From 959d1bd9ff6e102dd5b4ef39ad3b8390ec90d69b Mon Sep 17 00:00:00 2001 
From: wikijm Date: Thu, 10 Oct 2024 01:18:48 +0000 Subject: [PATCH] Apply automatic changes --- .../proc_creation_win_addinutil_uncommon_child_process.md | 2 +- .../proc_creation_win_appvlp_uncommon_child_process.md | 2 +- .../proc_creation_win_aspnet_compiler_exectuion.md | 2 +- .../proc_creation_win_aspnet_compiler_susp_child_process.md | 2 +- .../proc_creation_win_aspnet_compiler_susp_paths.md | 2 +- .../proc_creation_win_at_interactive_execution.md | 2 +- .../proc_creation_win_auditpol_nt_resource_kit_usage.md | 2 +- .../proc_creation_win_bginfo_suspicious_child_process.md | 2 +- .../proc_creation_win_bginfo_uncommon_child_process.md | 2 +- .../proc_creation_win_bitlockertogo_execution.md | 2 +- .../proc_creation_win_browsers_chromium_headless_debugging.md | 2 +- .../proc_creation_win_browsers_chromium_headless_exec.md | 2 +- ...roc_creation_win_browsers_chromium_headless_file_download.md | 2 +- .../proc_creation_win_browsers_chromium_load_extension.md | 2 +- .../proc_creation_win_browsers_chromium_mockbin_abuse.md | 2 +- .../proc_creation_win_browsers_chromium_susp_load_extension.md | 2 +- .../proc_creation_win_browsers_inline_file_download.md | 2 +- .../proc_creation_win_browsers_remote_debugging.md | 2 +- .../proc_creation_win_browsers_tor_execution.md | 2 +- .../proc_creation_win_calc_uncommon_exec.md | 2 +- .../proc_creation_win_chcp_codepage_lookup.md | 2 +- .../proc_creation_win_chcp_codepage_switch.md | 2 +- .../proc_creation_win_cloudflared_portable_execution.md | 2 +- .../proc_creation_win_cloudflared_tunnel_cleanup.md | 2 +- .../proc_creation_win_cloudflared_tunnel_run.md | 2 +- .../proc_creation_win_cmd_curl_download_exec_combo.md | 2 +- .../proc_creation_win_cmd_dosfuscation.md | 2 +- .../proc_creation_win_cmd_http_appdata.md | 2 +- ...proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md | 2 +- .../proc_creation_win_cmd_no_space_execution.md | 2 +- .../proc_creation_win_cmd_ntdllpipe_redirect.md | 2 +- 
.../proc_creation_win_cmd_ping_del_combined_execution.md | 2 +- .../proc_creation_win_cmd_shadowcopy_access.md | 2 +- .../proc_creation_win_cmd_sticky_key_like_backdoor_execution.md | 2 +- .../proc_creation_win_cmd_sticky_keys_replace.md | 2 +- .../proc_creation_win_cmd_type_arbitrary_file_download.md | 2 +- .../proc_creation_win_cmd_unusual_parent.md | 2 +- .../proc_creation_win_cmstp_execution_by_creation.md | 2 +- .../proc_creation_win_conhost_legacy_option.md | 2 +- .../proc_creation_win_conhost_path_traversal.md | 2 +- .../proc_creation_win_conhost_uncommon_parent.md | 2 +- .../proc_creation_win_csc_susp_dynamic_compilation.md | 2 +- .../proc_creation_win_curl_susp_download.md | 2 +- .../proc_creation_win_defaultpack_uncommon_child_process.md | 2 +- .../proc_creation_win_desktopimgdownldr_remote_file_download.md | 2 +- .../proc_creation_win_desktopimgdownldr_susp_execution.md | 2 +- .../proc_creation_win_devinit_lolbin_usage.md | 2 +- .../proc_creation_win_dfsvc_suspicious_child_processes.md | 2 +- .../proc_creation_win_diskshadow_child_process_susp.md | 2 +- .../proc_creation_win_dism_remove.md | 2 +- .../proc_creation_win_dll_sideload_vmware_xfer.md | 2 +- .../proc_creation_win_dllhost_no_cli_execution.md | 2 +- .../proc_creation_win_dns_exfiltration_tools_execution.md | 2 +- .../proc_creation_win_dns_susp_child_process.md | 2 +- .../proc_creation_win_dnscmd_discovery.md | 2 +- ...c_creation_win_dnscmd_install_new_server_level_plugin_dll.md | 2 +- .../proc_creation_win_dnx_execute_csharp_code.md | 2 +- .../proc_creation_win_dtrace_kernel_dump.md | 2 +- .../proc_creation_win_esentutl_params.md | 2 +- .../proc_creation_win_eventvwr_susp_child_process.md | 2 +- .../proc_creation_win_expand_cabinet_files.md | 2 +- .../proc_creation_win_explorer_break_process_tree.md | 2 +- ...oc_creation_win_explorer_folder_shortcut_via_shell_binary.md | 2 +- .../proc_creation_win_explorer_nouaccheck.md | 2 +- .../proc_creation_win_findstr_recon_pipe_output.md | 2 +- 
.../proc_creation_win_forfiles_child_process_masquerading.md | 2 +- .../proc_creation_win_format_uncommon_filesystem_load.md | 2 +- ...c_creation_win_gfxdownloadwrapper_arbitrary_file_download.md | 2 +- .../proc_creation_win_googleupdate_susp_child_process.md | 2 +- .../proc_creation_win_gpg4win_decryption.md | 2 +- .../proc_creation_win_gpg4win_encryption.md | 2 +- .../proc_creation_win_gpg4win_susp_location.md | 2 +- .../proc_creation_win_gpresult_execution.md | 2 +- .../proc_creation_win_gup_arbitrary_binary_execution.md | 2 +- .../proc_creation_win_gup_suspicious_execution.md | 2 +- .../proc_creation_win_hh_html_help_susp_child_process.md | 2 +- .../proc_creation_win_hktl_adcspwn.md | 2 +- .../proc_creation_win_hktl_bloodhound_sharphound.md | 2 +- .../proc_creation_win_hktl_c3_rundll32_pattern.md | 2 +- .../proc_creation_win_hktl_cobaltstrike_process_patterns.md | 2 +- .../proc_creation_win_hktl_covenant.md | 2 +- .../proc_creation_win_hktl_crackmapexec_execution.md | 2 +- .../proc_creation_win_hktl_crackmapexec_execution_patterns.md | 2 +- .../proc_creation_win_hktl_crackmapexec_patterns.md | 2 +- .../proc_creation_win_hktl_dinjector.md | 2 +- .../proc_creation_win_hktl_empire_powershell_launch.md | 2 +- .../proc_creation_win_hktl_empire_powershell_uac_bypass.md | 2 +- .../proc_creation_win_hktl_evil_winrm.md | 2 +- .../proc_creation_win_hktl_execution_via_pe_metadata.md | 2 +- .../proc_creation_win_hktl_hashcat.md | 2 +- .../proc_creation_win_hktl_htran_or_natbypass.md | 2 +- .../proc_creation_win_hktl_hydra.md | 2 +- .../proc_creation_win_hktl_impacket_lateral_movement.md | 2 +- .../proc_creation_win_hktl_impacket_tools.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_clip.md | 2 +- ...on_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_stdin.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_var.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_compress.md | 2 +- 
.../proc_creation_win_hktl_invoke_obfuscation_via_stdin.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md | 2 +- .../proc_creation_win_hktl_invoke_obfuscation_via_var.md | 2 +- .../proc_creation_win_hktl_jlaive_batch_execution.md | 2 +- .../proc_creation_win_hktl_lazagne.md | 2 +- .../proc_creation_win_hktl_meterpreter_getsystem.md | 2 +- .../proc_creation_win_hktl_mimikatz_command_line.md | 2 +- ...roc_creation_win_hktl_powersploit_empire_default_schtasks.md | 2 +- .../proc_creation_win_hktl_pypykatz.md | 2 +- .../proc_creation_win_hktl_quarks_pwdump.md | 2 +- .../proc_creation_win_hktl_redmimicry_winnti_playbook.md | 2 +- .../proc_creation_win_hktl_relay_attacks_tools.md | 2 +- .../proc_creation_win_hktl_sharp_chisel.md | 2 +- .../proc_creation_win_hktl_sharpersist.md | 2 +- .../proc_creation_win_hktl_sharpevtmute.md | 2 +- .../proc_creation_win_hktl_sharpup.md | 2 +- .../proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md | 2 +- .../proc_creation_win_hktl_silenttrinity_stager.md | 2 +- .../proc_creation_win_hktl_sliver_c2_execution_pattern.md | 2 +- .../proc_creation_win_hktl_soaphound_execution.md | 2 +- .../proc_creation_win_hktl_winpwn.md | 2 +- .../proc_creation_win_hktl_wmiexec_default_powershell.md | 2 +- .../proc_creation_win_hktl_xordump.md | 2 +- .../proc_creation_win_hktl_zipexec.md | 2 +- .../proc_creation_win_hostname_execution.md | 2 +- .../proc_creation_win_hwp_exploits.md | 2 +- .../proc_creation_win_hxtsr_masquerading.md | 2 +- .../proc_creation_win_iis_susp_module_registration.md | 2 +- .../proc_creation_win_imagingdevices_unusual_parents.md | 2 +- .../proc_creation_win_infdefaultinstall_execute_sct_scripts.md | 2 +- .../proc_creation_win_instalutil_no_log_execution.md | 2 +- .../proc_creation_win_java_keytool_susp_child_process.md | 2 +- .../proc_creation_win_java_manageengine_susp_child_process.md | 2 +- 
.../proc_creation_win_java_remote_debugging.md | 2 +- .../proc_creation_win_java_susp_child_process.md | 2 +- .../proc_creation_win_java_susp_child_process_2.md | 2 +- .../proc_creation_win_java_sysaidserver_susp_child_process.md | 2 +- .../proc_creation_win_kavremover_uncommon_execution.md | 2 +- .../proc_creation_win_link_uncommon_parent_process.md | 2 +- .../proc_creation_win_lolbin_customshellhost.md | 2 +- .../proc_creation_win_lolbin_device_credential_deployment.md | 2 +- .../proc_creation_win_lolbin_devtoolslauncher.md | 2 +- .../proc_creation_win_lolbin_diantz_ads.md | 2 +- .../proc_creation_win_lolbin_diantz_remote_cab.md | 2 +- .../proc_creation_win_lolbin_extrac32_ads.md | 2 +- .../proc_creation_win_lolbin_launch_vsdevshell.md | 2 +- .../proc_creation_win_lolbin_mavinject_process_injection.md | 2 +- .../proc_creation_win_lolbin_msdeploy.md | 2 +- .../proc_creation_win_lolbin_msdt_answer_file.md | 2 +- .../proc_creation_win_lolbin_openwith.md | 2 +- .../proc_creation_win_lolbin_pcalua.md | 2 +- .../proc_creation_win_lolbin_pcwrun.md | 2 +- .../proc_creation_win_lolbin_pcwrun_follina.md | 2 +- .../proc_creation_win_lolbin_pester.md | 2 +- .../proc_creation_win_lolbin_pester_1.md | 2 +- .../proc_creation_win_lolbin_printbrm.md | 2 +- .../proc_creation_win_lolbin_pubprn.md | 2 +- .../proc_creation_win_lolbin_register_app.md | 2 +- .../proc_creation_win_lolbin_replace.md | 2 +- .../proc_creation_win_lolbin_runexehelper.md | 2 +- .../proc_creation_win_lolbin_runscripthelper.md | 2 +- .../proc_creation_win_lolbin_settingsynchost.md | 2 +- .../proc_creation_win_lolbin_sftp.md | 2 +- ...proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md | 2 +- .../proc_creation_win_lolbin_susp_grpconv.md | 2 +- .../proc_creation_win_lolbin_susp_sqldumper_activity.md | 2 +- ...ation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md | 2 +- .../proc_creation_win_lolbin_tracker.md | 2 +- .../proc_creation_win_lolbin_tttracer_mod_load.md | 2 +- 
.../proc_creation_win_lolbin_utilityfunctions.md | 2 +- .../proc_creation_win_lolbin_visual_basic_compiler.md | 2 +- .../proc_creation_win_lsass_process_clone.md | 2 +- .../proc_creation_win_mftrace_child_process.md | 2 +- .../proc_creation_win_mmc_mmc20_lateral_movement.md | 2 +- .../proc_creation_win_mmc_susp_child_process.md | 2 +- .../proc_creation_win_mpcmdrun_dll_sideload_defender.md | 2 +- .../proc_creation_win_mshta_inline_vbscript.md | 2 +- .../proc_creation_win_mshta_lethalhta_technique.md | 2 +- .../proc_creation_win_mshta_susp_execution.md | 2 +- .../proc_creation_win_msiexec_embedding.md | 2 +- .../proc_creation_win_msiexec_execute_dll.md | 2 +- .../proc_creation_win_msiexec_web_install.md | 2 +- .../proc_creation_win_msra_process_injection.md | 2 +- .../proc_creation_win_mssql_susp_child_process.md | 2 +- .../proc_creation_win_mssql_veaam_susp_child_processes.md | 2 +- .../proc_creation_win_mstsc_rdp_hijack_shadowing.md | 2 +- .../proc_creation_win_msxsl_execution.md | 2 +- .../proc_creation_win_msxsl_remote_execution.md | 2 +- .../proc_creation_win_node_abuse.md | 2 +- .../proc_creation_win_node_adobe_creative_cloud_abuse.md | 2 +- .../proc_creation_win_nslookup_domain_discovery.md | 2 +- .../proc_creation_win_ntdsutil_usage.md | 2 +- .../proc_creation_win_odbcconf_uncommon_child_process.md | 2 +- ...roc_creation_win_office_onenote_embedded_script_execution.md | 2 +- ...eation_win_office_outlook_enable_unsafe_client_mail_rules.md | 2 +- .../proc_creation_win_office_outlook_execution_from_temp.md | 2 +- .../proc_creation_win_office_outlook_susp_child_processes.md | 2 +- ...c_creation_win_office_outlook_susp_child_processes_remote.md | 2 +- .../proc_creation_win_office_spawn_exe_from_users_directory.md | 2 +- .../proc_creation_win_pdqdeploy_runner_susp_children.md | 2 +- .../proc_creation_win_ping_hex_ip.md | 2 +- .../proc_creation_win_plink_port_forwarding.md | 2 +- .../proc_creation_win_plink_susp_tunneling.md | 2 +- 
.../proc_creation_win_powershell_amsi_init_failed_bypass.md | 2 +- .../proc_creation_win_powershell_amsi_null_bits_bypass.md | 2 +- .../proc_creation_win_powershell_audio_capture.md | 2 +- .../proc_creation_win_powershell_base64_encoded_obfusc.md | 2 +- .../proc_creation_win_powershell_base64_frombase64string.md | 2 +- .../proc_creation_win_powershell_base64_iex.md | 2 +- .../proc_creation_win_powershell_base64_mppreference.md | 2 +- ...c_creation_win_powershell_base64_reflection_assembly_load.md | 2 +- ...ion_win_powershell_base64_reflection_assembly_load_obfusc.md | 2 +- .../proc_creation_win_powershell_cl_invocation.md | 2 +- .../proc_creation_win_powershell_cl_loadassembly.md | 2 +- .../proc_creation_win_powershell_cl_mutexverifiers.md | 2 +- .../proc_creation_win_powershell_create_service.md | 2 +- .../proc_creation_win_powershell_decode_gzip.md | 2 +- .../proc_creation_win_powershell_defender_disable_feature.md | 2 +- .../proc_creation_win_powershell_defender_exclusion.md | 2 +- .../proc_creation_win_powershell_disable_ie_features.md | 2 +- .../proc_creation_win_powershell_downgrade_attack.md | 2 +- .../proc_creation_win_powershell_download_com_cradles.md | 2 +- .../proc_creation_win_powershell_download_cradle_obfuscated.md | 2 +- .../proc_creation_win_powershell_download_cradles.md | 2 +- .../proc_creation_win_powershell_download_dll.md | 2 +- .../proc_creation_win_powershell_download_iex.md | 2 +- .../proc_creation_win_powershell_dsinternals_cmdlets.md | 2 +- .../proc_creation_win_powershell_email_exfil.md | 2 +- ...ation_win_powershell_enable_susp_windows_optional_feature.md | 2 +- .../proc_creation_win_powershell_encode.md | 2 +- .../proc_creation_win_powershell_exec_data_file.md | 2 +- .../proc_creation_win_powershell_export_certificate.md | 2 +- .../proc_creation_win_powershell_frombase64string.md | 2 +- .../proc_creation_win_powershell_frombase64string_archive.md | 2 +- .../proc_creation_win_powershell_get_clipboard.md | 2 +- 
.../proc_creation_win_powershell_get_localgroup_member_recon.md | 2 +- .../proc_creation_win_powershell_getprocess_lsass.md | 2 +- .../proc_creation_win_powershell_iex_patterns.md | 2 +- .../proc_creation_win_powershell_import_cert_susp_locations.md | 2 +- .../proc_creation_win_powershell_import_module_susp_dirs.md | 2 +- .../proc_creation_win_powershell_invocation_specific.md | 2 +- .../proc_creation_win_powershell_mailboxexport_share.md | 2 +- .../proc_creation_win_powershell_malicious_cmdlets.md | 2 +- .../proc_creation_win_powershell_msexchange_transport_agent.md | 2 +- .../proc_creation_win_powershell_obfuscation_via_utf8.md | 2 +- .../proc_creation_win_powershell_public_folder.md | 2 +- ...roc_creation_win_powershell_remotefxvgpudisablement_abuse.md | 2 +- .../proc_creation_win_powershell_remove_mppreference.md | 2 +- .../proc_creation_win_powershell_run_script_from_ads.md | 2 +- ...proc_creation_win_powershell_run_script_from_input_stream.md | 2 +- .../proc_creation_win_powershell_sam_access.md | 2 +- .../proc_creation_win_powershell_script_engine_parent.md | 2 +- .../proc_creation_win_powershell_shadowcopy_deletion.md | 2 +- .../proc_creation_win_powershell_susp_download_patterns.md | 2 +- .../proc_creation_win_powershell_susp_parameter_variation.md | 2 +- .../proc_creation_win_powershell_susp_ps_appdata.md | 2 +- .../proc_creation_win_powershell_susp_ps_downloadfile.md | 2 +- .../proc_creation_win_powershell_token_obfuscation.md | 2 +- .../proc_creation_win_powershell_x509enrollment.md | 2 +- .../proc_creation_win_powershell_zip_compress.md | 2 +- .../proc_creation_win_pressanykey_lolbin_execution.md | 2 +- .../proc_creation_win_print_remote_file_copy.md | 2 +- .../proc_creation_win_provlaunch_potential_abuse.md | 2 +- .../proc_creation_win_provlaunch_susp_child_process.md | 2 +- .../proc_creation_win_psr_capture_screenshots.md | 2 +- .../proc_creation_win_pua_3proxy_execution.md | 2 +- .../proc_creation_win_pua_adfind_enumeration.md | 2 +- 
.../proc_creation_win_pua_adfind_susp_usage.md | 2 +- .../proc_creation_win_pua_advancedrun_priv_user.md | 2 +- .../proc_creation_win_pua_chisel.md | 2 +- .../proc_creation_win_pua_cleanwipe.md | 2 +- .../proc_creation_win_pua_csexec.md | 2 +- .../proc_creation_win_pua_defendercheck.md | 2 +- .../proc_creation_win_pua_ditsnap.md | 2 +- .../proc_creation_win_pua_mouselock_execution.md | 2 +- .../proc_creation_win_pua_netcat.md | 2 +- .../proc_creation_win_pua_netscan.md | 2 +- .../proc_creation_win_pua_ngrok.md | 2 +- .../proc_creation_win_pua_nircmd_as_system.md | 2 +- .../proc_creation_win_pua_rcedit_execution.md | 2 +- .../proc_creation_win_pua_rclone_execution.md | 2 +- .../proc_creation_win_pua_runxcmd.md | 2 +- .../proc_creation_win_pua_webbrowserpassview.md | 2 +- .../proc_creation_win_python_adidnsdump.md | 2 +- .../proc_creation_win_python_pty_spawn.md | 2 +- .../proc_creation_win_qemu_suspicious_execution.md | 2 +- .../proc_creation_win_query_session_exfil.md | 2 +- .../proc_creation_win_rar_compress_data.md | 2 +- .../proc_creation_win_rar_compression_with_password.md | 2 +- .../proc_creation_win_rar_susp_greedy_compression.md | 2 +- .../proc_creation_win_rasdial_execution.md | 2 +- .../proc_creation_win_reg_add_run_key.md | 2 +- .../proc_creation_win_reg_bitlocker.md | 2 +- ...oc_creation_win_reg_credential_access_via_password_filter.md | 2 +- .../proc_creation_win_reg_defender_exclusion.md | 2 +- ...c_creation_win_reg_direct_asep_registry_keys_modification.md | 2 +- .../proc_creation_win_reg_disable_sec_services.md | 2 +- ..._creation_win_reg_enumeration_for_credentials_in_registry.md | 2 +- .../proc_creation_win_reg_lsa_disable_restricted_admin.md | 2 +- .../proc_creation_win_reg_machineguid.md | 2 +- .../proc_creation_win_reg_nolmhash.md | 2 +- .../proc_creation_win_reg_open_command.md | 2 +- .../proc_creation_win_reg_screensaver.md | 2 +- .../proc_creation_win_reg_service_imagepath_change.md | 2 +- .../proc_creation_win_reg_software_discovery.md | 2 
+- .../proc_creation_win_reg_volsnap_disable.md | 2 +- .../proc_creation_win_reg_write_protect_for_storage_disabled.md | 2 +- .../proc_creation_win_regedit_trustedinstaller.md | 2 +- .../proc_creation_win_registry_cimprovider_dll_load.md | 2 +- ...roc_creation_win_registry_enumeration_for_credentials_cli.md | 2 +- ...win_registry_ie_security_zone_protocol_defaults_downgrade.md | 2 +- .../proc_creation_win_registry_install_reg_debugger_backdoor.md | 2 +- .../proc_creation_win_registry_logon_script.md | 2 +- .../proc_creation_win_registry_new_network_provider.md | 2 +- ...tion_win_registry_office_disable_python_security_warnings.md | 2 +- ...reation_win_registry_privilege_escalation_via_service_key.md | 2 +- ...roc_creation_win_registry_provlaunch_provisioning_command.md | 2 +- ...proc_creation_win_registry_set_unsecure_powershell_policy.md | 2 +- .../proc_creation_win_registry_special_accounts_hide_user.md | 2 +- .../proc_creation_win_registry_typed_paths_persistence.md | 2 +- .../proc_creation_win_regsvr32_flags_anomaly.md | 2 +- .../proc_creation_win_regsvr32_susp_child_process.md | 2 +- .../proc_creation_win_regsvr32_susp_parent.md | 2 +- .../proc_creation_win_remote_access_tools_anydesk.md | 2 +- ...on_win_remote_access_tools_anydesk_piped_password_via_cli.md | 2 +- ...c_creation_win_remote_access_tools_anydesk_silent_install.md | 2 +- .../proc_creation_win_remote_access_tools_anydesk_susp_exec.md | 2 +- .../proc_creation_win_remote_access_tools_gotoopener.md | 2 +- .../proc_creation_win_remote_access_tools_logmein.md | 2 +- .../proc_creation_win_remote_access_tools_meshagent_exec.md | 2 +- ...eation_win_remote_access_tools_rurat_non_default_location.md | 2 +- .../proc_creation_win_remote_access_tools_screenconnect.md | 2 +- ..._remote_access_tools_screenconnect_installation_cli_param.md | 2 +- ...n_remote_access_tools_screenconnect_remote_execution_susp.md | 2 +- ...c_creation_win_remote_access_tools_screenconnect_webshell.md | 2 +- 
.../proc_creation_win_remote_access_tools_simple_help.md | 2 +- ...on_win_remote_access_tools_teamviewer_incoming_connection.md | 2 +- .../proc_creation_win_remote_time_discovery.md | 2 +- .../proc_creation_win_renamed_jusched.md | 2 +- .../proc_creation_win_renamed_rundll32_dllregisterserver.md | 2 +- .../proc_creation_win_renamed_rurat.md | 2 +- .../proc_creation_win_rpcping_credential_capture.md | 2 +- .../proc_creation_win_rundll32_inline_vbs.md | 2 +- .../proc_creation_win_rundll32_mshtml_runhtmlapplication.md | 2 +- .../proc_creation_win_rundll32_no_params.md | 2 +- .../proc_creation_win_rundll32_run_locations.md | 2 +- .../proc_creation_win_rundll32_setupapi_installhinfsection.md | 2 +- .../proc_creation_win_rundll32_spawn_explorer.md | 2 +- .../proc_creation_win_rundll32_susp_activity.md | 2 +- .../proc_creation_win_rundll32_susp_shellexec_execution.md | 2 +- .../proc_creation_win_rundll32_susp_shimcache_flush.md | 2 +- .../proc_creation_win_rundll32_sys.md | 2 +- .../proc_creation_win_rundll32_webdav_client_susp_execution.md | 2 +- .../proc_creation_win_rundll32_without_parameters.md | 2 +- .../proc_creation_win_runonce_execution.md | 2 +- ...roc_creation_win_sc_change_sevice_image_path_by_non_admin.md | 2 +- .../proc_creation_win_sc_create_service.md | 2 +- .../proc_creation_win_sc_new_kernel_driver.md | 2 +- .../proc_creation_win_sc_service_path_modification.md | 2 +- .../proc_creation_win_sc_service_tamper_for_persistence.md | 2 +- .../proc_creation_win_schtasks_appdata_local_system.md | 2 +- .../proc_creation_win_schtasks_change.md | 2 +- .../proc_creation_win_schtasks_creation.md | 2 +- .../proc_creation_win_schtasks_creation_temp_folder.md | 2 +- .../proc_creation_win_schtasks_delete.md | 2 +- .../proc_creation_win_schtasks_delete_all.md | 2 +- .../proc_creation_win_schtasks_disable.md | 2 +- .../proc_creation_win_schtasks_env_folder.md | 2 +- .../proc_creation_win_schtasks_guid_task_name.md | 2 +- 
.../proc_creation_win_schtasks_powershell_persistence.md | 2 +- .../proc_creation_win_schtasks_susp_pattern.md | 2 +- .../proc_creation_win_schtasks_system.md | 2 +- .../proc_creation_win_scrcons_susp_child_process.md | 2 +- .../proc_creation_win_sdclt_child_process.md | 2 +- .../proc_creation_win_sdiagnhost_susp_child.md | 2 +- .../proc_creation_win_servu_susp_child_process.md | 2 +- .../proc_creation_win_setres_uncommon_child_process.md | 2 +- .../proc_creation_win_shutdown_execution.md | 2 +- .../proc_creation_win_shutdown_logoff.md | 2 +- .../proc_creation_win_sigverif_uncommon_child_process.md | 2 +- .../proc_creation_win_sndvol_susp_child_processes.md | 2 +- .../proc_creation_win_soundrecorder_audio_capture.md | 2 +- .../proc_creation_win_splwow64_cli_anomaly.md | 2 +- .../proc_creation_win_sqlcmd_veeam_db_recon.md | 2 +- .../proc_creation_win_sqlcmd_veeam_dump.md | 2 +- .../proc_creation_win_sqlite_chromium_profile_data.md | 2 +- .../proc_creation_win_sqlite_firefox_gecko_profile_data.md | 2 +- .../proc_creation_win_squirrel_download.md | 2 +- .../proc_creation_win_squirrel_proxy_execution.md | 2 +- .../proc_creation_win_ssh_port_forward.md | 2 +- .../proc_creation_win_ssh_proxy_execution.md | 2 +- .../proc_creation_win_ssh_rdp_tunneling.md | 2 +- .../proc_creation_win_ssm_agent_abuse.md | 2 +- .../proc_creation_win_stordiag_susp_child_process.md | 2 +- .../proc_creation_win_susp_16bit_application.md | 2 +- .../proc_creation_win_susp_add_user_local_admin_group.md | 2 +- .../proc_creation_win_susp_add_user_privileged_group.md | 2 +- .../proc_creation_win_susp_add_user_remote_desktop_group.md | 2 +- .../proc_creation_win_susp_alternate_data_streams.md | 2 +- ...eation_win_susp_always_install_elevated_windows_installer.md | 2 +- .../proc_creation_win_susp_appx_execution.md | 2 +- ...ion_win_susp_arbitrary_shell_execution_via_settingcontent.md | 2 +- .../proc_creation_win_susp_archiver_iso_phishing.md | 2 +- 
.../proc_creation_win_susp_bad_opsec_sacrificial_processes.md | 2 +- ...tion_win_susp_browser_launch_from_document_reader_process.md | 2 +- .../proc_creation_win_susp_cli_obfuscation_escape_char.md | 2 +- ...proc_creation_win_susp_commandline_path_traversal_evasion.md | 2 +- .../proc_creation_win_susp_crypto_mining_monero.md | 2 +- .../proc_creation_win_susp_data_exfiltration_via_cli.md | 2 +- .../proc_creation_win_susp_disable_raccine.md | 2 +- .../proc_creation_win_susp_double_extension.md | 2 +- .../proc_creation_win_susp_double_extension_parent.md | 2 +- .../proc_creation_win_susp_download_office_domain.md | 2 +- .../proc_creation_win_susp_dumpstack_log_evasion.md | 2 +- .../proc_creation_win_susp_electron_app_children.md | 2 +- .../proc_creation_win_susp_embed_exe_lnk.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_1.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_2.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_3.md | 2 +- .../proc_creation_win_susp_emoji_usage_in_cli_4.md | 2 +- .../proc_creation_win_susp_etw_modification_cmdline.md | 2 +- .../proc_creation_win_susp_etw_trace_evasion.md | 2 +- .../proc_creation_win_susp_eventlog_clear.md | 2 +- ..._creation_win_susp_execution_from_public_folder_as_parent.md | 2 +- .../proc_creation_win_susp_execution_path.md | 2 +- .../proc_creation_win_susp_gather_network_info_execution.md | 2 +- .../proc_creation_win_susp_hidden_dir_index_allocation.md | 2 +- .../proc_creation_win_susp_hiding_malware_in_fonts_folder.md | 2 +- .../proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md | 2 +- .../proc_creation_win_susp_image_missing.md | 2 +- .../proc_creation_win_susp_inline_base64_mz_header.md | 2 +- .../proc_creation_win_susp_inline_win_api_access.md | 2 +- .../proc_creation_win_susp_jwt_token_search.md | 2 +- ...oc_creation_win_susp_local_system_owner_account_discovery.md | 2 +- .../proc_creation_win_susp_lsass_dmp_cli_keywords.md | 2 +- .../proc_creation_win_susp_ms_appinstaller_download.md | 2 
+- .../proc_creation_win_susp_network_command.md | 2 +- .../proc_creation_win_susp_network_scan_loop.md | 2 +- .../proc_creation_win_susp_network_sniffing.md | 2 +- .../proc_creation_win_susp_no_image_name.md | 2 +- .../proc_creation_win_susp_non_exe_image.md | 2 +- .../proc_creation_win_susp_non_priv_reg_or_ps.md | 2 +- .../proc_creation_win_susp_ntds.md | 2 +- .../proc_creation_win_susp_nteventlogfile_usage.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_path_use_cli.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_path_use_image.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_cli.md | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_image.md | 2 +- .../proc_creation_win_susp_obfuscated_ip_download.md | 2 +- .../proc_creation_win_susp_obfuscated_ip_via_cli.md | 2 +- .../proc_creation_win_susp_parents.md | 2 +- .../proc_creation_win_susp_privilege_escalation_cli_patterns.md | 2 +- .../proc_creation_win_susp_proc_wrong_parent.md | 2 +- .../proc_creation_win_susp_progname.md | 2 +- .../proc_creation_win_susp_recycle_bin_fake_execution.md | 2 +- .../proc_creation_win_susp_redirect_local_admin_share.md | 2 +- .../proc_creation_win_susp_remote_desktop_tunneling.md | 2 +- .../proc_creation_win_susp_right_to_left_override.md | 2 +- .../proc_creation_win_susp_script_exec_from_temp.md | 2 +- .../proc_creation_win_susp_sensitive_file_access_shadowcopy.md | 2 +- .../proc_creation_win_susp_service_creation.md | 2 +- .../proc_creation_win_susp_service_dir.md | 2 +- .../proc_creation_win_susp_shell_spawn_susp_program.md | 2 +- .../proc_creation_win_susp_sysnative.md | 2 +- .../proc_creation_win_susp_system_exe_anomaly.md | 2 +- .../proc_creation_win_susp_system_user_anomaly.md | 2 +- .../proc_creation_win_susp_sysvol_access.md | 2 +- .../proc_creation_win_susp_task_folder_evasion.md | 2 +- .../proc_creation_win_susp_use_of_vsjitdebugger_bin.md | 2 +- .../proc_creation_win_susp_weak_or_abused_passwords.md | 2 +- 
.../proc_creation_win_susp_web_request_cmd_and_cmdlets.md | 2 +- .../proc_creation_win_susp_whoami_as_param.md | 2 +- .../proc_creation_win_susp_workfolders.md | 2 +- .../proc_creation_win_svchost_execution_with_no_cli_flags.md | 2 +- .../proc_creation_win_svchost_termserv_proc_spawn.md | 2 +- .../proc_creation_win_svchost_uncommon_parent_process.md | 2 +- .../proc_creation_win_sysinternals_eula_accepted.md | 2 +- .../proc_creation_win_sysinternals_procdump.md | 2 +- .../proc_creation_win_sysinternals_procdump_evasion.md | 2 +- .../proc_creation_win_sysinternals_procdump_lsass.md | 2 +- ...c_creation_win_sysinternals_psexec_paexec_escalate_system.md | 2 +- .../proc_creation_win_sysinternals_psexec_remote_execution.md | 2 +- .../proc_creation_win_sysinternals_psexesvc_as_system.md | 2 +- .../proc_creation_win_sysinternals_susp_psexec_paexec_flags.md | 2 +- .../proc_creation_win_sysinternals_sysmon_config_update.md | 2 +- .../proc_creation_win_sysinternals_sysmon_uninstall.md | 2 +- .../proc_creation_win_sysinternals_tools_masquerading.md | 2 +- .../proc_creation_win_sysprep_appdata.md | 2 +- .../proc_creation_win_takeown_recursive_own.md | 2 +- .../proc_creation_win_tapinstall_execution.md | 2 +- .../proc_creation_win_taskkill_sep.md | 2 +- .../proc_creation_win_taskmgr_localsystem.md | 2 +- .../proc_creation_win_taskmgr_susp_child_process.md | 2 +- ...oc_creation_win_teams_suspicious_command_line_cred_access.md | 2 +- .../proc_creation_win_tscon_localsystem.md | 2 +- .../proc_creation_win_tscon_rdp_redirect.md | 2 +- .../proc_creation_win_uac_bypass_changepk_slui.md | 2 +- .../proc_creation_win_uac_bypass_cleanmgr.md | 2 +- .../proc_creation_win_uac_bypass_cmstp_com_object_access.md | 2 +- .../proc_creation_win_uac_bypass_computerdefaults.md | 2 +- .../proc_creation_win_uac_bypass_consent_comctl32.md | 2 +- .../proc_creation_win_uac_bypass_dismhost.md | 2 +- .../proc_creation_win_uac_bypass_eventvwr_recentviews.md | 2 +- 
.../proc_creation_win_uac_bypass_fodhelper.md | 2 +- .../proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md | 2 +- .../proc_creation_win_uac_bypass_idiagnostic_profile.md | 2 +- .../proc_creation_win_uac_bypass_ieinstal.md | 2 +- .../proc_creation_win_uac_bypass_msconfig_gui.md | 2 +- .../proc_creation_win_uac_bypass_ntfs_reparse_point.md | 2 +- .../proc_creation_win_uac_bypass_pkgmgr_dism.md | 2 +- .../proc_creation_win_uac_bypass_sdclt.md | 2 +- .../proc_creation_win_uac_bypass_trustedpath.md | 2 +- .../proc_creation_win_uac_bypass_winsat.md | 2 +- .../proc_creation_win_uac_bypass_wmp.md | 2 +- .../proc_creation_win_uac_bypass_wsreset_integrity_level.md | 2 +- .../proc_creation_win_ultravnc_susp_execution.md | 2 +- .../proc_creation_win_uninstall_crowdstrike_falcon.md | 2 +- .../proc_creation_win_userinit_uncommon_child_processes.md | 2 +- .../proc_creation_win_virtualbox_execution.md | 2 +- .../proc_creation_win_virtualbox_vboxdrvinst_execution.md | 2 +- .../proc_creation_win_vscode_child_processes_anomalies.md | 2 +- .../proc_creation_win_vscode_tunnel_remote_shell_.md | 2 +- .../proc_creation_win_vscode_tunnel_service_install.md | 2 +- .../proc_creation_win_vslsagent_agentextensionpath_load.md | 2 +- ...proc_creation_win_wab_execution_from_non_default_location.md | 2 +- .../proc_creation_win_wab_unusual_parents.md | 2 +- .../proc_creation_win_webdav_lnk_execution.md | 2 +- .../proc_creation_win_webshell_chopper.md | 2 +- .../proc_creation_win_webshell_hacking.md | 2 +- ...creation_win_webshell_susp_process_spawned_from_webserver.md | 2 +- .../proc_creation_win_webshell_tool_recon.md | 2 +- .../proc_creation_win_wermgr_susp_child_process.md | 2 +- .../proc_creation_win_wermgr_susp_exec_location.md | 2 +- .../proc_creation_win_windows_terminal_susp_children.md | 2 +- .../proc_creation_win_winrar_exfil_dmp_files.md | 2 +- .../proc_creation_win_winrar_uncommon_folder_execution.md | 2 +- .../proc_creation_win_winrm_awl_bypass.md | 2 +- 
...proc_creation_win_winrm_remote_powershell_session_process.md | 2 +- .../proc_creation_win_winrm_susp_child_process.md | 2 +- .../proc_creation_win_winzip_password_compression.md | 2 +- .../proc_creation_win_wmi_backdoor_exchange_transport_agent.md | 2 +- .../proc_creation_win_wmi_persistence_script_event_consumer.md | 2 +- .../proc_creation_win_wmic_eventconsumer_creation.md | 2 +- .../proc_creation_win_wmic_susp_process_creation.md | 2 +- .../proc_creation_win_wmic_uninstall_security_products.md | 2 +- .../proc_creation_win_wmic_xsl_script_processing.md | 2 +- .../proc_creation_win_wmiprvse_susp_child_processes.md | 2 +- .../proc_creation_win_wpbbin_potential_persistence.md | 2 +- .../proc_creation_win_wscript_cscript_dropper.md | 2 +- .../proc_creation_win_wscript_cscript_susp_child_processes.md | 2 +- .../proc_creation_win_wsl_child_processes_anomalies.md | 2 +- .../proc_creation_win_wsl_windows_binaries_execution.md | 2 +- ...oc_creation_win_wusa_cab_files_extraction_from_susp_paths.md | 2 +- .../proc_creation_win_wusa_susp_parent_execution.md | 2 +- .../proc_creation_win_xwizard_runwizard_com_object_exec.md | 2 +- 555 files changed, 555 insertions(+), 555 deletions(-)
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
index 4be9404da..4a586af09 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\addinutil.exe" and (not (tgt.process.image.path contains ":\Windows\System32\conhost.exe" or tgt.process.image.path contains ":\Windows\System32\werfault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\werfault.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md
index 426394b2b..312a79605 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\appvlp.exe" and (not (tgt.process.image.path contains ":\Windows\SysWOW64\rundll32.exe" or tgt.process.image.path contains ":\Windows\System32\rundll32.exe")) and (not ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\msoasb.exe") or ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\SkypeSrv\") and tgt.process.image.path contains "\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\MSOUC.EXE")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md
index 38807970b..08349e0f4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md
index ea97c3f73..fcdc14af8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\aspnet_compiler.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\notepad.exe") or (tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\AppData\Local\Roaming\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md index f2bcbc50d..a19b2523e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe" and (tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Local\Roaming\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains ":\Windows\System32\Tasks\" or tgt.process.cmdline contains ":\Windows\Tasks\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md index 1ea718f7f..07b7f42fb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\at.exe" and tgt.process.cmdline contains "interactive")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md index de7cc0ff9..7496abe92 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md index 7c019005f..f42c3c035 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\" or tgt.process.image.path contains "\AppData\Roaming\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\PerfLogs\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md index 83ed19c37..f6423538f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md index 951891b9c..c9f08dfd4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\BitLockerToGo.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md index bef88b714..87f0c9230 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--remote-debugging-" and tgt.process.cmdline contains "--user-data-dir" and tgt.process.cmdline contains "--headless")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md index 966ca69fa..873e50591 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md index 0cf2626da..7121eb7ff 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and (tgt.process.cmdline contains "--headless" and tgt.process.cmdline contains "dump-dom" and tgt.process.cmdline contains "http"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md index d584f2e4c..3328eb6c0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md index 9a7865290..dab2717c5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless" and (tgt.process.cmdline contains "://run.mocky" or tgt.process.cmdline contains "://mockbin"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md index 23e9ff85f..2f6816f9e 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\wscript.exe") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md index 53f70b987..6b701ea16 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http" and (tgt.process.cmdline contains ".7z" or tgt.process.cmdline contains ".dat" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".ps1" or tgt.process.cmdline contains ".psm1" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".zip"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md index f0784a9b4..86905a673 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --remote-debugging-" or (tgt.process.image.path contains "\firefox.exe" and tgt.process.cmdline contains " -start-debugger-server"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md index ae86da6f3..b86ae3a24 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tor.exe" or tgt.process.image.path contains "\Tor Browser\Browser\firefox.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md index aa0de0316..045ec4df6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\calc.exe " or (tgt.process.image.path contains "\calc.exe" and (not (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\" or tgt.process.image.path contains ":\Windows\WinSxS\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md index 3cab93a70..c7ff9cfde 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\cmd.exe" and (src.process.cmdline contains " -c " or src.process.cmdline contains " /c " or src.process.cmdline contains " –c " or src.process.cmdline contains " —c " or src.process.cmdline contains " ―c " or src.process.cmdline contains " -r " or src.process.cmdline contains " /r " or src.process.cmdline contains " –r " or src.process.cmdline contains " —r " or src.process.cmdline contains " ―r " or src.process.cmdline contains " -k " or src.process.cmdline contains " /k " or src.process.cmdline contains " –k " or src.process.cmdline contains " —k " or src.process.cmdline contains " ―k ") and tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains "chcp" or tgt.process.cmdline contains "chcp " or tgt.process.cmdline contains "chcp "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md index f1af810da..b50c20634 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains " 936" or tgt.process.cmdline contains " 1258"))) | columns src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md index ad51af08d..982f57cd9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cloudflared.exe" and (not (tgt.process.image.path contains ":\Program Files (x86)\cloudflared\" or tgt.process.image.path contains ":\Program Files\cloudflared\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md index 91e0f0324..7a597408e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains "cleanup ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-connector-id "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md index 73f2aa280..278de6500 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains " run ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-credentials-contents " or tgt.process.cmdline contains "-credentials-file " or tgt.process.cmdline contains "-token "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md index d6e48ad2a..67e42feab 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " –c " or tgt.process.cmdline contains " —c " or tgt.process.cmdline contains " ―c ") and (tgt.process.cmdline contains "curl " and tgt.process.cmdline contains "http" and tgt.process.cmdline contains "-o" and tgt.process.cmdline contains "&"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md index aa755e089..f50439416 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "^^" or tgt.process.cmdline contains "^|^" or tgt.process.cmdline contains ",;," or tgt.process.cmdline contains ";;;;" or tgt.process.cmdline contains ";; ;;" or tgt.process.cmdline contains "(,(," or tgt.process.cmdline contains "%COMSPEC:~" or tgt.process.cmdline contains " c^m^d" or tgt.process.cmdline contains "^c^m^d" or tgt.process.cmdline contains " c^md" or tgt.process.cmdline contains " cm^d" or tgt.process.cmdline contains "^cm^d" or tgt.process.cmdline contains " s^et " or tgt.process.cmdline contains " s^e^t " or tgt.process.cmdline contains " se^t ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md index 0d1bf050f..ac0400709 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "://" and tgt.process.cmdline contains "%AppData%"))) | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md index 93a748bb8..721b5b9b3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "mklink" and tgt.process.cmdline contains "HarddiskVolumeShadowCopy")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md index 79efaa03d..4f331dc98 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "cmd.exe/c" or tgt.process.cmdline contains "\cmd/c" or tgt.process.cmdline contains "\"cmd/c" or tgt.process.cmdline contains "cmd.exe/k" or tgt.process.cmdline contains "\cmd/k" or tgt.process.cmdline contains "\"cmd/k" or tgt.process.cmdline contains "cmd.exe/r" or tgt.process.cmdline contains "\cmd/r" or tgt.process.cmdline contains "\"cmd/r") or (tgt.process.cmdline contains "/cwhoami" or tgt.process.cmdline contains "/cpowershell" or tgt.process.cmdline contains "/cschtasks" or tgt.process.cmdline contains "/cbitsadmin" or tgt.process.cmdline contains "/ccertutil" or tgt.process.cmdline contains "/kwhoami" or tgt.process.cmdline contains "/kpowershell" or tgt.process.cmdline contains "/kschtasks" or tgt.process.cmdline contains "/kbitsadmin" or tgt.process.cmdline contains "/kcertutil") or (tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /r")) and (not ((tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /r ") or (tgt.process.cmdline contains "AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules" or tgt.process.cmdline contains "cmd.exe/c ." or tgt.process.cmdline="cmd.exe /c"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md index 42d00e165..56f6120c1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "type %windir%\system32\ntdll.dll" or tgt.process.cmdline contains "type %systemroot%\system32\ntdll.dll" or tgt.process.cmdline contains "type c:\windows\system32\ntdll.dll" or tgt.process.cmdline contains "\ntdll.dll > \\.\pipe\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md index cfa847a00..e0b66d064 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ") and tgt.process.cmdline contains "Nul" and (tgt.process.cmdline contains " -f " or tgt.process.cmdline contains " /f " or tgt.process.cmdline contains " –f " or tgt.process.cmdline contains " —f " or tgt.process.cmdline contains " ―f " or tgt.process.cmdline contains " -q " or tgt.process.cmdline contains " /q " or tgt.process.cmdline contains " –q " or tgt.process.cmdline contains " —q " or tgt.process.cmdline contains " ―q ") and (tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "del "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md index 134d19637..0b4f195ed 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md index 9ee66c73b..4e6e45272 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\winlogon.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "Magnify.exe" or tgt.process.cmdline contains "Narrator.exe" or tgt.process.cmdline contains "DisplaySwitch.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md index 4ec0f000f..d207e335b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "/y " and tgt.process.cmdline contains "C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md index a36ea0d02..7edb0e358 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > \\") or (tgt.process.cmdline contains "type \\" and tgt.process.cmdline contains " > "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md index 8597f82f0..3283e5bf3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\ctfmon.exe" or src.process.image.path contains "\dllhost.exe" or src.process.image.path contains "\epad.exe" or src.process.image.path contains "\FlashPlayerUpdateService.exe" or src.process.image.path contains "\GoogleUpdate.exe" or src.process.image.path contains "\jucheck.exe" or src.process.image.path contains "\jusched.exe" or src.process.image.path contains "\LogonUI.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\SearchIndexer.exe" or src.process.image.path contains "\SearchProtocolHost.exe" or src.process.image.path contains "\SIHClient.exe" or src.process.image.path contains "\sihost.exe" or src.process.image.path contains "\slui.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\sppsvc.exe" or src.process.image.path contains "\taskhostw.exe" or src.process.image.path contains "\unsecapp.exe" or src.process.image.path contains "\WerFault.exe" or src.process.image.path contains "\wermgr.exe" or src.process.image.path contains "\wlanext.exe" or src.process.image.path contains "\WUDFHost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md index 8500ba520..e073b2b2e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\cmstp.exe") | columns tgt.process.cmdline,src.process.cmdline,Details ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md index 053898d58..20ad868dc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.integrityLevel="High" and (tgt.process.cmdline contains "conhost.exe" and tgt.process.cmdline contains "0xffffffff" and tgt.process.cmdline contains "-ForceV1"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md index ff877d937..5e158ffe6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.cmdline contains "conhost" and tgt.process.cmdline contains "/../../")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md index 23163e5bd..4cb8184a7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\conhost.exe" and (src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\smss.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\userinit.exe" or src.process.image.path contains "\wininit.exe" or src.process.image.path contains "\winlogon.exe")) and (not (src.process.cmdline contains "-k apphost -s AppHostSvc" or src.process.cmdline contains "-k imgsvc" or src.process.cmdline contains "-k localService -p -s RemoteRegistry" or src.process.cmdline contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or src.process.cmdline contains "-k NetSvcs -p -s NcaSvc" or src.process.cmdline contains "-k netsvcs -p -s NetSetupSvc" or src.process.cmdline contains "-k netsvcs -p -s wlidsvc" or src.process.cmdline contains "-k NetworkService -p -s DoSvc" or src.process.cmdline contains "-k wsappx -p -s AppXSvc" or src.process.cmdline contains "-k wsappx -p -s ClipSVC")) and (not (src.process.cmdline contains "C:\Program Files (x86)\Dropbox\Client\" or src.process.cmdline contains "C:\Program Files\Dropbox\Client\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md index 2d5839da3..7b218cd33 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csc.exe" and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\Windows\Temp\") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Pictures\")) or tgt.process.cmdline matches "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not ((src.process.image.path contains "C:\Program Files (x86)\" or src.process.image.path contains "C:\Program Files\") or src.process.image.path="C:\Windows\System32\sdiagnhost.exe" or src.process.image.path="C:\Windows\System32\inetsrv\w3wp.exe")) and (not ((src.process.image.path in ("C:\ProgramData\chocolatey\choco.exe","C:\ProgramData\chocolatey\tools\shimgen.exe")) or src.process.cmdline contains "\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" or (src.process.cmdline contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or src.process.cmdline contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or src.process.cmdline contains 
"nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md index 414586038..95223526a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\curl.exe" or tgt.process.displayName="The curl executable") and ((tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "C:\PerfLogs\" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Windows\Temp\") or (tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".gif" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".temp" or tgt.process.cmdline contains ".tmp" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs")) and (not (src.process.image.path="C:\Program Files\Git\usr\bin\sh.exe" and tgt.process.image.path="C:\Program Files\Git\mingw64\bin\curl.exe" and (tgt.process.cmdline contains "--silent --show-error --output " and tgt.process.cmdline contains "gfw-httpget-" and tgt.process.cmdline contains "AppData"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md index 6e708c03a..65ff4a7f0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\DefaultPack.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md index 28167c812..007496a31 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\desktopimgdownldr.exe" and src.process.image.path contains "\desktopimgdownldr.exe" and tgt.process.cmdline contains "/lockscreenurl:http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md index 6cfe88078..436b3c067 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /lockscreenurl:" and (not (tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".png"))) or (tgt.process.cmdline contains "reg delete" and tgt.process.cmdline contains "\PersonalizationCSP"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md index a4c842a44..74ec0f4b8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -t msi-install " and tgt.process.cmdline contains " -i http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md index 1ed5c7032..821283571 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\AppData\Local\Apps\2.0\" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md index 4db53e8d0..c346e998d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\diskshadow.exe" and (tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md index ed0029d3d..45829f70a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\DismHost.exe" and (src.process.cmdline contains "/Online" and src.process.cmdline contains "/Disable-Feature")) or (tgt.process.image.path contains "\Dism.exe" and (tgt.process.cmdline contains "/Online" and tgt.process.cmdline contains "/Disable-Feature")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md index daf47d6ce..75274de1e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VMwareXferlogs.exe" and (not tgt.process.image.path contains "C:\Program Files\VMware\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md index 6d5c0da45..5daa56db6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dllhost.exe" and (tgt.process.cmdline in ("dllhost.exe","dllhost"))) and (not not (tgt.process.cmdline matches "\.*")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md index 8adba9e6b..ecfbe9ac2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\iodine.exe" or tgt.process.image.path contains "\dnscat2")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md index 01f2595f8..092c7250c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\dns.exe" and (not tgt.process.image.path contains "\conhost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md index 6d365c5dd..9ffdae325 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/enumrecords" or tgt.process.cmdline contains "/enumzones" or tgt.process.cmdline contains "/ZonePrint" or tgt.process.cmdline contains "/info"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md index c4d983ec8..27b18bc3c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/config" and tgt.process.cmdline contains "/serverlevelplugindll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md index ea5f51e0d..2ce6c2147 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\dnx.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md index dca52d19a..3daf76f83 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dtrace.exe" and tgt.process.cmdline contains "lkd(0)") or (tgt.process.cmdline contains "syscall:::return" and tgt.process.cmdline contains "lkd("))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md index 26e7d76ae..1e1332da4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "esentutl" and tgt.process.cmdline contains " /p")) | columns tgt.process.user,tgt.process.cmdline,src.process.cmdline,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md index c58fc20ac..6cda93630 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\eventvwr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\WerFault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\WerFault.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md index 3e5ad3a29..06caa492f 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\expand.exe" and (tgt.process.cmdline contains "-F:" or tgt.process.cmdline contains "/F:" or tgt.process.cmdline contains "–F:" or tgt.process.cmdline contains "—F:" or tgt.process.cmdline contains "―F:")) and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains ":\ProgramData" or tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\Temp" or tgt.process.cmdline contains ":\Windows\Temp") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\"))) and (not (src.process.image.path="C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe" and tgt.process.cmdline contains "C:\ProgramData\Dell\UpdateService\Temp\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md index 34a92e340..fabf96a73 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or ((tgt.process.cmdline contains "explorer.exe") and (tgt.process.cmdline contains " -root," or tgt.process.cmdline contains " /root," or tgt.process.cmdline contains " –root," or tgt.process.cmdline contains " —root," or tgt.process.cmdline contains " ―root,"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
index c232a24fb..d519573b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "shell:mycomputerfolder"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
index e907f4cac..54f873042 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "/NOUACCHECK") and (not (src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" or src.process.image.path="C:\Windows\System32\svchost.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
index a85e6fa03..fb7c41bba 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ipconfig*|*find*" or tgt.process.cmdline="*net*|*find*" or tgt.process.cmdline="*netstat*|*find*" or tgt.process.cmdline="*ping*|*find*" or tgt.process.cmdline="*systeminfo*|*find*" or tgt.process.cmdline="*tasklist*|*find*" or tgt.process.cmdline="*whoami*|*find*"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
index 9ee1c643a..aff1cfdcc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.cmdline contains ".exe" or src.process.cmdline contains ".exe\"") and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "/c echo \"") and (not ((src.process.image.path contains ":\Windows\System32\" or src.process.image.path contains ":\Windows\SysWOW64\") and src.process.image.path contains "\forfiles.exe" and (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\") and tgt.process.image.path contains "\cmd.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
index 1b413d845..28af2a122 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\format.com" and tgt.process.cmdline contains "/fs:") and (not (tgt.process.cmdline contains "/fs:exFAT" or tgt.process.cmdline contains "/fs:FAT" or tgt.process.cmdline contains "/fs:NTFS" or tgt.process.cmdline contains "/fs:ReFS" or tgt.process.cmdline contains "/fs:UDF"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
index 550e6a2b0..938808751 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\GfxDownloadWrapper.exe" and (tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://")) and (not tgt.process.cmdline contains "https://gameplayapi.intel.com/")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
index 33a25180e..960ff9f01 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\GoogleUpdate.exe" and (not ((tgt.process.image.path contains "\Google" or (tgt.process.image.path contains "\setup.exe" or tgt.process.image.path contains "chrome_updater.exe" or tgt.process.image.path contains "chrome_installer.exe")) or not (tgt.process.image.path matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
index fcba3b9b5..4ecfcabd4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -d " and tgt.process.cmdline contains "passphrase")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
index c490aa27c..b56b923d4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "passphrase")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
index 1e7b3e1d1..0cbafd29b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GNU Privacy Guard (GnuPG)" or tgt.process.displayName="GnuPG’s OpenPGP tool") and tgt.process.cmdline contains "-passphrase" and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Roaming\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
index 8e16f0063..c7b530166 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\gpresult.exe" and (tgt.process.cmdline contains "/z" or tgt.process.cmdline contains "/v")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
index be0a729cd..5e9a9149a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\gup.exe" and tgt.process.image.path contains "\explorer.exe") and (not ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "\Notepad++\notepad++.exe") or src.process.image.path contains "\Notepad++\updater\" or not (tgt.process.cmdline matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
index 0288ad59a..1e7bf0906 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\GUP.exe" and (not ((tgt.process.image.path contains "\Program Files\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\Program Files (x86)\Notepad++\updater\GUP.exe") or (tgt.process.image.path contains "\Users\" and (tgt.process.image.path contains "\AppData\Local\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\AppData\Roaming\Notepad++\updater\GUP.exe"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
index a73d47f3e..1d997a9a4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\hh.exe" and (tgt.process.image.path contains "\CertReq.exe" or tgt.process.image.path contains "\CertUtil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\installutil.exe" or tgt.process.image.path contains "\MSbuild.exe" or tgt.process.image.path contains "\MSHTA.EXE" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
index ce51e5b82..65e9e2353 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --adcs " and tgt.process.cmdline contains " --port "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
index b90411f61..a9e383b09 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName contains "SharpHound" or tgt.process.displayName contains "SharpHound" or (tgt.process.publisher contains "SpecterOps" or tgt.process.publisher contains "evil corp") or (tgt.process.image.path contains "\Bloodhound.exe" or tgt.process.image.path contains "\SharpHound.exe")) or (tgt.process.cmdline contains " -CollectionMethod All " or tgt.process.cmdline contains " --CollectionMethods Session " or tgt.process.cmdline contains " --Loop --Loopduration " or tgt.process.cmdline contains " --PortScanTimeout " or tgt.process.cmdline contains ".exe -c All -d " or tgt.process.cmdline contains "Invoke-Bloodhound" or tgt.process.cmdline contains "Get-BloodHoundData") or (tgt.process.cmdline contains " -JsonFolder " and tgt.process.cmdline contains " -ZipFileName ") or (tgt.process.cmdline contains " DCOnly " and tgt.process.cmdline contains " --NoSaveCache ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
index 802bd2a58..4dc57654c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains ".dll" and tgt.process.cmdline contains "StartNodeRelay"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
index 7e593628a..5c0ea9543 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd.exe /C whoami" and src.process.image.path contains "C:\Temp\") or ((src.process.image.path contains "\runonce.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.cmdline contains "cmd.exe /c echo" and tgt.process.cmdline contains "> \\.\pipe")) or ((src.process.cmdline contains "cmd.exe /C echo" and src.process.cmdline contains " > \\.\pipe") and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1") or (src.process.cmdline contains "/C whoami" and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
index b0507c9bb..ffd3056ed 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-Sta" and tgt.process.cmdline contains "-Nop" and tgt.process.cmdline contains "-Window" and tgt.process.cmdline contains "Hidden") and (tgt.process.cmdline contains "-Command" or tgt.process.cmdline contains "-EncodedCommand")) or (tgt.process.cmdline contains "sv o (New-Object IO.MemorySteam);sv d " or tgt.process.cmdline contains "mshta file.hta" or tgt.process.cmdline contains "GruntHTTP" or tgt.process.cmdline contains "-EncodedCommand cwB2ACAAbwAgA")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
index 4a81c72e8..0feab4823 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\crackmapexec.exe" or tgt.process.cmdline contains " -M pe_inject " or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -x ") or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -H 'NTHASH'") or (tgt.process.cmdline contains " mssql " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -d ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -H " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -o ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " --local-auth")) or ((tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p ") and (tgt.process.cmdline contains " 10." and tgt.process.cmdline contains " 192.168." and tgt.process.cmdline contains "/24 ")))) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
index bf5a3788f..dc30f1414 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*cmd.exe /Q /c * 1> \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > *\Temp\* 2>&1*" or tgt.process.cmdline contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or tgt.process.cmdline contains "powershell.exe -noni -nop -w 1 -enc "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
index 5966ca24c..bac8fe524 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "tasklist /fi " and tgt.process.cmdline contains "Imagename eq lsass.exe") and (tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd /k ") and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) or (tgt.process.cmdline contains "do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump" and tgt.process.cmdline contains "\Windows\Temp\" and tgt.process.cmdline contains " full" and tgt.process.cmdline contains "%%B") or (tgt.process.cmdline contains "tasklist /v /fo csv" and tgt.process.cmdline contains "findstr /i \"lsass\"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
index 689da0dd9..77332ef1e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /am51" and tgt.process.cmdline contains " /password"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
index 409ab479f..ddd867715 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -sta -NonI -W Hidden -Enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc " or tgt.process.cmdline contains " -NoP -NonI -W Hidden -enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc" or tgt.process.cmdline contains " -enc SQB" or tgt.process.cmdline contains " -nop -exec bypass -EncodedCommand "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
index 357b30962..38046ffc9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)" or tgt.process.cmdline contains " -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
index 85ed5f36d..412b3230a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ruby.exe" and (tgt.process.cmdline contains "-i " and tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
index f11606b70..8ea7e4816 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.publisher="Cube0x0")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
index 21a474baf..ca1a473be 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hashcat.exe" or (tgt.process.cmdline contains "-a " and tgt.process.cmdline contains "-m 1000 " and tgt.process.cmdline contains "-r ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
index 6c9abe852..5177e008e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\htran.exe" or tgt.process.image.path contains "\lcx.exe") or (tgt.process.cmdline contains ".exe -tran " or tgt.process.cmdline contains ".exe -slave ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
index 35496bd7f..2f9e0913f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ") and (tgt.process.cmdline contains "^USER^" or tgt.process.cmdline contains "^PASS^")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md
index caa15f2f9..e6f85a193 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\mmc.exe" or src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\services.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/Q" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "\\127.0.0.1\" and tgt.process.cmdline contains "&1")) or ((src.process.cmdline contains "svchost.exe -k netsvcs" or src.process.cmdline contains "taskeng.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/C" and tgt.process.cmdline contains "Windows\Temp\" and tgt.process.cmdline contains "&1")))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md
index 661f824e1..b51b663a5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\goldenPac" or tgt.process.image.path contains "\karmaSMB" or tgt.process.image.path contains "\kintercept" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\rpcdump" or tgt.process.image.path contains "\samrdump" or tgt.process.image.path contains "\secretsdump" or tgt.process.image.path contains "\smbexec" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\wmiexec" or tgt.process.image.path contains "\wmipersist") or (tgt.process.image.path contains "\atexec_windows.exe" or tgt.process.image.path contains "\dcomexec_windows.exe" or tgt.process.image.path contains "\dpapi_windows.exe" or tgt.process.image.path contains "\findDelegation_windows.exe" or tgt.process.image.path contains "\GetADUsers_windows.exe" or tgt.process.image.path contains "\GetNPUsers_windows.exe" or tgt.process.image.path contains "\getPac_windows.exe" or tgt.process.image.path contains "\getST_windows.exe" or tgt.process.image.path contains "\getTGT_windows.exe" or tgt.process.image.path contains "\GetUserSPNs_windows.exe" or tgt.process.image.path contains "\ifmap_windows.exe" or tgt.process.image.path contains "\mimikatz_windows.exe" or tgt.process.image.path contains "\netview_windows.exe" or tgt.process.image.path contains "\nmapAnswerMachine_windows.exe" or tgt.process.image.path contains "\opdump_windows.exe" or tgt.process.image.path contains "\psexec_windows.exe" or tgt.process.image.path contains "\rdp_check_windows.exe" or tgt.process.image.path contains "\sambaPipe_windows.exe" or tgt.process.image.path contains "\smbclient_windows.exe" or tgt.process.image.path contains "\smbserver_windows.exe" or tgt.process.image.path contains "\sniff_windows.exe" 
or tgt.process.image.path contains "\sniffer_windows.exe" or tgt.process.image.path contains "\split_windows.exe" or tgt.process.image.path contains "\ticketer_windows.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md
index c126f3959..3c3c88285 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "clipboard]::" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "/r")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md
index f6f1af926..ff366928d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline matches "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or tgt.process.cmdline matches "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or tgt.process.cmdline matches "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or tgt.process.cmdline matches "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or tgt.process.cmdline matches "\\*mdr\\*\\W\\s*\\)\\.Name" or tgt.process.cmdline matches "\\$VerbosePreference\\.ToString\\(" or tgt.process.cmdline matches "\\[String\\]\\s*\\$VerbosePreference"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md
index 5cd1fb877..3cffe4f0d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\"")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md
index f7cd83dae..f3700e66c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\"")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md
index 5bd8226dc..e93978735 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "text.encoding]::ascii") and (tgt.process.cmdline contains "system.io.compression.deflatestream" or tgt.process.cmdline contains "system.io.streamreader" or tgt.process.cmdline contains "readtoend(")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md
index e8864a8e9..248fee92c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*"")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md
index e0ebd0af7..2a5e4536e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md
index 32f95f0a7..cb08f5a6a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "set" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "vbscript:createobject" and tgt.process.cmdline contains ".run" and tgt.process.cmdline contains "(window.close)"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md
index a0a6387c2..c513c17ed 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "&&set" and tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "{0}" or tgt.process.cmdline contains "{1}" or tgt.process.cmdline contains "{2}" or tgt.process.cmdline contains "{3}" or tgt.process.cmdline contains "{4}" or tgt.process.cmdline contains "{5}")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md
index 64f692a79..1bfc4381f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" and src.process.cmdline contains ".bat") and ((tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "powershell.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "pwsh.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\attrib.exe" and (tgt.process.cmdline contains "+s" and tgt.process.cmdline contains "+h" and tgt.process.cmdline contains ".bat.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md
index 3f40b73dd..61bf05042 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\lazagne.exe" or ((tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Tmp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Users\Public\") and (tgt.process.cmdline contains ".exe all" or tgt.process.cmdline contains ".exe browsers" or tgt.process.cmdline contains ".exe chats" or tgt.process.cmdline contains ".exe databases" or tgt.process.cmdline contains ".exe games" or tgt.process.cmdline contains ".exe git" or tgt.process.cmdline contains ".exe mails" or tgt.process.cmdline contains ".exe maven" or tgt.process.cmdline contains ".exe memory" or tgt.process.cmdline contains ".exe multimedia" or tgt.process.cmdline contains ".exe sysadmin" or tgt.process.cmdline contains ".exe unused" or tgt.process.cmdline contains ".exe wifi" or tgt.process.cmdline contains ".exe windows")) or ((tgt.process.cmdline contains "all " or tgt.process.cmdline contains "browsers " or tgt.process.cmdline contains "chats " or tgt.process.cmdline contains "databases " or tgt.process.cmdline contains "games " or tgt.process.cmdline contains "git " or tgt.process.cmdline contains "mails " or tgt.process.cmdline contains "maven " or tgt.process.cmdline contains "memory " or tgt.process.cmdline contains "multimedia " or tgt.process.cmdline contains "php " or tgt.process.cmdline contains "svn " or tgt.process.cmdline contains "sysadmin " or tgt.process.cmdline contains "unused " or tgt.process.cmdline contains "wifi " or tgt.process.cmdline contains "windows ") and 
(tgt.process.cmdline contains "-oA" or tgt.process.cmdline contains "-oJ" or tgt.process.cmdline contains "-oN" or tgt.process.cmdline contains "-output" or tgt.process.cmdline contains "-password" or tgt.process.cmdline contains "-1Password" or tgt.process.cmdline contains "-apachedirectorystudio" or tgt.process.cmdline contains "-autologon" or tgt.process.cmdline contains "-ChromiumBased" or tgt.process.cmdline contains "-composer" or tgt.process.cmdline contains "-coreftp" or tgt.process.cmdline contains "-credfiles" or tgt.process.cmdline contains "-credman" or tgt.process.cmdline contains "-cyberduck" or tgt.process.cmdline contains "-dbvis" or tgt.process.cmdline contains "-EyeCon" or tgt.process.cmdline contains "-filezilla" or tgt.process.cmdline contains "-filezillaserver" or tgt.process.cmdline contains "-ftpnavigator" or tgt.process.cmdline contains "-galconfusion" or tgt.process.cmdline contains "-gitforwindows" or tgt.process.cmdline contains "-hashdump" or tgt.process.cmdline contains "-iisapppool" or tgt.process.cmdline contains "-IISCentralCertP" or tgt.process.cmdline contains "-kalypsomedia" or tgt.process.cmdline contains "-keepass" or tgt.process.cmdline contains "-keepassconfig" or tgt.process.cmdline contains "-lsa_secrets" or tgt.process.cmdline contains "-mavenrepositories" or tgt.process.cmdline contains "-memory_dump" or tgt.process.cmdline contains "-Mozilla" or tgt.process.cmdline contains "-mRemoteNG" or tgt.process.cmdline contains "-mscache" or tgt.process.cmdline contains "-opensshforwindows" or tgt.process.cmdline contains "-openvpn" or tgt.process.cmdline contains "-outlook" or tgt.process.cmdline contains "-pidgin" or tgt.process.cmdline contains "-postgresql" or tgt.process.cmdline contains "-psi-im" or tgt.process.cmdline contains "-puttycm" or tgt.process.cmdline contains "-pypykatz" or tgt.process.cmdline contains "-Rclone" or tgt.process.cmdline contains "-rdpmanager" or tgt.process.cmdline contains "-robomongo" or 
tgt.process.cmdline contains "-roguestale" or tgt.process.cmdline contains "-skype" or tgt.process.cmdline contains "-SQLDeveloper" or tgt.process.cmdline contains "-squirrel" or tgt.process.cmdline contains "-tortoise" or tgt.process.cmdline contains "-turba" or tgt.process.cmdline contains "-UCBrowser" or tgt.process.cmdline contains "-unattended" or tgt.process.cmdline contains "-vault" or tgt.process.cmdline contains "-vaultfiles" or tgt.process.cmdline contains "-vnc" or tgt.process.cmdline contains "-windows" or tgt.process.cmdline contains "-winscp" or tgt.process.cmdline contains "-wsl"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md
index c0f433db5..7df2c0e96 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\services.exe" and (((tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "echo" and tgt.process.cmdline contains "\pipe\") and (tgt.process.cmdline contains "cmd" or tgt.process.cmdline contains "%COMSPEC%")) or (tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains ".dll,a" and tgt.process.cmdline contains "/p:")) and (not tgt.process.cmdline contains "MpCmdRun"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md
index db47eeb23..08f372393 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "DumpCreds" or tgt.process.cmdline contains "mimikatz") or (tgt.process.cmdline contains "::aadcookie" or tgt.process.cmdline contains "::detours" or tgt.process.cmdline contains "::memssp" or tgt.process.cmdline contains "::mflt" or tgt.process.cmdline contains "::ncroutemon" or tgt.process.cmdline contains "::ngcsign" or tgt.process.cmdline contains "::printnightmare" or tgt.process.cmdline contains "::skeleton" or tgt.process.cmdline contains "::preshutdown" or tgt.process.cmdline contains "::mstsc" or tgt.process.cmdline contains "::multirdp") or (tgt.process.cmdline contains "rpc::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "crypto::" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "process::" or tgt.process.cmdline contains "vault::")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md
index e49ccc559..a3f614284 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "powershell.exe -NonI" and tgt.process.cmdline contains "/TN Updater /TR") and (tgt.process.cmdline contains "/SC ONLOGON" or tgt.process.cmdline contains "/SC DAILY /ST" or tgt.process.cmdline contains "/SC ONIDLE" or tgt.process.cmdline contains "/SC HOURLY")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md
index b0bded723..4f4994047 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\pypykatz.exe" or tgt.process.image.path contains "\python.exe") and (tgt.process.cmdline contains "live" and tgt.process.cmdline contains "registry")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md
index ac91fc66b..7862575a6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\QuarksPwDump.exe" or (tgt.process.cmdline in (" -dhl"," --dump-hash-local"," -dhdc"," --dump-hash-domain-cached"," --dump-bitlocker"," -dhd "," --dump-hash-domain ","--ntds-file"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md
index b8ad7a125..29fbfe09e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "gthread-3.6.dll" or tgt.process.cmdline contains "\Windows\Temp\tmp.bat" or tgt.process.cmdline contains "sigcmm-2.4.dll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md
index b132b0b5e..9b41cc429 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "PetitPotam" or tgt.process.image.path contains "RottenPotato" or tgt.process.image.path contains "HotPotato" or tgt.process.image.path contains "JuicyPotato" or tgt.process.image.path contains "\just_dce_" or tgt.process.image.path contains "Juicy Potato" or tgt.process.image.path contains "\temp\rot.exe" or tgt.process.image.path contains "\Potato.exe" or tgt.process.image.path contains "\SpoolSample.exe" or tgt.process.image.path contains "\Responder.exe" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\LocalPotato") or (tgt.process.cmdline contains "Invoke-Tater" or tgt.process.cmdline contains " smbrelay" or tgt.process.cmdline contains " ntlmrelay" or tgt.process.cmdline contains "cme smb " or tgt.process.cmdline contains " /ntlm:NTLMhash " or tgt.process.cmdline contains "Invoke-PetitPotam" or tgt.process.cmdline="*.exe -t * -p *") or (tgt.process.cmdline contains ".exe -c \"{" and tgt.process.cmdline contains "}\" -z")) and (not (tgt.process.image.path contains "HotPotatoes6" or tgt.process.image.path contains "HotPotatoes7" or tgt.process.image.path contains "HotPotatoes "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md
index 4c75f1087..d6db16a27 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpChisel.exe" or tgt.process.displayName="SharpChisel"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md
index 40219dfd4..ff8975f08 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\SharPersist.exe" or tgt.process.displayName="SharPersist") or (tgt.process.cmdline contains " -t schtask -c " or tgt.process.cmdline contains " -t startupfolder -c ") or (tgt.process.cmdline contains " -t reg -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t service -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t schtask -c " and tgt.process.cmdline contains " -m add")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md
index 18297eb07..2dbb53531 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpEvtMute.exe" or tgt.process.displayName="SharpEvtMute" or (tgt.process.cmdline contains "--Filter \"rule " or tgt.process.cmdline contains "--Encoded --Filter \\"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md
index cf2ee9926..13d7de705 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpUp.exe" or tgt.process.displayName="SharpUp" or (tgt.process.cmdline contains "HijackablePaths" or tgt.process.cmdline contains "UnquotedServicePath" or tgt.process.cmdline contains "ProcessDLLHijack" or tgt.process.cmdline contains "ModifiableServiceBinaries" or tgt.process.cmdline contains "ModifiableScheduledTask" or tgt.process.cmdline contains "DomainGPPPassword" or tgt.process.cmdline contains "CachedGPPPassword")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md
index 61bb7a6f9..6f3f9ac68 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -Inject " and (tgt.process.cmdline contains " -PayloadArgs " or tgt.process.cmdline contains " -PayloadFile ")) or ((tgt.process.cmdline contains " approve " or tgt.process.cmdline contains " create " or tgt.process.cmdline contains " check " or tgt.process.cmdline contains " delete ") and (tgt.process.cmdline contains " /payload:" or tgt.process.cmdline contains " /payload=" or tgt.process.cmdline contains " /updateid:" or tgt.process.cmdline contains " /updateid="))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md
index 2f0dbd259..a65c88c1d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.displayName contains "st2stager")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md
index 39607411d..ba1ea17e1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
index e48f17b7f..8b01ae9c9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --buildcache " or tgt.process.cmdline contains " --bhdump " or tgt.process.cmdline contains " --certdump " or tgt.process.cmdline contains " --dnsdump ") and (tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " --cachefilename " or tgt.process.cmdline contains " -o " or tgt.process.cmdline contains " --outputdirectory")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
index 88d24022d..6b1b02c55 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Offline_Winpwn" or tgt.process.cmdline contains "WinPwn " or tgt.process.cmdline contains "WinPwn.exe" or tgt.process.cmdline contains "WinPwn.ps1"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
index b0d01f132..bc36d4990 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
index 0bcabb6ee..0bd01675f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\xordump.exe" or (tgt.process.cmdline contains " -process lsass.exe " or tgt.process.cmdline contains " -m comsvcs " or tgt.process.cmdline contains " -m dbghelp " or tgt.process.cmdline contains " -m dbgcore ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
index 768f05f96..ae82bfef8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip" and tgt.process.cmdline contains "/pass:" and tgt.process.cmdline contains "/user:") or (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
index b9da5d408..90ad1c835 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\HOSTNAME.EXE")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
index c0bf6eb14..c6606de99 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Hwp.exe" and tgt.process.image.path contains "\gbb.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
index 660f26e82..84a1778a0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hxtsr.exe" and (not (tgt.process.image.path contains ":\program files\windowsapps\microsoft.windowscommunicationsapps_" and tgt.process.image.path contains "\hxtsr.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
index 7bac26dd2..332518f19 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\w3wp.exe" and (tgt.process.cmdline contains "appcmd.exe add module" or (tgt.process.cmdline contains " system.enterpriseservices.internal.publish" and tgt.process.image.path contains "\powershell.exe") or (tgt.process.cmdline contains "gacutil" and tgt.process.cmdline contains " /I"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
index bce5329d4..5a3210fab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and tgt.process.image.path contains "\ImagingDevices.exe") or src.process.image.path contains "\ImagingDevices.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
index 35166b5ff..bcf9d7076 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "InfDefaultInstall.exe " and tgt.process.cmdline contains ".inf")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
index b42ba0c09..965c4b753 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\InstallUtil.exe" and tgt.process.image.path contains "Microsoft.NET\Framework" and (tgt.process.cmdline contains "/logfile= " and tgt.process.cmdline contains "/LogToConsole=false")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
index c0ad3702f..0a4f04894 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\keytool.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\query.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
index e3e811451..3c68ca6f4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\ManageEngine\ServiceDesk\" and src.process.image.path contains "\java.exe") and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")) and (not ((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains " stop"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
index fe89cf47f..350ac6f0c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "transport=dt_socket,address=" and (tgt.process.cmdline contains "jre1." or tgt.process.cmdline contains "jdk1.")) and (not (tgt.process.cmdline contains "address=127.0.0.1" or tgt.process.cmdline contains "address=localhost")))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
index 9d81a3df1..b222d7466 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
index 261031cd5..e68eac408 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not (src.process.image.path contains "build" and tgt.process.cmdline contains "build"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
index 6827e486c..791c80c9a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and src.process.cmdline contains "SysAidServer"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
index dbf00cc46..a2c188e17 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " run run-cmd " and (not (src.process.image.path contains "\cleanapi.exe" or src.process.image.path contains "\kavremover.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
index d8ed45254..ec0ba7af2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\link.exe" and tgt.process.cmdline contains "LINK /") and (not ((src.process.image.path contains "C:\Program Files\Microsoft Visual Studio\" or src.process.image.path contains "C:\Program Files (x86)\Microsoft Visual Studio\") and (src.process.image.path contains "\VC\bin\" or src.process.image.path contains "\VC\Tools\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
index bbfbbd9e4..798fad230 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\CustomShellHost.exe" and (not tgt.process.image.path="C:\Windows\explorer.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
index 2912339fe..61df9df09 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\DeviceCredentialDeployment.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
index 4de4c13e7..4bf018df8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\devtoolslauncher.exe" and tgt.process.cmdline contains "LaunchForDeploy"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
index eb0792697..1ab2c83a0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
index b95e74498..82b18c571 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains " \\" and tgt.process.cmdline contains ".cab"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
index 57108eb1c..25b91a453 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "extrac32.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
index 4f1393ea6..063b17fae 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Launch-VsDevShell.ps1" and (tgt.process.cmdline contains "VsWherePath " or tgt.process.cmdline contains "VsInstallationPath ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
index 57ff77e52..e676161b4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /INJECTRUNNING " and (not src.process.image.path="C:\Windows\System32\AppVClient.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
index e0f7a744a..b1c63d5c8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "verb:sync" and tgt.process.cmdline contains "-source:RunCommand" and tgt.process.cmdline contains "-dest:runCommand") and tgt.process.image.path contains "\msdeploy.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
index 4c7d332dd..1dd00a16d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\msdt.exe" and tgt.process.cmdline contains "\WINDOWS\diagnostics\index\PCWDiagnostic.xml") and (tgt.process.cmdline contains " -af " or tgt.process.cmdline contains " /af ")) and (not src.process.image.path contains "\pcwrun.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
index da9545b5f..1c245c726 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\OpenWith.exe" and tgt.process.cmdline contains "/c"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
index 755f142b6..7ff24ca9d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcalua.exe" and tgt.process.cmdline contains " -a"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
index f7f7b20e7..94251ab1b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\pcwrun.exe") | columns ComputerName,tgt.process.user,src.process.cmdline,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md
index 8005a196f..4d698573d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcwrun.exe" and tgt.process.cmdline contains "../"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md
index 292e8d609..1d74ddcf9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and src.process.cmdline contains "\WindowsPowerShell\Modules\Pester\") and (src.process.cmdline contains "{ Invoke-Pester -EnableExit ;" or src.process.cmdline contains "{ Get-Help \"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md
index e41a47acd..68435eaae 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Pester" and tgt.process.cmdline contains "Get-Help")) or ((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "pester" and tgt.process.cmdline contains ";")) and (tgt.process.cmdline contains "help" or tgt.process.cmdline contains "?"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md
index 706c55749..d59efa0b3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\PrintBrm.exe" and (tgt.process.cmdline contains " -f" and tgt.process.cmdline contains ".zip")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md
index 1766d3d13..e5697893d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\pubprn.vbs" and tgt.process.cmdline contains "script:"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md
index bb17d3a84..fe92f91e7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\register_app.vbs" and tgt.process.cmdline contains "-register"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md
index 7e0a5cf8f..72f7fec83 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\replace.exe" and (tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/a" or tgt.process.cmdline contains "–a" or tgt.process.cmdline contains "—a" or tgt.process.cmdline contains "―a")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md
index 15a9d4eab..78e556814 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\runexehelper.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md
index 16063785e..d90b83377 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Runscripthelper.exe" and tgt.process.cmdline contains "surfacecheck")) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md
index 9ddd13064..c9a97507c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\")) and (src.process.cmdline contains "cmd.exe /c" and src.process.cmdline contains "RoamDiag.cmd" and src.process.cmdline contains "-outputpath"))) | columns TargetFilename,tgt.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md
index 0d3e56edd..dd036ce7d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sftp.exe" and (tgt.process.cmdline contains " -D .." or tgt.process.cmdline contains " -D C:\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md
index a5c614cf8..dcab30cab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-i" or tgt.process.cmdline contains "/install" or tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/add-driver" or tgt.process.cmdline contains ".inf") and tgt.process.image.path contains "\pnputil.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md
index d15164f66..e7e0749a1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "grpconv.exe -o" or tgt.process.cmdline contains "grpconv -o"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md
index e9ea09360..5263d5ead 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqldumper.exe" and (tgt.process.cmdline contains "0x0110" or tgt.process.cmdline contains "0x01100:40")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md
index d37812c0b..b8b927255 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SyncAppvPublishingServer.vbs" and tgt.process.cmdline contains ";")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md
index bc77cba73..4677c25c3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\tracker.exe" or tgt.process.displayName="Tracker") and (tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " /c ")) and (not (tgt.process.cmdline contains " /ERRORREPORT:PROMPT " or (src.process.image.path contains "\Msbuild\Current\Bin\MSBuild.exe" or src.process.image.path contains "\Msbuild\Current\Bin\amd64\MSBuild.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md
index fdc443576..43ed889c7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\tttracer.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md
index 9393444d2..474096ea5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "UtilityFunctions.ps1" or tgt.process.cmdline contains "RegSnapin "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md
index 64e1188cf..ed18dfcaa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vbc.exe" and tgt.process.image.path contains "\cvtres.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md
index c1581ef25..5331b6f88 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Windows\System32\lsass.exe" and tgt.process.image.path contains "\Windows\System32\lsass.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md
index 9b70ea668..5deb049fc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\mftrace.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md
index 2c1f567b6..086813f2c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mmc.exe" and tgt.process.cmdline contains "-Embedding"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md
index f49225600..0e0a20056 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\mmc.exe" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe") or tgt.process.image.path contains "\BITSADMIN"))) | columns tgt.process.cmdline,tgt.process.image.path,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md
index 2712f3ffb..8fe2f9756 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\MpCmdRun.exe" or tgt.process.image.path contains "\NisSrv.exe") and (not (tgt.process.image.path contains "C:\Program Files (x86)\Windows Defender\" or tgt.process.image.path contains "C:\Program Files\Microsoft Security Client\" or tgt.process.image.path contains "C:\Program Files\Windows Defender\" or tgt.process.image.path contains "C:\ProgramData\Microsoft\Windows Defender\Platform\" or tgt.process.image.path contains "C:\Windows\WinSxS\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md
index fb0551ba7..bd5982398 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Wscript." and tgt.process.cmdline contains ".Shell" and tgt.process.cmdline contains ".Run"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md
index fa7f4aeb0..56cae7e76 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mshta.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md
index d82dd8cdb..d8024de8c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\mshta.exe" and (tgt.process.cmdline contains "vbscript" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".lnk" or tgt.process.cmdline contains ".xls" or tgt.process.cmdline contains ".doc" or tgt.process.cmdline contains ".zip" or tgt.process.cmdline contains ".dll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md
index 0df748fe7..7bf54cba7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (src.process.cmdline contains "MsiExec.exe" and src.process.cmdline contains "-Embedding ")) and (not ((tgt.process.image.path contains ":\Windows\System32\cmd.exe" and tgt.process.cmdline contains "C:\Program Files\SplunkUniversalForwarder\bin\") or (tgt.process.cmdline contains "\DismFoDInstall.cmd" or (src.process.cmdline contains "\MsiExec.exe -Embedding " and src.process.cmdline contains "Global\MSI0000"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md
index e92232208..d38295042 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\msiexec.exe" and (tgt.process.cmdline contains " -y" or tgt.process.cmdline contains " /y" or tgt.process.cmdline contains " –y" or tgt.process.cmdline contains " —y" or tgt.process.cmdline contains " ―y")) and (not (tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" /Y C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y C:\Windows\CCM\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md
index cbc4fc843..929454b27 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " msiexec" and tgt.process.cmdline contains "://"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md
index ac838fc73..01993abeb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\msra.exe" and src.process.cmdline contains "msra.exe" and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\route.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\whoami.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md
index 5ac81498e..6fc9dab5c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\wsl.exe")) and (not (src.process.image.path contains "C:\Program Files\Microsoft SQL Server\" and src.process.image.path contains "DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\cmd.exe\" "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md
index 6bb0ea9b3..38ef925d1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and src.process.cmdline contains "VEEAMSQL") and (((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "-ex " or tgt.process.cmdline contains "bypass" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "copy ")) or (tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\whoami.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md
index fcd4dd6cd..8532acaab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "noconsentprompt" and tgt.process.cmdline contains "shadow:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md index 827e0b83c..b5af072d3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\msxsl.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md index 0a10c9e00..3334c1490 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\msxsl.exe" and tgt.process.cmdline contains "http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md index ffd250fb7..fe28879a4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\node.exe" and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " --eval ")) and (tgt.process.cmdline contains ".exec(" and tgt.process.cmdline contains "net.socket" and tgt.process.cmdline contains ".connect" and tgt.process.cmdline contains "child_process"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md index 556c6329b..891387d90 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Adobe Creative Cloud Experience\libs\node.exe" and (not tgt.process.cmdline contains "Adobe Creative Cloud Experience\js"))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md index f2dafc41b..3767fa7f9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "nslookup" and tgt.process.cmdline contains "_ldap._tcp.dc._msdcs.")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md index 3efbe847b..3815186f8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\ntdsutil.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md index 00a46337d..05323ee59 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\odbcconf.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md index 844ad252e..5a0032a3d 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\onenote.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and (tgt.process.cmdline contains "\exported\" or tgt.process.cmdline contains "\onenoteofflinecache_files\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md index 53d3ef9cd..3da4c268f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Outlook\Security\EnableUnsafeClientMailRules") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md index 20af8991a..0eef525b3 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\Temporary Internet Files\Content.Outlook\") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md index d8610b0d3..d0fd0f49d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\OUTLOOK.EXE" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\msbuild.exe" or tgt.process.image.path contains "\msdt.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md index 016148ed8..6c3f85847 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\outlook.exe" and tgt.process.image.path contains "\\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md index 89d38bb29..66a77529c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WINWORD.EXE" or src.process.image.path contains "\EXCEL.EXE" or src.process.image.path contains "\POWERPNT.exe" or src.process.image.path contains "\MSPUB.exe" or src.process.image.path contains "\VISIO.exe" or src.process.image.path contains "\MSACCESS.exe" or src.process.image.path contains "\EQNEDT32.exe") and tgt.process.image.path contains "C:\users\" and tgt.process.image.path contains ".exe") and (not tgt.process.image.path contains "\Teams.exe"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md index 90877f38b..d6b29ac0f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\PDQDeployRunner-" and ((tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\TEMP\" or tgt.process.image.path contains "\AppData\Local\Temp") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -encodedcommand " or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "http" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md index 67319efe4..e4896454b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ping.exe" and tgt.process.cmdline contains "0x")) | columns src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md index 5953afd77..ae74809f3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Command-line SSH, Telnet, and Rlogin client" and tgt.process.cmdline contains " -R ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md index ed0793918..90cff5292 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":127.0.0.1:3389") or ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":3389") and (tgt.process.cmdline contains " -P 443" or tgt.process.cmdline contains " -P 22")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md index 735a45310..8a4786b13 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "System.Management.Automation.AmsiUtils" and tgt.process.cmdline contains "amsiInitFailed") or (tgt.process.cmdline contains "[Ref].Assembly.GetType" and tgt.process.cmdline contains "SetValue($null,$true)" and tgt.process.cmdline contains "NonPublic,Static"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md index 7ecef5f33..8b8d4cbb2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "if(0){{{0}}}' -f $(0 -as [char]) +" or tgt.process.cmdline contains "#")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md index 8f0fc27b4..b66c2464a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WindowsAudioDevice-Powershell-Cmdlet" or tgt.process.cmdline contains "Toggle-AudioDevice" or tgt.process.cmdline contains "Get-AudioDevice " or tgt.process.cmdline contains "Set-AudioDevice " or tgt.process.cmdline contains "Write-AudioDevice ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md index c9470126b..c4f020870 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IAAtAGIAeABvAHIAIAAwAHgA" or tgt.process.cmdline contains "AALQBiAHgAbwByACAAMAB4A" or tgt.process.cmdline contains "gAC0AYgB4AG8AcgAgADAAeA" or tgt.process.cmdline contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or tgt.process.cmdline contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or tgt.process.cmdline contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md index f4f3588ee..2e3ba3c8a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OjpGcm9tQmFzZTY0U3RyaW5n" or tgt.process.cmdline contains "o6RnJvbUJhc2U2NFN0cmluZ" or tgt.process.cmdline contains "6OkZyb21CYXNlNjRTdHJpbm" or (tgt.process.cmdline contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or tgt.process.cmdline contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or tgt.process.cmdline contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md index 48abeac12..d65b79549 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "SUVYIChb" or tgt.process.cmdline contains "lFWCAoW" or tgt.process.cmdline contains "JRVggKF" or tgt.process.cmdline contains "aWV4IChb" or tgt.process.cmdline contains "lleCAoW" or tgt.process.cmdline contains "pZXggKF" or tgt.process.cmdline contains "aWV4IChOZX" or tgt.process.cmdline contains "lleCAoTmV3" or tgt.process.cmdline contains "pZXggKE5ld" or tgt.process.cmdline contains "SUVYIChOZX" or tgt.process.cmdline contains "lFWCAoTmV3" or tgt.process.cmdline contains "JRVggKE5ld" or tgt.process.cmdline contains "SUVYKF" or tgt.process.cmdline contains "lFWChb" or tgt.process.cmdline contains "JRVgoW" or tgt.process.cmdline contains "aWV4KF" or tgt.process.cmdline contains "lleChb" or tgt.process.cmdline contains "pZXgoW" or tgt.process.cmdline contains "aWV4KE5ld" or tgt.process.cmdline contains "lleChOZX" or tgt.process.cmdline contains "pZXgoTmV3" or tgt.process.cmdline contains "SUVYKE5ld" or tgt.process.cmdline contains "lFWChOZX" or tgt.process.cmdline contains "JRVgoTmV3" or tgt.process.cmdline contains "SUVYKCgn" or tgt.process.cmdline contains "lFWCgoJ" or tgt.process.cmdline contains "JRVgoKC" or tgt.process.cmdline contains "aWV4KCgn" or tgt.process.cmdline contains "lleCgoJ" or tgt.process.cmdline contains "pZXgoKC") or (tgt.process.cmdline contains "SQBFAFgAIAAoAFsA" or tgt.process.cmdline contains "kARQBYACAAKABbA" or tgt.process.cmdline contains "JAEUAWAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAFsA" or tgt.process.cmdline contains "kAZQB4ACAAKABbA" or tgt.process.cmdline contains "pAGUAeAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kAZQB4ACAAKABOAGUAdw" or tgt.process.cmdline contains "pAGUAeAAgACgATgBlAHcA" or 
tgt.process.cmdline contains "SQBFAFgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kARQBYACAAKABOAGUAdw" or tgt.process.cmdline contains "JAEUAWAAgACgATgBlAHcA"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md index 220ac7e6a..f7598f940 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "QWRkLU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "BZGQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "U2V0LU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "TZXQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "YWRkLW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "hZGQtbXBwcmVmZXJlbmNlI" or tgt.process.cmdline contains "c2V0LW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "zZXQtbXBwcmVmZXJlbmNlI") or (tgt.process.cmdline contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md index 64377c97b..cdd9cf2d2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or tgt.process.cmdline contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or tgt.process.cmdline contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or tgt.process.cmdline contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or tgt.process.cmdline contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA")) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md index d4309683c..4781a0fe8 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA")) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md index 9c2a429f2..6eab42154 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SyncInvoke ") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md index 5ecffe802..9d1c0d0ec 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "LoadAssemblyFromPath " or tgt.process.cmdline contains "LoadAssemblyFromNS ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md index 73d19ad29..0e1a7dc2e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\powershell.exe" and tgt.process.cmdline contains " -nologo -windowstyle minimized -file ") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Windows\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
index d988ce1d9..0d13ed11e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
index 0bdd7a455..8bb5a13ff 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "GZipStream" and tgt.process.cmdline contains "::Decompress"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
index 07d33fd6b..f0a4b482b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains "DisableArchiveScanning " or tgt.process.cmdline contains "DisableRealtimeMonitoring " or tgt.process.cmdline contains "DisableIOAVProtection " or tgt.process.cmdline contains "DisableBehaviorMonitoring " or tgt.process.cmdline contains "DisableBlockAtFirstSeen " or tgt.process.cmdline contains "DisableCatchupFullScan " or tgt.process.cmdline contains "DisableCatchupQuickScan ") and (tgt.process.cmdline contains "$true" or tgt.process.cmdline contains " 1 ")) or ((tgt.process.cmdline contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or tgt.process.cmdline contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or tgt.process.cmdline contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or tgt.process.cmdline contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or tgt.process.cmdline contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or tgt.process.cmdline 
contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or tgt.process.cmdline contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or tgt.process.cmdline contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or tgt.process.cmdline contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or tgt.process.cmdline contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or tgt.process.cmdline contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI") or (tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains 
"RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or tgt.process.cmdline contains 
"kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md
index c371b8f25..7bd694725 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains " -ExclusionPath " or tgt.process.cmdline contains " -ExclusionExtension " or tgt.process.cmdline contains " -ExclusionProcess " or tgt.process.cmdline contains " -ExclusionIpAddress ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md
index c0f51c2a4..b18a5ccf1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -name IEHarden " and tgt.process.cmdline contains " -value 0 ") or (tgt.process.cmdline contains " -name DEPOff " and tgt.process.cmdline contains " -value 1 ") or (tgt.process.cmdline contains " -name DisableFirstRunCustomize " and tgt.process.cmdline contains " -value 2 ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md
index fb6abdb12..8bb47f241 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains " -version 2 " or tgt.process.cmdline contains " -versio 2 " or tgt.process.cmdline contains " -versi 2 " or tgt.process.cmdline contains " -vers 2 " or tgt.process.cmdline contains " -ver 2 " or tgt.process.cmdline contains " -ve 2 " or tgt.process.cmdline contains " -v 2 ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md
index f7aaa53e8..9ac52b4f3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[Type]::GetTypeFromCLSID(" and (tgt.process.cmdline contains "0002DF01-0000-0000-C000-000000000046" or tgt.process.cmdline contains "F6D90F16-9C73-11D3-B32E-00C04F990BB4" or tgt.process.cmdline contains "F5078F35-C551-11D3-89B9-0000F81FE221" or tgt.process.cmdline contains "88d96a0a-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "AFBA6B42-5692-48EA-8141-DC517DCF0EF1" or tgt.process.cmdline contains "AFB40FFD-B609-40A3-9828-F88BBE11E4E3" or tgt.process.cmdline contains "88d96a0b-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "2087c2f4-2cef-4953-a8ab-66779b670495" or tgt.process.cmdline contains "000209FF-0000-0000-C000-000000000046" or tgt.process.cmdline contains "00024500-0000-0000-C000-000000000046")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md
index 17b44b452..08f287ea3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "http://127.0.0.1" and tgt.process.cmdline contains "%{(IRM $_)}" and tgt.process.cmdline contains ".SubString.ToString()[67,72,64]-Join" and tgt.process.cmdline contains "Import-Module")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md
index b0da296ba..c89b8b89a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md
index b5ae4b8ba..c3cd17e3d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "IWR ") and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "OutFile" and tgt.process.cmdline contains ".dll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md
index 33e2f1bf1..fa2611124 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr ") and (tgt.process.cmdline contains ";iex $" or tgt.process.cmdline contains "| IEX" or tgt.process.cmdline contains "|IEX " or tgt.process.cmdline contains "I`E`X" or tgt.process.cmdline contains "I`EX" or tgt.process.cmdline contains "IE`X" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "IEX (" or tgt.process.cmdline contains "IEX(" or tgt.process.cmdline contains "Invoke-Expression")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md
index 89d84abde..fdf40ace7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-ADDBSidHistory" or tgt.process.cmdline contains "Add-ADNgcKey" or tgt.process.cmdline contains "Add-ADReplNgcKey" or tgt.process.cmdline contains "ConvertFrom-ADManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-GPPrefPassword" or tgt.process.cmdline contains "ConvertFrom-ManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-UnattendXmlPassword" or tgt.process.cmdline contains "ConvertFrom-UnicodePassword" or tgt.process.cmdline contains "ConvertTo-AADHash" or tgt.process.cmdline contains "ConvertTo-GPPrefPassword" or tgt.process.cmdline contains "ConvertTo-KerberosKey" or tgt.process.cmdline contains "ConvertTo-LMHash" or tgt.process.cmdline contains "ConvertTo-MsoPasswordHash" or tgt.process.cmdline contains "ConvertTo-NTHash" or tgt.process.cmdline contains "ConvertTo-OrgIdHash" or tgt.process.cmdline contains "ConvertTo-UnicodePassword" or tgt.process.cmdline contains "Disable-ADDBAccount" or tgt.process.cmdline contains "Enable-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBBackupKey" or tgt.process.cmdline contains "Get-ADDBDomainController" or tgt.process.cmdline contains "Get-ADDBGroupManagedServiceAccount" or tgt.process.cmdline contains "Get-ADDBKdsRootKey" or tgt.process.cmdline contains "Get-ADDBSchemaAttribute" or tgt.process.cmdline contains "Get-ADDBServiceAccount" or tgt.process.cmdline contains "Get-ADDefaultPasswordPolicy" or tgt.process.cmdline contains "Get-ADKeyCredential" or tgt.process.cmdline contains "Get-ADPasswordPolicy" or tgt.process.cmdline contains "Get-ADReplAccount" or tgt.process.cmdline contains "Get-ADReplBackupKey" or tgt.process.cmdline contains "Get-ADReplicationAccount" or
tgt.process.cmdline contains "Get-ADSIAccount" or tgt.process.cmdline contains "Get-AzureADUserEx" or tgt.process.cmdline contains "Get-BootKey" or tgt.process.cmdline contains "Get-KeyCredential" or tgt.process.cmdline contains "Get-LsaBackupKey" or tgt.process.cmdline contains "Get-LsaPolicy" or tgt.process.cmdline contains "Get-SamPasswordPolicy" or tgt.process.cmdline contains "Get-SysKey" or tgt.process.cmdline contains "Get-SystemKey" or tgt.process.cmdline contains "New-ADDBRestoreFromMediaScript" or tgt.process.cmdline contains "New-ADKeyCredential" or tgt.process.cmdline contains "New-ADNgcKey" or tgt.process.cmdline contains "New-NTHashSet" or tgt.process.cmdline contains "Remove-ADDBObject" or tgt.process.cmdline contains "Save-DPAPIBlob" or tgt.process.cmdline contains "Set-ADAccountPasswordHash" or tgt.process.cmdline contains "Set-ADDBAccountPassword" or tgt.process.cmdline contains "Set-ADDBBootKey" or tgt.process.cmdline contains "Set-ADDBDomainController" or tgt.process.cmdline contains "Set-ADDBPrimaryGroup" or tgt.process.cmdline contains "Set-ADDBSysKey" or tgt.process.cmdline contains "Set-AzureADUserEx" or tgt.process.cmdline contains "Set-LsaPolicy" or tgt.process.cmdline contains "Set-SamAccountPasswordHash" or tgt.process.cmdline contains "Set-WinUserPasswordHash" or tgt.process.cmdline contains "Test-ADDBPasswordQuality" or tgt.process.cmdline contains "Test-ADPasswordQuality" or tgt.process.cmdline contains "Test-ADReplPasswordQuality" or tgt.process.cmdline contains "Test-PasswordQuality" or tgt.process.cmdline contains "Unlock-ADDBAccount" or tgt.process.cmdline contains "Write-ADNgcKey" or tgt.process.cmdline contains "Write-ADReplNgcKey"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md
index 068d18b2f..4ed88df32 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Add-PSSnapin" and tgt.process.cmdline contains "Get-Recipient" and tgt.process.cmdline contains "-ExpandProperty" and tgt.process.cmdline contains "EmailAddresses" and tgt.process.cmdline contains "SmtpAddress" and tgt.process.cmdline contains "-hidetableheaders")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md
index c5e981173..d11c6ebc1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Enable-WindowsOptionalFeature" and tgt.process.cmdline contains "-Online" and tgt.process.cmdline contains "-FeatureName") and (tgt.process.cmdline contains "TelnetServer" or tgt.process.cmdline contains "Internet-Explorer-Optional-amd64" or tgt.process.cmdline contains "TFTP" or tgt.process.cmdline contains "SMB1Protocol" or tgt.process.cmdline contains "Client-ProjFS" or tgt.process.cmdline contains "Microsoft-Windows-Subsystem-Linux")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md
index af0a247b9..9a3099021 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -enco" or tgt.process.cmdline contains " -ec ")) and (not (tgt.process.cmdline contains " -Encoding " or (src.process.image.path contains "C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or src.process.image.path contains "\gc_worker.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md
index d020fc6fa..1246781a0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-Expression " or tgt.process.cmdline contains "Invoke-Command " or tgt.process.cmdline contains "icm ") and (tgt.process.cmdline contains "cat " or tgt.process.cmdline contains "get-content " or tgt.process.cmdline contains "type ") and tgt.process.cmdline contains " -raw"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md
index ae3719f96..d9bd95aea 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Export-PfxCertificate " or tgt.process.cmdline contains "Export-Certificate "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md
index 6e27256a7..7f6b95181 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::FromBase64String(")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md
index aeb899bae..54bd65cef 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "FromBase64String" and tgt.process.cmdline contains "MemoryStream" and tgt.process.cmdline contains "H4sI"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md
index 5c061457b..99d8c90f3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Get-Clipboard")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md
index af07630b7..d597c26c8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-LocalGroupMember " and (tgt.process.cmdline contains "domain admins" or tgt.process.cmdline contains " administrator" or tgt.process.cmdline contains " administrateur" or tgt.process.cmdline contains "enterprise admins" or tgt.process.cmdline contains "Exchange Trusted Subsystem" or tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md
index cc63516f6..0d03515e6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-Process lsas" or tgt.process.cmdline contains "ps lsas" or tgt.process.cmdline contains "gps lsas"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
index ce2c81fa7..766ba1062 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " | iex;" or tgt.process.cmdline contains " | iex " or tgt.process.cmdline contains " | iex}" or tgt.process.cmdline contains " | IEX ;" or tgt.process.cmdline contains " | IEX -Error" or tgt.process.cmdline contains " | IEX (new" or tgt.process.cmdline contains ");IEX ")) and (tgt.process.cmdline contains "::FromBase64String" or tgt.process.cmdline contains ".GetString([System.Convert]::")) or (tgt.process.cmdline contains ")|iex;$" or tgt.process.cmdline contains ");iex($" or tgt.process.cmdline contains ");iex $" or tgt.process.cmdline contains " | IEX | " or tgt.process.cmdline contains " | iex\\"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
index fb5276c59..6edb550bd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Import-Certificate" and tgt.process.cmdline contains " -FilePath " and tgt.process.cmdline contains "Cert:\LocalMachine\Root") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains ":\Windows\TEMP\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
index 4d618848d..4c97d4001 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Import-Module \"$Env:Temp\" or tgt.process.cmdline contains "Import-Module '$Env:Temp\" or tgt.process.cmdline contains "Import-Module $Env:Temp\" or tgt.process.cmdline contains "Import-Module \"$Env:Appdata\" or tgt.process.cmdline contains "Import-Module '$Env:Appdata\" or tgt.process.cmdline contains "Import-Module $Env:Appdata\" or tgt.process.cmdline contains "Import-Module C:\Users\Public\" or tgt.process.cmdline contains "ipmo \"$Env:Temp\" or tgt.process.cmdline contains "ipmo '$Env:Temp\" or tgt.process.cmdline contains "ipmo $Env:Temp\" or tgt.process.cmdline contains "ipmo \"$Env:Appdata\" or tgt.process.cmdline contains "ipmo '$Env:Appdata\" or tgt.process.cmdline contains "ipmo $Env:Appdata\" or tgt.process.cmdline contains "ipmo C:\Users\Public\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
index 1390c9438..1e2121dcb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "[Convert]::FromBase64String") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-noni" and tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-ep" and tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-Enc") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "\software\") or (tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-noprofile" and tgt.process.cmdline contains "-windowstyle" and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "system.net.webclient" and tgt.process.cmdline contains ".download") or (tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object" and tgt.process.cmdline contains "Net.WebClient" and tgt.process.cmdline contains ".Download")) and (not (tgt.process.cmdline contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or tgt.process.cmdline contains "Write-ChocolateyWarning"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
index f435a92ac..286ceafdd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-MailboxExportRequest" and tgt.process.cmdline contains " -Mailbox " and tgt.process.cmdline contains " -FilePath \\")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
index 12e5ce96e..29dfec7bf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-Exfiltration" or tgt.process.cmdline contains "Add-Persistence" or tgt.process.cmdline contains "Add-RegBackdoor" or tgt.process.cmdline contains "Add-RemoteRegBackdoor" or tgt.process.cmdline contains "Add-ScrnSaveBackdoor" or tgt.process.cmdline contains "Check-VM" or tgt.process.cmdline contains "ConvertTo-Rc4ByteStream" or tgt.process.cmdline contains "Decrypt-Hash" or tgt.process.cmdline contains "Disable-ADIDNSNode" or tgt.process.cmdline contains "Disable-MachineAccount" or tgt.process.cmdline contains "Do-Exfiltration" or tgt.process.cmdline contains "Enable-ADIDNSNode" or tgt.process.cmdline contains "Enable-MachineAccount" or tgt.process.cmdline contains "Enabled-DuplicateToken" or tgt.process.cmdline contains "Exploit-Jboss" or tgt.process.cmdline contains "Export-ADR" or tgt.process.cmdline contains "Export-ADRCSV" or tgt.process.cmdline contains "Export-ADRExcel" or tgt.process.cmdline contains "Export-ADRHTML" or tgt.process.cmdline contains "Export-ADRJSON" or tgt.process.cmdline contains "Export-ADRXML" or tgt.process.cmdline contains "Find-Fruit" or tgt.process.cmdline contains "Find-GPOLocation" or tgt.process.cmdline contains "Find-TrustedDocuments" or tgt.process.cmdline contains "Get-ADIDNS" or tgt.process.cmdline contains "Get-ApplicationHost" or tgt.process.cmdline contains "Get-ChromeDump" or tgt.process.cmdline contains "Get-ClipboardContents" or tgt.process.cmdline contains "Get-FoxDump" or tgt.process.cmdline contains "Get-GPPPassword" or tgt.process.cmdline contains "Get-IndexedItem" or tgt.process.cmdline contains "Get-KerberosAESKey" or tgt.process.cmdline contains "Get-Keystrokes" or tgt.process.cmdline contains "Get-LSASecret" or tgt.process.cmdline contains 
"Get-MachineAccountAttribute" or tgt.process.cmdline contains "Get-MachineAccountCreator" or tgt.process.cmdline contains "Get-PassHashes" or tgt.process.cmdline contains "Get-RegAlwaysInstallElevated" or tgt.process.cmdline contains "Get-RegAutoLogon" or tgt.process.cmdline contains "Get-RemoteBootKey" or tgt.process.cmdline contains "Get-RemoteCachedCredential" or tgt.process.cmdline contains "Get-RemoteLocalAccountHash" or tgt.process.cmdline contains "Get-RemoteLSAKey" or tgt.process.cmdline contains "Get-RemoteMachineAccountHash" or tgt.process.cmdline contains "Get-RemoteNLKMKey" or tgt.process.cmdline contains "Get-RickAstley" or tgt.process.cmdline contains "Get-Screenshot" or tgt.process.cmdline contains "Get-SecurityPackages" or tgt.process.cmdline contains "Get-ServiceFilePermission" or tgt.process.cmdline contains "Get-ServicePermission" or tgt.process.cmdline contains "Get-ServiceUnquoted" or tgt.process.cmdline contains "Get-SiteListPassword" or tgt.process.cmdline contains "Get-System" or tgt.process.cmdline contains "Get-TimedScreenshot" or tgt.process.cmdline contains "Get-UnattendedInstallFile" or tgt.process.cmdline contains "Get-Unconstrained" or tgt.process.cmdline contains "Get-USBKeystrokes" or tgt.process.cmdline contains "Get-VaultCredential" or tgt.process.cmdline contains "Get-VulnAutoRun" or tgt.process.cmdline contains "Get-VulnSchTask" or tgt.process.cmdline contains "Grant-ADIDNSPermission" or tgt.process.cmdline contains "Gupt-Backdoor" or tgt.process.cmdline contains "HTTP-Login" or tgt.process.cmdline contains "Install-ServiceBinary" or tgt.process.cmdline contains "Install-SSP" or tgt.process.cmdline contains "Invoke-ACLScanner" or tgt.process.cmdline contains "Invoke-ADRecon" or tgt.process.cmdline contains "Invoke-ADSBackdoor" or tgt.process.cmdline contains "Invoke-AgentSmith" or tgt.process.cmdline contains "Invoke-AllChecks" or tgt.process.cmdline contains "Invoke-ARPScan" or tgt.process.cmdline contains "Invoke-AzureHound" 
or tgt.process.cmdline contains "Invoke-BackdoorLNK" or tgt.process.cmdline contains "Invoke-BadPotato" or tgt.process.cmdline contains "Invoke-BetterSafetyKatz" or tgt.process.cmdline contains "Invoke-BypassUAC" or tgt.process.cmdline contains "Invoke-Carbuncle" or tgt.process.cmdline contains "Invoke-Certify" or tgt.process.cmdline contains "Invoke-ConPtyShell" or tgt.process.cmdline contains "Invoke-CredentialInjection" or tgt.process.cmdline contains "Invoke-DAFT" or tgt.process.cmdline contains "Invoke-DCSync" or tgt.process.cmdline contains "Invoke-DinvokeKatz" or tgt.process.cmdline contains "Invoke-DllInjection" or tgt.process.cmdline contains "Invoke-DNSUpdate" or tgt.process.cmdline contains "Invoke-DomainPasswordSpray" or tgt.process.cmdline contains "Invoke-DowngradeAccount" or tgt.process.cmdline contains "Invoke-EgressCheck" or tgt.process.cmdline contains "Invoke-Eyewitness" or tgt.process.cmdline contains "Invoke-FakeLogonScreen" or tgt.process.cmdline contains "Invoke-Farmer" or tgt.process.cmdline contains "Invoke-Get-RBCD-Threaded" or tgt.process.cmdline contains "Invoke-Gopher" or tgt.process.cmdline contains "Invoke-Grouper" or tgt.process.cmdline contains "Invoke-HandleKatz" or tgt.process.cmdline contains "Invoke-ImpersonatedProcess" or tgt.process.cmdline contains "Invoke-ImpersonateSystem" or tgt.process.cmdline contains "Invoke-InteractiveSystemPowerShell" or tgt.process.cmdline contains "Invoke-Internalmonologue" or tgt.process.cmdline contains "Invoke-Inveigh" or tgt.process.cmdline contains "Invoke-InveighRelay" or tgt.process.cmdline contains "Invoke-KrbRelay" or tgt.process.cmdline contains "Invoke-LdapSignCheck" or tgt.process.cmdline contains "Invoke-Lockless" or tgt.process.cmdline contains "Invoke-MalSCCM" or tgt.process.cmdline contains "Invoke-Mimikatz" or tgt.process.cmdline contains "Invoke-Mimikittenz" or tgt.process.cmdline contains "Invoke-MITM6" or tgt.process.cmdline contains "Invoke-NanoDump" or tgt.process.cmdline 
contains "Invoke-NetRipper" or tgt.process.cmdline contains "Invoke-Nightmare" or tgt.process.cmdline contains "Invoke-NinjaCopy" or tgt.process.cmdline contains "Invoke-OfficeScrape" or tgt.process.cmdline contains "Invoke-OxidResolver" or tgt.process.cmdline contains "Invoke-P0wnedshell" or tgt.process.cmdline contains "Invoke-Paranoia" or tgt.process.cmdline contains "Invoke-PortScan" or tgt.process.cmdline contains "Invoke-PoshRatHttp" or tgt.process.cmdline contains "Invoke-PostExfil" or tgt.process.cmdline contains "Invoke-PowerDump" or tgt.process.cmdline contains "Invoke-PowerShellTCP" or tgt.process.cmdline contains "Invoke-PowerShellWMI" or tgt.process.cmdline contains "Invoke-PPLDump" or tgt.process.cmdline contains "Invoke-PsExec" or tgt.process.cmdline contains "Invoke-PSInject" or tgt.process.cmdline contains "Invoke-PsUaCme" or tgt.process.cmdline contains "Invoke-ReflectivePEInjection" or tgt.process.cmdline contains "Invoke-ReverseDNSLookup" or tgt.process.cmdline contains "Invoke-Rubeus" or tgt.process.cmdline contains "Invoke-RunAs" or tgt.process.cmdline contains "Invoke-SafetyKatz" or tgt.process.cmdline contains "Invoke-SauronEye" or tgt.process.cmdline contains "Invoke-SCShell" or tgt.process.cmdline contains "Invoke-Seatbelt" or tgt.process.cmdline contains "Invoke-ServiceAbuse" or tgt.process.cmdline contains "Invoke-ShadowSpray" or tgt.process.cmdline contains "Invoke-Sharp" or tgt.process.cmdline contains "Invoke-Shellcode" or tgt.process.cmdline contains "Invoke-SMBScanner" or tgt.process.cmdline contains "Invoke-Snaffler" or tgt.process.cmdline contains "Invoke-Spoolsample" or tgt.process.cmdline contains "Invoke-SpraySinglePassword" or tgt.process.cmdline contains "Invoke-SSHCommand" or tgt.process.cmdline contains "Invoke-StandIn" or tgt.process.cmdline contains "Invoke-StickyNotesExtract" or tgt.process.cmdline contains "Invoke-SystemCommand" or tgt.process.cmdline contains "Invoke-Tasksbackdoor" or tgt.process.cmdline contains 
"Invoke-Tater" or tgt.process.cmdline contains "Invoke-Thunderfox" or tgt.process.cmdline contains "Invoke-ThunderStruck" or tgt.process.cmdline contains "Invoke-TokenManipulation" or tgt.process.cmdline contains "Invoke-Tokenvator" or tgt.process.cmdline contains "Invoke-TotalExec" or tgt.process.cmdline contains "Invoke-UrbanBishop" or tgt.process.cmdline contains "Invoke-UserHunter" or tgt.process.cmdline contains "Invoke-VoiceTroll" or tgt.process.cmdline contains "Invoke-Whisker" or tgt.process.cmdline contains "Invoke-WinEnum" or tgt.process.cmdline contains "Invoke-winPEAS" or tgt.process.cmdline contains "Invoke-WireTap" or tgt.process.cmdline contains "Invoke-WmiCommand" or tgt.process.cmdline contains "Invoke-WMIExec" or tgt.process.cmdline contains "Invoke-WScriptBypassUAC" or tgt.process.cmdline contains "Invoke-Zerologon" or tgt.process.cmdline contains "MailRaider" or tgt.process.cmdline contains "New-ADIDNSNode" or tgt.process.cmdline contains "New-DNSRecordArray" or tgt.process.cmdline contains "New-HoneyHash" or tgt.process.cmdline contains "New-InMemoryModule" or tgt.process.cmdline contains "New-MachineAccount" or tgt.process.cmdline contains "New-SOASerialNumberArray" or tgt.process.cmdline contains "Out-Minidump" or tgt.process.cmdline contains "Port-Scan" or tgt.process.cmdline contains "PowerBreach" or tgt.process.cmdline contains "powercat " or tgt.process.cmdline contains "PowerUp" or tgt.process.cmdline contains "PowerView" or tgt.process.cmdline contains "Remove-ADIDNSNode" or tgt.process.cmdline contains "Remove-MachineAccount" or tgt.process.cmdline contains "Remove-Update" or tgt.process.cmdline contains "Rename-ADIDNSNode" or tgt.process.cmdline contains "Revoke-ADIDNSPermission" or tgt.process.cmdline contains "Set-ADIDNSNode" or tgt.process.cmdline contains "Set-MacAttribute" or tgt.process.cmdline contains "Set-MachineAccountAttribute" or tgt.process.cmdline contains "Set-Wallpaper" or tgt.process.cmdline contains 
"Show-TargetScreen" or tgt.process.cmdline contains "Start-CaptureServer" or tgt.process.cmdline contains "Start-Dnscat2" or tgt.process.cmdline contains "Start-WebcamRecorder" or tgt.process.cmdline contains "VolumeShadowCopyTools"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
index bc33967a2..8ffb17b7e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Install-TransportAgent") | columns AssemblyPath
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
index 712762eea..6eacc0c9b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "(WCHAR)0x")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
index a0ffb0e2c..6b48bf3a9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "-f C:\Users\Public" or tgt.process.cmdline contains "-f \"C:\Users\Public" or tgt.process.cmdline contains "-f %Public%" or tgt.process.cmdline contains "-fi C:\Users\Public" or tgt.process.cmdline contains "-fi \"C:\Users\Public" or tgt.process.cmdline contains "-fi %Public%" or tgt.process.cmdline contains "-fil C:\Users\Public" or tgt.process.cmdline contains "-fil \"C:\Users\Public" or tgt.process.cmdline contains "-fil %Public%" or tgt.process.cmdline contains "-file C:\Users\Public" or tgt.process.cmdline contains "-file \"C:\Users\Public" or tgt.process.cmdline contains "-file %Public%"))) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
index 5681225c1..db98e72b7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisableme"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
index 322c14b8f..846124576 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Remove-MpPreference" and (tgt.process.cmdline contains "-ControlledFolderAccessProtectedFolders " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Ids " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Actions " or tgt.process.cmdline contains "-CheckForSignaturesBeforeRunningScan ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
index 2640f0a07..714c15e2c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Get-Content" and tgt.process.cmdline contains "-Stream")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
index 07851bb1c..96f11b4b8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline matches "\\s-\\s*<"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
index 31352ef5b..82289a326 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\HarddiskVolumeShadowCopy" and tgt.process.cmdline contains "System32\config\sam") and (tgt.process.cmdline contains "Copy-Item" or tgt.process.cmdline contains "cp $_." or tgt.process.cmdline contains "cpi $_." or tgt.process.cmdline contains "copy $_." or tgt.process.cmdline contains ".File]::Copy(")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
index 98e1b42c4..d886c1840 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not tgt.process.image.path contains "\Health Service State\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
index 70e980c14..d5aebdb15 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Get-WmiObject" or tgt.process.cmdline contains "gwmi" or tgt.process.cmdline contains "Get-CimInstance" or tgt.process.cmdline contains "gcim") and tgt.process.cmdline contains "Win32_ShadowCopy" and (tgt.process.cmdline contains ".Delete()" or tgt.process.cmdline contains "Remove-WmiObject" or tgt.process.cmdline contains "rwmi" or tgt.process.cmdline contains "Remove-CimInstance" or tgt.process.cmdline contains "rcim")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
index 009371ac7..d0466a834 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IEX ((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX (New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX(New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains " -command (New-Object System.Net.WebClient).DownloadFile(" or tgt.process.cmdline contains " -c (New-Object System.Net.WebClient).DownloadFile("))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
index f9bcf084b..24d5b5ded 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -windowstyle h " or tgt.process.cmdline contains " -windowstyl h" or tgt.process.cmdline contains " -windowsty h" or tgt.process.cmdline contains " -windowst h" or tgt.process.cmdline contains " -windows h" or tgt.process.cmdline contains " -windo h" or tgt.process.cmdline contains " -wind h" or tgt.process.cmdline contains " -win h" or tgt.process.cmdline contains " -wi h" or tgt.process.cmdline contains " -win h " or tgt.process.cmdline contains " -win hi " or tgt.process.cmdline contains " -win hid " or tgt.process.cmdline contains " -win hidd " or tgt.process.cmdline contains " -win hidde " or tgt.process.cmdline contains " -NoPr " or tgt.process.cmdline contains " -NoPro " or tgt.process.cmdline contains " -NoProf " or tgt.process.cmdline contains " -NoProfi " or tgt.process.cmdline contains " -NoProfil " or tgt.process.cmdline contains " -nonin " or tgt.process.cmdline contains " -nonint " or tgt.process.cmdline contains " -noninte " or tgt.process.cmdline contains " -noninter " or tgt.process.cmdline contains " -nonintera " or tgt.process.cmdline contains " -noninterac " or tgt.process.cmdline contains " -noninteract " or tgt.process.cmdline contains " -noninteracti " or tgt.process.cmdline contains " -noninteractiv " or tgt.process.cmdline contains " -ec " or tgt.process.cmdline contains " -encodedComman " or tgt.process.cmdline contains " -encodedComma " or tgt.process.cmdline contains " -encodedComm " or tgt.process.cmdline contains " -encodedCom " or tgt.process.cmdline contains " -encodedCo " or tgt.process.cmdline contains " -encodedC " or tgt.process.cmdline contains " -encoded " or 
tgt.process.cmdline contains " -encode " or tgt.process.cmdline contains " -encod " or tgt.process.cmdline contains " -enco " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -executionpolic " or tgt.process.cmdline contains " -executionpoli " or tgt.process.cmdline contains " -executionpol " or tgt.process.cmdline contains " -executionpo " or tgt.process.cmdline contains " -executionp " or tgt.process.cmdline contains " -execution bypass" or tgt.process.cmdline contains " -executio bypass" or tgt.process.cmdline contains " -executi bypass" or tgt.process.cmdline contains " -execut bypass" or tgt.process.cmdline contains " -execu bypass" or tgt.process.cmdline contains " -exec bypass" or tgt.process.cmdline contains " -exe bypass" or tgt.process.cmdline contains " -ex bypass" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " /windowstyle h " or tgt.process.cmdline contains " /windowstyl h" or tgt.process.cmdline contains " /windowsty h" or tgt.process.cmdline contains " /windowst h" or tgt.process.cmdline contains " /windows h" or tgt.process.cmdline contains " /windo h" or tgt.process.cmdline contains " /wind h" or tgt.process.cmdline contains " /win h" or tgt.process.cmdline contains " /wi h" or tgt.process.cmdline contains " /win h " or tgt.process.cmdline contains " /win hi " or tgt.process.cmdline contains " /win hid " or tgt.process.cmdline contains " /win hidd " or tgt.process.cmdline contains " /win hidde " or tgt.process.cmdline contains " /NoPr " or tgt.process.cmdline contains " /NoPro " or tgt.process.cmdline contains " /NoProf " or tgt.process.cmdline contains " /NoProfi " or tgt.process.cmdline contains " /NoProfil " or tgt.process.cmdline contains " /nonin " or tgt.process.cmdline contains " /nonint " or tgt.process.cmdline contains " /noninte " or tgt.process.cmdline contains " /noninter " or tgt.process.cmdline contains " /nonintera " or tgt.process.cmdline contains " /noninterac " or 
tgt.process.cmdline contains " /noninteract " or tgt.process.cmdline contains " /noninteracti " or tgt.process.cmdline contains " /noninteractiv " or tgt.process.cmdline contains " /ec " or tgt.process.cmdline contains " /encodedComman " or tgt.process.cmdline contains " /encodedComma " or tgt.process.cmdline contains " /encodedComm " or tgt.process.cmdline contains " /encodedCom " or tgt.process.cmdline contains " /encodedCo " or tgt.process.cmdline contains " /encodedC " or tgt.process.cmdline contains " /encoded " or tgt.process.cmdline contains " /encode " or tgt.process.cmdline contains " /encod " or tgt.process.cmdline contains " /enco " or tgt.process.cmdline contains " /en " or tgt.process.cmdline contains " /executionpolic " or tgt.process.cmdline contains " /executionpoli " or tgt.process.cmdline contains " /executionpol " or tgt.process.cmdline contains " /executionpo " or tgt.process.cmdline contains " /executionp " or tgt.process.cmdline contains " /execution bypass" or tgt.process.cmdline contains " /executio bypass" or tgt.process.cmdline contains " /executi bypass" or tgt.process.cmdline contains " /execut bypass" or tgt.process.cmdline contains " /execu bypass" or tgt.process.cmdline contains " /exec bypass" or tgt.process.cmdline contains " /exe bypass" or tgt.process.cmdline contains " /ex bypass" or tgt.process.cmdline contains " /ep bypass")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md
index 17c078ddf..f62b73a75 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "powershell.exe" or tgt.process.cmdline contains "\powershell" or tgt.process.cmdline contains "\pwsh" or tgt.process.cmdline contains "pwsh.exe") and ((tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "\AppData\") and (tgt.process.cmdline contains "Local\" or tgt.process.cmdline contains "Roaming\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md
index 8d75246af..7e826d32f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".DownloadFile" and tgt.process.cmdline contains "System.Net.WebClient"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md
index 2ab787a4f..58417c357 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline matches "\\w+`(\\w+|-|.)`[\\w+|\\s]" or tgt.process.cmdline matches ""(\\{\\d\\})+"\\s*-f" or tgt.process.cmdline matches "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not tgt.process.cmdline contains "${env:path}")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md
index 1b94f9064..3b484b2a2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "X509Enrollment.CBinaryConverter" or tgt.process.cmdline contains "884e2002-217d-11da-b2a4-000e7bbb2b09"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md
index 78f2e5718..ed5c5d5b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath $env:TEMP*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*:\Windows\Temp\*"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md
index d6f79519a..3c4621edd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\Microsoft.NodejsTools.PressAnyKey.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md
index 846902141..e1cf88381 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\print.exe" and tgt.process.cmdline contains "print" and (tgt.process.cmdline contains "/D" and tgt.process.cmdline contains ".exe")) and (not tgt.process.cmdline contains "print.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md
index e649aa197..173f4d6aa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and (not ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md
index 1ceb19c89..cf50efe0c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md
index acf27aa30..6c1a51db5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Psr.exe" and (tgt.process.cmdline contains "/start" or tgt.process.cmdline contains "-start")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md
index 6524d7b1c..af1cfdd50 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\3proxy.exe" or tgt.process.displayName="3proxy - tiny proxy server" or tgt.process.cmdline contains ".exe -i127.0.0.1 -p"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md
index c9fe9732b..b43252310 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lockoutduration" or tgt.process.cmdline contains "lockoutthreshold" or tgt.process.cmdline contains "lockoutobservationwindow" or tgt.process.cmdline contains "maxpwdage" or tgt.process.cmdline contains "minpwdage" or tgt.process.cmdline contains "minpwdlength" or tgt.process.cmdline contains "pwdhistorylength" or tgt.process.cmdline contains "pwdproperties") or tgt.process.cmdline contains "-sc admincountdmp" or tgt.process.cmdline contains "-sc exchaddresses"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md
index a32f2bf0f..cf7f3c0dc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "domainlist" or tgt.process.cmdline contains "trustdmp" or tgt.process.cmdline contains "dcmodes" or tgt.process.cmdline contains "adinfo" or tgt.process.cmdline contains " dclist " or tgt.process.cmdline contains "computer_pwdnotreqd" or tgt.process.cmdline contains "objectcategory=" or tgt.process.cmdline contains "-subnets -f" or tgt.process.cmdline contains "name=\"Domain Admins\"" or tgt.process.cmdline contains "-sc u:" or tgt.process.cmdline contains "domainncs" or tgt.process.cmdline contains "dompol" or tgt.process.cmdline contains " oudmp " or tgt.process.cmdline contains "subnetdmp" or tgt.process.cmdline contains "gpodmp" or tgt.process.cmdline contains "fspdmp" or tgt.process.cmdline contains "users_noexpire" or tgt.process.cmdline contains "computers_active" or tgt.process.cmdline contains "computers_pwdnotreqd"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md
index b6a6ba443..15b96db8a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/EXEFilename" or tgt.process.cmdline contains "/CommandLine") and ((tgt.process.cmdline contains " /RunAs 8 " or tgt.process.cmdline contains " /RunAs 4 " or tgt.process.cmdline contains " /RunAs 10 " or tgt.process.cmdline contains " /RunAs 11 ") or (tgt.process.cmdline contains "/RunAs 8" or tgt.process.cmdline contains "/RunAs 4" or tgt.process.cmdline contains "/RunAs 10" or tgt.process.cmdline contains "/RunAs 11"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md
index c132e28e2..d8436cc63 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chisel.exe" or ((tgt.process.cmdline contains "exe client " or tgt.process.cmdline contains "exe server ") and (tgt.process.cmdline contains "-socks5" or tgt.process.cmdline contains "-reverse" or tgt.process.cmdline contains " r:" or tgt.process.cmdline contains ":127.0.0.1:" or tgt.process.cmdline contains "-tls-skip-verify " or tgt.process.cmdline contains ":socks"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md
index ddc56c0ac..7d7b4ace6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SepRemovalToolNative_x64.exe" or (tgt.process.image.path contains "\CATClean.exe" and tgt.process.cmdline contains "--uninstall") or (tgt.process.image.path contains "\NetInstaller.exe" and tgt.process.cmdline contains "-r") or (tgt.process.image.path contains "\WFPUnins.exe" and (tgt.process.cmdline contains "/uninstall" and tgt.process.cmdline contains "/enterprise"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md
index 2e59e2e43..549f8c2e4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csexec.exe" or tgt.process.displayName="csexec"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md
index df3694621..fec46aa6a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DefenderCheck.exe" or tgt.process.displayName="DefenderCheck"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md
index c9eec1bc5..d33f5da8f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ditsnap.exe" or tgt.process.cmdline contains "ditsnap.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md
index 726d785b6..aa0ce6245 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName contains "Mouse Lock" or tgt.process.publisher contains "Misc314" or tgt.process.cmdline contains "Mouse Lock_")) | columns tgt.process.displayName,tgt.process.publisher,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md
index bb73b1d7e..156793ffd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\nc.exe" or tgt.process.image.path contains "\ncat.exe" or tgt.process.image.path contains "\netcat.exe") or (tgt.process.cmdline contains " -lvp " or tgt.process.cmdline contains " -lvnp" or tgt.process.cmdline contains " -l -v -p " or tgt.process.cmdline contains " -lv -p " or tgt.process.cmdline contains " -l --proxy-type http " or tgt.process.cmdline contains " -vnl --exec " or tgt.process.cmdline contains " -vnl -e " or tgt.process.cmdline contains " --lua-exec " or tgt.process.cmdline contains " --sh-exec ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md
index 1862459ea..2c7ae6fa1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\netscan.exe" or tgt.process.displayName="Network Scanner" or tgt.process.displayName="Application for scanning networks"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md
index 5ca96b013..9b67734a0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tcp 139" or tgt.process.cmdline contains " tcp 445" or tgt.process.cmdline contains " tcp 3389" or tgt.process.cmdline contains " tcp 5985" or tgt.process.cmdline contains " tcp 5986") or (tgt.process.cmdline contains " start " and tgt.process.cmdline contains "--all" and tgt.process.cmdline contains "--config" and tgt.process.cmdline contains ".yml") or (tgt.process.image.path contains "ngrok.exe" and (tgt.process.cmdline contains " tcp " or tgt.process.cmdline contains " http " or tgt.process.cmdline contains " authtoken ")) or (tgt.process.cmdline contains ".exe authtoken " or tgt.process.cmdline contains ".exe start --all")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md
index a018a96ec..60913ec81 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " runassystem ") | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md
index a29f0acc5..86a860648 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rcedit-x64.exe" or tgt.process.image.path contains "\rcedit-x86.exe") or tgt.process.displayName="Edit resources of exe" or tgt.process.displayName="rcedit") and tgt.process.cmdline contains "--set-" and (tgt.process.cmdline contains "OriginalFileName" or tgt.process.cmdline contains "CompanyName" or tgt.process.cmdline contains "FileDescription" or tgt.process.cmdline contains "ProductName" or tgt.process.cmdline contains "ProductVersion" or tgt.process.cmdline contains "LegalCopyright")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md
index f4098f657..8b500fc07 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "--config " and tgt.process.cmdline contains "--no-check-certificate " and tgt.process.cmdline contains " copy ") or ((tgt.process.image.path contains "\rclone.exe" or tgt.process.displayName="Rsync for cloud storage") and (tgt.process.cmdline contains "pass" or tgt.process.cmdline contains "user" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "sync" or tgt.process.cmdline contains "config" or tgt.process.cmdline contains "lsd" or tgt.process.cmdline contains "remote" or tgt.process.cmdline contains "ls" or tgt.process.cmdline contains "mega" or tgt.process.cmdline contains "pcloud" or tgt.process.cmdline contains "ftp" or tgt.process.cmdline contains "ignore-existing" or tgt.process.cmdline contains "auto-confirm" or tgt.process.cmdline contains "transfers" or tgt.process.cmdline contains "multi-thread-streams" or tgt.process.cmdline contains "no-check-certificate ")))) | columns tgt.process.cmdline,src.process.cmdline,Details
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md
index 47d817a9b..918bb85d8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /account=system " or tgt.process.cmdline contains " /account=ti ") and tgt.process.cmdline contains "/exec=")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md
index 3f2a37eed..c1cf23968 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Web Browser Password Viewer" or tgt.process.image.path contains "\WebBrowserPassView.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md
index 028d457e1..94cea9162 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\python.exe" and tgt.process.cmdline contains "adidnsdump"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md
index e3835e568..eb3163630 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "python.exe" or tgt.process.image.path contains "python3.exe" or tgt.process.image.path contains "python2.exe") and ((tgt.process.cmdline contains "import pty" and tgt.process.cmdline contains ".spawn(") or tgt.process.cmdline contains "from pty import spawn")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md
index b6a8446af..8df8560d1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-m 1M" or tgt.process.cmdline contains "-m 2M" or tgt.process.cmdline contains "-m 3M") and (tgt.process.cmdline contains "restrict=off" and tgt.process.cmdline contains "-netdev " and tgt.process.cmdline contains "connect=" and tgt.process.cmdline contains "-nographic")) and (not (tgt.process.cmdline contains " -cdrom " or tgt.process.cmdline contains " type=virt " or tgt.process.cmdline contains " -blockdev "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md
index 322111bc6..978399a15 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains ":\Windows\System32\query.exe" and (tgt.process.cmdline contains "session >" or tgt.process.cmdline contains "process >")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md
index 4fe0ef018..186b2c9fc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rar.exe" and tgt.process.cmdline contains " a "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md
index b50d7fbd3..e15e1e197 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -hp" and (tgt.process.cmdline contains " -m" or tgt.process.cmdline contains " a ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md
index b44ef3713..0412af432 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.displayName="Command line RAR") or (tgt.process.cmdline contains ".exe a " or tgt.process.cmdline contains " a -m")) and ((tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " -r ") and (tgt.process.cmdline="* *:\\*.*" or tgt.process.cmdline="* *:\\\*.*" or tgt.process.cmdline="* *:\$Recycle.bin\*" or tgt.process.cmdline="* *:\PerfLogs\*" or tgt.process.cmdline="* *:\Temp*" or tgt.process.cmdline="* *:\Users\Public\*" or tgt.process.cmdline="* *:\Windows\*" or tgt.process.cmdline contains " %public%"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
index fb0e484ff..7844b4264 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "rasdial.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
index 053766e40..4b0846f1f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains " ADD " and tgt.process.cmdline contains "Software\Microsoft\Windows\CurrentVersion\Run"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
index 907d13b33..f6baf1715 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "REG" and tgt.process.cmdline contains "ADD" and tgt.process.cmdline contains "\SOFTWARE\Policies\Microsoft\FVE" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/f") and (tgt.process.cmdline contains "EnableBDEWithNoTPM" or tgt.process.cmdline contains "UseAdvancedStartup" or tgt.process.cmdline contains "UseTPM" or tgt.process.cmdline contains "UseTPMKey" or tgt.process.cmdline contains "UseTPMKeyPIN" or tgt.process.cmdline contains "RecoveryKeyMessageSource" or tgt.process.cmdline contains "UseTPMPIN" or tgt.process.cmdline contains "RecoveryKeyMessage")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
index 04d5c1d66..be0945ba7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "scecli\0" and tgt.process.cmdline contains "reg add"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
index 74b09ef68..92e479616 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" or tgt.process.cmdline contains "SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths") and (tgt.process.cmdline contains "ADD " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_DWORD " and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "0")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
index faaf05262..e75ee8f8a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and tgt.process.cmdline contains "add") and (tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Windows" or tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" or tgt.process.cmdline contains "\system\CurrentControlSet\Control\SafeBoot\AlternateShell"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
index bb2ba468d..78c4ad92c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add") and ((tgt.process.cmdline contains "d 4" and tgt.process.cmdline contains "v Start") and (tgt.process.cmdline contains "\AppIDSvc" or tgt.process.cmdline contains "\MsMpSvc" or tgt.process.cmdline contains "\NisSrv" or tgt.process.cmdline contains "\SecurityHealthService" or tgt.process.cmdline contains "\Sense" or tgt.process.cmdline contains "\UsoSvc" or tgt.process.cmdline contains "\WdBoot" or tgt.process.cmdline contains "\WdFilter" or tgt.process.cmdline contains "\WdNisDrv" or tgt.process.cmdline contains "\WdNisSvc" or tgt.process.cmdline contains "\WinDefend" or tgt.process.cmdline contains "\wscsvc" or tgt.process.cmdline contains "\wuauserv"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
index 06a12d7b1..82d97b4fd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains " query " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_SZ" and tgt.process.cmdline contains "/s")) and ((tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKLM") or (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKCU") or tgt.process.cmdline contains "HKCU\Software\SimonTatham\PuTTY\Sessions")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
index c30861ae0..c764ac654 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa\" and tgt.process.cmdline contains "DisableRestrictedAdmin"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
index e39d99993..c61b74a1f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Cryptography" and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "MachineGuid")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
index 66c499763..25e106768 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "NoLMHash" and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
index 18206fbda..6ce5bf107 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/ve " and tgt.process.cmdline contains "/d") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "DelegateExecute") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
index 0572f8f05..643bb214f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "HKEY_CURRENT_USER\Control Panel\Desktop" or tgt.process.cmdline contains "HKCU\Control Panel\Desktop")) and ((tgt.process.cmdline contains "/v ScreenSaveActive" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 1" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaveTimeout" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaverIsSecure" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 0" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v SCRNSAVE.EXE" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains ".scr" and tgt.process.cmdline contains "/f"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
index 56d636453..b5641298e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "add " and tgt.process.cmdline contains "SYSTEM\CurrentControlSet\Services\" and tgt.process.cmdline contains " ImagePath ")) and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " –d " or tgt.process.cmdline contains " —d " or tgt.process.cmdline contains " ―d ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
index fa4c7c4a8..645420472 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "query" and tgt.process.cmdline contains "\software\" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "svcversion")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
index 6835f9f8a..401750640 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Services\VSS\Diag" and tgt.process.cmdline contains "/d Disabled"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
index 707ee1117..0d24a5b93 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control" and tgt.process.cmdline contains "Write Protection" and tgt.process.cmdline contains "0" and tgt.process.cmdline contains "storage"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
index 773ba50b4..fab370430 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\regedit.exe" and (src.process.image.path contains "\TrustedInstaller.exe" or src.process.image.path contains "\ProcessHacker.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
index bc4c4672b..2858caa8b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\register-cimprovider.exe" and (tgt.process.cmdline contains "-path" and tgt.process.cmdline contains "dll"))) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
index 58b3a964a..a140fd1b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\Sessions" or tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\SshHostKeys\" or tgt.process.cmdline contains "\Software\Mobatek\MobaXterm\" or tgt.process.cmdline contains "\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin" or tgt.process.cmdline contains "\Software\Aerofox\FoxmailPreview" or tgt.process.cmdline contains "\Software\Aerofox\Foxmail\V3.1" or tgt.process.cmdline contains "\Software\IncrediMail\Identities" or tgt.process.cmdline contains "\Software\Qualcomm\Eudora\CommandLine" or tgt.process.cmdline contains "\Software\RimArts\B2\Settings" or tgt.process.cmdline contains "\Software\OpenVPN-GUI\configs" or tgt.process.cmdline contains "\Software\Martin Prikryl\WinSCP 2\Sessions" or tgt.process.cmdline contains "\Software\FTPWare\COREFTP\Sites" or tgt.process.cmdline contains "\Software\DownloadManager\Passwords" or tgt.process.cmdline contains "\Software\OpenSSH\Agent\Keys" or tgt.process.cmdline contains "\Software\TightVNC\Server" or tgt.process.cmdline contains "\Software\ORL\WinVNC3\Password" or tgt.process.cmdline contains "\Software\RealVNC\WinVNC4"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
index 48d5c93f1..d10d73407 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" and tgt.process.cmdline contains "http" and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
index 637aa7ddf..79ac065ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\CurrentVersion\Image File Execution Options\" and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "magnify.exe" or tgt.process.cmdline contains "narrator.exe" or tgt.process.cmdline contains "displayswitch.exe" or tgt.process.cmdline contains "atbroker.exe" or tgt.process.cmdline contains "HelpPane.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
index 93ab0799f..d16841853 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "UserInitMprLogonScript")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
index c41bf7439..a6db0c850 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Services\" and tgt.process.cmdline contains "\NetworkProvider"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
index 3a6a3f320..5ad9b2b30 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Office\" and tgt.process.cmdline contains "\Excel\Security" and tgt.process.cmdline contains "PythonFunctionWarnings") and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
index cf6efee56..8a3f40271 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.integrityLevel="Medium" and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "services") and (tgt.process.cmdline contains "\ImagePath" or tgt.process.cmdline contains "\FailureCommand" or tgt.process.cmdline contains "\ServiceDll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
index e42fcec2c..9141b2116 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SOFTWARE\Microsoft\Provisioning\Commands\")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
index fd6d038fa..8ab8edd3f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\ShellIds\Microsoft.PowerShell\ExecutionPolicy" or tgt.process.cmdline contains "\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy") and (tgt.process.cmdline contains "Bypass" or tgt.process.cmdline contains "RemoteSigned" or tgt.process.cmdline contains "Unrestricted")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
index c15e78ae4..3daaba28a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/d 0")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
index 603eff2a1..bdfeafd33 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
index 4b33b8a72..28e9e1688 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\regsvr32.exe" and (tgt.process.cmdline contains " -i:" or tgt.process.cmdline contains " /i:" or tgt.process.cmdline contains " –i:" or tgt.process.cmdline contains " —i:" or tgt.process.cmdline contains " ―i:")) and (not tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
index 24b2a075a..3fae71afd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
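Review bot: The exclusion in the regsvr32_flags_anomaly query on the new side of this hunk is mis-parenthesised: in `(not tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or …)` the `not` binds only to the first `contains`, so the clause is true whenever ` /n `, ` –n `, ` —n ` or ` ―n ` appears — the opposite of the intended suppression — and it only suppresses ` -n ` when none of the other spellings is present. The neighbouring rules in this set (for example regsvr32_susp_child_process in the next hunk) wrap the negated disjunction as `(not (… or …))`, and this one should too: `(not (tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n "))`. Since the header marks the file as automatically translated, the fix belongs in the translator's handling of a negated list rather than in this file alone, otherwise the next run will regenerate the same precedence error.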
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\regsvr32.exe" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\werfault.exe" and tgt.process.cmdline contains " -u -p "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md
index ad60708db..6aa163cd9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell_ise.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\wscript.exe") and tgt.process.image.path contains "\regsvr32.exe") and (not (src.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains " /s C:\Windows\System32\RpcProxy\RpcProxy.dll"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md
index 84b363b4a..7218c8ccf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md
index 9bd9205a6..3a2bc369d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "echo " and tgt.process.cmdline contains ".exe --set-password"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md
index 5c441332e..da287f720 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--install" and tgt.process.cmdline contains "--start-with-win" and tgt.process.cmdline contains "--silent")) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md
index 529ff0cbd..20d22e1f8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH") and (not (tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "Program Files (x86)\AnyDesk" or tgt.process.image.path contains "Program Files\AnyDesk"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md
index 5e3ab63d6..507ae6d0c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="GoTo Opener" or tgt.process.displayName="GoTo Opener" or tgt.process.publisher="LogMeIn, Inc."))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md
index c26f0b7b5..be3d27c65 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="LMIGuardianSvc" or tgt.process.displayName="LMIGuardianSvc" or tgt.process.publisher="LogMeIn, Inc."))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md
index 8984d5672..6298bc95b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\meshagent.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md
index cb3aef275..80d282ecd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe") or tgt.process.displayName="Remote Utilities") and (not (tgt.process.image.path contains "C:\Program Files\Remote Utilities" or tgt.process.image.path contains "C:\Program Files (x86)\Remote Utilities"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md
index b4098c34c..c17533b8a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="ScreenConnect Service" or tgt.process.displayName="ScreenConnect" or tgt.process.publisher="ScreenConnect Software"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md
index b96a857d7..c3442cba1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "e=Access&" and tgt.process.cmdline contains "y=Guest&" and tgt.process.cmdline contains "&p=" and tgt.process.cmdline contains "&c=" and tgt.process.cmdline contains "&k="))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md
index 166c9080a..cd45b1261 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains ":\Windows\TEMP\ScreenConnect\" and src.process.cmdline contains "run.cmd") and (tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wevtutil.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md
index 9f7466940..5c876f298 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\ScreenConnect.Service.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md
index 4013ba36f..52d5bbae9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\JWrapper-Remote Access\" or tgt.process.image.path contains "\JWrapper-Remote Support\") and tgt.process.image.path contains "\SimpleService.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md
index 182534e77..53cb5460f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="TeamViewer_Desktop.exe" and src.process.image.path="TeamViewer_Service.exe" and tgt.process.cmdline contains "TeamViewer_Desktop.exe --IPCport 5939 --Module 1"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md
index 26bfc90e4..c236cbf6a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "time") or (tgt.process.image.path contains "\w32tm.exe" and tgt.process.cmdline contains "tz")))
 ```
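Review bot: The teamviewer_incoming_connection query compares `tgt.process.image.path="TeamViewer_Desktop.exe"` and `src.process.image.path="TeamViewer_Service.exe"` with exact equality against a bare file name, while every other rule in this batch treats `image.path` as a full path and matches it with `contains "\name.exe"`. If the field does hold the full path, as those sibling rules assume, these two equalities never match and the rule is silently dead. The consistent form is `tgt.process.image.path contains "\TeamViewer_Desktop.exe" and src.process.image.path contains "\TeamViewer_Service.exe"`; the upstream Sigma rule presumably uses `endswith` or `Image|endswith`, so the translator's mapping of that modifier for this field is the place to look.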
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md
index 8a9732233..3c52ee243 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName in ("Java Update Scheduler","Java(TM) Update Scheduler")) and (not tgt.process.image.path contains "\jusched.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md
index 76be955aa..91b5717b9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "DllRegisterServer" and (not tgt.process.image.path contains "\rundll32.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md
index c5815de53..323797095 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Remote Utilities" and (not (tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md
index 5a391053d..591bed15f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rpcping.exe" and (tgt.process.cmdline contains "-s" or tgt.process.cmdline contains "/s" or tgt.process.cmdline contains "–s" or tgt.process.cmdline contains "—s" or tgt.process.cmdline contains "―s") and (((tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u") and (tgt.process.cmdline contains "NTLM")) or ((tgt.process.cmdline contains "-t" or tgt.process.cmdline contains "/t" or tgt.process.cmdline contains "–t" or tgt.process.cmdline contains "—t" or tgt.process.cmdline contains "―t") and (tgt.process.cmdline contains "ncacn_np")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md
index 4f75014c1..8538b24e2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains "Execute" and tgt.process.cmdline contains "RegRead" and tgt.process.cmdline contains "window.close"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md
index 05c58b575..bcf5b979e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\..\" and tgt.process.cmdline contains "mshtml") and (tgt.process.cmdline contains "#135" or tgt.process.cmdline contains "RunHTMLApplication")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md
index aec7bd406..cc655726c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\rundll32.exe" or tgt.process.cmdline contains "\rundll32.exe\"" or tgt.process.cmdline contains "\rundll32") and (not (src.process.image.path contains "\AppData\Local\" or src.process.image.path contains "\Microsoft\Edge\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md
index 2abecebdc..dee4acaf5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\RECYCLER\" or tgt.process.image.path contains ":\SystemVolumeInformation\") or (tgt.process.image.path contains "C:\Windows\Tasks\" or tgt.process.image.path contains "C:\Windows\debug\" or tgt.process.image.path contains "C:\Windows\fonts\" or tgt.process.image.path contains "C:\Windows\help\" or tgt.process.image.path contains "C:\Windows\drivers\" or tgt.process.image.path contains "C:\Windows\addins\" or tgt.process.image.path contains "C:\Windows\cursors\" or tgt.process.image.path contains "C:\Windows\system32\tasks\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md
index 99e5367c7..73f33c0ea 100644
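Review bot: The rundll32_no_params query selects on `tgt.process.cmdline contains "\rundll32.exe"`, `contains "\rundll32.exe\""` and `contains "\rundll32"`, which together match every rundll32 command line whatever arguments follow, so the "no parameters" condition the rule name promises is not expressed and the two parent-path exclusions are the only thing keeping it from firing on all rundll32 activity. The three alternatives read like a suffix match that was flattened to `contains` by the translator; an anchored regex with the `matches` operator already used elsewhere in this batch, for example `tgt.process.cmdline matches "\\\\rundll32(\\.exe)?\"?$"`, or the engine's suffix operator if it has one, restores the intent (escaping to be confirmed against the engine). The sibling without_parameters rule later in this diff uses the strict `tgt.process.cmdline in ("rundll32.exe","rundll32")`, which shows the precision this one is missing.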
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\runonce.exe" and src.process.image.path contains "\rundll32.exe" and (src.process.cmdline contains "setupapi.dll" and src.process.cmdline contains "InstallHinfSection"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md
index 6e4b68d59..7becc324e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\rundll32.exe" and tgt.process.image.path contains "\explorer.exe") and (not src.process.cmdline contains "\shell32.dll,Control_RunDLL")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md
index 5e315cc8a..8b22b9164 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "javascript:" and tgt.process.cmdline contains ".RegisterXLL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURLA") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "FileProtocolHandler") or (tgt.process.cmdline contains "zipfldr.dll" and tgt.process.cmdline contains "RouteTheCall") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "Control_RunDLL") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "ShellExec_RunDLL") or (tgt.process.cmdline contains "mshtml.dll" and tgt.process.cmdline contains "PrintHTML") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieframe.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "shdocvw.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "syssetup.dll" and tgt.process.cmdline contains "SetupInfObjectInstallAction") or (tgt.process.cmdline contains "setupapi.dll" and tgt.process.cmdline contains "InstallHinfSection") or (tgt.process.cmdline contains "pcwutl.dll" and tgt.process.cmdline contains "LaunchApplication") or (tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbApplication") or 
(tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbShortcut") or (tgt.process.cmdline contains "scrobj.dll" and tgt.process.cmdline contains "GenerateTypeLib" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "shimgvw.dll" and tgt.process.cmdline contains "ImageView_Fullscreen" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "comsvcs.dll" and tgt.process.cmdline contains "MiniDump")) and (not (tgt.process.cmdline contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (src.process.image.path="C:\Windows\System32\control.exe" and src.process.cmdline contains ".cpl" and (tgt.process.cmdline contains "Shell32.dll" and tgt.process.cmdline contains "Control_RunDLL" and tgt.process.cmdline contains ".cpl")) or (src.process.image.path="C:\Windows\System32\control.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\Windows\System32\" and tgt.process.cmdline contains ".cpl\",")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md
index 0474a97c1..d598b4688 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ShellExec_RunDLL" and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "odbcconf" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "iex" or tgt.process.cmdline contains "comspec")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
index caa1a90e1..150a07a80 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "apphelp.dll") and (tgt.process.cmdline contains "ShimFlushCache" or tgt.process.cmdline contains "#250")) or ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "kernel32.dll") and (tgt.process.cmdline contains "BaseFlushAppcompatCache" or tgt.process.cmdline contains "#46")))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
index 590aebff7..eef81cba5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and (tgt.process.cmdline contains ".sys," or tgt.process.cmdline contains ".sys ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
index ac3817688..af7136093 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\svchost.exe" and src.process.cmdline contains "-s WebClient" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "C:\windows\system32\davclnt.dll,DavSetCookie" and tgt.process.cmdline matches "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") and (not (tgt.process.cmdline contains "://10." or tgt.process.cmdline contains "://192.168." or tgt.process.cmdline contains "://172.16." or tgt.process.cmdline contains "://172.17." or tgt.process.cmdline contains "://172.18." or tgt.process.cmdline contains "://172.19." or tgt.process.cmdline contains "://172.20." or tgt.process.cmdline contains "://172.21." or tgt.process.cmdline contains "://172.22." or tgt.process.cmdline contains "://172.23." or tgt.process.cmdline contains "://172.24." or tgt.process.cmdline contains "://172.25." or tgt.process.cmdline contains "://172.26." or tgt.process.cmdline contains "://172.27." or tgt.process.cmdline contains "://172.28." or tgt.process.cmdline contains "://172.29." or tgt.process.cmdline contains "://172.30." or tgt.process.cmdline contains "://172.31." or tgt.process.cmdline contains "://127." or tgt.process.cmdline contains "://169.254.")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md index ab3f56d64..e55b83a4c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline in ("rundll32.exe","rundll32"))) | columns ComputerName,SubjectUserName,tgt.process.cmdline,tgt.process.image.path,src.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md index 3665ac351..dde0d699d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\runonce.exe" or tgt.process.displayName="Run Once Wrapper") and (tgt.process.cmdline contains "/AlternateShellStartup" or tgt.process.cmdline contains "/r"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md index 1241c8a0a..0a4dcbc25 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sc.exe" and tgt.process.integrityLevel="Medium") and ((tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") or (tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md index 4a0e64ed9..7954e26a0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md index ca642a16c..2b2475f39 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" or tgt.process.cmdline contains "config") and (tgt.process.cmdline contains "binPath" and tgt.process.cmdline contains "type" and tgt.process.cmdline contains "kernel"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md index dbf5e615c..5eeb5c90d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md index f5e772c4d..1dd1157ae 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "config " and tgt.process.cmdline contains "binpath=") or (tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command=")) or (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "FailureCommand") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "ImagePath")) and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin$" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh$" or tgt.process.cmdline contains ".reg$" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md index 1d258bd4d..1b7b146fb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "/RU" and tgt.process.cmdline contains "/TR" and tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\") and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "TeamViewer_.exe") and tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/TN TVInstallRestore")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md index b6d1d8d19..75196ee69 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /Change " and tgt.process.cmdline contains " /TN ")) and (tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\WINDOWS\Temp\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Perflogs\" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%") and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "bash.exe" or tgt.process.cmdline contains "bash " or tgt.process.cmdline contains "scrcons" or tgt.process.cmdline contains "wmic " or tgt.process.cmdline contains "wmic.exe" or tgt.process.cmdline contains "forfiles" or tgt.process.cmdline contains "scriptrunner" or tgt.process.cmdline contains "hh.exe" or tgt.process.cmdline contains "hh "))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md index 42d2d5c7f..894e51be4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (not (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md index 38e67e076..3bf2e4307 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /create " and tgt.process.cmdline contains " /sc once " and tgt.process.cmdline contains "\Temp\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md index 7c38753f8..70ca9ffac 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "/tn") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md index ce99e1931..cea9b4d6d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /delete " and tgt.process.cmdline contains "/tn \*" and tgt.process.cmdline contains " /f"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md index 90da71bb2..5d4bc2c9f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Change" and tgt.process.cmdline contains "/TN" and tgt.process.cmdline contains "/disable") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md index 33583aeb8..e2b1c6a0d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\Users\Public" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%")) or (src.process.cmdline contains "\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\Users\Public" or tgt.process.cmdline contains "%Public%"))) and (not (((tgt.process.cmdline contains "update_task.xml" or tgt.process.cmdline contains "/Create /TN TVInstallRestore /TR") or src.process.cmdline contains "unattended.ini") or (tgt.process.cmdline contains "/Create /Xml \"C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\.CR." and tgt.process.cmdline contains "Avira_Security_Installation.xml") or ((tgt.process.cmdline contains "/Create /F /TN" and tgt.process.cmdline contains "/Xml " and tgt.process.cmdline contains "\AppData\Local\Temp\is-" and tgt.process.cmdline contains "Avira_") and (tgt.process.cmdline contains ".tmp\UpdateFallbackTask.xml" or tgt.process.cmdline contains ".tmp\WatchdogServiceControlManagerTimeout.xml" or tgt.process.cmdline contains ".tmp\SystrayAutostart.xml" or tgt.process.cmdline contains ".tmp\MaintenanceTask.xml")) or (tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "/Create /TN \"klcp_update\" /XML " and tgt.process.cmdline contains "\klcp_update_task.xml"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md index 9eeed69e6..71a66f18f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (tgt.process.cmdline contains "/TN \"{" or tgt.process.cmdline contains "/TN '{" or tgt.process.cmdline contains "/TN {") and (tgt.process.cmdline contains "}\"" or tgt.process.cmdline contains "}'" or tgt.process.cmdline contains "} "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md index 5f2972c92..73179670c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\WINDOWS\System32\svchost.exe" and (src.process.cmdline contains "-k netsvcs" and src.process.cmdline contains "-s Schedule") and (tgt.process.cmdline contains " -windowstyle hidden" or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " -noni"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md index f42a0bcae..6921a5a09 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (((tgt.process.cmdline contains "/sc minute " or tgt.process.cmdline contains "/ru system ") and (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r ")) or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -w hidden " or tgt.process.cmdline contains " bypass " or tgt.process.cmdline contains " IEX" or tgt.process.cmdline contains ".DownloadData" or tgt.process.cmdline contains ".DownloadFile" or tgt.process.cmdline contains ".DownloadString" or tgt.process.cmdline contains "/c start /min " or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "mshta http" or tgt.process.cmdline contains "mshta.exe http") or ((tgt.process.cmdline contains ":\ProgramData\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%") and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "curl" or tgt.process.cmdline contains "wscript"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md index 8323caae5..e8fc0ffe0 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /change " or tgt.process.cmdline contains " /create ")) and tgt.process.cmdline contains "/ru " and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/TN TVInstallRestore" and tgt.process.cmdline contains "\TeamViewer_.exe")) or (tgt.process.cmdline contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or tgt.process.cmdline contains ":\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe" or tgt.process.cmdline contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md index bb71b60ee..1ad3c9e04 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\scrcons.exe" and (tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\msbuild.exe"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md index 5a350f1da..80bc966a0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\sdclt.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md index 80a5c9374..ac6f05725 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sdiagnhost.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\taskkill.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\calc.exe")) and (not ((tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "bits") or (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "-noprofile -" or tgt.process.cmdline contains "-noprofile")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md index 62e737866..0829b9c5d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Serv-U.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md index 45a9dcab2..4e722edce 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\setres.exe" and tgt.process.image.path contains "\choice") and (not (tgt.process.image.path contains "C:\Windows\System32\choice.exe" or tgt.process.image.path contains "C:\Windows\SysWOW64\choice.exe")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md index 13554e42e..5991d180d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and (tgt.process.cmdline contains "/r " or tgt.process.cmdline contains "/s "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md index abc5dc402..26bc09907 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and tgt.process.cmdline contains "/l")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md index 6e92a50ad..44c296d12 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\sigverif.exe" and (not (tgt.process.image.path in ("C:\Windows\System32\WerFault.exe","C:\Windows\SysWOW64\WerFault.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
index 908f8c189..3d6f64ead 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\SndVol.exe" and (not (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains " shell32.dll,Control_RunDLL "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
index ff4d2347d..ab1229db4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SoundRecorder.exe" and tgt.process.cmdline contains "/FILE"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
index 52fcf5207..445a8fe41 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\splwow64.exe" and tgt.process.cmdline contains "splwow64.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
index 9e765579a..ff334e163 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "VeeamBackup" and tgt.process.cmdline contains "From ")) and (tgt.process.cmdline contains "BackupRepositories" or tgt.process.cmdline contains "Backups" or tgt.process.cmdline contains "Credentials" or tgt.process.cmdline contains "HostCreds" or tgt.process.cmdline contains "SmbFileShares" or tgt.process.cmdline contains "Ssh_creds" or tgt.process.cmdline contains "VSphereInfo")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
index c8ea6e81d..a84fbbee5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "SELECT" and tgt.process.cmdline contains "TOP" and tgt.process.cmdline contains "[VeeamBackup].[dbo].[Credentials]")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
index 9f4a0b105..49863a15e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "\User Data\" or tgt.process.cmdline contains "\Opera Software\" or tgt.process.cmdline contains "\ChromiumViewer\") and (tgt.process.cmdline contains "Login Data" or tgt.process.cmdline contains "Cookies" or tgt.process.cmdline contains "Web Data" or tgt.process.cmdline contains "History" or tgt.process.cmdline contains "Bookmarks")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
index 8bd6d665b..7236ec22e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "cookies.sqlite" or tgt.process.cmdline contains "places.sqlite")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
index 48215de72..07a5f95a6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains " --download " or tgt.process.cmdline contains " --update " or tgt.process.cmdline contains " --updateRollback=") and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
index e4c8a563b..b48149627 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--processStartAndWait" or tgt.process.cmdline contains "--createShortcut")) and (not ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Discord\Update.exe" and tgt.process.cmdline contains " --processStart" and tgt.process.cmdline contains "Discord.exe") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\GitHubDesktop\Update.exe" and tgt.process.cmdline contains "GitHubDesktop.exe") and (tgt.process.cmdline contains "--createShortcut" or tgt.process.cmdline contains "--processStartAndWait")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Microsoft\Teams\Update.exe" and tgt.process.cmdline contains "Teams.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\yammerdesktop\Update.exe" and tgt.process.cmdline contains "Yammer.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
index d7cb27cfb..450508973 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " /R " or tgt.process.cmdline contains " –R " or tgt.process.cmdline contains " —R " or tgt.process.cmdline contains " ―R ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
index 698dc3b34..4ea18b2a3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\System32\OpenSSH\sshd.exe" or (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains "ProxyCommand=" or (tgt.process.cmdline contains "PermitLocalCommand" and tgt.process.cmdline contains "LocalCommand")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
index 5d4ad0b5f..d3672b105 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and tgt.process.cmdline contains ":3389"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
index 10479dd8d..a7c28e407 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\amazon-ssm-agent.exe" and (tgt.process.cmdline contains "-register " and tgt.process.cmdline contains "-code " and tgt.process.cmdline contains "-id " and tgt.process.cmdline contains "-region ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
index a71976031..3143b613b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\stordiag.exe" and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\fltmc.exe")) and (not (src.process.image.path contains "c:\windows\system32\" or src.process.image.path contains "c:\windows\syswow64\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
index 27716770f..2cb8f558a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ntvdm.exe" or tgt.process.image.path contains "\csrstub.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
index bfe93dc0f..9894b44c6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains " administrators " or tgt.process.cmdline contains " administrateur")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
index a3ce3eac5..52d7e457f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Group Policy Creator Owners" or tgt.process.cmdline contains "Schema Admins")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
index bf2de8790..2938f0573 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
index 4e084dda1..10da8fbc3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "txt:" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > ") or (tgt.process.cmdline contains "makecab " and tgt.process.cmdline contains ".cab") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains " export ") or (tgt.process.cmdline contains "regedit " and tgt.process.cmdline contains " /E ") or (tgt.process.cmdline contains "esentutl " and tgt.process.cmdline contains " /y " and tgt.process.cmdline contains " /d " and tgt.process.cmdline contains " /o "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
index 8178326a0..d9ca51361 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\Windows\Installer\" and tgt.process.image.path contains "msi") and tgt.process.image.path contains "tmp") or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.integrityLevel="System")) and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and (not (src.process.image.path="C:\Windows\System32\services.exe" or (tgt.process.cmdline contains "\system32\msiexec.exe /V" or src.process.cmdline contains "\system32\msiexec.exe /V") or src.process.image.path contains "C:\ProgramData\Sophos\" or src.process.image.path contains "C:\ProgramData\Avira\" or (src.process.image.path contains "C:\Program Files\Avast Software\" or src.process.image.path contains "C:\Program Files (x86)\Avast Software\") or (src.process.image.path contains "C:\Program Files\Google\Update\" or src.process.image.path contains "C:\Program Files (x86)\Google\Update\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
index e33c3e214..cce1e0e65 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "C:\Program Files\WindowsApps\" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Base64")) and (not (src.process.image.path contains ":\Program Files\WindowsApps\Microsoft.WindowsTerminal" and src.process.image.path contains "\WindowsTerminal.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\pwsh.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
index de5641b94..b8c81596e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".SettingContent-ms" and (not tgt.process.cmdline contains "immersivecontrolpanel"))) | columns ParentProcess,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
index c90fceb15..af4267f7d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\Winrar.exe" or src.process.image.path contains "\7zFM.exe" or src.process.image.path contains "\peazip.exe") and (tgt.process.image.path contains "\isoburn.exe" or tgt.process.image.path contains "\PowerISO.exe" or tgt.process.image.path contains "\ImgBurn.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
index fa5708686..d880579c5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
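Review bot: The `| columns ParentProcess,tgt.process.cmdline,src.process.cmdline` projection at the end of the settingcontent query names a field that does not follow the `src.process.*`/`tgt.process.*` schema every other term in these hunks uses; it looks like an untranslated source field name that survived the automatic conversion, so the column is likely to be empty or rejected when the query runs. Since the file is generated, the fix belongs in the translator's field mapping rather than in this .md; the expected output is presumably `| columns src.process.image.path,tgt.process.cmdline,src.process.cmdline`, but confirm against the original rule. The timestamp-only change in the commit does not touch this.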
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\WerFault.exe" and tgt.process.cmdline contains "WerFault.exe") or (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or (tgt.process.image.path contains "\regsvcs.exe" and tgt.process.cmdline contains "regsvcs.exe") or (tgt.process.image.path contains "\regasm.exe" and tgt.process.cmdline contains "regasm.exe") or (tgt.process.image.path contains "\regsvr32.exe" and tgt.process.cmdline contains "regsvr32.exe")) and (not ((src.process.image.path contains "\AppData\Local\Microsoft\EdgeUpdate\Install\{" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or ((src.process.image.path contains "\AppData\Local\BraveSoftware\Brave-Browser\Application\" or src.process.image.path contains "\AppData\Local\Google\Chrome\Application\") and src.process.image.path contains "\Installer\setup.exe" and src.process.cmdline contains "--uninstall " and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
index 8177e7eaf..84a1647da 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "Acrobat Reader" or src.process.image.path contains "Microsoft Office" or src.process.image.path contains "PDF Reader") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\firefox.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\maxthon.exe" or tgt.process.image.path contains "\seamonkey.exe" or tgt.process.image.path contains "\vivaldi.exe" or tgt.process.image.path contains "") and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
index 2cde86c84..c7fe4b1a8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "h^t^t^p" or tgt.process.cmdline contains "h\"t\"t\"p"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
index 736a05d46..00f0c2749 100644
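Review bot: The browser list in the document-reader query ends with `or tgt.process.image.path contains ""`, and an empty-string `contains` is presumably true for every path, which collapses the whole OR group to always-true; the rule then fires on any child of Acrobat Reader, Microsoft Office or PDF Reader whose command line contains "http", not just browsers, so its false-positive rate will be far higher than the file name suggests. The term is most likely a translator artifact from an empty or wildcard-only value in the source rule; because this file is generated, fix it upstream (or in the converter's handling of empty values) rather than by hand-editing the .md. The intended new-side line simply drops that term, ending the group with `... or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http"))`. The commit's timestamp-only change does not address this.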
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Windows\" and (tgt.process.cmdline contains "\..\Windows\" or tgt.process.cmdline contains "\..\System32\" or tgt.process.cmdline contains "\..\..\")) or tgt.process.cmdline contains ".exe\..\") and (not (tgt.process.cmdline contains "\Google\Drive\googledrivesync.exe\..\" or tgt.process.cmdline contains "\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
index 5e46ad212..3521e078f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --cpu-priority=" or tgt.process.cmdline contains "--donate-level=0" or tgt.process.cmdline contains " -o pool." or tgt.process.cmdline contains " --nicehash" or tgt.process.cmdline contains " --algo=rx/0 " or tgt.process.cmdline contains "stratum+tcp://" or tgt.process.cmdline contains "stratum+udp://" or tgt.process.cmdline contains "LS1kb25hdGUtbGV2ZWw9" or tgt.process.cmdline contains "0tZG9uYXRlLWxldmVsP" or tgt.process.cmdline contains "tLWRvbmF0ZS1sZXZlbD" or tgt.process.cmdline contains "c3RyYXR1bSt0Y3A6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdGNwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3RjcDovL" or tgt.process.cmdline contains "c3RyYXR1bSt1ZHA6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdWRwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3VkcDovL") and (not (tgt.process.cmdline contains " pool.c " or tgt.process.cmdline contains " pool.o " or tgt.process.cmdline contains "gcc -"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
index f3fe0ee54..d897945d2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl ") and (tgt.process.cmdline contains " -ur" and tgt.process.cmdline contains " -me" and tgt.process.cmdline contains " -b" and tgt.process.cmdline contains " POST ")) or ((tgt.process.image.path contains "\curl.exe" and tgt.process.cmdline contains "--ur") and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " --data ")) or (tgt.process.image.path contains "\wget.exe" and (tgt.process.cmdline contains "--post-data" or tgt.process.cmdline contains "--post-file"))) and ((tgt.process.cmdline contains "Get-Content" or tgt.process.cmdline contains "GetBytes" or tgt.process.cmdline contains "hostname" or tgt.process.cmdline contains "ifconfig" or tgt.process.cmdline contains "ipconfig" or tgt.process.cmdline contains "net view" or tgt.process.cmdline contains "netstat" or tgt.process.cmdline contains "nltest" or tgt.process.cmdline contains "qprocess" or tgt.process.cmdline contains "sc query" or tgt.process.cmdline contains "systeminfo" or tgt.process.cmdline contains "tasklist" or tgt.process.cmdline contains "ToBase64String" or tgt.process.cmdline contains "whoami") or (tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > " and tgt.process.cmdline contains " C:\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
index db80f555e..d14e1c5cc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "taskkill " and tgt.process.cmdline contains "RaccineSettings.exe") or (tgt.process.cmdline contains "reg.exe" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "Raccine Tray") or (tgt.process.cmdline contains "schtasks" and tgt.process.cmdline contains "/DELETE" and tgt.process.cmdline contains "Raccine Rules Updater")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
index 522def86c..af4ad174e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ".doc.exe" or tgt.process.image.path contains ".docx.exe" or tgt.process.image.path contains ".xls.exe" or tgt.process.image.path contains ".xlsx.exe" or tgt.process.image.path contains ".ppt.exe" or tgt.process.image.path contains ".pptx.exe" or tgt.process.image.path contains ".rtf.exe" or tgt.process.image.path contains ".pdf.exe" or tgt.process.image.path contains ".txt.exe" or tgt.process.image.path contains " .exe" or tgt.process.image.path contains "______.exe" or tgt.process.image.path contains ".doc.js" or tgt.process.image.path contains ".docx.js" or tgt.process.image.path contains ".xls.js" or tgt.process.image.path contains ".xlsx.js" or tgt.process.image.path contains ".ppt.js" or tgt.process.image.path contains ".pptx.js" or tgt.process.image.path contains ".rtf.js" or tgt.process.image.path contains ".pdf.js" or tgt.process.image.path contains ".txt.js") and (tgt.process.cmdline contains ".doc.exe" or tgt.process.cmdline contains ".docx.exe" or tgt.process.cmdline contains ".xls.exe" or tgt.process.cmdline contains ".xlsx.exe" or tgt.process.cmdline contains ".ppt.exe" or tgt.process.cmdline contains ".pptx.exe" or tgt.process.cmdline contains ".rtf.exe" or tgt.process.cmdline contains ".pdf.exe" or tgt.process.cmdline contains ".txt.exe" or tgt.process.cmdline contains " .exe" or tgt.process.cmdline contains "______.exe" or tgt.process.cmdline contains ".doc.js" or tgt.process.cmdline contains ".docx.js" or tgt.process.cmdline contains ".xls.js" or tgt.process.cmdline contains ".xlsx.js" or tgt.process.cmdline contains ".ppt.js" or tgt.process.cmdline contains ".pptx.js" or tgt.process.cmdline contains ".rtf.js" or tgt.process.cmdline contains ".pdf.js" or tgt.process.cmdline contains 
".txt.js")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
index 098d04897..3d4846634 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains ".doc.lnk" or src.process.image.path contains ".docx.lnk" or src.process.image.path contains ".xls.lnk" or src.process.image.path contains ".xlsx.lnk" or src.process.image.path contains ".ppt.lnk" or src.process.image.path contains ".pptx.lnk" or src.process.image.path contains ".rtf.lnk" or src.process.image.path contains ".pdf.lnk" or src.process.image.path contains ".txt.lnk" or src.process.image.path contains ".doc.js" or src.process.image.path contains ".docx.js" or src.process.image.path contains ".xls.js" or src.process.image.path contains ".xlsx.js" or src.process.image.path contains ".ppt.js" or src.process.image.path contains ".pptx.js" or src.process.image.path contains ".rtf.js" or src.process.image.path contains ".pdf.js" or src.process.image.path contains ".txt.js") or (src.process.cmdline contains ".doc.lnk" or src.process.cmdline contains ".docx.lnk" or src.process.cmdline contains ".xls.lnk" or src.process.cmdline contains ".xlsx.lnk" or src.process.cmdline contains ".ppt.lnk" or src.process.cmdline contains ".pptx.lnk" or src.process.cmdline contains ".rtf.lnk" or src.process.cmdline contains ".pdf.lnk" or src.process.cmdline contains ".txt.lnk" or src.process.cmdline contains ".doc.js" or src.process.cmdline contains ".docx.js" or src.process.cmdline contains ".xls.js" or src.process.cmdline contains ".xlsx.js" or src.process.cmdline contains ".ppt.js" or src.process.cmdline contains ".pptx.js" or src.process.cmdline contains ".rtf.js" or src.process.cmdline contains ".pdf.js" or src.process.cmdline contains ".txt.js")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
index 7e09c2bdb..80fbd9ce6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\wget.exe") or (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains ".DownloadString(")) and (tgt.process.cmdline contains "https://attachment.outlook.live.net/owa/" or tgt.process.cmdline contains "https://onenoteonlinesync.onenote.com/onenoteonlinesync/")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
index f3d61080a..a6430f876 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DumpStack.log" or tgt.process.cmdline contains " -o DumpStack.log"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
index 9698d8343..4eb893290 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\chrome.exe" or src.process.image.path contains "\discord.exe" or src.process.image.path contains "\GitHubDesktop.exe" or src.process.image.path contains "\keybase.exe" or src.process.image.path contains "\msedge.exe" or src.process.image.path contains "\msedgewebview2.exe" or src.process.image.path contains "\msteams.exe" or src.process.image.path contains "\slack.exe" or src.process.image.path contains "\teams.exe") and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\Windows\Temp\")) and (not (src.process.image.path contains "\Discord.exe" and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "\NVSMI\nvidia-smi.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
index 3784a9750..1e67c336c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\explorer.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".lnk")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
index 95411be79..261b7626a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "😀" or tgt.process.cmdline contains "😃" or tgt.process.cmdline contains "😄" or tgt.process.cmdline contains "😁" or tgt.process.cmdline contains "😆" or tgt.process.cmdline contains "😅" or tgt.process.cmdline contains "😂" or tgt.process.cmdline contains "🤣" or tgt.process.cmdline contains "🥲" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "☺️" or tgt.process.cmdline contains "😊" or tgt.process.cmdline contains "😇" or tgt.process.cmdline contains "🙂" or tgt.process.cmdline contains "🙃" or tgt.process.cmdline contains "😉" or tgt.process.cmdline contains "😌" or tgt.process.cmdline contains "😍" or tgt.process.cmdline contains "🥰" or tgt.process.cmdline contains "😘" or tgt.process.cmdline contains "😗" or tgt.process.cmdline contains "😙" or tgt.process.cmdline contains "😚" or tgt.process.cmdline contains "😋" or tgt.process.cmdline contains "😛" or tgt.process.cmdline contains "😝" or tgt.process.cmdline contains "😜" or tgt.process.cmdline contains "🤪" or tgt.process.cmdline contains "🤨" or tgt.process.cmdline contains "🧐" or tgt.process.cmdline contains "🤓" or tgt.process.cmdline contains "😎" or tgt.process.cmdline contains "🥸" or tgt.process.cmdline contains "🤩" or tgt.process.cmdline contains "🥳" or tgt.process.cmdline contains "😏" or tgt.process.cmdline contains "😒" or tgt.process.cmdline contains "😞" or tgt.process.cmdline contains "😔" or tgt.process.cmdline contains "😟" or tgt.process.cmdline contains "😕" or tgt.process.cmdline contains "🙁" or tgt.process.cmdline contains "☹️" or tgt.process.cmdline contains "😣" or tgt.process.cmdline contains "😖" or tgt.process.cmdline contains "😫" or tgt.process.cmdline contains "😩" or tgt.process.cmdline contains "🥺" or tgt.process.cmdline contains "😢" or 
tgt.process.cmdline contains "😭" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😤" or tgt.process.cmdline contains "😠" or tgt.process.cmdline contains "😡" or tgt.process.cmdline contains "🤬" or tgt.process.cmdline contains "🤯" or tgt.process.cmdline contains "😳" or tgt.process.cmdline contains "🥵" or tgt.process.cmdline contains "🥶" or tgt.process.cmdline contains "😱" or tgt.process.cmdline contains "😨" or tgt.process.cmdline contains "😰" or tgt.process.cmdline contains "😥" or tgt.process.cmdline contains "😓" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🤗" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🤔" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🤭" or tgt.process.cmdline contains "🤫" or tgt.process.cmdline contains "🤥" or tgt.process.cmdline contains "😶" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "😐" or tgt.process.cmdline contains "😑" or tgt.process.cmdline contains "😬" or tgt.process.cmdline contains "🫠" or tgt.process.cmdline contains "🙄" or tgt.process.cmdline contains "😯" or tgt.process.cmdline contains "😦" or tgt.process.cmdline contains "😧" or tgt.process.cmdline contains "😮" or tgt.process.cmdline contains "😲" or tgt.process.cmdline contains "🥱" or tgt.process.cmdline contains "😴" or tgt.process.cmdline contains "🤤" or tgt.process.cmdline contains "😪" or tgt.process.cmdline contains "😵" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🤐" or tgt.process.cmdline contains "🥴" or tgt.process.cmdline contains "🤢" or tgt.process.cmdline contains "🤮" or tgt.process.cmdline contains "🤧" or tgt.process.cmdline contains "😷" or tgt.process.cmdline contains "🤒" or tgt.process.cmdline contains "🤕" or tgt.process.cmdline contains "🤑" or tgt.process.cmdline contains "🤠" or tgt.process.cmdline contains "😈" or tgt.process.cmdline contains "👿" or tgt.process.cmdline contains "👹" or 
tgt.process.cmdline contains "👺" or tgt.process.cmdline contains "🤡" or tgt.process.cmdline contains "💩" or tgt.process.cmdline contains "👻" or tgt.process.cmdline contains "💀" or tgt.process.cmdline contains "☠️" or tgt.process.cmdline contains "👽" or tgt.process.cmdline contains "👾" or tgt.process.cmdline contains "🤖" or tgt.process.cmdline contains "🎃" or tgt.process.cmdline contains "😺" or tgt.process.cmdline contains "😸" or tgt.process.cmdline contains "😹" or tgt.process.cmdline contains "😻" or tgt.process.cmdline contains "😼" or tgt.process.cmdline contains "😽" or tgt.process.cmdline contains "🙀" or tgt.process.cmdline contains "😿" or tgt.process.cmdline contains "😾" or tgt.process.cmdline contains "👋" or tgt.process.cmdline contains "🤚" or tgt.process.cmdline contains "🖐" or tgt.process.cmdline contains "✋" or tgt.process.cmdline contains "🖖" or tgt.process.cmdline contains "👌" or tgt.process.cmdline contains "🤌" or tgt.process.cmdline contains "🤏" or tgt.process.cmdline contains "✌️" or tgt.process.cmdline contains "🤞" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🤟" or tgt.process.cmdline contains "🤘" or tgt.process.cmdline contains "🤙" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "👈" or tgt.process.cmdline contains "👉" or tgt.process.cmdline contains "👆" or tgt.process.cmdline contains "🖕" or tgt.process.cmdline contains "👇" or tgt.process.cmdline contains "☝️" or tgt.process.cmdline contains "👍" or tgt.process.cmdline contains "👎" or tgt.process.cmdline contains "✊" or tgt.process.cmdline contains "👊" or tgt.process.cmdline contains "🤛" or tgt.process.cmdline contains "🤜" or tgt.process.cmdline contains "👏" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🙌" or tgt.process.cmdline contains "👐" or tgt.process.cmdline contains "🤲" or 
tgt.process.cmdline contains "🤝" or tgt.process.cmdline contains "🙏" or tgt.process.cmdline contains "✍️" or tgt.process.cmdline contains "💪" or tgt.process.cmdline contains "🦾" or tgt.process.cmdline contains "🦵" or tgt.process.cmdline contains "🦿" or tgt.process.cmdline contains "🦶" or tgt.process.cmdline contains "👣" or tgt.process.cmdline contains "👂" or tgt.process.cmdline contains "🦻" or tgt.process.cmdline contains "👃" or tgt.process.cmdline contains "🫀" or tgt.process.cmdline contains "🫁" or tgt.process.cmdline contains "🧠" or tgt.process.cmdline contains "🦷" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "👀" or tgt.process.cmdline contains "👁" or tgt.process.cmdline contains "👅" or tgt.process.cmdline contains "👄" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "💋" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "👶" or tgt.process.cmdline contains "👧" or tgt.process.cmdline contains "🧒" or tgt.process.cmdline contains "👦" or tgt.process.cmdline contains "👩" or tgt.process.cmdline contains "🧑" or tgt.process.cmdline contains "👨" or tgt.process.cmdline contains "👩‍🦱" or tgt.process.cmdline contains "🧑‍🦱" or tgt.process.cmdline contains "👨‍🦱" or tgt.process.cmdline contains "👩‍🦰" or tgt.process.cmdline contains "🧑‍🦰" or tgt.process.cmdline contains "👨‍🦰" or tgt.process.cmdline contains "👱‍♀️" or tgt.process.cmdline contains "👱" or tgt.process.cmdline contains "👱‍♂️" or tgt.process.cmdline contains "👩‍🦳" or tgt.process.cmdline contains "🧑‍🦳" or tgt.process.cmdline contains "👨‍🦳" or tgt.process.cmdline contains "👩‍🦲" or tgt.process.cmdline contains "🧑‍🦲" or tgt.process.cmdline contains "👨‍🦲" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "👵" or tgt.process.cmdline contains "🧓" or tgt.process.cmdline contains "👴" or tgt.process.cmdline contains "👲" or tgt.process.cmdline contains "👳‍♀️" or 
tgt.process.cmdline contains "👳" or tgt.process.cmdline contains "👳‍♂️" or tgt.process.cmdline contains "🧕" or tgt.process.cmdline contains "👮‍♀️" or tgt.process.cmdline contains "👮" or tgt.process.cmdline contains "👮‍♂️" or tgt.process.cmdline contains "👷‍♀️" or tgt.process.cmdline contains "👷" or tgt.process.cmdline contains "👷‍♂️" or tgt.process.cmdline contains "💂‍♀️" or tgt.process.cmdline contains "💂" or tgt.process.cmdline contains "💂‍♂️" or tgt.process.cmdline contains "🕵️‍♀️" or tgt.process.cmdline contains "🕵️" or tgt.process.cmdline contains "🕵️‍♂️" or tgt.process.cmdline contains "👩‍⚕️" or tgt.process.cmdline contains "🧑‍⚕️" or tgt.process.cmdline contains "👨‍⚕️" or tgt.process.cmdline contains "👩‍🌾" or tgt.process.cmdline contains "🧑‍🌾" or tgt.process.cmdline contains "👨‍🌾" or tgt.process.cmdline contains "👩‍🍳" or tgt.process.cmdline contains "🧑‍🍳" or tgt.process.cmdline contains "👨‍🍳" or tgt.process.cmdline contains "👩‍🎓" or tgt.process.cmdline contains "🧑‍🎓" or tgt.process.cmdline contains "👨‍🎓" or tgt.process.cmdline contains "👩‍🎤" or tgt.process.cmdline contains "🧑‍🎤" or tgt.process.cmdline contains "👨‍🎤" or tgt.process.cmdline contains "👩‍🏫" or tgt.process.cmdline contains "🧑‍🏫" or tgt.process.cmdline contains "👨‍🏫" or tgt.process.cmdline contains "👩‍🏭" or tgt.process.cmdline contains "🧑‍🏭" or tgt.process.cmdline contains "👨‍🏭" or tgt.process.cmdline contains "👩‍💻" or tgt.process.cmdline contains "🧑‍💻" or tgt.process.cmdline contains "👨‍💻" or tgt.process.cmdline contains "👩‍💼" or tgt.process.cmdline contains "🧑‍💼" or tgt.process.cmdline contains "👨‍💼" or tgt.process.cmdline contains "👩‍🔧" or tgt.process.cmdline contains "🧑‍🔧" or tgt.process.cmdline contains "👨‍🔧" or tgt.process.cmdline contains "👩‍🔬" or tgt.process.cmdline contains "🧑‍🔬" or tgt.process.cmdline contains "👨‍🔬" or tgt.process.cmdline contains "👩‍🎨" or tgt.process.cmdline contains "🧑‍🎨" or tgt.process.cmdline contains "👨‍🎨" or tgt.process.cmdline contains "👩‍🚒" or tgt.process.cmdline 
contains "🧑‍🚒" or tgt.process.cmdline contains "👨‍🚒" or tgt.process.cmdline contains "👩‍✈️" or tgt.process.cmdline contains "🧑‍✈️" or tgt.process.cmdline contains "👨‍✈️" or tgt.process.cmdline contains "👩‍🚀" or tgt.process.cmdline contains "🧑‍🚀" or tgt.process.cmdline contains "👨‍🚀" or tgt.process.cmdline contains "👩‍⚖️" or tgt.process.cmdline contains "🧑‍⚖️" or tgt.process.cmdline contains "👨‍⚖️" or tgt.process.cmdline contains "👰‍♀️" or tgt.process.cmdline contains "👰" or tgt.process.cmdline contains "👰‍♂️" or tgt.process.cmdline contains "🤵‍♀️" or tgt.process.cmdline contains "🤵" or tgt.process.cmdline contains "🤵‍♂️" or tgt.process.cmdline contains "👸" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🤴" or tgt.process.cmdline contains "🥷" or tgt.process.cmdline contains "🦸‍♀️" or tgt.process.cmdline contains "🦸" or tgt.process.cmdline contains "🦸‍♂️" or tgt.process.cmdline contains "🦹‍♀️" or tgt.process.cmdline contains "🦹" or tgt.process.cmdline contains "🦹‍♂️" or tgt.process.cmdline contains "🤶" or tgt.process.cmdline contains "🧑‍🎄" or tgt.process.cmdline contains "🎅" or tgt.process.cmdline contains "🧙‍♀️" or tgt.process.cmdline contains "🧙" or tgt.process.cmdline contains "🧙‍♂️" or tgt.process.cmdline contains "🧝‍♀️" or tgt.process.cmdline contains "🧝" or tgt.process.cmdline contains "🧝‍♂️" or tgt.process.cmdline contains "🧛‍♀️" or tgt.process.cmdline contains "🧛" or tgt.process.cmdline contains "🧛‍♂️" or tgt.process.cmdline contains "🧟‍♀️" or tgt.process.cmdline contains "🧟" or tgt.process.cmdline contains "🧟‍♂️" or tgt.process.cmdline contains "🧞‍♀️" or tgt.process.cmdline contains "🧞" or tgt.process.cmdline contains "🧞‍♂️" or tgt.process.cmdline contains "🧜‍♀️" or tgt.process.cmdline contains "🧜" or tgt.process.cmdline contains "🧜‍♂️" or tgt.process.cmdline contains "🧚‍♀️" or tgt.process.cmdline contains "🧚" or tgt.process.cmdline contains "🧚‍♂️" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "👼" or 
tgt.process.cmdline contains "🤰" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🤱" or tgt.process.cmdline contains "👩‍🍼" or tgt.process.cmdline contains "🧑‍🍼" or tgt.process.cmdline contains "👨‍🍼" or tgt.process.cmdline contains "🙇‍♀️" or tgt.process.cmdline contains "🙇" or tgt.process.cmdline contains "🙇‍♂️" or tgt.process.cmdline contains "💁‍♀️" or tgt.process.cmdline contains "💁" or tgt.process.cmdline contains "💁‍♂️" or tgt.process.cmdline contains "🙅‍♀️" or tgt.process.cmdline contains "🙅" or tgt.process.cmdline contains "🙅‍♂️" or tgt.process.cmdline contains "🙆‍♀️" or tgt.process.cmdline contains "🙆" or tgt.process.cmdline contains "🙆‍♂️" or tgt.process.cmdline contains "🙋‍♀️" or tgt.process.cmdline contains "🙋" or tgt.process.cmdline contains "🙋‍♂️" or tgt.process.cmdline contains "🧏‍♀️" or tgt.process.cmdline contains "🧏" or tgt.process.cmdline contains "🧏‍♂️" or tgt.process.cmdline contains "🤦‍♀️" or tgt.process.cmdline contains "🤦" or tgt.process.cmdline contains "🤦‍♂️" or tgt.process.cmdline contains "🤷‍♀️" or tgt.process.cmdline contains "🤷" or tgt.process.cmdline contains "🤷‍♂️" or tgt.process.cmdline contains "🙎‍♀️" or tgt.process.cmdline contains "🙎" or tgt.process.cmdline contains "🙎‍♂️" or tgt.process.cmdline contains "🙍‍♀️" or tgt.process.cmdline contains "🙍" or tgt.process.cmdline contains "🙍‍♂️" or tgt.process.cmdline contains "💇‍♀️" or tgt.process.cmdline contains "💇" or tgt.process.cmdline contains "💇‍♂️" or tgt.process.cmdline contains "💆‍♀️" or tgt.process.cmdline contains "💆" or tgt.process.cmdline contains "💆‍♂️" or tgt.process.cmdline contains "🧖‍♀️" or tgt.process.cmdline contains "🧖" or tgt.process.cmdline contains "🧖‍♂️" or tgt.process.cmdline contains "💅" or tgt.process.cmdline contains "💃" or tgt.process.cmdline contains "🕺" or tgt.process.cmdline contains "👯‍♀️" or tgt.process.cmdline contains "👯" or tgt.process.cmdline contains "👯‍♂️" or tgt.process.cmdline contains "🕴" or 
tgt.process.cmdline contains "👩‍🦽" or tgt.process.cmdline contains "🧑‍🦽" or tgt.process.cmdline contains "👨‍🦽" or tgt.process.cmdline contains "👩‍🦼" or tgt.process.cmdline contains "🧑‍🦼" or tgt.process.cmdline contains "👨‍🦼" or tgt.process.cmdline contains "🚶‍♀️" or tgt.process.cmdline contains "🚶" or tgt.process.cmdline contains "🚶‍♂️" or tgt.process.cmdline contains "👩‍🦯" or tgt.process.cmdline contains "🧑‍🦯" or tgt.process.cmdline contains "👨‍🦯" or tgt.process.cmdline contains "🧎‍♀️" or tgt.process.cmdline contains "🧎" or tgt.process.cmdline contains "🧎‍♂️" or tgt.process.cmdline contains "🏃‍♀️" or tgt.process.cmdline contains "🏃" or tgt.process.cmdline contains "🏃‍♂️" or tgt.process.cmdline contains "🧍‍♀️" or tgt.process.cmdline contains "🧍" or tgt.process.cmdline contains "🧍‍♂️" or tgt.process.cmdline contains "👭" or tgt.process.cmdline contains "🧑‍🤝‍🧑" or tgt.process.cmdline contains "👬" or tgt.process.cmdline contains "👫" or tgt.process.cmdline contains "👩‍❤️‍👩" or tgt.process.cmdline contains "💑" or tgt.process.cmdline contains "👨‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👩" or tgt.process.cmdline contains "💏" or tgt.process.cmdline contains "👨‍❤️‍💋‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👨" or tgt.process.cmdline contains "👪" or tgt.process.cmdline contains "👨‍👩‍👦" or tgt.process.cmdline contains "👨‍👩‍👧" or tgt.process.cmdline contains "👨‍👩‍👧‍👦" or tgt.process.cmdline contains "👨‍👩‍👦‍👦" or tgt.process.cmdline contains "👨‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👨‍👦" or tgt.process.cmdline contains "👨‍👨‍👧" or tgt.process.cmdline contains "👨‍👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👨‍👦‍👦" or tgt.process.cmdline contains "👨‍👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👩‍👦" or tgt.process.cmdline contains "👩‍👩‍👧" or tgt.process.cmdline contains "👩‍👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👦" or tgt.process.cmdline contains "👨‍👦‍👦" 
or tgt.process.cmdline contains "👨‍👧" or tgt.process.cmdline contains "👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👦" or tgt.process.cmdline contains "👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👧" or tgt.process.cmdline contains "👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👧‍👧" or tgt.process.cmdline contains "🗣" or tgt.process.cmdline contains "👤" or tgt.process.cmdline contains "👥" or tgt.process.cmdline contains "🫂" or tgt.process.cmdline contains "🧳" or tgt.process.cmdline contains "🌂" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🧵" or tgt.process.cmdline contains "🪡" or tgt.process.cmdline contains "🪢" or tgt.process.cmdline contains "🧶" or tgt.process.cmdline contains "👓" or tgt.process.cmdline contains "🕶" or tgt.process.cmdline contains "🥽" or tgt.process.cmdline contains "🥼" or tgt.process.cmdline contains "🦺" or tgt.process.cmdline contains "👔" or tgt.process.cmdline contains "👕" or tgt.process.cmdline contains "👖" or tgt.process.cmdline contains "🧣" or tgt.process.cmdline contains "🧤" or tgt.process.cmdline contains "🧥" or tgt.process.cmdline contains "🧦" or tgt.process.cmdline contains "👗" or tgt.process.cmdline contains "👘" or tgt.process.cmdline contains "🥻" or tgt.process.cmdline contains "🩴" or tgt.process.cmdline contains "🩱" or tgt.process.cmdline contains "🩲" or tgt.process.cmdline contains "🩳" or tgt.process.cmdline contains "👙" or tgt.process.cmdline contains "👚" or tgt.process.cmdline contains "👛" or tgt.process.cmdline contains "👜" or tgt.process.cmdline contains "👝" or tgt.process.cmdline contains "🎒" or tgt.process.cmdline contains "👞" or tgt.process.cmdline contains "👟" or tgt.process.cmdline contains "🥾" or tgt.process.cmdline contains "🥿" or tgt.process.cmdline contains "👠" or tgt.process.cmdline contains "👡" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "👢" or tgt.process.cmdline contains "👑" or tgt.process.cmdline contains "👒" or tgt.process.cmdline 
contains "🎩" or tgt.process.cmdline contains "🎓" or tgt.process.cmdline contains "🧢" or tgt.process.cmdline contains "⛑" or tgt.process.cmdline contains "🪖" or tgt.process.cmdline contains "💄" or tgt.process.cmdline contains "💍" or tgt.process.cmdline contains "💼" or tgt.process.cmdline contains "👋🏻" or tgt.process.cmdline contains "🤚🏻" or tgt.process.cmdline contains "🖐🏻" or tgt.process.cmdline contains "✋🏻" or tgt.process.cmdline contains "🖖🏻" or tgt.process.cmdline contains "👌🏻" or tgt.process.cmdline contains "🤌🏻" or tgt.process.cmdline contains "🤏🏻" or tgt.process.cmdline contains "✌🏻" or tgt.process.cmdline contains "🤞🏻" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🤟🏻" or tgt.process.cmdline contains "🤘🏻" or tgt.process.cmdline contains "🤙🏻" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "👈🏻" or tgt.process.cmdline contains "👉🏻" or tgt.process.cmdline contains "👆🏻" or tgt.process.cmdline contains "🖕🏻" or tgt.process.cmdline contains "👇🏻" or tgt.process.cmdline contains "☝🏻" or tgt.process.cmdline contains "👍🏻" or tgt.process.cmdline contains "👎🏻" or tgt.process.cmdline contains "✊🏻" or tgt.process.cmdline contains "👊🏻" or tgt.process.cmdline contains "🤛🏻" or tgt.process.cmdline contains "🤜🏻" or tgt.process.cmdline contains "👏🏻" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🙌🏻" or tgt.process.cmdline contains "👐🏻" or tgt.process.cmdline contains "🤲🏻" or tgt.process.cmdline contains "🙏🏻" or tgt.process.cmdline contains "✍🏻" or tgt.process.cmdline contains "💪🏻" or tgt.process.cmdline contains "🦵🏻" or tgt.process.cmdline contains "🦶🏻" or tgt.process.cmdline contains "👂🏻" or tgt.process.cmdline contains "🦻🏻" or tgt.process.cmdline contains "👃🏻" or tgt.process.cmdline contains "👶🏻" or tgt.process.cmdline contains "👧🏻" or tgt.process.cmdline contains 
"🧒🏻" or tgt.process.cmdline contains "👦🏻" or tgt.process.cmdline contains "👩🏻" or tgt.process.cmdline contains "🧑🏻" or tgt.process.cmdline contains "👨🏻" or tgt.process.cmdline contains "👩🏻‍🦱" or tgt.process.cmdline contains "🧑🏻‍🦱" or tgt.process.cmdline contains "👨🏻‍🦱" or tgt.process.cmdline contains "👩🏻‍🦰" or tgt.process.cmdline contains "🧑🏻‍🦰" or tgt.process.cmdline contains "👨🏻‍🦰" or tgt.process.cmdline contains "👱🏻‍♀️" or tgt.process.cmdline contains "👱🏻" or tgt.process.cmdline contains "👱🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦳" or tgt.process.cmdline contains "🧑🏻‍🦳" or tgt.process.cmdline contains "👨🏻‍🦳" or tgt.process.cmdline contains "👩🏻‍🦲" or tgt.process.cmdline contains "🧑🏻‍🦲" or tgt.process.cmdline contains "👨🏻‍🦲" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline contains "🧔🏻" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "👵🏻" or tgt.process.cmdline contains "🧓🏻" or tgt.process.cmdline contains "👴🏻" or tgt.process.cmdline contains "👲🏻" or tgt.process.cmdline contains "👳🏻‍♀️" or tgt.process.cmdline contains "👳🏻" or tgt.process.cmdline contains "👳🏻‍♂️" or tgt.process.cmdline contains "🧕🏻" or tgt.process.cmdline contains "👮🏻‍♀️" or tgt.process.cmdline contains "👮🏻" or tgt.process.cmdline contains "👮🏻‍♂️" or tgt.process.cmdline contains "👷🏻‍♀️" or tgt.process.cmdline contains "👷🏻" or tgt.process.cmdline contains "👷🏻‍♂️" or tgt.process.cmdline contains "💂🏻‍♀️" or tgt.process.cmdline contains "💂🏻" or tgt.process.cmdline contains "💂🏻‍♂️" or tgt.process.cmdline contains "🕵🏻‍♀️" or tgt.process.cmdline contains "🕵🏻" or tgt.process.cmdline contains "🕵🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍⚕️" or tgt.process.cmdline contains "🧑🏻‍⚕️" or tgt.process.cmdline contains "👨🏻‍⚕️" or tgt.process.cmdline contains "👩🏻‍🌾" or tgt.process.cmdline contains "🧑🏻‍🌾" or tgt.process.cmdline contains "👨🏻‍🌾" or tgt.process.cmdline contains "👩🏻‍🍳" or tgt.process.cmdline contains "🧑🏻‍🍳" or tgt.process.cmdline contains "👨🏻‍🍳" or 
tgt.process.cmdline contains "👩🏻‍🎓" or tgt.process.cmdline contains "🧑🏻‍🎓" or tgt.process.cmdline contains "👨🏻‍🎓" or tgt.process.cmdline contains "👩🏻‍🎤" or tgt.process.cmdline contains "🧑🏻‍🎤" or tgt.process.cmdline contains "👨🏻‍🎤" or tgt.process.cmdline contains "👩🏻‍🏫" or tgt.process.cmdline contains "🧑🏻‍🏫" or tgt.process.cmdline contains "👨🏻‍🏫" or tgt.process.cmdline contains "👩🏻‍🏭" or tgt.process.cmdline contains "🧑🏻‍🏭" or tgt.process.cmdline contains "👨🏻‍🏭" or tgt.process.cmdline contains "👩🏻‍💻" or tgt.process.cmdline contains "🧑🏻‍💻" or tgt.process.cmdline contains "👨🏻‍💻" or tgt.process.cmdline contains "👩🏻‍💼" or tgt.process.cmdline contains "🧑🏻‍💼" or tgt.process.cmdline contains "👨🏻‍💼" or tgt.process.cmdline contains "👩🏻‍🔧" or tgt.process.cmdline contains "🧑🏻‍🔧" or tgt.process.cmdline contains "👨🏻‍🔧" or tgt.process.cmdline contains "👩🏻‍🔬" or tgt.process.cmdline contains "🧑🏻‍🔬" or tgt.process.cmdline contains "👨🏻‍🔬" or tgt.process.cmdline contains "👩🏻‍🎨" or tgt.process.cmdline contains "🧑🏻‍🎨" or tgt.process.cmdline contains "👨🏻‍🎨" or tgt.process.cmdline contains "👩🏻‍🚒" or tgt.process.cmdline contains "🧑🏻‍🚒" or tgt.process.cmdline contains "👨🏻‍🚒" or tgt.process.cmdline contains "👩🏻‍✈️" or tgt.process.cmdline contains "🧑🏻‍✈️" or tgt.process.cmdline contains "👨🏻‍✈️" or tgt.process.cmdline contains "👩🏻‍🚀" or tgt.process.cmdline contains "🧑🏻‍🚀" or tgt.process.cmdline contains "👨🏻‍🚀" or tgt.process.cmdline contains "👩🏻‍⚖️" or tgt.process.cmdline contains "🧑🏻‍⚖️" or tgt.process.cmdline contains "👨🏻‍⚖️" or tgt.process.cmdline contains "👰🏻‍♀️" or tgt.process.cmdline contains "👰🏻" or tgt.process.cmdline contains "👰🏻‍♂️" or tgt.process.cmdline contains "🤵🏻‍♀️" or tgt.process.cmdline contains "🤵🏻" or tgt.process.cmdline contains "🤵🏻‍♂️" or tgt.process.cmdline contains "👸🏻" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🤴🏻" or tgt.process.cmdline contains "🥷🏻" or tgt.process.cmdline contains "🦸🏻‍♀️" or tgt.process.cmdline contains "🦸🏻" or 
tgt.process.cmdline contains "🦸🏻‍♂️" or tgt.process.cmdline contains "🦹🏻‍♀️" or tgt.process.cmdline contains "🦹🏻" or tgt.process.cmdline contains "🦹🏻‍♂️" or tgt.process.cmdline contains "🤶🏻" or tgt.process.cmdline contains "🧑🏻‍🎄" or tgt.process.cmdline contains "🎅🏻" or tgt.process.cmdline contains "🧙🏻‍♀️" or tgt.process.cmdline contains "🧙🏻" or tgt.process.cmdline contains "🧙🏻‍♂️" or tgt.process.cmdline contains "🧝🏻‍♀️" or tgt.process.cmdline contains "🧝🏻" or tgt.process.cmdline contains "🧝🏻‍♂️" or tgt.process.cmdline contains "🧛🏻‍♀️" or tgt.process.cmdline contains "🧛🏻" or tgt.process.cmdline contains "🧛🏻‍♂️" or tgt.process.cmdline contains "🧜🏻‍♀️" or tgt.process.cmdline contains "🧜🏻" or tgt.process.cmdline contains "🧜🏻‍♂️" or tgt.process.cmdline contains "🧚🏻‍♀️" or tgt.process.cmdline contains "🧚🏻" or tgt.process.cmdline contains "🧚🏻‍♂️" or tgt.process.cmdline contains "👼🏻" or tgt.process.cmdline contains "🤰🏻" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🤱🏻" or tgt.process.cmdline contains "👩🏻‍🍼" or tgt.process.cmdline contains "🧑🏻‍🍼" or tgt.process.cmdline contains "👨🏻‍🍼" or tgt.process.cmdline contains "🙇🏻‍♀️" or tgt.process.cmdline contains "🙇🏻" or tgt.process.cmdline contains "🙇🏻‍♂️" or tgt.process.cmdline contains "💁🏻‍♀️" or tgt.process.cmdline contains "💁🏻" or tgt.process.cmdline contains "💁🏻‍♂️" or tgt.process.cmdline contains "🙅🏻‍♀️" or tgt.process.cmdline contains "🙅🏻" or tgt.process.cmdline contains "🙅🏻‍♂️" or tgt.process.cmdline contains "🙆🏻‍♀️" or tgt.process.cmdline contains "🙆🏻" or tgt.process.cmdline contains "🙆🏻‍♂️" or tgt.process.cmdline contains "🙋🏻‍♀️" or tgt.process.cmdline contains "🙋🏻" or tgt.process.cmdline contains "🙋🏻‍♂️" or tgt.process.cmdline contains "🧏🏻‍♀️" or tgt.process.cmdline contains "🧏🏻" or tgt.process.cmdline contains "🧏🏻‍♂️" or tgt.process.cmdline contains "🤦🏻‍♀️" or tgt.process.cmdline contains "🤦🏻" or tgt.process.cmdline contains "🤦🏻‍♂️" or tgt.process.cmdline 
contains "🤷🏻‍♀️" or tgt.process.cmdline contains "🤷🏻" or tgt.process.cmdline contains "🤷🏻‍♂️" or tgt.process.cmdline contains "🙎🏻‍♀️" or tgt.process.cmdline contains "🙎🏻" or tgt.process.cmdline contains "🙎🏻‍♂️" or tgt.process.cmdline contains "🙍🏻‍♀️" or tgt.process.cmdline contains "🙍🏻" or tgt.process.cmdline contains "🙍🏻‍♂️" or tgt.process.cmdline contains "💇🏻‍♀️" or tgt.process.cmdline contains "💇🏻" or tgt.process.cmdline contains "💇🏻‍♂️" or tgt.process.cmdline contains "💆🏻‍♀️" or tgt.process.cmdline contains "💆🏻" or tgt.process.cmdline contains "💆🏻‍♂️" or tgt.process.cmdline contains "🧖🏻‍♀️" or tgt.process.cmdline contains "🧖🏻" or tgt.process.cmdline contains "🧖🏻‍♂️" or tgt.process.cmdline contains "💃🏻" or tgt.process.cmdline contains "🕺🏻" or tgt.process.cmdline contains "🕴🏻" or tgt.process.cmdline contains "👩🏻‍🦽" or tgt.process.cmdline contains "🧑🏻‍🦽" or tgt.process.cmdline contains "👨🏻‍🦽" or tgt.process.cmdline contains "👩🏻‍🦼" or tgt.process.cmdline contains "🧑🏻‍🦼" or tgt.process.cmdline contains "👨🏻‍🦼" or tgt.process.cmdline contains "🚶🏻‍♀️" or tgt.process.cmdline contains "🚶🏻" or tgt.process.cmdline contains "🚶🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦯" or tgt.process.cmdline contains "🧑🏻‍🦯" or tgt.process.cmdline contains "👨🏻‍🦯" or tgt.process.cmdline contains "🧎🏻‍♀️" or tgt.process.cmdline contains "🧎🏻" or tgt.process.cmdline contains "🧎🏻‍♂️" or tgt.process.cmdline contains "🏃🏻‍♀️" or tgt.process.cmdline contains "🏃🏻" or tgt.process.cmdline contains "🏃🏻‍♂️" or tgt.process.cmdline contains "🧍🏻‍♀️" or tgt.process.cmdline contains "🧍🏻" or tgt.process.cmdline contains "🧍🏻‍♂️" or tgt.process.cmdline contains "👭🏻" or tgt.process.cmdline contains "🧑🏻‍🤝‍🧑🏻" or tgt.process.cmdline contains "👬🏻" or tgt.process.cmdline contains "👫🏻" or tgt.process.cmdline contains "🧗🏻‍♀️" or tgt.process.cmdline contains "🧗🏻" or tgt.process.cmdline contains "🧗🏻‍♂️" or tgt.process.cmdline contains "🏇🏻" or tgt.process.cmdline contains "🏂🏻" or tgt.process.cmdline contains "🏌🏻‍♀️" or 
tgt.process.cmdline contains "🏌🏻" or tgt.process.cmdline contains "🏌🏻‍♂️" or tgt.process.cmdline contains "🏄🏻‍♀️" or tgt.process.cmdline contains "🏄🏻" or tgt.process.cmdline contains "🏄🏻‍♂️" or tgt.process.cmdline contains "🚣🏻‍♀️" or tgt.process.cmdline contains "🚣🏻" or tgt.process.cmdline contains "🚣🏻‍♂️" or tgt.process.cmdline contains "🏊🏻‍♀️" or tgt.process.cmdline contains "🏊🏻" or tgt.process.cmdline contains "🏊🏻‍♂️" or tgt.process.cmdline contains "⛹🏻‍♀️" or tgt.process.cmdline contains "⛹🏻" or tgt.process.cmdline contains "⛹🏻‍♂️" or tgt.process.cmdline contains "🏋🏻‍♀️" or tgt.process.cmdline contains "🏋🏻" or tgt.process.cmdline contains "🏋🏻‍♂️" or tgt.process.cmdline contains "🚴🏻‍♀️" or tgt.process.cmdline contains "🚴🏻" or tgt.process.cmdline contains "🚴🏻‍♂️" or tgt.process.cmdline contains "🚵🏻‍♀️" or tgt.process.cmdline contains "🚵🏻" or tgt.process.cmdline contains "🚵🏻‍♂️" or tgt.process.cmdline contains "🤸🏻‍♀️" or tgt.process.cmdline contains "🤸🏻" or tgt.process.cmdline contains "🤸🏻‍♂️" or tgt.process.cmdline contains "🤽🏻‍♀️" or tgt.process.cmdline contains "🤽🏻" or tgt.process.cmdline contains "🤽🏻‍♂️" or tgt.process.cmdline contains "🤾🏻‍♀️" or tgt.process.cmdline contains "🤾🏻" or tgt.process.cmdline contains "🤾🏻‍♂️" or tgt.process.cmdline contains "🤹🏻‍♀️" or tgt.process.cmdline contains "🤹🏻" or tgt.process.cmdline contains "🤹🏻‍♂️" or tgt.process.cmdline contains "🧘🏻‍♀️" or tgt.process.cmdline contains "🧘🏻" or tgt.process.cmdline contains "🧘🏻‍♂️" or tgt.process.cmdline contains "🛀🏻" or tgt.process.cmdline contains "🛌🏻" or tgt.process.cmdline contains "👋🏼" or tgt.process.cmdline contains "🤚🏼" or tgt.process.cmdline contains "🖐🏼" or tgt.process.cmdline contains "✋🏼" or tgt.process.cmