdline contains "👩🏿‍🏫" or tgt.process.cmdline contains "🧑🏿‍🏫" or tgt.process.cmdline contains "👨🏿‍🏫" or tgt.process.cmdline contains "👩🏿‍🏭" or tgt.process.cmdline contains "🧑🏿‍🏭" or tgt.process.cmdline contains "👨🏿‍🏭" or tgt.process.cmdline contains "👩🏿‍💻" or tgt.process.cmdline contains "🧑🏿‍💻" or tgt.process.cmdline contains "👨🏿‍💻" or tgt.process.cmdline contains "👩🏿‍💼" or tgt.process.cmdline contains "🧑🏿‍💼" or tgt.process.cmdline contains "👨🏿‍💼" or tgt.process.cmdline contains "👩🏿‍🔧" or tgt.process.cmdline contains "🧑🏿‍🔧" or tgt.process.cmdline contains "👨🏿‍🔧" or tgt.process.cmdline contains "👩🏿‍🔬" or tgt.process.cmdline contains "🧑🏿‍🔬" or tgt.process.cmdline contains "👨🏿‍🔬" or tgt.process.cmdline contains "👩🏿‍🎨" or tgt.process.cmdline contains "🧑🏿‍🎨" or tgt.process.cmdline contains "👨🏿‍🎨" or tgt.process.cmdline contains "👩🏿‍🚒" or tgt.process.cmdline contains "🧑🏿‍🚒" or tgt.process.cmdline contains "👨🏿‍🚒" or tgt.process.cmdline contains "👩🏿‍✈️" or tgt.process.cmdline contains "🧑🏿‍✈️" or tgt.process.cmdline contains "👨🏿‍✈️" or tgt.process.cmdline contains "👩🏿‍🚀" or tgt.process.cmdline contains "🧑🏿‍🚀" or tgt.process.cmdline contains "👨🏿‍🚀" or tgt.process.cmdline contains "👩🏿‍⚖️" or tgt.process.cmdline contains "🧑🏿‍⚖️" or tgt.process.cmdline contains "👨🏿‍⚖️" or tgt.process.cmdline contains "👰🏿‍♀️" or tgt.process.cmdline contains "👰🏿" or tgt.process.cmdline contains "👰🏿‍♂️" or tgt.process.cmdline contains "🤵🏿‍♀️" or tgt.process.cmdline contains "🤵🏿" or tgt.process.cmdline contains "🤵🏿‍♂️" or tgt.process.cmdline contains "👸🏿" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🤴🏿" or tgt.process.cmdline contains "🥷🏿" or 
tgt.process.cmdline contains "🦸🏿‍♀️" or tgt.process.cmdline contains "🦸🏿" or tgt.process.cmdline contains "🦸🏿‍♂️" or tgt.process.cmdline contains "🦹🏿‍♀️" or tgt.process.cmdline contains "🦹🏿" or tgt.process.cmdline contains "🦹🏿‍♂️" or tgt.process.cmdline contains "🤶🏿" or tgt.process.cmdline contains "🧑🏿‍🎄" or tgt.process.cmdline contains "🎅🏿" or tgt.process.cmdline contains "🧙🏿‍♀️" or tgt.process.cmdline contains "🧙🏿" or tgt.process.cmdline contains "🧙🏿‍♂️" or tgt.process.cmdline contains "🧝🏿‍♀️" or tgt.process.cmdline contains "🧝🏿" or tgt.process.cmdline contains "🧝🏿‍♂️" or tgt.process.cmdline contains "🧛🏿‍♀️" or tgt.process.cmdline contains "🧛🏿" or tgt.process.cmdline contains "🧛🏿‍♂️" or tgt.process.cmdline contains "🧜🏿‍♀️" or tgt.process.cmdline contains "🧜🏿" or tgt.process.cmdline contains "🧜🏿‍♂️" or tgt.process.cmdline contains "🧚🏿‍♀️" or tgt.process.cmdline contains "🧚🏿" or tgt.process.cmdline contains "🧚🏿‍♂️" or tgt.process.cmdline contains "👼🏿" or tgt.process.cmdline contains "🤰🏿" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🤱🏿" or tgt.process.cmdline contains "👩🏿‍🍼" or tgt.process.cmdline contains "🧑🏿‍🍼" or tgt.process.cmdline contains "👨🏿‍🍼" or tgt.process.cmdline contains "🙇🏿‍♀️" or tgt.process.cmdline contains "🙇🏿" or tgt.process.cmdline contains "🙇🏿‍♂️" or tgt.process.cmdline contains "💁🏿‍♀️" or tgt.process.cmdline contains "💁🏿" or tgt.process.cmdline contains "💁🏿‍♂️" or tgt.process.cmdline contains "🙅🏿‍♀️" or tgt.process.cmdline contains "🙅🏿" or tgt.process.cmdline contains "🙅🏿‍♂️" or tgt.process.cmdline contains "🙆🏿‍♀️" or tgt.process.cmdline contains "🙆🏿" or tgt.process.cmdline contains "🙆🏿‍♂️" or tgt.process.cmdline contains "🙋🏿‍♀️" or tgt.process.cmdline contains "🙋🏿" or tgt.process.cmdline contains "🙋🏿‍♂️" or tgt.process.cmdline contains "🧏🏿‍♀️" or tgt.process.cmdline contains "🧏🏿" or tgt.process.cmdline contains "🧏🏿‍♂️" or tgt.process.cmdline contains "🤦🏿‍♀️" or tgt.process.cmdline 
contains "🤦🏿" or tgt.process.cmdline contains "🤦🏿‍♂️" or tgt.process.cmdline contains "🤷🏿‍♀️" or tgt.process.cmdline contains "🤷🏿" or tgt.process.cmdline contains "🤷🏿‍♂️" or tgt.process.cmdline contains "🙎🏿‍♀️" or tgt.process.cmdline contains "🙎🏿" or tgt.process.cmdline contains "🙎🏿‍♂️" or tgt.process.cmdline contains "🙍🏿‍♀️" or tgt.process.cmdline contains "🙍🏿" or tgt.process.cmdline contains "🙍🏿‍♂️" or tgt.process.cmdline contains "💇🏿‍♀️" or tgt.process.cmdline contains "💇🏿" or tgt.process.cmdline contains "💇🏿‍♂️" or tgt.process.cmdline contains "💆🏿‍♀️" or tgt.process.cmdline contains "💆🏿" or tgt.process.cmdline contains "💆🏿‍♂️" or tgt.process.cmdline contains "🧖🏿‍♀️" or tgt.process.cmdline contains "🧖🏿" or tgt.process.cmdline contains "🧖🏿‍♂️" or tgt.process.cmdline contains "💃🏿" or tgt.process.cmdline contains "🕺🏿" or tgt.process.cmdline contains "🕴🏿" or tgt.process.cmdline contains "👩🏿‍🦽" or tgt.process.cmdline contains "🧑🏿‍🦽" or tgt.process.cmdline contains "👨🏿‍🦽" or tgt.process.cmdline contains "👩🏿‍🦼" or tgt.process.cmdline contains "🧑🏿‍🦼" or tgt.process.cmdline contains "👨🏿‍🦼" or tgt.process.cmdline contains "🚶🏿‍♀️" or tgt.process.cmdline contains "🚶🏿" or tgt.process.cmdline contains "🚶🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦯" or tgt.process.cmdline contains "🧑🏿‍🦯" or tgt.process.cmdline contains "👨🏿‍🦯" or tgt.process.cmdline contains "🧎🏿‍♀️" or tgt.process.cmdline contains "🧎🏿" or tgt.process.cmdline contains "🧎🏿‍♂️" or tgt.process.cmdline contains "🏃🏿‍♀️" or tgt.process.cmdline contains "🏃🏿" or tgt.process.cmdline contains "🏃🏿‍♂️" or tgt.process.cmdline contains "🧍🏿‍♀️" or tgt.process.cmdline contains "🧍🏿" or tgt.process.cmdline contains "🧍🏿‍♂️" or tgt.process.cmdline contains "👭🏿" or tgt.process.cmdline contains "🧑🏿‍🤝‍🧑🏿" or tgt.process.cmdline contains "👬🏿" or tgt.process.cmdline contains "👫🏿" or tgt.process.cmdline contains "🧗🏿‍♀️" or tgt.process.cmdline contains "🧗🏿" or tgt.process.cmdline contains "🧗🏿‍♂️" or tgt.process.cmdline contains "🏇🏿" or 
tgt.process.cmdline contains "🏂🏿" or tgt.process.cmdline contains "🏌🏿‍♀️" or tgt.process.cmdline contains "🏌🏿" or tgt.process.cmdline contains "🏌🏿‍♂️" or tgt.process.cmdline contains "🏄🏿‍♀️" or tgt.process.cmdline contains "🏄🏿" or tgt.process.cmdline contains "🏄🏿‍♂️" or tgt.process.cmdline contains "🚣🏿‍♀️" or tgt.process.cmdline contains "🚣🏿" or tgt.process.cmdline contains "🚣🏿‍♂️" or tgt.process.cmdline contains "🏊🏿‍♀️" or tgt.process.cmdline contains "🏊🏿" or tgt.process.cmdline contains "🏊🏿‍♂️" or tgt.process.cmdline contains "⛹🏿‍♀️" or tgt.process.cmdline contains "⛹🏿" or tgt.process.cmdline contains "⛹🏿‍♂️" or tgt.process.cmdline contains "🏋🏿‍♀️" or tgt.process.cmdline contains "🏋🏿" or tgt.process.cmdline contains "🏋🏿‍♂️" or tgt.process.cmdline contains "🚴🏿‍♀️" or tgt.process.cmdline contains "🚴🏿" or tgt.process.cmdline contains "🚴🏿‍♂️" or tgt.process.cmdline contains "🚵🏿‍♀️" or tgt.process.cmdline contains "🚵🏿" or tgt.process.cmdline contains "🚵🏿‍♂️" or tgt.process.cmdline contains "🤸🏿‍♀️" or tgt.process.cmdline contains "🤸🏿" or tgt.process.cmdline contains "🤸🏿‍♂️" or tgt.process.cmdline contains "🤽🏿‍♀️" or tgt.process.cmdline contains "🤽🏿" or tgt.process.cmdline contains "🤽🏿‍♂️" or tgt.process.cmdline contains "🤾🏿‍♀️" or tgt.process.cmdline contains "🤾🏿" or tgt.process.cmdline contains "🤾🏿‍♂️" or tgt.process.cmdline contains "🤹🏿‍♀️" or tgt.process.cmdline contains "🤹🏿" or tgt.process.cmdline contains "🤹🏿‍♂️" or tgt.process.cmdline contains "🧘🏿‍♀️" or tgt.process.cmdline contains "🧘🏿" or tgt.process.cmdline contains "🧘🏿‍♂️" or tgt.process.cmdline contains "🛀🏿" or tgt.process.cmdline contains "🛌🏿" or tgt.process.cmdline contains "🐶" or tgt.process.cmdline contains "🐱" or tgt.process.cmdline contains "🐭" or tgt.process.cmdline contains "🐹" or tgt.process.cmdline contains "🐰" or tgt.process.cmdline contains "🦊" or tgt.process.cmdline contains "🐻" or tgt.process.cmdline contains "🐼" or tgt.process.cmdline contains "🐻‍❄️" or tgt.process.cmdline contains "🐨" or 
tgt.process.cmdline contains "🐯" or tgt.process.cmdline contains "🦁" or tgt.process.cmdline contains "🐮" or tgt.process.cmdline contains "🐷" or tgt.process.cmdline contains "🐽" or tgt.process.cmdline contains "🐸" or tgt.process.cmdline contains "🐵" or tgt.process.cmdline contains "🙈" or tgt.process.cmdline contains "🙉" or tgt.process.cmdline contains "🙊" or tgt.process.cmdline contains "🐒" or tgt.process.cmdline contains "🐔" or tgt.process.cmdline contains "🐧" or tgt.process.cmdline contains "🐦" or tgt.process.cmdline contains "🐤" or tgt.process.cmdline contains "🐣" or tgt.process.cmdline contains "🐥")) ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
index bc731df9b..1df824b88 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🦆" or tgt.process.cmdline contains "🦅" or tgt.process.cmdline contains "🦉" or tgt.process.cmdline contains "🦇" or tgt.process.cmdline contains "🐺" or tgt.process.cmdline contains "🐗" or tgt.process.cmdline contains "🐴" or tgt.process.cmdline contains "🦄" or tgt.process.cmdline contains "🐝" or tgt.process.cmdline contains "🪱" or tgt.process.cmdline contains "🐛" or tgt.process.cmdline contains "🦋" or tgt.process.cmdline contains "🐌" or tgt.process.cmdline contains "🐞" or tgt.process.cmdline contains "🐜" or tgt.process.cmdline contains "🪰" or tgt.process.cmdline contains "🪲" or tgt.process.cmdline contains "🪳" or tgt.process.cmdline contains "🦟" or tgt.process.cmdline contains "🦗" or tgt.process.cmdline contains "🕷" or tgt.process.cmdline contains "🕸" or tgt.process.cmdline contains "🦂" or tgt.process.cmdline contains "🐢" or tgt.process.cmdline contains "🐍" or tgt.process.cmdline contains "🦎" or tgt.process.cmdline contains "🦖" or tgt.process.cmdline contains "🦕" or tgt.process.cmdline contains "🐙" or tgt.process.cmdline contains "🦑" or tgt.process.cmdline contains "🦐" or tgt.process.cmdline contains "🦞" or tgt.process.cmdline contains "🦀" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🐡" or tgt.process.cmdline contains "🐠" or tgt.process.cmdline contains "🐟" or tgt.process.cmdline contains "🐬" or tgt.process.cmdline contains "🐳" or tgt.process.cmdline contains "🐋" or tgt.process.cmdline contains "🦈" or tgt.process.cmdline contains "🐊" or tgt.process.cmdline contains "🐅" or tgt.process.cmdline contains "🐆" or tgt.process.cmdline contains "🦓" or tgt.process.cmdline contains "🦍" or tgt.process.cmdline contains "🦧" or tgt.process.cmdline contains "🦣" or tgt.process.cmdline contains "🐘" or 
tgt.process.cmdline contains "🦛" or tgt.process.cmdline contains "🦏" or tgt.process.cmdline contains "🐪" or tgt.process.cmdline contains "🐫" or tgt.process.cmdline contains "🦒" or tgt.process.cmdline contains "🦘" or tgt.process.cmdline contains "🦬" or tgt.process.cmdline contains "🐃" or tgt.process.cmdline contains "🐂" or tgt.process.cmdline contains "🐄" or tgt.process.cmdline contains "🐎" or tgt.process.cmdline contains "🐖" or tgt.process.cmdline contains "🐏" or tgt.process.cmdline contains "🐑" or tgt.process.cmdline contains "🦙" or tgt.process.cmdline contains "🐐" or tgt.process.cmdline contains "🦌" or tgt.process.cmdline contains "🐕" or tgt.process.cmdline contains "🐩" or tgt.process.cmdline contains "🦮" or tgt.process.cmdline contains "🐕‍🦺" or tgt.process.cmdline contains "🐈" or tgt.process.cmdline contains "🐈‍⬛" or tgt.process.cmdline contains "🪶" or tgt.process.cmdline contains "🐓" or tgt.process.cmdline contains "🦃" or tgt.process.cmdline contains "🦤" or tgt.process.cmdline contains "🦚" or tgt.process.cmdline contains "🦜" or tgt.process.cmdline contains "🦢" or tgt.process.cmdline contains "🦩" or tgt.process.cmdline contains "🕊" or tgt.process.cmdline contains "🐇" or tgt.process.cmdline contains "🦝" or tgt.process.cmdline contains "🦨" or tgt.process.cmdline contains "🦡" or tgt.process.cmdline contains "🦫" or tgt.process.cmdline contains "🦦" or tgt.process.cmdline contains "🦥" or tgt.process.cmdline contains "🐁" or tgt.process.cmdline contains "🐀" or tgt.process.cmdline contains "🐿" or tgt.process.cmdline contains "🦔" or tgt.process.cmdline contains "🐾" or tgt.process.cmdline contains "🐉" or tgt.process.cmdline contains "🐲" or tgt.process.cmdline contains "🌵" or tgt.process.cmdline contains "🎄" or tgt.process.cmdline contains "🌲" or tgt.process.cmdline contains "🌳" or tgt.process.cmdline contains "🌴" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🪵" or tgt.process.cmdline contains "🌱" or 
tgt.process.cmdline contains "🌿" or tgt.process.cmdline contains "☘️" or tgt.process.cmdline contains "🍀" or tgt.process.cmdline contains "🎍" or tgt.process.cmdline contains "🪴" or tgt.process.cmdline contains "🎋" or tgt.process.cmdline contains "🍃" or tgt.process.cmdline contains "🍂" or tgt.process.cmdline contains "🍁" or tgt.process.cmdline contains "🍄" or tgt.process.cmdline contains "🐚" or tgt.process.cmdline contains "🪨" or tgt.process.cmdline contains "🌾" or tgt.process.cmdline contains "💐" or tgt.process.cmdline contains "🌷" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🌹" or tgt.process.cmdline contains "🥀" or tgt.process.cmdline contains "🌺" or tgt.process.cmdline contains "🌸" or tgt.process.cmdline contains "🌼" or tgt.process.cmdline contains "🌻" or tgt.process.cmdline contains "🌞" or tgt.process.cmdline contains "🌝" or tgt.process.cmdline contains "🌛" or tgt.process.cmdline contains "🌜" or tgt.process.cmdline contains "🌚" or tgt.process.cmdline contains "🌕" or tgt.process.cmdline contains "🌖" or tgt.process.cmdline contains "🌗" or tgt.process.cmdline contains "🌘" or tgt.process.cmdline contains "🌑" or tgt.process.cmdline contains "🌒" or tgt.process.cmdline contains "🌓" or tgt.process.cmdline contains "🌔" or tgt.process.cmdline contains "🌙" or tgt.process.cmdline contains "🌎" or tgt.process.cmdline contains "🌍" or tgt.process.cmdline contains "🌏" or tgt.process.cmdline contains "🪐" or tgt.process.cmdline contains "💫" or tgt.process.cmdline contains "⭐️" or tgt.process.cmdline contains "🌟" or tgt.process.cmdline contains "✨" or tgt.process.cmdline contains "⚡️" or tgt.process.cmdline contains "☄️" or tgt.process.cmdline contains "💥" or tgt.process.cmdline contains "🔥" or tgt.process.cmdline contains "🌪" or tgt.process.cmdline contains "🌈" or tgt.process.cmdline contains "☀️" or tgt.process.cmdline contains "🌤" or tgt.process.cmdline contains "⛅️" or tgt.process.cmdline contains "🌥" or tgt.process.cmdline contains "☁️" or 
tgt.process.cmdline contains "🌦" or tgt.process.cmdline contains "🌧" or tgt.process.cmdline contains "⛈" or tgt.process.cmdline contains "🌩" or tgt.process.cmdline contains "🌨" or tgt.process.cmdline contains "❄️" or tgt.process.cmdline contains "☃️" or tgt.process.cmdline contains "⛄️" or tgt.process.cmdline contains "🌬" or tgt.process.cmdline contains "💨" or tgt.process.cmdline contains "💧" or tgt.process.cmdline contains "💦" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "☔️" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🌊" or tgt.process.cmdline contains "🌫🍏" or tgt.process.cmdline contains "🍎" or tgt.process.cmdline contains "🍐" or tgt.process.cmdline contains "🍊" or tgt.process.cmdline contains "🍋" or tgt.process.cmdline contains "🍌" or tgt.process.cmdline contains "🍉" or tgt.process.cmdline contains "🍇" or tgt.process.cmdline contains "🍓" or tgt.process.cmdline contains "🫐" or tgt.process.cmdline contains "🍈" or tgt.process.cmdline contains "🍒" or tgt.process.cmdline contains "🍑" or tgt.process.cmdline contains "🥭" or tgt.process.cmdline contains "🍍" or tgt.process.cmdline contains "🥥" or tgt.process.cmdline contains "🥝" or tgt.process.cmdline contains "🍅" or tgt.process.cmdline contains "🍆" or tgt.process.cmdline contains "🥑" or tgt.process.cmdline contains "🥦" or tgt.process.cmdline contains "🥬" or tgt.process.cmdline contains "🥒" or tgt.process.cmdline contains "🌶" or tgt.process.cmdline contains "🫑" or tgt.process.cmdline contains "🌽" or tgt.process.cmdline contains "🥕" or tgt.process.cmdline contains "🫒" or tgt.process.cmdline contains "🧄" or tgt.process.cmdline contains "🧅" or tgt.process.cmdline contains "🥔" or tgt.process.cmdline contains "🍠" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🥐" or tgt.process.cmdline contains "🥯" or tgt.process.cmdline contains "🍞" or tgt.process.cmdline contains "🥖" or tgt.process.cmdline contains "🥨" or tgt.process.cmdline contains "🧀" or 
tgt.process.cmdline contains "🥚" or tgt.process.cmdline contains "🍳" or tgt.process.cmdline contains "🧈" or tgt.process.cmdline contains "🥞" or tgt.process.cmdline contains "🧇" or tgt.process.cmdline contains "🥓" or tgt.process.cmdline contains "🥩" or tgt.process.cmdline contains "🍗" or tgt.process.cmdline contains "🍖" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "🌭" or tgt.process.cmdline contains "🍔" or tgt.process.cmdline contains "🍟" or tgt.process.cmdline contains "🍕" or tgt.process.cmdline contains "🫓" or tgt.process.cmdline contains "🥪" or tgt.process.cmdline contains "🥙" or tgt.process.cmdline contains "🧆" or tgt.process.cmdline contains "🌮" or tgt.process.cmdline contains "🌯" or tgt.process.cmdline contains "🫔" or tgt.process.cmdline contains "🥗" or tgt.process.cmdline contains "🥘" or tgt.process.cmdline contains "🫕" or tgt.process.cmdline contains "🥫" or tgt.process.cmdline contains "🍝" or tgt.process.cmdline contains "🍜" or tgt.process.cmdline contains "🍲" or tgt.process.cmdline contains "🍛" or tgt.process.cmdline contains "🍣" or tgt.process.cmdline contains "🍱" or tgt.process.cmdline contains "🥟" or tgt.process.cmdline contains "🦪" or tgt.process.cmdline contains "🍤" or tgt.process.cmdline contains "🍙" or tgt.process.cmdline contains "🍚" or tgt.process.cmdline contains "🍘" or tgt.process.cmdline contains "🍥" or tgt.process.cmdline contains "🥠" or tgt.process.cmdline contains "🥮" or tgt.process.cmdline contains "🍢" or tgt.process.cmdline contains "🍡" or tgt.process.cmdline contains "🍧" or tgt.process.cmdline contains "🍨" or tgt.process.cmdline contains "🍦" or tgt.process.cmdline contains "🥧" or tgt.process.cmdline contains "🧁" or tgt.process.cmdline contains "🍰" or tgt.process.cmdline contains "🎂" or tgt.process.cmdline contains "🍮" or tgt.process.cmdline contains "🍭" or tgt.process.cmdline contains "🍬" or tgt.process.cmdline contains "🍫" or tgt.process.cmdline contains "🍿" or tgt.process.cmdline contains "🍩" or tgt.process.cmdline 
contains "🍪" or tgt.process.cmdline contains "🌰" or tgt.process.cmdline contains "🥜" or tgt.process.cmdline contains "🍯" or tgt.process.cmdline contains "🥛" or tgt.process.cmdline contains "🍼" or tgt.process.cmdline contains "🫖" or tgt.process.cmdline contains "☕️" or tgt.process.cmdline contains "🍵" or tgt.process.cmdline contains "🧃" or tgt.process.cmdline contains "🥤" or tgt.process.cmdline contains "🧋" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🍶" or tgt.process.cmdline contains "🍺" or tgt.process.cmdline contains "🍻" or tgt.process.cmdline contains "🥂" or tgt.process.cmdline contains "🍷" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🥃" or tgt.process.cmdline contains "🍸" or tgt.process.cmdline contains "🍹" or tgt.process.cmdline contains "🧉" or tgt.process.cmdline contains "🍾" or tgt.process.cmdline contains "🧊" or tgt.process.cmdline contains "🥄" or tgt.process.cmdline contains "🍴" or tgt.process.cmdline contains "🍽" or tgt.process.cmdline contains "🥣" or tgt.process.cmdline contains "🥡" or tgt.process.cmdline contains "🥢" or tgt.process.cmdline contains "🧂" or tgt.process.cmdline contains "⚽️" or tgt.process.cmdline contains "🏀" or tgt.process.cmdline contains "🏈" or tgt.process.cmdline contains "⚾️" or tgt.process.cmdline contains "🥎" or tgt.process.cmdline contains "🎾" or tgt.process.cmdline contains "🏐" or tgt.process.cmdline contains "🏉" or tgt.process.cmdline contains "🥏" or tgt.process.cmdline contains "🎱" or tgt.process.cmdline contains "🪀" or tgt.process.cmdline contains "🏓" or tgt.process.cmdline contains "🏸" or tgt.process.cmdline contains "🏒" or tgt.process.cmdline contains "🏑" or tgt.process.cmdline contains "🥍" or tgt.process.cmdline contains "🏏" or tgt.process.cmdline contains "🪃" or tgt.process.cmdline contains "🥅" or tgt.process.cmdline contains "⛳️" or tgt.process.cmdline contains "🪁" or tgt.process.cmdline contains "🏹" or tgt.process.cmdline contains "🎣" or tgt.process.cmdline contains "🤿" or 
tgt.process.cmdline contains "🥊" or tgt.process.cmdline contains "🥋" or tgt.process.cmdline contains "🎽" or tgt.process.cmdline contains "🛹" or tgt.process.cmdline contains "🛼" or tgt.process.cmdline contains "🛷" or tgt.process.cmdline contains "⛸" or tgt.process.cmdline contains "🥌" or tgt.process.cmdline contains "🎿" or tgt.process.cmdline contains "⛷" or tgt.process.cmdline contains "🏂" or tgt.process.cmdline contains "🪂" or tgt.process.cmdline contains "🏋️‍♀️" or tgt.process.cmdline contains "🏋️" or tgt.process.cmdline contains "🏋️‍♂️" or tgt.process.cmdline contains "🤼‍♀️" or tgt.process.cmdline contains "🤼" or tgt.process.cmdline contains "🤼‍♂️" or tgt.process.cmdline contains "🤸‍♀️" or tgt.process.cmdline contains "🤸" or tgt.process.cmdline contains "🤸‍♂️" or tgt.process.cmdline contains "⛹️‍♀️" or tgt.process.cmdline contains "⛹️" or tgt.process.cmdline contains "⛹️‍♂️" or tgt.process.cmdline contains "🤺" or tgt.process.cmdline contains "🤾‍♀️" or tgt.process.cmdline contains "🤾" or tgt.process.cmdline contains "🤾‍♂️" or tgt.process.cmdline contains "🏌️‍♀️" or tgt.process.cmdline contains "🏌️" or tgt.process.cmdline contains "🏌️‍♂️" or tgt.process.cmdline contains "🏇" or tgt.process.cmdline contains "🧘‍♀️" or tgt.process.cmdline contains "🧘" or tgt.process.cmdline contains "🧘‍♂️" or tgt.process.cmdline contains "🏄‍♀️" or tgt.process.cmdline contains "🏄" or tgt.process.cmdline contains "🏄‍♂️" or tgt.process.cmdline contains "🏊‍♀️" or tgt.process.cmdline contains "🏊" or tgt.process.cmdline contains "🏊‍♂️" or tgt.process.cmdline contains "🤽‍♀️" or tgt.process.cmdline contains "🤽" or tgt.process.cmdline contains "🤽‍♂️" or tgt.process.cmdline contains "🚣‍♀️" or tgt.process.cmdline contains "🚣" or tgt.process.cmdline contains "🚣‍♂️" or tgt.process.cmdline contains "🧗‍♀️" or tgt.process.cmdline contains "🧗" or tgt.process.cmdline contains "🧗‍♂️" or tgt.process.cmdline contains "🚵‍♀️" or tgt.process.cmdline contains "🚵" or tgt.process.cmdline contains "🚵‍♂️" or 
tgt.process.cmdline contains "🚴‍♀️" or tgt.process.cmdline contains "🚴" or tgt.process.cmdline contains "🚴‍♂️" or tgt.process.cmdline contains "🏆" or tgt.process.cmdline contains "🥇" or tgt.process.cmdline contains "🥈" or tgt.process.cmdline contains "🥉" or tgt.process.cmdline contains "🏅" or tgt.process.cmdline contains "🎖" or tgt.process.cmdline contains "🏵" or tgt.process.cmdline contains "🎗" or tgt.process.cmdline contains "🎫" or tgt.process.cmdline contains "🎟" or tgt.process.cmdline contains "🎪" or tgt.process.cmdline contains "🤹" or tgt.process.cmdline contains "🤹‍♂️" or tgt.process.cmdline contains "🤹‍♀️" or tgt.process.cmdline contains "🎭" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "🎨" or tgt.process.cmdline contains "🎬" or tgt.process.cmdline contains "🎤" or tgt.process.cmdline contains "🎧" or tgt.process.cmdline contains "🎼" or tgt.process.cmdline contains "🎹" or tgt.process.cmdline contains "🥁" or tgt.process.cmdline contains "🪘" or tgt.process.cmdline contains "🎷" or tgt.process.cmdline contains "🎺" or tgt.process.cmdline contains "🪗" or tgt.process.cmdline contains "🎸" or tgt.process.cmdline contains "🪕" or tgt.process.cmdline contains "🎻" or tgt.process.cmdline contains "🎲" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "🎯" or tgt.process.cmdline contains "🎳" or tgt.process.cmdline contains "🎮" or tgt.process.cmdline contains "🎰" or tgt.process.cmdline contains "🧩" or tgt.process.cmdline contains "🚗" or tgt.process.cmdline contains "🚕" or tgt.process.cmdline contains "🚙" or tgt.process.cmdline contains "🚌" or tgt.process.cmdline contains "🚎" or tgt.process.cmdline contains "🏎" or tgt.process.cmdline contains "🚓" or tgt.process.cmdline contains "🚑" or tgt.process.cmdline contains "🚒" or tgt.process.cmdline contains "🚐" or tgt.process.cmdline contains "🛻" or tgt.process.cmdline contains "🚚" or tgt.process.cmdline contains "🚛" or tgt.process.cmdline contains "🚜" or tgt.process.cmdline contains "🦯" or 
tgt.process.cmdline contains "🦽" or tgt.process.cmdline contains "🦼" or tgt.process.cmdline contains "🛴" or tgt.process.cmdline contains "🚲" or tgt.process.cmdline contains "🛵" or tgt.process.cmdline contains "🏍" or tgt.process.cmdline contains "🛺" or tgt.process.cmdline contains "🚨" or tgt.process.cmdline contains "🚔" or tgt.process.cmdline contains "🚍" or tgt.process.cmdline contains "🚘" or tgt.process.cmdline contains "🚖" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🚡" or tgt.process.cmdline contains "🚠" or tgt.process.cmdline contains "🚟" or tgt.process.cmdline contains "🚃" or tgt.process.cmdline contains "🚋" or tgt.process.cmdline contains "🚞" or tgt.process.cmdline contains "🚝" or tgt.process.cmdline contains "🚄" or tgt.process.cmdline contains "🚅" or tgt.process.cmdline contains "🚈" or tgt.process.cmdline contains "🚂" or tgt.process.cmdline contains "🚆" or tgt.process.cmdline contains "🚇" or tgt.process.cmdline contains "🚊" or tgt.process.cmdline contains "🚉" or tgt.process.cmdline contains "✈️" or tgt.process.cmdline contains "🛫" or tgt.process.cmdline contains "🛬" or tgt.process.cmdline contains "🛩" or tgt.process.cmdline contains "💺" or tgt.process.cmdline contains "🛰" or tgt.process.cmdline contains "🚀" or tgt.process.cmdline contains "🛸" or tgt.process.cmdline contains "🚁" or tgt.process.cmdline contains "🛶" or tgt.process.cmdline contains "⛵️" or tgt.process.cmdline contains "🚤" or tgt.process.cmdline contains "🛥" or tgt.process.cmdline contains "🛳" or tgt.process.cmdline contains "⛴" or tgt.process.cmdline contains "🚢" or tgt.process.cmdline contains "⚓️" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪝" or tgt.process.cmdline contains "⛽️" or tgt.process.cmdline contains "🚧" or tgt.process.cmdline contains "🚦" or tgt.process.cmdline contains "🚥" or tgt.process.cmdline contains "🚏" or tgt.process.cmdline contains "🗺" or tgt.process.cmdline contains "🗿" or tgt.process.cmdline contains "🗽" or 
tgt.process.cmdline contains "🗼" or tgt.process.cmdline contains "🏰" or tgt.process.cmdline contains "🏯" or tgt.process.cmdline contains "🏟" or tgt.process.cmdline contains "🎡" or tgt.process.cmdline contains "🎢" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🎠" or tgt.process.cmdline contains "⛲️" or tgt.process.cmdline contains "⛱" or tgt.process.cmdline contains "🏖" or tgt.process.cmdline contains "🏝" or tgt.process.cmdline contains "🏜" or tgt.process.cmdline contains "🌋" or tgt.process.cmdline contains "⛰" or tgt.process.cmdline contains "🏔" or tgt.process.cmdline contains "🗻" or tgt.process.cmdline contains "🏕" or tgt.process.cmdline contains "⛺️" or tgt.process.cmdline contains "🛖" or tgt.process.cmdline contains "🏠" or tgt.process.cmdline contains "🏡" or tgt.process.cmdline contains "🏘" or tgt.process.cmdline contains "🏚" or tgt.process.cmdline contains "🏗" or tgt.process.cmdline contains "🏭" or tgt.process.cmdline contains "🏢" or tgt.process.cmdline contains "🏬" or tgt.process.cmdline contains "🏣" or tgt.process.cmdline contains "🏤" or tgt.process.cmdline contains "🏥" or tgt.process.cmdline contains "🏦" or tgt.process.cmdline contains "🏨" or tgt.process.cmdline contains "🏪" or tgt.process.cmdline contains "🏫" or tgt.process.cmdline contains "🏩" or tgt.process.cmdline contains "💒" or tgt.process.cmdline contains "🏛" or tgt.process.cmdline contains "⛪️" or tgt.process.cmdline contains "🕌" or tgt.process.cmdline contains "🕍" or tgt.process.cmdline contains "🛕" or tgt.process.cmdline contains "🕋" or tgt.process.cmdline contains "⛩" or tgt.process.cmdline contains "🛤" or tgt.process.cmdline contains "🛣" or tgt.process.cmdline contains "🗾" or tgt.process.cmdline contains "🎑" or tgt.process.cmdline contains "🏞" or tgt.process.cmdline contains "🌅" or tgt.process.cmdline contains "🌄" or tgt.process.cmdline contains "🌠" or tgt.process.cmdline contains "🎇" or tgt.process.cmdline contains "🎆" or tgt.process.cmdline contains "🌇" or 
tgt.process.cmdline contains "🌆" or tgt.process.cmdline contains "🏙" or tgt.process.cmdline contains "🌃" or tgt.process.cmdline contains "🌌" or tgt.process.cmdline contains "🌉" or tgt.process.cmdline contains "🌁" or tgt.process.cmdline contains "⌚️" or tgt.process.cmdline contains "📱" or tgt.process.cmdline contains "📲" or tgt.process.cmdline contains "💻" or tgt.process.cmdline contains "⌨️" or tgt.process.cmdline contains "🖥" or tgt.process.cmdline contains "🖨" or tgt.process.cmdline contains "🖱" or tgt.process.cmdline contains "🖲" or tgt.process.cmdline contains "🕹" or tgt.process.cmdline contains "🗜" or tgt.process.cmdline contains "💽" or tgt.process.cmdline contains "💾" or tgt.process.cmdline contains "💿" or tgt.process.cmdline contains "📀" or tgt.process.cmdline contains "📼" or tgt.process.cmdline contains "📷" or tgt.process.cmdline contains "📸" or tgt.process.cmdline contains "📹" or tgt.process.cmdline contains "🎥" or tgt.process.cmdline contains "📽" or tgt.process.cmdline contains "🎞" or tgt.process.cmdline contains "📞" or tgt.process.cmdline contains "☎️" or tgt.process.cmdline contains "📟" or tgt.process.cmdline contains "📠" or tgt.process.cmdline contains "📺" or tgt.process.cmdline contains "📻" or tgt.process.cmdline contains "🎙" or tgt.process.cmdline contains "🎚" or tgt.process.cmdline contains "🎛" or tgt.process.cmdline contains "🧭" or tgt.process.cmdline contains "⏱" or tgt.process.cmdline contains "⏲" or tgt.process.cmdline contains "⏰" or tgt.process.cmdline contains "🕰" or tgt.process.cmdline contains "⌛️" or tgt.process.cmdline contains "⏳" or tgt.process.cmdline contains "📡" or tgt.process.cmdline contains "🔋" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🔌" or tgt.process.cmdline contains "💡" or tgt.process.cmdline contains "🔦" or tgt.process.cmdline contains "🕯" or tgt.process.cmdline contains "🪔" or tgt.process.cmdline contains "🧯" or tgt.process.cmdline contains "🛢" or tgt.process.cmdline contains "💸" or 
tgt.process.cmdline contains "💵" or tgt.process.cmdline contains "💴" or tgt.process.cmdline contains "💶" or tgt.process.cmdline contains "💷" or tgt.process.cmdline contains "🪙" or tgt.process.cmdline contains "💰" or tgt.process.cmdline contains "💳" or tgt.process.cmdline contains "💎" or tgt.process.cmdline contains "⚖️" or tgt.process.cmdline contains "🪜" or tgt.process.cmdline contains "🧰" or tgt.process.cmdline contains "🪛" or tgt.process.cmdline contains "🔧" or tgt.process.cmdline contains "🔨" or tgt.process.cmdline contains "⚒" or tgt.process.cmdline contains "🛠" or tgt.process.cmdline contains "⛏" or tgt.process.cmdline contains "🪚" or tgt.process.cmdline contains "🔩" or tgt.process.cmdline contains "⚙️" or tgt.process.cmdline contains "🪤" or tgt.process.cmdline contains "🧱" or tgt.process.cmdline contains "⛓" or tgt.process.cmdline contains "🧲" or tgt.process.cmdline contains "🔫" or tgt.process.cmdline contains "💣" or tgt.process.cmdline contains "🧨" or tgt.process.cmdline contains "🪓" or tgt.process.cmdline contains "🔪" or tgt.process.cmdline contains "🗡" or tgt.process.cmdline contains "⚔️" or tgt.process.cmdline contains "🛡" or tgt.process.cmdline contains "🚬" or tgt.process.cmdline contains "⚰️" or tgt.process.cmdline contains "🪦" or tgt.process.cmdline contains "⚱️" or tgt.process.cmdline contains "🏺" or tgt.process.cmdline contains "🔮" or tgt.process.cmdline contains "📿" or tgt.process.cmdline contains "🧿" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "💈" or tgt.process.cmdline contains "⚗️" or tgt.process.cmdline contains "🔭" or tgt.process.cmdline contains "🔬" or tgt.process.cmdline contains "🕳" or tgt.process.cmdline contains "🩹" or tgt.process.cmdline contains "🩺" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "💊" or tgt.process.cmdline contains "💉" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "🧬" or tgt.process.cmdline contains "🦠" or 
tgt.process.cmdline contains "🧫" or tgt.process.cmdline contains "🧪" or tgt.process.cmdline contains "🌡" or tgt.process.cmdline contains "🧹" or tgt.process.cmdline contains "🪠" or tgt.process.cmdline contains "🧺" or tgt.process.cmdline contains "🧻" or tgt.process.cmdline contains "🚽" or tgt.process.cmdline contains "🚰" or tgt.process.cmdline contains "🚿" or tgt.process.cmdline contains "🛁" or tgt.process.cmdline contains "🛀" or tgt.process.cmdline contains "🧼" or tgt.process.cmdline contains "🪥" or tgt.process.cmdline contains "🪒" or tgt.process.cmdline contains "🧽" or tgt.process.cmdline contains "🪣" or tgt.process.cmdline contains "🧴" or tgt.process.cmdline contains "🛎" or tgt.process.cmdline contains "🔑" or tgt.process.cmdline contains "🗝" or tgt.process.cmdline contains "🚪" or tgt.process.cmdline contains "🪑" or tgt.process.cmdline contains "🛋" or tgt.process.cmdline contains "🛏" or tgt.process.cmdline contains "🛌" or tgt.process.cmdline contains "🧸" or tgt.process.cmdline contains "🪆" or tgt.process.cmdline contains "🖼" or tgt.process.cmdline contains "🪞" or tgt.process.cmdline contains "🪟" or tgt.process.cmdline contains "🛍" or tgt.process.cmdline contains "🛒" or tgt.process.cmdline contains "🎁" or tgt.process.cmdline contains "🎈" or tgt.process.cmdline contains "🎏" or tgt.process.cmdline contains "🎀" or tgt.process.cmdline contains "🪄" or tgt.process.cmdline contains "🪅" or tgt.process.cmdline contains "🎊" or tgt.process.cmdline contains "🎉" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🎎" or tgt.process.cmdline contains "🏮" or tgt.process.cmdline contains "🎐" or tgt.process.cmdline contains "🧧" or tgt.process.cmdline contains "✉️" or tgt.process.cmdline contains "📩" or tgt.process.cmdline contains "📨" or tgt.process.cmdline contains "📧" or tgt.process.cmdline contains "💌" or tgt.process.cmdline contains "📥" or tgt.process.cmdline contains "📤" or tgt.process.cmdline contains "📦" or tgt.process.cmdline contains "🏷" or 
tgt.process.cmdline contains "🪧" or tgt.process.cmdline contains "📪" or tgt.process.cmdline contains "📫" or tgt.process.cmdline contains "📬" or tgt.process.cmdline contains "📭" or tgt.process.cmdline contains "📮" or tgt.process.cmdline contains "📯" or tgt.process.cmdline contains "📜" or tgt.process.cmdline contains "📃" or tgt.process.cmdline contains "📄" or tgt.process.cmdline contains "📑" or tgt.process.cmdline contains "🧾" or tgt.process.cmdline contains "📊" or tgt.process.cmdline contains "📈" or tgt.process.cmdline contains "📉" or tgt.process.cmdline contains "🗒" or tgt.process.cmdline contains "🗓" or tgt.process.cmdline contains "📆" or tgt.process.cmdline contains "📅" or tgt.process.cmdline contains "🗑" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "📇" or tgt.process.cmdline contains "🗃" or tgt.process.cmdline contains "🗳" or tgt.process.cmdline contains "🗄" or tgt.process.cmdline contains "📋" or tgt.process.cmdline contains "📁" or tgt.process.cmdline contains "📂" or tgt.process.cmdline contains "🗂" or tgt.process.cmdline contains "🗞" or tgt.process.cmdline contains "📰" or tgt.process.cmdline contains "📓" or tgt.process.cmdline contains "📔" or tgt.process.cmdline contains "📒" or tgt.process.cmdline contains "📕" or tgt.process.cmdline contains "📗" or tgt.process.cmdline contains "📘" or tgt.process.cmdline contains "📙" or tgt.process.cmdline contains "📚" or tgt.process.cmdline contains "📖" or tgt.process.cmdline contains "🔖" or tgt.process.cmdline contains "🧷" or tgt.process.cmdline contains "🔗" or tgt.process.cmdline contains "📎" or tgt.process.cmdline contains "🖇" or tgt.process.cmdline contains "📐" or tgt.process.cmdline contains "📏" or tgt.process.cmdline contains "🧮" or tgt.process.cmdline contains "📌" or tgt.process.cmdline contains "📍" or tgt.process.cmdline contains "✂️" or tgt.process.cmdline contains "🖊" or tgt.process.cmdline contains "🖋" or tgt.process.cmdline contains "✒️" or tgt.process.cmdline contains "🖌" or 
tgt.process.cmdline contains "🖍" or tgt.process.cmdline contains "📝" or tgt.process.cmdline contains "✏️" or tgt.process.cmdline contains "🔍" or tgt.process.cmdline contains "🔎" or tgt.process.cmdline contains "🔏" or tgt.process.cmdline contains "🔐" or tgt.process.cmdline contains "🔒" or tgt.process.cmdline contains "🔓❤️" or tgt.process.cmdline contains "🧡" or tgt.process.cmdline contains "💛" or tgt.process.cmdline contains "💚" or tgt.process.cmdline contains "💙" or tgt.process.cmdline contains "💜" or tgt.process.cmdline contains "🖤" or tgt.process.cmdline contains "🤍" or tgt.process.cmdline contains "🤎" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "💔" or tgt.process.cmdline contains "❣️" or tgt.process.cmdline contains "💕" or tgt.process.cmdline contains "💞" or tgt.process.cmdline contains "💓" or tgt.process.cmdline contains "💗" or tgt.process.cmdline contains "💖" or tgt.process.cmdline contains "💘" or tgt.process.cmdline contains "💝" or tgt.process.cmdline contains "💟" or tgt.process.cmdline contains "☮️" or tgt.process.cmdline contains "✝️" or tgt.process.cmdline contains "☪️" or tgt.process.cmdline contains "🕉" or tgt.process.cmdline contains "☸️" or tgt.process.cmdline contains "✡️" or tgt.process.cmdline contains "🔯" or tgt.process.cmdline contains "🕎" or tgt.process.cmdline contains "☯️" or tgt.process.cmdline contains "☦️" or tgt.process.cmdline contains "🛐" or tgt.process.cmdline contains "⛎" or tgt.process.cmdline contains "♈️" or tgt.process.cmdline contains "♉️" or tgt.process.cmdline contains "♊️" or tgt.process.cmdline contains "♋️" or tgt.process.cmdline contains "♌️" or tgt.process.cmdline contains "♍️" or tgt.process.cmdline contains "♎️" or tgt.process.cmdline contains "♏️" or tgt.process.cmdline contains "♐️" or tgt.process.cmdline contains "♑️" or tgt.process.cmdline contains "♒️" or tgt.process.cmdline contains "♓️" or tgt.process.cmdline contains "🆔" or tgt.process.cmdline 
contains "⚛️" or tgt.process.cmdline contains "🉑" or tgt.process.cmdline contains "☢️" or tgt.process.cmdline contains "☣️" or tgt.process.cmdline contains "📴" or tgt.process.cmdline contains "📳" or tgt.process.cmdline contains "🈶" or tgt.process.cmdline contains "🈚️" or tgt.process.cmdline contains "🈸" or tgt.process.cmdline contains "🈺" or tgt.process.cmdline contains "🈷️" or tgt.process.cmdline contains "✴️" or tgt.process.cmdline contains "🆚" or tgt.process.cmdline contains "💮" or tgt.process.cmdline contains "🉐" or tgt.process.cmdline contains "㊙️" or tgt.process.cmdline contains "㊗️" or tgt.process.cmdline contains "🈴" or tgt.process.cmdline contains "🈵" or tgt.process.cmdline contains "🈹" or tgt.process.cmdline contains "🈲" or tgt.process.cmdline contains "🅰️" or tgt.process.cmdline contains "🅱️" or tgt.process.cmdline contains "🆎" or tgt.process.cmdline contains "🆑" or tgt.process.cmdline contains "🅾️" or tgt.process.cmdline contains "🆘" or tgt.process.cmdline contains "❌" or tgt.process.cmdline contains "⭕️" or tgt.process.cmdline contains "🛑" or tgt.process.cmdline contains "⛔️" or tgt.process.cmdline contains "📛" or tgt.process.cmdline contains "🚫" or tgt.process.cmdline contains "💯" or tgt.process.cmdline contains "💢" or tgt.process.cmdline contains "♨️" or tgt.process.cmdline contains "🚷" or tgt.process.cmdline contains "🚯" or tgt.process.cmdline contains "🚳" or tgt.process.cmdline contains "🚱" or tgt.process.cmdline contains "🔞" or tgt.process.cmdline contains "📵" or tgt.process.cmdline contains "🚭" or tgt.process.cmdline contains "❗️" or tgt.process.cmdline contains "❕" or tgt.process.cmdline contains "❓" or tgt.process.cmdline contains "❔" or tgt.process.cmdline contains "‼️" or tgt.process.cmdline contains "⁉️" or tgt.process.cmdline contains "🔅" or tgt.process.cmdline contains "🔆" or tgt.process.cmdline contains "〽️" or tgt.process.cmdline contains "⚠️" or tgt.process.cmdline contains "🚸" or tgt.process.cmdline contains "🔱" or tgt.process.cmdline 
contains "⚜️" or tgt.process.cmdline contains "🔰" or tgt.process.cmdline contains "♻️" or tgt.process.cmdline contains "✅" or tgt.process.cmdline contains "🈯️" or tgt.process.cmdline contains "💹" or tgt.process.cmdline contains "❇️" or tgt.process.cmdline contains "✳️" or tgt.process.cmdline contains "❎" or tgt.process.cmdline contains "🌐" or tgt.process.cmdline contains "💠" or tgt.process.cmdline contains "Ⓜ️" or tgt.process.cmdline contains "🌀" or tgt.process.cmdline contains "💤" or tgt.process.cmdline contains "🏧" or tgt.process.cmdline contains "🚾" or tgt.process.cmdline contains "♿️" or tgt.process.cmdline contains "🅿️" or tgt.process.cmdline contains "🛗" or tgt.process.cmdline contains "🈳" or tgt.process.cmdline contains "🈂️" or tgt.process.cmdline contains "🛂" or tgt.process.cmdline contains "🛃" or tgt.process.cmdline contains "🛄" or tgt.process.cmdline contains "🛅" or tgt.process.cmdline contains "🚹" or tgt.process.cmdline contains "🚺" or tgt.process.cmdline contains "🚼" or tgt.process.cmdline contains "⚧" or tgt.process.cmdline contains "🚻" or tgt.process.cmdline contains "🚮" or tgt.process.cmdline contains "🎦" or tgt.process.cmdline contains "📶" or tgt.process.cmdline contains "🈁" or tgt.process.cmdline contains "🔣" or tgt.process.cmdline contains "ℹ️" or tgt.process.cmdline contains "🔤" or tgt.process.cmdline contains "🔡" or tgt.process.cmdline contains "🔠" or tgt.process.cmdline contains "🆖" or tgt.process.cmdline contains "🆗" or tgt.process.cmdline contains "🆙" or tgt.process.cmdline contains "🆒" or tgt.process.cmdline contains "🆕" or tgt.process.cmdline contains "🆓" or tgt.process.cmdline contains "0️⃣" or tgt.process.cmdline contains "1️⃣" or tgt.process.cmdline contains "2️⃣" or tgt.process.cmdline contains "3️⃣" or tgt.process.cmdline contains "4️⃣" or tgt.process.cmdline contains "5️⃣" or tgt.process.cmdline contains "6️⃣" or tgt.process.cmdline contains "7️⃣" or tgt.process.cmdline contains "8️⃣" or tgt.process.cmdline contains "9️⃣" or 
tgt.process.cmdline contains "🔟" or tgt.process.cmdline contains "🔢" or tgt.process.cmdline contains "#️⃣" or tgt.process.cmdline contains "️⃣" or tgt.process.cmdline contains "⏏️" or tgt.process.cmdline contains "▶️" or tgt.process.cmdline contains "⏸" or tgt.process.cmdline contains "⏯" or tgt.process.cmdline contains "⏹" or tgt.process.cmdline contains "⏺" or tgt.process.cmdline contains "⏭" or tgt.process.cmdline contains "⏮" or tgt.process.cmdline contains "⏩" or tgt.process.cmdline contains "⏪" or tgt.process.cmdline contains "⏫" or tgt.process.cmdline contains "⏬" or tgt.process.cmdline contains "◀️" or tgt.process.cmdline contains "🔼" or tgt.process.cmdline contains "🔽" or tgt.process.cmdline contains "➡️" or tgt.process.cmdline contains "⬅️" or tgt.process.cmdline contains "⬆️" or tgt.process.cmdline contains "⬇️" or tgt.process.cmdline contains "↗️" or tgt.process.cmdline contains "↘️" or tgt.process.cmdline contains "↙️" or tgt.process.cmdline contains "↖️" or tgt.process.cmdline contains "↕️" or tgt.process.cmdline contains "↔️" or tgt.process.cmdline contains "↪️" or tgt.process.cmdline contains "↩️" or tgt.process.cmdline contains "⤴️" or tgt.process.cmdline contains "⤵️" or tgt.process.cmdline contains "🔀" or tgt.process.cmdline contains "🔁" or tgt.process.cmdline contains "🔂" or tgt.process.cmdline contains "🔄" or tgt.process.cmdline contains "🔃" or tgt.process.cmdline contains "🎵" or tgt.process.cmdline contains "🎶" or tgt.process.cmdline contains "➕" or tgt.process.cmdline contains "➖" or tgt.process.cmdline contains "➗" or tgt.process.cmdline contains "✖️" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "♾" or tgt.process.cmdline contains "💲" or tgt.process.cmdline contains "💱" or tgt.process.cmdline contains "™️" or tgt.process.cmdline contains "©️" or tgt.process.cmdline contains "®️" or tgt.process.cmdline contains "〰️" or tgt.process.cmdline contains "➰" or tgt.process.cmdline contains "➿" or tgt.process.cmdline contains 
"🔚" or tgt.process.cmdline contains "🔙" or tgt.process.cmdline contains "🔛" or tgt.process.cmdline contains "🔝" or tgt.process.cmdline contains "🔜" or tgt.process.cmdline contains "✔️" or tgt.process.cmdline contains "☑️" or tgt.process.cmdline contains "🔘" or tgt.process.cmdline contains "🔴" or tgt.process.cmdline contains "🟠" or tgt.process.cmdline contains "🟡" or tgt.process.cmdline contains "🟢" or tgt.process.cmdline contains "🔵" or tgt.process.cmdline contains "🟣" or tgt.process.cmdline contains "⚫️" or tgt.process.cmdline contains "⚪️" or tgt.process.cmdline contains "🟤" or tgt.process.cmdline contains "🔺" or tgt.process.cmdline contains "🔻"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
index 26698e733..1d751eacd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🔸" or tgt.process.cmdline contains "🔹" or tgt.process.cmdline contains "🔶" or tgt.process.cmdline contains "🔷" or tgt.process.cmdline contains "🔳" or tgt.process.cmdline contains "🔲" or tgt.process.cmdline contains "▪️" or tgt.process.cmdline contains "▫️" or tgt.process.cmdline contains "◾️" or tgt.process.cmdline contains "◽️" or tgt.process.cmdline contains "◼️" or tgt.process.cmdline contains "◻️" or tgt.process.cmdline contains "🟥" or tgt.process.cmdline contains "🟧" or tgt.process.cmdline contains "🟨" or tgt.process.cmdline contains "🟩" or tgt.process.cmdline contains "🟦" or tgt.process.cmdline contains "🟪" or tgt.process.cmdline contains "⬛️" or tgt.process.cmdline contains "⬜️" or tgt.process.cmdline contains "🟫" or tgt.process.cmdline contains "🔈" or tgt.process.cmdline contains "🔇" or tgt.process.cmdline contains "🔉" or tgt.process.cmdline contains "🔊" or tgt.process.cmdline contains "🔔" or tgt.process.cmdline contains "🔕" or tgt.process.cmdline contains "📣" or tgt.process.cmdline contains "📢" or tgt.process.cmdline contains "👁‍🗨" or tgt.process.cmdline contains "💬" or tgt.process.cmdline contains "💭" or tgt.process.cmdline contains "🗯" or tgt.process.cmdline contains "♠️" or tgt.process.cmdline contains "♣️" or tgt.process.cmdline contains "♥️" or tgt.process.cmdline contains "♦️" or tgt.process.cmdline contains "🃏" or tgt.process.cmdline contains "🎴" or tgt.process.cmdline contains "🀄️" or tgt.process.cmdline contains "🕐" or tgt.process.cmdline contains "🕑" or tgt.process.cmdline contains "🕒" or tgt.process.cmdline contains "🕓" or tgt.process.cmdline contains "🕔" or tgt.process.cmdline contains "🕕" or tgt.process.cmdline contains "🕖" or tgt.process.cmdline contains "🕗" or tgt.process.cmdline 
contains "🕘" or tgt.process.cmdline contains "🕙" or tgt.process.cmdline contains "🕚" or tgt.process.cmdline contains "🕛" or tgt.process.cmdline contains "🕜" or tgt.process.cmdline contains "🕝" or tgt.process.cmdline contains "🕞" or tgt.process.cmdline contains "🕟" or tgt.process.cmdline contains "🕠" or tgt.process.cmdline contains "🕡" or tgt.process.cmdline contains "🕢" or tgt.process.cmdline contains "🕣" or tgt.process.cmdline contains "🕤" or tgt.process.cmdline contains "🕥" or tgt.process.cmdline contains "🕦" or tgt.process.cmdline contains "🕧✢" or tgt.process.cmdline contains "✣" or tgt.process.cmdline contains "✤" or tgt.process.cmdline contains "✥" or tgt.process.cmdline contains "✦" or tgt.process.cmdline contains "✧" or tgt.process.cmdline contains "★" or tgt.process.cmdline contains "☆" or tgt.process.cmdline contains "✯" or tgt.process.cmdline contains "✡︎" or tgt.process.cmdline contains "✩" or tgt.process.cmdline contains "✪" or tgt.process.cmdline contains "✫" or tgt.process.cmdline contains "✬" or tgt.process.cmdline contains "✭" or tgt.process.cmdline contains "✮" or tgt.process.cmdline contains "✶" or tgt.process.cmdline contains "✷" or tgt.process.cmdline contains "✵" or tgt.process.cmdline contains "✸" or tgt.process.cmdline contains "✹" or tgt.process.cmdline contains "→" or tgt.process.cmdline contains "⇒" or tgt.process.cmdline contains "⟹" or tgt.process.cmdline contains "⇨" or tgt.process.cmdline contains "⇾" or tgt.process.cmdline contains "➾" or tgt.process.cmdline contains "⇢" or tgt.process.cmdline contains "☛" or tgt.process.cmdline contains "☞" or tgt.process.cmdline contains "➔" or tgt.process.cmdline contains "➜" or tgt.process.cmdline contains "➙" or tgt.process.cmdline contains "➛" or tgt.process.cmdline contains "➝" or tgt.process.cmdline contains "➞" or tgt.process.cmdline contains "♠︎" or tgt.process.cmdline contains "♣︎" or tgt.process.cmdline contains "♥︎" or tgt.process.cmdline contains "♦︎" or tgt.process.cmdline contains "♤" 
or tgt.process.cmdline contains "♧" or tgt.process.cmdline contains "♡" or tgt.process.cmdline contains "♢" or tgt.process.cmdline contains "♚" or tgt.process.cmdline contains "♛" or tgt.process.cmdline contains "♜" or tgt.process.cmdline contains "♝" or tgt.process.cmdline contains "♞" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "♔" or tgt.process.cmdline contains "♕" or tgt.process.cmdline contains "♖" or tgt.process.cmdline contains "♗" or tgt.process.cmdline contains "♘" or tgt.process.cmdline contains "♙" or tgt.process.cmdline contains "⚀" or tgt.process.cmdline contains "⚁" or tgt.process.cmdline contains "⚂" or tgt.process.cmdline contains "⚃" or tgt.process.cmdline contains "⚄" or tgt.process.cmdline contains "⚅" or tgt.process.cmdline contains "🂠" or tgt.process.cmdline contains "⚈" or tgt.process.cmdline contains "⚉" or tgt.process.cmdline contains "⚆" or tgt.process.cmdline contains "⚇" or tgt.process.cmdline contains "𓀀" or tgt.process.cmdline contains "𓀁" or tgt.process.cmdline contains "𓀂" or tgt.process.cmdline contains "𓀃" or tgt.process.cmdline contains "𓀄" or tgt.process.cmdline contains "𓀅" or tgt.process.cmdline contains "𓀆" or tgt.process.cmdline contains "𓀇" or tgt.process.cmdline contains "𓀈" or tgt.process.cmdline contains "𓀉" or tgt.process.cmdline contains "𓀊" or tgt.process.cmdline contains "𓀋" or tgt.process.cmdline contains "𓀌" or tgt.process.cmdline contains "𓀍" or tgt.process.cmdline contains "𓀎" or tgt.process.cmdline contains "𓀏" or tgt.process.cmdline contains "𓀐" or tgt.process.cmdline contains "𓀑" or tgt.process.cmdline contains "𓀒" or tgt.process.cmdline contains "𓀓" or tgt.process.cmdline contains "𓀔" or tgt.process.cmdline contains "𓀕" or tgt.process.cmdline contains "𓀖" or tgt.process.cmdline contains "𓀗" or tgt.process.cmdline contains "𓀘" or tgt.process.cmdline contains "𓀙" or tgt.process.cmdline contains "𓀚" or tgt.process.cmdline contains "𓀛" or tgt.process.cmdline contains "𓀜" or 
tgt.process.cmdline contains "𓀝🏳️" or tgt.process.cmdline contains "🏴" or tgt.process.cmdline contains "🏁" or tgt.process.cmdline contains "🚩" or tgt.process.cmdline contains "🏳️‍🌈" or tgt.process.cmdline contains "🏳️‍⚧️" or tgt.process.cmdline contains "🏴‍☠️" or tgt.process.cmdline contains "🇦🇫" or tgt.process.cmdline contains "🇦🇽" or tgt.process.cmdline contains "🇦🇱" or tgt.process.cmdline contains "🇩🇿" or tgt.process.cmdline contains "🇦🇸" or tgt.process.cmdline contains "🇦🇩" or tgt.process.cmdline contains "🇦🇴" or tgt.process.cmdline contains "🇦🇮" or tgt.process.cmdline contains "🇦🇶" or tgt.process.cmdline contains "🇦🇬" or tgt.process.cmdline contains "🇦🇷" or tgt.process.cmdline contains "🇦🇲" or tgt.process.cmdline contains "🇦🇼" or tgt.process.cmdline contains "🇦🇺" or tgt.process.cmdline contains "🇦🇹" or tgt.process.cmdline contains "🇦🇿" or tgt.process.cmdline contains "🇧🇸" or tgt.process.cmdline contains "🇧🇭" or tgt.process.cmdline contains "🇧🇩" or tgt.process.cmdline contains "🇧🇧" or tgt.process.cmdline contains "🇧🇾" or tgt.process.cmdline contains "🇧🇪" or tgt.process.cmdline contains "🇧🇿" or tgt.process.cmdline contains "🇧🇯" or tgt.process.cmdline contains "🇧🇲" or tgt.process.cmdline contains "🇧🇹" or tgt.process.cmdline contains "🇧🇴" or tgt.process.cmdline contains "🇧🇦" or tgt.process.cmdline contains "🇧🇼" or tgt.process.cmdline contains "🇧🇷" or tgt.process.cmdline contains "🇮🇴" or tgt.process.cmdline contains "🇻🇬" or tgt.process.cmdline contains "🇧🇳" or tgt.process.cmdline contains "🇧🇬" or tgt.process.cmdline contains "🇧🇫" or tgt.process.cmdline contains "🇧🇮" or tgt.process.cmdline contains "🇰🇭" or tgt.process.cmdline contains "🇨🇲" or tgt.process.cmdline contains "🇨🇦" or tgt.process.cmdline contains "🇮🇨" or tgt.process.cmdline contains "🇨🇻" or tgt.process.cmdline contains "🇧🇶" or tgt.process.cmdline contains "🇰🇾" or tgt.process.cmdline contains "🇨🇫" or tgt.process.cmdline contains "🇹🇩" or tgt.process.cmdline contains "🇨🇱" or tgt.process.cmdline contains "🇨🇳" 
or tgt.process.cmdline contains "🇨🇽" or tgt.process.cmdline contains "🇨🇨" or tgt.process.cmdline contains "🇨🇴" or tgt.process.cmdline contains "🇰🇲" or tgt.process.cmdline contains "🇨🇬" or tgt.process.cmdline contains "🇨🇩" or tgt.process.cmdline contains "🇨🇰" or tgt.process.cmdline contains "🇨🇷" or tgt.process.cmdline contains "🇨🇮" or tgt.process.cmdline contains "🇭🇷" or tgt.process.cmdline contains "🇨🇺" or tgt.process.cmdline contains "🇨🇼" or tgt.process.cmdline contains "🇨🇾" or tgt.process.cmdline contains "🇨🇿" or tgt.process.cmdline contains "🇩🇰" or tgt.process.cmdline contains "🇩🇯" or tgt.process.cmdline contains "🇩🇲" or tgt.process.cmdline contains "🇩🇴" or tgt.process.cmdline contains "🇪🇨" or tgt.process.cmdline contains "🇪🇬" or tgt.process.cmdline contains "🇸🇻" or tgt.process.cmdline contains "🇬🇶" or tgt.process.cmdline contains "🇪🇷" or tgt.process.cmdline contains "🇪🇪" or tgt.process.cmdline contains "🇪🇹" or tgt.process.cmdline contains "🇪🇺" or tgt.process.cmdline contains "🇫🇰" or tgt.process.cmdline contains "🇫🇴" or tgt.process.cmdline contains "🇫🇯" or tgt.process.cmdline contains "🇫🇮" or tgt.process.cmdline contains "🇫🇷" or tgt.process.cmdline contains "🇬🇫" or tgt.process.cmdline contains "🇵🇫" or tgt.process.cmdline contains "🇹🇫" or tgt.process.cmdline contains "🇬🇦" or tgt.process.cmdline contains "🇬🇲" or tgt.process.cmdline contains "🇬🇪" or tgt.process.cmdline contains "🇩🇪" or tgt.process.cmdline contains "🇬🇭" or tgt.process.cmdline contains "🇬🇮" or tgt.process.cmdline contains "🇬🇷" or tgt.process.cmdline contains "🇬🇱" or tgt.process.cmdline contains "🇬🇩" or tgt.process.cmdline contains "🇬🇵" or tgt.process.cmdline contains "🇬🇺" or tgt.process.cmdline contains "🇬🇹" or tgt.process.cmdline contains "🇬🇬" or tgt.process.cmdline contains "🇬🇳" or tgt.process.cmdline contains "🇬🇼" or tgt.process.cmdline contains "🇬🇾" or tgt.process.cmdline contains "🇭🇹" or tgt.process.cmdline contains "🇭🇳" or tgt.process.cmdline contains "🇭🇰" or tgt.process.cmdline contains "🇭🇺" 
or tgt.process.cmdline contains "🇮🇸" or tgt.process.cmdline contains "🇮🇳" or tgt.process.cmdline contains "🇮🇩" or tgt.process.cmdline contains "🇮🇷" or tgt.process.cmdline contains "🇮🇶" or tgt.process.cmdline contains "🇮🇪" or tgt.process.cmdline contains "🇮🇲" or tgt.process.cmdline contains "🇮🇱" or tgt.process.cmdline contains "🇮🇹" or tgt.process.cmdline contains "🇯🇲" or tgt.process.cmdline contains "🇯🇵" or tgt.process.cmdline contains "🎌" or tgt.process.cmdline contains "🇯🇪" or tgt.process.cmdline contains "🇯🇴" or tgt.process.cmdline contains "🇰🇿" or tgt.process.cmdline contains "🇰🇪" or tgt.process.cmdline contains "🇰🇮" or tgt.process.cmdline contains "🇽🇰" or tgt.process.cmdline contains "🇰🇼" or tgt.process.cmdline contains "🇰🇬" or tgt.process.cmdline contains "🇱🇦" or tgt.process.cmdline contains "🇱🇻" or tgt.process.cmdline contains "🇱🇧" or tgt.process.cmdline contains "🇱🇸" or tgt.process.cmdline contains "🇱🇷" or tgt.process.cmdline contains "🇱🇾" or tgt.process.cmdline contains "🇱🇮" or tgt.process.cmdline contains "🇱🇹" or tgt.process.cmdline contains "🇱🇺" or tgt.process.cmdline contains "🇲🇴" or tgt.process.cmdline contains "🇲🇰" or tgt.process.cmdline contains "🇲🇬" or tgt.process.cmdline contains "🇲🇼" or tgt.process.cmdline contains "🇲🇾" or tgt.process.cmdline contains "🇲🇻" or tgt.process.cmdline contains "🇲🇱" or tgt.process.cmdline contains "🇲🇹" or tgt.process.cmdline contains "🇲🇭" or tgt.process.cmdline contains "🇲🇶" or tgt.process.cmdline contains "🇲🇷" or tgt.process.cmdline contains "🇲🇺" or tgt.process.cmdline contains "🇾🇹" or tgt.process.cmdline contains "🇲🇽" or tgt.process.cmdline contains "🇫🇲" or tgt.process.cmdline contains "🇲🇩" or tgt.process.cmdline contains "🇲🇨" or tgt.process.cmdline contains "🇲🇳" or tgt.process.cmdline contains "🇲🇪" or tgt.process.cmdline contains "🇲🇸" or tgt.process.cmdline contains "🇲🇦" or tgt.process.cmdline contains "🇲🇿" or tgt.process.cmdline contains "🇲🇲" or tgt.process.cmdline contains "🇳🇦" or tgt.process.cmdline contains "🇳🇷" or 
tgt.process.cmdline contains "🇳🇵" or tgt.process.cmdline contains "🇳🇱" or tgt.process.cmdline contains "🇳🇨" or tgt.process.cmdline contains "🇳🇿" or tgt.process.cmdline contains "🇳🇮" or tgt.process.cmdline contains "🇳🇪" or tgt.process.cmdline contains "🇳🇬" or tgt.process.cmdline contains "🇳🇺" or tgt.process.cmdline contains "🇳🇫" or tgt.process.cmdline contains "🇰🇵" or tgt.process.cmdline contains "🇲🇵" or tgt.process.cmdline contains "🇳🇴" or tgt.process.cmdline contains "🇴🇲" or tgt.process.cmdline contains "🇵🇰" or tgt.process.cmdline contains "🇵🇼" or tgt.process.cmdline contains "🇵🇸" or tgt.process.cmdline contains "🇵🇦" or tgt.process.cmdline contains "🇵🇬" or tgt.process.cmdline contains "🇵🇾" or tgt.process.cmdline contains "🇵🇪" or tgt.process.cmdline contains "🇵🇭" or tgt.process.cmdline contains "🇵🇳" or tgt.process.cmdline contains "🇵🇱" or tgt.process.cmdline contains "🇵🇹" or tgt.process.cmdline contains "🇵🇷" or tgt.process.cmdline contains "🇶🇦" or tgt.process.cmdline contains "🇷🇪" or tgt.process.cmdline contains "🇷🇴" or tgt.process.cmdline contains "🇷🇺" or tgt.process.cmdline contains "🇷🇼" or tgt.process.cmdline contains "🇼🇸" or tgt.process.cmdline contains "🇸🇲" or tgt.process.cmdline contains "🇸🇦" or tgt.process.cmdline contains "🇸🇳" or tgt.process.cmdline contains "🇷🇸" or tgt.process.cmdline contains "🇸🇨" or tgt.process.cmdline contains "🇸🇱" or tgt.process.cmdline contains "🇸🇬" or tgt.process.cmdline contains "🇸🇽" or tgt.process.cmdline contains "🇸🇰" or tgt.process.cmdline contains "🇸🇮" or tgt.process.cmdline contains "🇬🇸" or tgt.process.cmdline contains "🇸🇧" or tgt.process.cmdline contains "🇸🇴" or tgt.process.cmdline contains "🇿🇦" or tgt.process.cmdline contains "🇰🇷" or tgt.process.cmdline contains "🇸🇸" or tgt.process.cmdline contains "🇪🇸" or tgt.process.cmdline contains "🇱🇰" or tgt.process.cmdline contains "🇧🇱" or tgt.process.cmdline contains "🇸🇭" or tgt.process.cmdline contains "🇰🇳" or tgt.process.cmdline contains "🇱🇨" or tgt.process.cmdline contains "🇵🇲" or 
tgt.process.cmdline contains "🇻🇨" or tgt.process.cmdline contains "🇸🇩" or tgt.process.cmdline contains "🇸🇷" or tgt.process.cmdline contains "🇸🇿" or tgt.process.cmdline contains "🇸🇪" or tgt.process.cmdline contains "🇨🇭" or tgt.process.cmdline contains "🇸🇾" or tgt.process.cmdline contains "🇹🇼" or tgt.process.cmdline contains "🇹🇯" or tgt.process.cmdline contains "🇹🇿" or tgt.process.cmdline contains "🇹🇭" or tgt.process.cmdline contains "🇹🇱" or tgt.process.cmdline contains "🇹🇬" or tgt.process.cmdline contains "🇹🇰" or tgt.process.cmdline contains "🇹🇴" or tgt.process.cmdline contains "🇹🇹" or tgt.process.cmdline contains "🇹🇳" or tgt.process.cmdline contains "🇹🇷" or tgt.process.cmdline contains "🇹🇲" or tgt.process.cmdline contains "🇹🇨" or tgt.process.cmdline contains "🇹🇻" or tgt.process.cmdline contains "🇻🇮" or tgt.process.cmdline contains "🇺🇬" or tgt.process.cmdline contains "🇺🇦" or tgt.process.cmdline contains "🇦🇪" or tgt.process.cmdline contains "🇬🇧" or tgt.process.cmdline contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or tgt.process.cmdline contains "🇺🇳" or tgt.process.cmdline contains "🇺🇸" or tgt.process.cmdline contains "🇺🇾" or tgt.process.cmdline contains "🇺🇿" or tgt.process.cmdline contains "🇻🇺" or tgt.process.cmdline contains "🇻🇦" or tgt.process.cmdline contains "🇻🇪" or tgt.process.cmdline contains "🇻🇳" or tgt.process.cmdline contains "🇼🇫" or tgt.process.cmdline contains "🇪🇭" or tgt.process.cmdline contains "🇾🇪" or tgt.process.cmdline contains "🇿🇲" or tgt.process.cmdline contains "🇿🇼🫠" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🫤" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains 
"🫱🏿" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🤝🏻" or tgt.process.cmdline contains "🤝🏼" or tgt.process.cmdline contains "🤝🏽" or tgt.process.cmdline contains "🤝🏾" or tgt.process.cmdline contains "🤝🏿" or tgt.process.cmdline contains "🫱🏻‍🫲🏼" or tgt.process.cmdline contains "🫱🏻‍🫲🏽" or tgt.process.cmdline contains "🫱🏻‍🫲🏾" or tgt.process.cmdline contains "🫱🏻‍🫲🏿" or tgt.process.cmdline contains "🫱🏼‍🫲🏻" or tgt.process.cmdline contains "🫱🏼‍🫲🏽" or tgt.process.cmdline contains "🫱🏼‍🫲🏾" or tgt.process.cmdline contains "🫱🏼‍🫲🏿" or tgt.process.cmdline contains "🫱🏽‍🫲🏻" or tgt.process.cmdline contains "🫱🏽‍🫲🏼" or tgt.process.cmdline contains "🫱🏽‍🫲🏾" or tgt.process.cmdline contains "🫱🏽‍🫲🏿" or 
tgt.process.cmdline contains "🫱🏾‍🫲🏻" or tgt.process.cmdline contains "🫱🏾‍🫲🏼" or tgt.process.cmdline contains "🫱🏾‍🫲🏽" or tgt.process.cmdline contains "🫱🏾‍🫲🏿" or tgt.process.cmdline contains "🫱🏿‍🫲🏻" or tgt.process.cmdline contains "🫱🏿‍🫲🏼" or tgt.process.cmdline contains "🫱🏿‍🫲🏽" or tgt.process.cmdline contains "🫱🏿‍🫲🏾" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline 
contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "💑🏻" or tgt.process.cmdline contains "💑🏼" or tgt.process.cmdline contains "💑🏽" or tgt.process.cmdline contains "💑🏾" or tgt.process.cmdline contains "💑🏿" or tgt.process.cmdline contains "💏🏻" or tgt.process.cmdline contains "💏🏼" or tgt.process.cmdline contains "💏🏽" or tgt.process.cmdline contains "💏🏾" or tgt.process.cmdline contains "💏🏿" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏾" or 
tgt.process.cmdline contains "👩🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏿" or tgt.process.cmdline 
contains "🧑🏻‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains 
"👩🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏿" or 
tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏾")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md index 7b5cf77fc..90ab8d776 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "COMPlus_ETWEnabled" or tgt.process.cmdline contains "COMPlus_ETWFlags")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
index f08b63956..5cf7e74ab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cl" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "clear-log" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "sl" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "set-log" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "logman" and tgt.process.cmdline contains "update" and tgt.process.cmdline contains "trace" and tgt.process.cmdline contains "--p" and tgt.process.cmdline contains "-ets") or tgt.process.cmdline contains "Remove-EtwTraceProvider" or (tgt.process.cmdline contains "Set-EtwTraceProvider" and tgt.process.cmdline contains "0x11")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
index a32f108e2..6f58c04bb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\wevtutil.exe" and (tgt.process.cmdline contains "clear-log " or tgt.process.cmdline contains " cl " or tgt.process.cmdline contains "set-log " or tgt.process.cmdline contains " sl " or tgt.process.cmdline contains "lfn:")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Clear-EventLog " or tgt.process.cmdline contains "Remove-EventLog " or tgt.process.cmdline contains "Limit-EventLog " or tgt.process.cmdline contains "Clear-WinEvent ")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wmic.exe") and tgt.process.cmdline contains "ClearEventLog")) and (not ((src.process.image.path in ("C:\Windows\SysWOW64\msiexec.exe","C:\Windows\System32\msiexec.exe")) and tgt.process.cmdline contains " sl "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
index c38126401..8234d8cb2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains ":\Users\Public\" and ((tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md index b2864a9b8..43dedc580 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\Perflogs\" or tgt.process.image.path contains ":\Users\All Users\" or tgt.process.image.path contains ":\Users\Default\" or tgt.process.image.path contains ":\Users\NetworkService\" or tgt.process.image.path contains ":\Windows\addins\" or tgt.process.image.path contains ":\Windows\debug\" or tgt.process.image.path contains ":\Windows\Fonts\" or tgt.process.image.path contains ":\Windows\Help\" or tgt.process.image.path contains ":\Windows\IME\" or tgt.process.image.path contains ":\Windows\Media\" or tgt.process.image.path contains ":\Windows\repair\" or tgt.process.image.path contains ":\Windows\security\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\" or tgt.process.image.path contains "$Recycle.bin" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Intel\Logs\" or tgt.process.image.path contains "\RSA\MachineKeys\") and (not (tgt.process.image.path contains "C:\Users\Public\IBM\ClientSolutions\Start_Programs\" or (tgt.process.image.path contains "C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\" and tgt.process.image.path contains "\CitrixReceiverUpdater.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md index ad7d93552..224a49b02 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "gatherNetworkInfo.vbs" and (not (tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md index ad7bb587d..66a248704 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::$index_allocation") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md index 809bdf669..89873b3e2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "type" or tgt.process.cmdline contains "file createnew" or tgt.process.cmdline contains "cacls") and tgt.process.cmdline contains "C:\Windows\Fonts\" and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh" or tgt.process.cmdline contains ".reg" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl" or tgt.process.cmdline contains ".inf" or tgt.process.cmdline contains ".cpl" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".msi" or tgt.process.cmdline contains ".vbs"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md index 95d85fb9e..1ed2d2add 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "А" or tgt.process.cmdline contains "В" or tgt.process.cmdline contains "Е" or tgt.process.cmdline contains "К" or tgt.process.cmdline contains "М" or tgt.process.cmdline contains "Н" or tgt.process.cmdline contains "О" or tgt.process.cmdline contains "Р" or tgt.process.cmdline contains "С" or tgt.process.cmdline contains "Т" or tgt.process.cmdline contains "Х" or tgt.process.cmdline contains "Ѕ" or tgt.process.cmdline contains "І" or tgt.process.cmdline contains "Ј" or tgt.process.cmdline contains "Ү" or tgt.process.cmdline contains "Ӏ" or tgt.process.cmdline contains "Ԍ" or tgt.process.cmdline contains "Ԛ" or tgt.process.cmdline contains "Ԝ" or tgt.process.cmdline contains "Α" or tgt.process.cmdline contains "Β" or tgt.process.cmdline contains "Ε" or tgt.process.cmdline contains "Ζ" or tgt.process.cmdline contains "Η" or tgt.process.cmdline contains "Ι" or tgt.process.cmdline contains "Κ" or tgt.process.cmdline contains "Μ" or tgt.process.cmdline contains "Ν" or tgt.process.cmdline contains "Ο" or tgt.process.cmdline contains "Ρ" or tgt.process.cmdline contains "Τ" or tgt.process.cmdline contains "Υ" or tgt.process.cmdline contains "Χ") or (tgt.process.cmdline contains "а" or tgt.process.cmdline contains "е" or tgt.process.cmdline contains "о" or tgt.process.cmdline contains "р" or tgt.process.cmdline contains "с" or tgt.process.cmdline contains "х" or tgt.process.cmdline contains "ѕ" or tgt.process.cmdline contains "і" or tgt.process.cmdline contains "ӏ" or tgt.process.cmdline contains "ј" or tgt.process.cmdline contains "һ" or tgt.process.cmdline contains "ԁ" or tgt.process.cmdline contains "ԛ" or tgt.process.cmdline contains "ԝ" or tgt.process.cmdline contains "ο"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md index 5d59f9ef0..a15cd6f8e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((not tgt.process.image.path contains "\") and (not (not (tgt.process.image.path matches "\.*") or (tgt.process.image.path in ("-","")) or ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or (tgt.process.cmdline in ("Registry","MemCompression","vmmem"))))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md index de204fc08..a95c72895 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "TVqQAAMAAAAEAAAA" or tgt.process.cmdline contains "TVpQAAIAAAAEAA8A" or tgt.process.cmdline contains "TVqAAAEAAAAEABAA" or tgt.process.cmdline contains "TVoAAAAAAAAAAAAA" or tgt.process.cmdline contains "TVpTAQEAAAAEAAAA")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md index 5ba6f5075..200c1c7ad 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "AddSecurityPackage" or tgt.process.cmdline contains "AdjustTokenPrivileges" or tgt.process.cmdline contains "Advapi32" or tgt.process.cmdline contains "CloseHandle" or tgt.process.cmdline contains "CreateProcessWithToken" or tgt.process.cmdline contains "CreatePseudoConsole" or tgt.process.cmdline contains "CreateRemoteThread" or tgt.process.cmdline contains "CreateThread" or tgt.process.cmdline contains "CreateUserThread" or tgt.process.cmdline contains "DangerousGetHandle" or tgt.process.cmdline contains "DuplicateTokenEx" or tgt.process.cmdline contains "EnumerateSecurityPackages" or tgt.process.cmdline contains "FreeHGlobal" or tgt.process.cmdline contains "FreeLibrary" or tgt.process.cmdline contains "GetDelegateForFunctionPointer" or tgt.process.cmdline contains "GetLogonSessionData" or tgt.process.cmdline contains "GetModuleHandle" or tgt.process.cmdline contains "GetProcAddress" or tgt.process.cmdline contains "GetProcessHandle" or tgt.process.cmdline contains "GetTokenInformation" or tgt.process.cmdline contains "ImpersonateLoggedOnUser" or tgt.process.cmdline contains "kernel32" or tgt.process.cmdline contains "LoadLibrary" or tgt.process.cmdline contains "memcpy" or tgt.process.cmdline contains "MiniDumpWriteDump" or tgt.process.cmdline contains "ntdll" or tgt.process.cmdline contains "OpenDesktop" or tgt.process.cmdline contains "OpenProcess" or tgt.process.cmdline contains "OpenProcessToken" or tgt.process.cmdline contains "OpenThreadToken" or tgt.process.cmdline contains "OpenWindowStation" or tgt.process.cmdline contains "PtrToString" or tgt.process.cmdline contains "QueueUserApc" or tgt.process.cmdline contains "ReadProcessMemory" or tgt.process.cmdline contains "RevertToSelf" or 
tgt.process.cmdline contains "RtlCreateUserThread" or tgt.process.cmdline contains "secur32" or tgt.process.cmdline contains "SetThreadToken" or tgt.process.cmdline contains "VirtualAlloc" or tgt.process.cmdline contains "VirtualFree" or tgt.process.cmdline contains "VirtualProtect" or tgt.process.cmdline contains "WaitForSingleObject" or tgt.process.cmdline contains "WriteInt32" or tgt.process.cmdline contains "WriteProcessMemory" or tgt.process.cmdline contains "ZeroFreeGlobalAllocUnicode") and (not (tgt.process.image.path contains "\MpCmdRun.exe" and tgt.process.cmdline contains "GetLoadLibraryWAddress32")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md index f5a57c786..f629e68c0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "eyJ0eXAiOi" or tgt.process.cmdline contains "eyJhbGciOi" or tgt.process.cmdline contains " eyJ0eX" or tgt.process.cmdline contains " \"eyJ0eX\"" or tgt.process.cmdline contains " 'eyJ0eX'" or tgt.process.cmdline contains " eyJhbG" or tgt.process.cmdline contains " \"eyJhbG\"" or tgt.process.cmdline contains " 'eyJhbG'")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md index f7e6e5754..c32ea6ed9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains " /c" and tgt.process.cmdline contains "dir " and tgt.process.cmdline contains "\Users\")) and (not tgt.process.cmdline contains " rmdir ")) or (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "user") and (not (tgt.process.cmdline contains "/domain" or tgt.process.cmdline contains "/add" or tgt.process.cmdline contains "/delete" or tgt.process.cmdline contains "/active" or tgt.process.cmdline contains "/expires" or tgt.process.cmdline contains "/passwordreq" or tgt.process.cmdline contains "/scriptpath" or tgt.process.cmdline contains "/times" or tgt.process.cmdline contains "/workstations"))) or ((tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\quser.exe" or tgt.process.image.path contains "\qwinsta.exe") or (tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "useraccount" and tgt.process.cmdline contains "get")) or (tgt.process.image.path contains "\cmdkey.exe" and tgt.process.cmdline contains " /l")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md index addb5dbdf..1ad426d5b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lsass.dmp" or tgt.process.cmdline contains "lsass.zip" or tgt.process.cmdline contains "lsass.rar" or tgt.process.cmdline contains "Andrew.dmp" or tgt.process.cmdline contains "Coredump.dmp" or tgt.process.cmdline contains "NotLSASS.zip" or tgt.process.cmdline contains "lsass_2" or tgt.process.cmdline contains "lsassdump" or tgt.process.cmdline contains "lsassdmp") or (tgt.process.cmdline contains "lsass" and tgt.process.cmdline contains ".dmp") or (tgt.process.cmdline contains "SQLDmpr" and tgt.process.cmdline contains ".mdmp") or (tgt.process.cmdline contains "nanodump" and tgt.process.cmdline contains ".dmp"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md index 3dc7b3e54..bf50305ac 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ms-appinstaller://*source=*" and tgt.process.cmdline contains "http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md index 886980cee..5404061e3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ipconfig /all" or tgt.process.cmdline contains "netsh interface show interface" or tgt.process.cmdline contains "arp -a" or tgt.process.cmdline contains "nbtstat -n" or tgt.process.cmdline contains "net config" or tgt.process.cmdline contains "route print")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md index cf9117598..c1405f1ba 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "for " or tgt.process.cmdline contains "foreach ") and (tgt.process.cmdline contains "nslookup" or tgt.process.cmdline contains "ping"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md index 4b3de7b60..d2ef5f151 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\tshark.exe" and tgt.process.cmdline contains "-i") or tgt.process.image.path contains "\windump.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md index ad22d4e40..dd8cf6717 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md index 38fc42c53..2a215a199 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains ".bin" or tgt.process.image.path contains ".cgi" or tgt.process.image.path contains ".com" or tgt.process.image.path contains ".exe" or tgt.process.image.path contains ".scr" or tgt.process.image.path contains ".tmp")) and (not ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or tgt.process.image.path contains ":\Windows\Installer\MSI" or tgt.process.image.path contains ":\Windows\System32\DriverStore\FileRepository\" or (tgt.process.image.path contains ":\Config.Msi\" and (tgt.process.image.path contains ".rbf" or tgt.process.image.path contains ".rbs")) or (src.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\Temp\") or tgt.process.image.path contains ":\$Extend\$Deleted\" or (tgt.process.image.path in ("-","")) or not (tgt.process.image.path matches "\.*"))) and (not (src.process.image.path contains ":\ProgramData\Avira\" or (tgt.process.image.path contains "NVIDIA\NvBackend\" and tgt.process.image.path contains ".dat") or ((tgt.process.image.path contains ":\Program Files (x86)\WINPAKPRO\" or tgt.process.image.path contains ":\Program Files\WINPAKPRO\") and tgt.process.image.path contains ".ngn") or (tgt.process.image.path contains ":\Program Files (x86)\MyQ\Server\pcltool.dll" or tgt.process.image.path contains ":\Program Files\MyQ\Server\pcltool.dll") or (tgt.process.image.path contains "\AppData\Local\Packages\" and tgt.process.image.path contains "\LocalState\rootfs\") or tgt.process.image.path contains "\LZMA_EXE" or tgt.process.image.path contains ":\Program Files\Mozilla Firefox\" or (src.process.image.path="C:\Windows\System32\services.exe" and tgt.process.image.path contains "com.docker.service"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md index 424c33bd9..0a035131e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add") or (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "set-itemproperty" or tgt.process.cmdline contains " sp " or tgt.process.cmdline contains "new-itemproperty")) and (tgt.process.integrityLevel="Medium" and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "Services") and (tgt.process.cmdline contains "ImagePath" or tgt.process.cmdline contains "FailureCommand" or tgt.process.cmdline contains "ServiceDLL")))) | columns EventID,tgt.process.integrityLevel,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md index 414332caa..a5674bb16 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\NTDSDump.exe" or tgt.process.image.path contains "\NTDSDumpEx.exe") or (tgt.process.cmdline contains "ntds.dit" and tgt.process.cmdline contains "system.hiv") or tgt.process.cmdline contains "NTDSgrab.ps1") or (tgt.process.cmdline contains "ac i ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "/c copy " and tgt.process.cmdline contains "\windows\ntds\ntds.dit") or (tgt.process.cmdline contains "activate instance ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "ntds.dit")) or (tgt.process.cmdline contains "ntds.dit" and ((src.process.image.path contains "\apache" or src.process.image.path contains "\tomcat" or src.process.image.path contains "\AppData\" or src.process.image.path contains "\Temp\" or src.process.image.path contains "\Public\" or src.process.image.path contains "\PerfLogs\") or (tgt.process.image.path contains "\apache" or tgt.process.image.path contains "\tomcat" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Temp\" or tgt.process.image.path contains "\Public\" or tgt.process.image.path contains "\PerfLogs\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md index c5e261e18..75c0d584d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Win32_NTEventlogFile" and (tgt.process.cmdline contains ".BackupEventlog(" or tgt.process.cmdline contains ".ChangeSecurityPermissions(" or tgt.process.cmdline contains ".ChangeSecurityPermissionsEx(" or tgt.process.cmdline contains ".ClearEventLog(" or tgt.process.cmdline contains ".Delete(" or tgt.process.cmdline contains ".DeleteEx(" or tgt.process.cmdline contains ".Rename(" or tgt.process.cmdline contains ".TakeOwnerShip(" or tgt.process.cmdline contains ".TakeOwnerShipEx("))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md index c6ad3cbe4..5c7290e4d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1\" or tgt.process.cmdline contains "~2\") and (not ((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe","C:\Program Files\GPSoftware\Directory Opus\dopus.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or src.process.image.path contains "\veam.backup.shell.exe" or src.process.image.path contains "\winget.exe" or src.process.image.path contains "\Everything\Everything.exe") or src.process.image.path contains "\AppData\Local\Temp\WinGet\" or (tgt.process.cmdline contains "\appdata\local\webex\webex64\meetings\wbxreport.exe" or tgt.process.cmdline contains "C:\Program Files\Git\post-install.bat" or tgt.process.cmdline contains "C:\Program Files\Git\cmd\scalar.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md index 2b4264b7c..558faea45 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1\" or tgt.process.image.path contains "~2\") and (not (((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.displayName="InstallShield (R)" or tgt.process.displayName="InstallShield (R) Setup Engine" or tgt.process.publisher="InstallShield Software Corporation") or ((tgt.process.image.path contains "\AppData\" and tgt.process.image.path contains "\Temp\") or (tgt.process.image.path contains "~1\unzip.exe" or tgt.process.image.path contains "~1\7zG.exe")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md index b44f0a977..95c753387 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1.exe" or tgt.process.cmdline contains "~1.bat" or tgt.process.cmdline contains "~1.msi" or tgt.process.cmdline contains "~1.vbe" or tgt.process.cmdline contains "~1.vbs" or tgt.process.cmdline contains "~1.dll" or tgt.process.cmdline contains "~1.ps1" or tgt.process.cmdline contains "~1.js" or tgt.process.cmdline contains "~1.hta" or tgt.process.cmdline contains "~2.exe" or tgt.process.cmdline contains "~2.bat" or tgt.process.cmdline contains "~2.msi" or tgt.process.cmdline contains "~2.vbe" or tgt.process.cmdline contains "~2.vbs" or tgt.process.cmdline contains "~2.dll" or tgt.process.cmdline contains "~2.ps1" or tgt.process.cmdline contains "~2.js" or tgt.process.cmdline contains "~2.hta") and (not ((src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.cmdline contains "C:\xampp\vcredist\VCREDI~1.EXE")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md index cbdd940bb..40e7f4a50 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1.bat" or tgt.process.image.path contains "~1.dll" or tgt.process.image.path contains "~1.exe" or tgt.process.image.path contains "~1.hta" or tgt.process.image.path contains "~1.js" or tgt.process.image.path contains "~1.msi" or tgt.process.image.path contains "~1.ps1" or tgt.process.image.path contains "~1.tmp" or tgt.process.image.path contains "~1.vbe" or tgt.process.image.path contains "~1.vbs" or tgt.process.image.path contains "~2.bat" or tgt.process.image.path contains "~2.dll" or tgt.process.image.path contains "~2.exe" or tgt.process.image.path contains "~2.hta" or tgt.process.image.path contains "~2.js" or tgt.process.image.path contains "~2.msi" or tgt.process.image.path contains "~2.ps1" or tgt.process.image.path contains "~2.tmp" or tgt.process.image.path contains "~2.vbe" or tgt.process.image.path contains "~2.vbs") and (not src.process.image.path="C:\Windows\explorer.exe") and (not (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or tgt.process.image.path="C:\PROGRA~1\WinZip\WZPREL~1.EXE" or tgt.process.image.path contains "\VCREDI~1.EXE")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md index 521ca0104..045fca51e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "DownloadFile" or tgt.process.cmdline contains "DownloadString") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md index b8fa2cf81..56350707c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\arp.exe") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md index 4f69b44a4..3a4b5aa0b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\minesweeper.exe" or src.process.image.path contains "\winver.exe" or src.process.image.path contains "\bitsadmin.exe") or ((src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\certutil.exe" or src.process.image.path contains "\eventvwr.exe" or src.process.image.path contains "\calc.exe" or src.process.image.path contains "\notepad.exe") and (not ((tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\wermgr.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\mmc.exe" or tgt.process.image.path contains "\win32calc.exe" or tgt.process.image.path contains "\notepad.exe") or not (tgt.process.image.path matches "\.*")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md index 9630c0c4c..9bac56b16 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -u system " or tgt.process.cmdline contains " --user system " or tgt.process.cmdline contains " -u NT" or tgt.process.cmdline contains " -u \"NT" or tgt.process.cmdline contains " -u 'NT" or tgt.process.cmdline contains " --system " or tgt.process.cmdline contains " -u administrator ") and (tgt.process.cmdline contains " -c cmd" or tgt.process.cmdline contains " -c \"cmd" or tgt.process.cmdline contains " -c powershell" or tgt.process.cmdline contains " -c \"powershell" or tgt.process.cmdline contains " --command cmd" or tgt.process.cmdline contains " --command powershell" or tgt.process.cmdline contains " -c whoami" or tgt.process.cmdline contains " -c wscript" or tgt.process.cmdline contains " -c cscript"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md index 5a65477d1..7b0ee7810 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\lsaiso.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe") and (not (((src.process.image.path contains "\SavService.exe" or src.process.image.path contains "\ngen.exe") or (src.process.image.path contains "\System32\" or src.process.image.path contains "\SysWOW64\")) or ((src.process.image.path contains "\Windows Defender\" or src.process.image.path contains "\Microsoft Security Client\") and src.process.image.path contains "\MsMpEng.exe") or (not (src.process.image.path matches "\.*") or src.process.image.path="-"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md index 2469f997c..ab0954d6c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\CVE-202" or tgt.process.image.path contains "\CVE202") or (tgt.process.image.path contains "\poc.exe" or tgt.process.image.path contains "\artifact.exe" or tgt.process.image.path contains "\artifact64.exe" or tgt.process.image.path contains "\artifact_protected.exe" or tgt.process.image.path contains "\artifact32.exe" or tgt.process.image.path contains "\artifact32big.exe" or tgt.process.image.path contains "obfuscated.exe" or tgt.process.image.path contains "obfusc.exe" or tgt.process.image.path contains "\meterpreter")) or (tgt.process.cmdline contains "inject.ps1" or tgt.process.cmdline contains "Invoke-CVE" or tgt.process.cmdline contains "pupy.ps1" or tgt.process.cmdline contains "payload.ps1" or tgt.process.cmdline contains "beacon.ps1" or tgt.process.cmdline contains "PowerView.ps1" or tgt.process.cmdline contains "bypass.ps1" or tgt.process.cmdline contains "obfuscated.ps1" or tgt.process.cmdline contains "obfusc.ps1" or tgt.process.cmdline contains "obfus.ps1" or tgt.process.cmdline contains "obfs.ps1" or tgt.process.cmdline contains "evil.ps1" or tgt.process.cmdline contains "MiniDogz.ps1" or tgt.process.cmdline contains "_enc.ps1" or tgt.process.cmdline contains "\shell.ps1" or tgt.process.cmdline contains "\rshell.ps1" or tgt.process.cmdline contains "revshell.ps1" or tgt.process.cmdline contains "\av.ps1" or tgt.process.cmdline contains "\av_test.ps1" or tgt.process.cmdline contains "adrecon.ps1" or tgt.process.cmdline contains "mimikatz.ps1" or tgt.process.cmdline contains "\PowerUp_" or tgt.process.cmdline contains "powerup.ps1" or tgt.process.cmdline contains "\Temp\a.ps1" or tgt.process.cmdline contains "\Temp\p.ps1" or tgt.process.cmdline contains "\Temp\1.ps1" or tgt.process.cmdline 
contains "Hound.ps1" or tgt.process.cmdline contains "encode.ps1" or tgt.process.cmdline contains "powercat.ps1"))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md index 6be862d85..a6a7b5d59 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "RECYCLERS.BIN\" or tgt.process.image.path contains "RECYCLER.BIN\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md index 5f1410cd6..bbe47b116 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ">" and (tgt.process.cmdline contains "\\127.0.0.1\admin$\" or tgt.process.cmdline contains "\\localhost\admin$\"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md index d8c5239ea..2df848d28 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":3389" and (tgt.process.cmdline contains " -L " or tgt.process.cmdline contains " -P " or tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " -pw " or tgt.process.cmdline contains " -ssh "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md index 38fd3cc70..81c10838b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "‮") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md index f20b95c89..6e1b45558 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains "\Windows\Temp" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\Temp" or tgt.process.cmdline contains "%TEMP%" or tgt.process.cmdline contains "%TMP%" or tgt.process.cmdline contains "%LocalAppData%\Temp")) and (not (tgt.process.cmdline contains " >" or tgt.process.cmdline contains "Out-File" or tgt.process.cmdline contains "ConvertTo-Json" or tgt.process.cmdline contains "-WindowStyle hidden -Verb runAs" or tgt.process.cmdline contains "\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md index 06547f3a0..f9717711f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" and (tgt.process.cmdline contains "\NTDS.dit" or tgt.process.cmdline contains "\SYSTEM" or tgt.process.cmdline contains "\SECURITY"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md index 269d8a47c..a14808d1b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath=")) or (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName")) and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md index 9de7cf679..b6af3653c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\$Recycle.bin" or tgt.process.image.path contains "\Users\All Users\" or tgt.process.image.path contains "\Users\Default\" or tgt.process.image.path contains "\Users\Contacts\" or tgt.process.image.path contains "\Users\Searches\" or tgt.process.image.path contains "C:\Perflogs\" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Windows\Fonts\" or tgt.process.image.path contains "\Windows\IME\" or tgt.process.image.path contains "\Windows\addins\") and (src.process.image.path contains "\services.exe" or src.process.image.path contains "\svchost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md index 4f5c50d62..f27c2c175 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\regsvr32.exe") and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\mshta.exe")) and (not (tgt.process.image.path contains "\ccmcache\" or (src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1" or src.process.cmdline contains "\nessus_") or tgt.process.cmdline contains "\nessus_" or (src.process.image.path contains "\mshta.exe" and tgt.process.image.path contains "\mshta.exe" and (src.process.cmdline contains "C:\MEM_Configmgr_" and src.process.cmdline contains "\splash.hta" and src.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}") and (tgt.process.cmdline contains "C:\MEM_Configmgr_" and tgt.process.cmdline contains "\SMSSETUP\BIN\" and tgt.process.cmdline contains "\autorun.hta" and tgt.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}")))))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path,tgt.process.image.path,src.process.image.path ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md index 71a596007..26a216871 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":\Windows\Sysnative\" or tgt.process.image.path contains ":\Windows\Sysnative\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md index 2a45baa68..d2e51613a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\atbroker.exe" or tgt.process.image.path contains "\audiodg.exe" or tgt.process.image.path contains "\bcdedit.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certreq.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmstp.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\consent.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\dashost.exe" or tgt.process.image.path contains "\defrag.exe" or tgt.process.image.path contains "\dfrgui.exe" or tgt.process.image.path contains "\dism.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\dllhst3g.exe" or tgt.process.image.path contains "\dwm.exe" or tgt.process.image.path contains "\eventvwr.exe" or tgt.process.image.path contains "\logonui.exe" or tgt.process.image.path contains "\LsaIso.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\ntoskrnl.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\runonce.exe" or tgt.process.image.path contains "\RuntimeBroker.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\sihost.exe" or 
tgt.process.image.path contains "\smartscreen.exe" or tgt.process.image.path contains "\smss.exe" or tgt.process.image.path contains "\spoolsv.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\Taskmgr.exe" or tgt.process.image.path contains "\userinit.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe" or tgt.process.image.path contains "\winver.exe" or tgt.process.image.path contains "\wlanext.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wsmprovhost.exe") and (not ((tgt.process.image.path contains "C:\$WINDOWS.~BT\" or tgt.process.image.path contains "C:\$WinREAgent\" or tgt.process.image.path contains "C:\Windows\SoftwareDistribution\" or tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SystemTemp\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\uus\" or tgt.process.image.path contains "C:\Windows\WinSxS\") or (tgt.process.image.path in ("C:\Program Files\PowerShell\7\pwsh.exe","C:\Program Files\PowerShell\7-preview\pwsh.exe")) or (tgt.process.image.path contains "C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux" and tgt.process.image.path contains "\wsl.exe"))) and (not tgt.process.image.path contains "\SystemRoot\System32\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md index 59dc3cf4b..f26b26e95 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel="System" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " /urlcache " or tgt.process.cmdline contains " -urlcache " or tgt.process.cmdline="* -e* JAB*" or tgt.process.cmdline="* -e* SUVYI*" or tgt.process.cmdline="* -e* SQBFAFgA*" or tgt.process.cmdline="* -e* aWV4I*" or tgt.process.cmdline="* -e* IAB*" or tgt.process.cmdline="* -e* PAA*" or tgt.process.cmdline="* -e* aQBlAHgA*" or tgt.process.cmdline contains "vssadmin delete shadows" or tgt.process.cmdline contains "reg SAVE HKLM" or tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains "Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains " /ticket:" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "event::clear" or tgt.process.cmdline contains "event::drop" or tgt.process.cmdline contains "id::modify" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "misc::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "rpc::" or 
tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "sid::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "vault::cred" or tgt.process.cmdline contains "vault::list" or tgt.process.cmdline contains " p::d " or tgt.process.cmdline contains ";iex(" or tgt.process.cmdline contains "MiniDump" or tgt.process.cmdline contains "net user "))) and (not (tgt.process.cmdline contains "ping 127.0.0.1 -n" or (tgt.process.image.path contains "\PING.EXE" and src.process.cmdline contains "\DismFoDInstall.cmd") or src.process.image.path contains ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or ((src.process.image.path contains ":\Program Files (x86)\Java\" or src.process.image.path contains ":\Program Files\Java\") and src.process.image.path contains "\bin\javaws.exe" and (tgt.process.image.path contains ":\Program Files (x86)\Java\" or tgt.process.image.path contains ":\Program Files\Java\") and tgt.process.image.path contains "\bin\jp2launcher.exe" and tgt.process.cmdline contains " -ma "))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md index 6796a32b1..527ea06c8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SYSVOL\" and tgt.process.cmdline contains "\policies\")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md index ba8f53f85..95544f3be 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo " or tgt.process.cmdline contains "copy " or tgt.process.cmdline contains "type " or tgt.process.cmdline contains "file createnew") and (tgt.process.cmdline contains " C:\Windows\System32\Tasks\" or tgt.process.cmdline contains " C:\Windows\SysWow64\Tasks\"))) | columns tgt.process.cmdline,ParentProcess ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md index a2a6e3013..7b90c3894 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vsjitdebugger.exe" and (not (tgt.process.image.path="*\vsimmersiveactivatehelper*.exe" or tgt.process.image.path contains "\devenv.exe")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md index 20963ccb9..daf2f6ae0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "123456789" or tgt.process.cmdline contains "123123qwE" or tgt.process.cmdline contains "Asd123.aaaa" or tgt.process.cmdline contains "Decryptme" or tgt.process.cmdline contains "P@ssw0rd!" or tgt.process.cmdline contains "Pass8080" or tgt.process.cmdline contains "password123" or tgt.process.cmdline contains "test@202")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md index 2249caa41..a82c08239 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[System.Net.WebRequest]::create" or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "Invoke-RestMethod" or tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "Net.WebClient" or tgt.process.cmdline contains "Resume-BitsTransfer" or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "WinHttp.WinHttpRequest"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md
index 0534a5806..f8dda45e0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains ".exe whoami")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md
index d87b14c22..78def3ba5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\control.exe" and src.process.image.path contains "\WorkFolders.exe") and (not tgt.process.image.path="C:\Windows\System32\control.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md
index 16abfd695..bd0ac511e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "svchost.exe" and tgt.process.image.path contains "\svchost.exe") and (not ((src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\rpcnetp.exe") or not (tgt.process.cmdline matches "\.*"))))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md
index 549d9bc73..5e4a8e42f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains "\svchost.exe" and src.process.cmdline contains "termsvcs") and (not ((tgt.process.image.path contains "\rdpclip.exe" or tgt.process.image.path contains ":\Windows\System32\csrss.exe" or tgt.process.image.path contains ":\Windows\System32\wininit.exe" or tgt.process.image.path contains ":\Windows\System32\winlogon.exe") or not (tgt.process.image.path matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md
index 203ee9769..13f40bc0f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\svchost.exe" and (not ((src.process.image.path contains "\Mrt.exe" or src.process.image.path contains "\MsMpEng.exe" or src.process.image.path contains "\ngen.exe" or src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\TiWorker.exe") or not (src.process.image.path matches "\.*") or (src.process.image.path in ("-",""))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md
index c469ef5cc..93d02a8bd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -accepteula" or tgt.process.cmdline contains " /accepteula" or tgt.process.cmdline contains " –accepteula" or tgt.process.cmdline contains " —accepteula" or tgt.process.cmdline contains " ―accepteula"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md
index 36e231f36..ec5fc06eb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md
index bec36ada5..7bc5aeede 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "copy procdump" or tgt.process.cmdline contains "move procdump") or ((tgt.process.cmdline contains "copy " and tgt.process.cmdline contains ".dmp ") and (tgt.process.cmdline contains "2.dmp" or tgt.process.cmdline contains "lsass" or tgt.process.cmdline contains "out.dmp")) or (tgt.process.cmdline contains "copy lsass.exe_" or tgt.process.cmdline contains "move lsass.exe_")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md
index 992bafeda..f52c66bbc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains " /ma " or tgt.process.cmdline contains " –ma " or tgt.process.cmdline contains " —ma " or tgt.process.cmdline contains " ―ma ") and tgt.process.cmdline contains " ls"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md
index ab98ee651..b0a2ab85a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline 
contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline 
contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or 
tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline 
contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (tgt.process.cmdline contains "psexec" or tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "accepteula")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md
index deaea3dd5..4490cfbb2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "accepteula" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " \\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md
index d95f6060a..be1b88bd8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\PSEXESVC.exe" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md
index 00f1299d4..3f6d302fd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline 
contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline 
contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or 
tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline 
contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (not (tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "PsExec" or tgt.process.cmdline contains "accepteula"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md
index 192acdaa5..d5df53cb3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-c" or tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "–c" or tgt.process.cmdline contains "—c" or tgt.process.cmdline contains "―c")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md
index 519ef58bb..f7dd8d9b4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md
index b4af2b645..3e50c0a1e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\accesschk.exe" or tgt.process.image.path contains "\accesschk64.exe" or tgt.process.image.path contains "\AccessEnum.exe" or tgt.process.image.path contains "\ADExplorer.exe" or tgt.process.image.path contains "\ADExplorer64.exe" or tgt.process.image.path contains "\ADInsight.exe" or tgt.process.image.path contains "\ADInsight64.exe" or tgt.process.image.path contains "\adrestore.exe" or tgt.process.image.path contains "\adrestore64.exe" or tgt.process.image.path contains "\Autologon.exe" or tgt.process.image.path contains "\Autologon64.exe" or tgt.process.image.path contains "\Autoruns.exe" or tgt.process.image.path contains "\Autoruns64.exe" or tgt.process.image.path contains "\autorunsc.exe" or tgt.process.image.path contains "\autorunsc64.exe" or tgt.process.image.path contains "\Bginfo.exe" or tgt.process.image.path contains "\Bginfo64.exe" or tgt.process.image.path contains "\Cacheset.exe" or tgt.process.image.path contains "\Cacheset64.exe" or tgt.process.image.path contains "\Clockres.exe" or tgt.process.image.path contains "\Clockres64.exe" or tgt.process.image.path contains "\Contig.exe" or tgt.process.image.path contains "\Contig64.exe" or tgt.process.image.path contains "\Coreinfo.exe" or tgt.process.image.path contains "\Coreinfo64.exe" or tgt.process.image.path contains "\CPUSTRES.EXE" or tgt.process.image.path contains "\CPUSTRES64.EXE" or tgt.process.image.path contains "\ctrl2cap.exe" or tgt.process.image.path contains "\Dbgview.exe" or tgt.process.image.path contains "\dbgview64.exe" or tgt.process.image.path contains "\Desktops.exe" or tgt.process.image.path contains "\Desktops64.exe" or tgt.process.image.path contains "\disk2vhd.exe" or tgt.process.image.path contains 
"\disk2vhd64.exe" or tgt.process.image.path contains "\diskext.exe" or tgt.process.image.path contains "\diskext64.exe" or tgt.process.image.path contains "\Diskmon.exe" or tgt.process.image.path contains "\Diskmon64.exe" or tgt.process.image.path contains "\DiskView.exe" or tgt.process.image.path contains "\DiskView64.exe" or tgt.process.image.path contains "\du.exe" or tgt.process.image.path contains "\du64.exe" or tgt.process.image.path contains "\efsdump.exe" or tgt.process.image.path contains "\FindLinks.exe" or tgt.process.image.path contains "\FindLinks64.exe" or tgt.process.image.path contains "\handle.exe" or tgt.process.image.path contains "\handle64.exe" or tgt.process.image.path contains "\hex2dec.exe" or tgt.process.image.path contains "\hex2dec64.exe" or tgt.process.image.path contains "\junction.exe" or tgt.process.image.path contains "\junction64.exe" or tgt.process.image.path contains "\ldmdump.exe" or tgt.process.image.path contains "\listdlls.exe" or tgt.process.image.path contains "\listdlls64.exe" or tgt.process.image.path contains "\livekd.exe" or tgt.process.image.path contains "\livekd64.exe" or tgt.process.image.path contains "\loadOrd.exe" or tgt.process.image.path contains "\loadOrd64.exe" or tgt.process.image.path contains "\loadOrdC.exe" or tgt.process.image.path contains "\loadOrdC64.exe" or tgt.process.image.path contains "\logonsessions.exe" or tgt.process.image.path contains "\logonsessions64.exe" or tgt.process.image.path contains "\movefile.exe" or tgt.process.image.path contains "\movefile64.exe" or tgt.process.image.path contains "\notmyfault.exe" or tgt.process.image.path contains "\notmyfault64.exe" or tgt.process.image.path contains "\notmyfaultc.exe" or tgt.process.image.path contains "\notmyfaultc64.exe" or tgt.process.image.path contains "\ntfsinfo.exe" or tgt.process.image.path contains "\ntfsinfo64.exe" or tgt.process.image.path contains "\pendmoves.exe" or tgt.process.image.path contains "\pendmoves64.exe" or 
tgt.process.image.path contains "\pipelist.exe" or tgt.process.image.path contains "\pipelist64.exe" or tgt.process.image.path contains "\portmon.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe" or tgt.process.image.path contains "\procexp.exe" or tgt.process.image.path contains "\procexp64.exe" or tgt.process.image.path contains "\Procmon.exe" or tgt.process.image.path contains "\Procmon64.exe" or tgt.process.image.path contains "\psExec.exe" or tgt.process.image.path contains "\psExec64.exe" or tgt.process.image.path contains "\psfile.exe" or tgt.process.image.path contains "\psfile64.exe" or tgt.process.image.path contains "\psGetsid.exe" or tgt.process.image.path contains "\psGetsid64.exe" or tgt.process.image.path contains "\psInfo.exe" or tgt.process.image.path contains "\psInfo64.exe" or tgt.process.image.path contains "\pskill.exe" or tgt.process.image.path contains "\pskill64.exe" or tgt.process.image.path contains "\pslist.exe" or tgt.process.image.path contains "\pslist64.exe" or tgt.process.image.path contains "\psLoggedon.exe" or tgt.process.image.path contains "\psLoggedon64.exe" or tgt.process.image.path contains "\psloglist.exe" or tgt.process.image.path contains "\psloglist64.exe" or tgt.process.image.path contains "\pspasswd.exe" or tgt.process.image.path contains "\pspasswd64.exe" or tgt.process.image.path contains "\psping.exe" or tgt.process.image.path contains "\psping64.exe" or tgt.process.image.path contains "\psService.exe" or tgt.process.image.path contains "\psService64.exe" or tgt.process.image.path contains "\psshutdown.exe" or tgt.process.image.path contains "\psshutdown64.exe" or tgt.process.image.path contains "\pssuspend.exe" or tgt.process.image.path contains "\pssuspend64.exe" or tgt.process.image.path contains "\RAMMap.exe" or tgt.process.image.path contains "\RDCMan.exe" or tgt.process.image.path contains "\RegDelNull.exe" or tgt.process.image.path contains 
"\RegDelNull64.exe" or tgt.process.image.path contains "\regjump.exe" or tgt.process.image.path contains "\ru.exe" or tgt.process.image.path contains "\ru64.exe" or tgt.process.image.path contains "\sdelete.exe" or tgt.process.image.path contains "\sdelete64.exe" or tgt.process.image.path contains "\ShareEnum.exe" or tgt.process.image.path contains "\ShareEnum64.exe" or tgt.process.image.path contains "\shellRunas.exe" or tgt.process.image.path contains "\sigcheck.exe" or tgt.process.image.path contains "\sigcheck64.exe" or tgt.process.image.path contains "\streams.exe" or tgt.process.image.path contains "\streams64.exe" or tgt.process.image.path contains "\strings.exe" or tgt.process.image.path contains "\strings64.exe" or tgt.process.image.path contains "\sync.exe" or tgt.process.image.path contains "\sync64.exe" or tgt.process.image.path contains "\Sysmon.exe" or tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\tcpvcon.exe" or tgt.process.image.path contains "\tcpvcon64.exe" or tgt.process.image.path contains "\tcpview.exe" or tgt.process.image.path contains "\tcpview64.exe" or tgt.process.image.path contains "\Testlimit.exe" or tgt.process.image.path contains "\Testlimit64.exe" or tgt.process.image.path contains "\vmmap.exe" or tgt.process.image.path contains "\vmmap64.exe" or tgt.process.image.path contains "\Volumeid.exe" or tgt.process.image.path contains "\Volumeid64.exe" or tgt.process.image.path contains "\whois.exe" or tgt.process.image.path contains "\whois64.exe" or tgt.process.image.path contains "\Winobj.exe" or tgt.process.image.path contains "\Winobj64.exe" or tgt.process.image.path contains "\ZoomIt.exe" or tgt.process.image.path contains "\ZoomIt64.exe") and (not ((tgt.process.publisher in ("Sysinternals - www.sysinternals.com","Sysinternals")) or not (tgt.process.publisher matches "\.*"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md index cb76674f4..9b8bc68d8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sysprep.exe" and tgt.process.cmdline contains "\AppData\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md index 4df5882de..3eb353f33 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\takeown.exe" and (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "/r"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md index 5d614bd06..8a7ff6f4a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tapinstall.exe" and (not ((tgt.process.image.path contains ":\Program Files\Avast Software\SecureLine VPN\" or tgt.process.image.path contains ":\Program Files (x86)\Avast Software\SecureLine VPN\") or tgt.process.image.path contains ":\Program Files\OpenVPN Connect\drivers\tap\" or tgt.process.image.path contains ":\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md index 613129fae..0e83d83dc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "taskkill" and tgt.process.cmdline contains " /F " and tgt.process.cmdline contains " /IM " and tgt.process.cmdline contains "ccSvcHst.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md index aab14feb9..f64a9969c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\taskmgr.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md index 00c1e63ff..8c3829ea0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\taskmgr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\resmon.exe" or tgt.process.image.path contains ":\Windows\System32\Taskmgr.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md index f6b6fac97..4c298f061 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Teams\Cookies" or tgt.process.cmdline contains "\Microsoft\Teams\Local Storage\leveldb") and (not tgt.process.image.path contains "\Microsoft\Teams\current\Teams.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md index 6b8de006b..85760094b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\tscon.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md index 22b805bc2..f8d6aa7c5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " /dest:rdp-tcp#") ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md index eb63602bd..6482e35e3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\changepk.exe" and src.process.image.path contains "\slui.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md index 380a3c575..8ab66397f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\"\system32\cleanmgr.exe /autoclean /d C:" and src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md index d9d8c9862..8a64197d4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and (src.process.cmdline contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or src.process.cmdline contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or src.process.cmdline contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or src.process.cmdline contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or src.process.cmdline contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md index 1a20572e5..a780f791e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel in ("High","System")) and tgt.process.image.path="C:\Windows\System32\ComputerDefaults.exe") and (not (src.process.image.path contains ":\Windows\System32" or src.process.image.path contains ":\Program Files")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md index db4693f78..037c7dbca 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\consent.exe" and tgt.process.image.path contains "\werfault.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md index 14872ebd1..1866bc429 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "C:\Users\" and src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "\DismHost.exe") and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md index 1c15ec15a..076d85251 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Event Viewer\RecentViews" or tgt.process.cmdline contains "\EventV~1\RecentViews") and tgt.process.cmdline contains ">")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md index e3606d1c9..f7130b516 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\fodhelper.exe") | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md index 3e5395e9a..98c426f17 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\mmc.exe" and src.process.cmdline contains "WF.msc") and (not tgt.process.image.path contains "\WerFault.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md index 05f61c50c..0dc7e540c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and src.process.cmdline contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md index 94e798b48..3141839cc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\ieinstal.exe" and tgt.process.image.path contains "\AppData\Local\Temp\" and tgt.process.image.path contains "consent.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md index 551b637a7..d7153b558 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\AppData\Local\Temp\pkgmgr.exe" and tgt.process.cmdline="\"C:\Windows\system32\msconfig.exe\" -5")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md index 573310c74..22afde834 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\"C:\Windows\system32\wusa.exe\" /quiet C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\update.msu" and (tgt.process.integrityLevel in ("High","System"))) or (src.process.cmdline="\"C:\Windows\system32\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\Windows\system32\pe386\" /ignorecheck" and (tgt.process.integrityLevel in ("High","System")) and (tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "\dismhost.exe {") and tgt.process.image.path contains "\DismHost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md index ab2bf2413..3bbfe6ee5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\pkgmgr.exe" and tgt.process.image.path contains "\dism.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md index 308854df1..097df2df4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "sdclt.exe" and tgt.process.integrityLevel="High")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md index 7456e9061..5418dab4b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "C:\Windows \System32\") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md index 28de1500e..a9431ca92 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\AppData\Local\Temp\system32\winsat.exe" and src.process.cmdline contains "C:\Windows \system32\winsat.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md index 5e655c1f9..e979acac2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path="C:\Program Files\Windows Media Player\osk.exe" and (tgt.process.integrityLevel in ("High","System"))) or (tgt.process.image.path="C:\Windows\System32\cmd.exe" and src.process.cmdline="\"C:\Windows\system32\mmc.exe\" \"C:\Windows\system32\eventvwr.msc\" /s" and (tgt.process.integrityLevel in ("High","System"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md index cb16cd99c..f77e65605 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsreset.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md index 1c02632cb..56659b0d5 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "-autoreconnect " and tgt.process.cmdline contains "-connect " and tgt.process.cmdline contains "-id:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md index 9eeee0607..7776cd6b8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\WindowsSensor.exe" and tgt.process.cmdline contains " /uninstall" and tgt.process.cmdline contains " /quiet")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md index e5c5153e8..72eb39372 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\userinit.exe" and (not tgt.process.image.path contains ":\WINDOWS\explorer.exe") and (not ((tgt.process.cmdline contains "netlogon.bat" or tgt.process.cmdline contains "UsrLogon.cmd") or tgt.process.cmdline="PowerShell.exe" or (tgt.process.image.path contains ":\Windows\System32\proquota.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\proquota.exe") or (tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\System32\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\System32\icast.exe") or not (tgt.process.image.path matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md
index 1b90ba8b7..02b7f9523 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "VBoxRT.dll,RTR3Init" or tgt.process.cmdline contains "VBoxC.dll" or tgt.process.cmdline contains "VBoxDrv.sys") or (tgt.process.cmdline contains "startvm" or tgt.process.cmdline contains "controlvm"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md
index baa2c5396..85b9a38d3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VBoxDrvInst.exe" and (tgt.process.cmdline contains "driver" and tgt.process.cmdline contains "executeinf"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md
index bfcc5c2bf..021ce24aa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\code.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe") or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-Expressions" or tgt.process.cmdline contains "IEX" or tgt.process.cmdline contains "Invoke-Command" or tgt.process.cmdline contains "ICM" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript")) or (tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Temp\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md
index e72245248..eaf0912b7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\servers\Stable-" and src.process.image.path contains "\server\node.exe" and src.process.cmdline contains ".vscode-server") and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline contains "\terminal\browser\media\shellIntegration.ps1") or (tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\bash.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md
index 6b5af8e5e..a1d4e7150 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "tunnel " and tgt.process.cmdline contains "service" and tgt.process.cmdline contains "internal-run" and tgt.process.cmdline contains "tunnel-service.log"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md
index 0bf0d8342..37e00dd18 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\vsls-agent.exe" and tgt.process.cmdline contains "--agentExtensionPath") and (not tgt.process.cmdline contains "Microsoft.VisualStudio.LiveShare.Agent."))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md
index d47ee71ef..af6e674fd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe") and (not (tgt.process.image.path contains "C:\Windows\WinSxS\" or tgt.process.image.path contains "C:\Program Files\Windows Mail\" or tgt.process.image.path contains "C:\Program Files (x86)\Windows Mail\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md
index 175dfb95a..21206d928 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe")) or (src.process.image.path contains "\wab.exe" or src.process.image.path contains "\wabmig.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md
index 6deea3a61..596f3f333 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\explorer.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and tgt.process.cmdline contains "\DavWWWRoot\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md
index 64d41e0d3..aac9d97db 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\w3wp.exe") and (tgt.process.cmdline contains "&ipconfig&echo" or tgt.process.cmdline contains "&quser&echo" or tgt.process.cmdline contains "&whoami&echo" or tgt.process.cmdline contains "&c:&echo" or tgt.process.cmdline contains "&cd&echo" or tgt.process.cmdline contains "&dir&echo" or tgt.process.cmdline contains "&echo [E]" or tgt.process.cmdline contains "&echo [S]")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md
index c0c6c22be..414579ed0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "catalina.jar" or tgt.process.cmdline contains "CATALINA_HOME"))) and ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "comsvcs") or (tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " a " and tgt.process.cmdline contains " -m") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " user " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " localgroup " and tgt.process.cmdline contains " administrators " and tgt.process.cmdline contains "/add") or (tgt.process.image.path contains "\ntdsutil.exe" or tgt.process.image.path contains "\ldifde.exe" or tgt.process.image.path contains "\adfind.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\Nanodump.exe" or tgt.process.image.path contains "\vssadmin.exe" or tgt.process.image.path contains "\fsutil.exe") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " 
/ticket:" or tgt.process.cmdline contains " sekurlsa" or tgt.process.cmdline contains ".dmp full" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "process call create" or tgt.process.cmdline contains "reg save " or tgt.process.cmdline contains "whoami /priv"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md
index d59df219b..d72601e7f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\php.exe" or src.process.image.path contains "\tomcat.exe" or src.process.image.path contains "\UMWorkerProcess.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_TomcatService.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.cmdline contains "CATALINA_HOME" or src.process.cmdline contains "catalina.home" or src.process.cmdline contains "catalina.jar"))) and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\at.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dsget.exe" or tgt.process.image.path contains "\hostname.exe" or tgt.process.image.path contains "\nbtstat.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netdom.exe" or tgt.process.image.path contains "\netsh.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ntdutil.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains 
"\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\qprocess.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\qwinsta.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sc.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wusa.exe") and (not ((src.process.image.path contains "\java.exe" and tgt.process.cmdline contains "Windows\system32\cmd.exe /c C:\ManageEngine\ADManager \"Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") or (src.process.image.path contains "\java.exe" and (tgt.process.cmdline contains "sc query" and tgt.process.cmdline contains "ADManager Plus"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md
index 246121bd4..a72783cb9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "CATALINA_HOME" or tgt.process.cmdline contains "catalina.jar"))) and (tgt.process.cmdline contains "perl --help" or tgt.process.cmdline contains "perl -h" or tgt.process.cmdline contains "python --help" or tgt.process.cmdline contains "python -h" or tgt.process.cmdline contains "python3 --help" or tgt.process.cmdline contains "python3 -h" or tgt.process.cmdline contains "wget --help")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md
index e480e93cd..6b0cea1bb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wermgr.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\ipconfig.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "C:\Windows\system32\WerConCpl.dll" and tgt.process.cmdline contains "LaunchErcApp ") and (tgt.process.cmdline contains "-queuereporting" or tgt.process.cmdline contains "-responsepester")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md
index a01fbeaec..857f6774e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wermgr.exe" and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\WinSxS\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md
index d65bb0231..1f72d07f3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WindowsTerminal.exe" or src.process.image.path contains "\wt.exe") and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\csc.exe") or (tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Windows\TEMP\") or (tgt.process.cmdline contains " iex " or tgt.process.cmdline contains " icm" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Import-Module " or tgt.process.cmdline contains "ipmo " or tgt.process.cmdline contains "DownloadString(" or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " /k " or tgt.process.cmdline contains " /r "))) and (not ((tgt.process.cmdline contains "Import-Module" and tgt.process.cmdline contains "Microsoft.VisualStudio.DevShell.dll" and tgt.process.cmdline contains "Enter-VsDevShell") or (tgt.process.cmdline contains "\AppData\Local\Packages\Microsoft.WindowsTerminal_" and tgt.process.cmdline contains "\LocalState\settings.json") or (tgt.process.cmdline contains "C:\Program Files\Microsoft Visual Studio\" and tgt.process.cmdline contains "\Common7\Tools\VsDevCmd.bat")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md
index 68608fa42..20de287ac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (tgt.process.cmdline contains ".dmp" or tgt.process.cmdline contains ".dump" or tgt.process.cmdline contains ".hdmp")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md
index d11b4e99a..b96a51d7c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (not (tgt.process.image.path contains "\UnRAR.exe" or (tgt.process.image.path contains ":\Program Files (x86)\WinRAR\" or tgt.process.image.path contains ":\Program Files\WinRAR\"))) and (not tgt.process.image.path contains ":\Windows\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md
index 8ea0b4f52..620013b43 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "winrm" and ((tgt.process.cmdline contains "format:pretty" or tgt.process.cmdline contains "format:\"pretty\"" or tgt.process.cmdline contains "format:\"text\"" or tgt.process.cmdline contains "format:text") and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md
index 9a809c285..c6c771636 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsmprovhost.exe" or src.process.image.path contains "\wsmprovhost.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md
index 151d6c6e4..dbbefdf41 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wsmprovhost.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md
index 0d68c33c5..4f48eddd4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "winzip.exe" or tgt.process.cmdline contains "winzip64.exe") and tgt.process.cmdline contains "-s\"" and (tgt.process.cmdline contains " -min " or tgt.process.cmdline contains " -a ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
index c2e2567b7..271a426cf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\EdgeTransport.exe" and (not (tgt.process.image.path="C:\Windows\System32\conhost.exe" or (tgt.process.image.path contains "C:\Program Files\Microsoft\Exchange Server\" and tgt.process.image.path contains "\Bin\OleConverter.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
index d507b5673..c190cda19 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="C:\WINDOWS\system32\wbem\scrcons.exe" and src.process.image.path="C:\Windows\System32\svchost.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md
index 2fa374dcd..2991c60a0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 08-10-2024 01:19:09):
+// Translated content (automatically translated on 09-10-2024 01:18:40):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ActiveScriptEventConsumer" and tgt.process.cmdline contains " CREATE ")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md
index 1401ac924..995b09561 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "process " and tgt.process.cmdline contains "call " and tgt.process.cmdline contains "create ") and (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "%temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md index 80e5d7745..9f46bdfff 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "product where " and tgt.process.cmdline contains "call" and tgt.process.cmdline contains "uninstall" and tgt.process.cmdline contains "/nointeractive") or ((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "caption like ") and (tgt.process.cmdline contains "call delete" or tgt.process.cmdline contains "call terminate")) or (tgt.process.cmdline contains "process " and tgt.process.cmdline contains "where " and tgt.process.cmdline contains "delete")) and (tgt.process.cmdline contains "%carbon%" or tgt.process.cmdline contains "%cylance%" or tgt.process.cmdline contains "%endpoint%" or tgt.process.cmdline contains "%eset%" or tgt.process.cmdline contains "%malware%" or tgt.process.cmdline contains "%Sophos%" or tgt.process.cmdline contains "%symantec%" or tgt.process.cmdline contains "Antivirus" or tgt.process.cmdline contains "AVG " or tgt.process.cmdline contains "Carbon Black" or tgt.process.cmdline contains "CarbonBlack" or tgt.process.cmdline contains "Cb Defense Sensor 64-bit" or tgt.process.cmdline contains "Crowdstrike Sensor" or tgt.process.cmdline contains "Cylance " or tgt.process.cmdline contains "Dell Threat Defense" or tgt.process.cmdline contains "DLP Endpoint" or tgt.process.cmdline contains "Endpoint Detection" or tgt.process.cmdline contains "Endpoint Protection" or tgt.process.cmdline contains "Endpoint Security" or tgt.process.cmdline contains "Endpoint Sensor" or tgt.process.cmdline contains "ESET File Security" or tgt.process.cmdline contains "LogRhythm System Monitor Service" or tgt.process.cmdline contains "Malwarebytes" or tgt.process.cmdline contains "McAfee Agent" or tgt.process.cmdline contains "Microsoft Security Client" 
or tgt.process.cmdline contains "Sophos Anti-Virus" or tgt.process.cmdline contains "Sophos AutoUpdate" or tgt.process.cmdline contains "Sophos Credential Store" or tgt.process.cmdline contains "Sophos Management Console" or tgt.process.cmdline contains "Sophos Management Database" or tgt.process.cmdline contains "Sophos Management Server" or tgt.process.cmdline contains "Sophos Remote Management System" or tgt.process.cmdline contains "Sophos Update Manager" or tgt.process.cmdline contains "Threat Protection" or tgt.process.cmdline contains "VirusScan" or tgt.process.cmdline contains "Webroot SecureAnywhere" or tgt.process.cmdline contains "Windows Defender"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md index 8b6a5c967..37156218a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "-format" or tgt.process.cmdline contains "/format" or tgt.process.cmdline contains "–format" or tgt.process.cmdline contains "—format" or tgt.process.cmdline contains "―format")) and (not (tgt.process.cmdline contains "Format:List" or tgt.process.cmdline contains "Format:htable" or tgt.process.cmdline contains "Format:hform" or tgt.process.cmdline contains "Format:table" or tgt.process.cmdline contains "Format:mof" or tgt.process.cmdline contains "Format:value" or tgt.process.cmdline contains "Format:rawxml" or tgt.process.cmdline contains "Format:xml" or tgt.process.cmdline contains "Format:csv")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md index 067ba3396..1b862fc66 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wbem\WmiPrvSE.exe" and ((tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\verclsid.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript"))) and (not (tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\WmiPrvSE.exe" or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.cmdline contains "/i "))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md index 425d6827e..7b0e12e67 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path="C:\Windows\System32\wpbbin.exe") ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md index 21bb3b269..cc20d3a46 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\") and (tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".jse" or tgt.process.cmdline contains ".vba" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".wsf"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md index daffc6a23..3301aaf46 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\rundll32.exe" or ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and ((tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec")))) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "UpdatePerUserSystemParameters" or tgt.process.cmdline contains "PrintUIEntry" or tgt.process.cmdline contains "ClearMyTracksByProcess"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md index 2192b0b1a..43c48a0a5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wsl.exe" or src.process.image.path contains "\wslhost.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "C:\Windows\Temp\" or tgt.process.image.path contains "C:\Temp\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md index 363891b6a..0fff87c8c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path matches "[a-zA-Z]:\\\\" and tgt.process.image.path contains "\\wsl.localhost")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md index 8eeec2f2e..1560bb904 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wusa.exe" and tgt.process.cmdline contains "/extract:") and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\Appdata\Local\Temp\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md index 55f00eb1d..5fc2e7c9a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wusa.exe" and ((src.process.image.path contains ":\Perflogs\" or src.process.image.path contains ":\Users\Public\" or src.process.image.path contains ":\Windows\Temp\" or src.process.image.path contains "\Appdata\Local\Temp\" or src.process.image.path contains "\Temporary Internet") or ((src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favorites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favourites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Contacts\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Pictures\"))) and (not tgt.process.cmdline contains ".msu"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md index f2d1b62a8..ba59c305b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 08-10-2024 01:19:09): +// Translated content (automatically translated on 09-10-2024 01:18:40): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="RunWizard" and tgt.process.cmdline matches "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}")) ``` diff --git a/sigma b/sigma index 5b59c6d11..f33530e75 160000 --- a/sigma +++ b/sigma 
@@ -1 +1 @@ -Subproject commit 5b59c6d1153a36602c1aa1b4fa8080482613a1db +Subproject commit f33530e7561d98bc6f898f5a9137c3b2a7159a1b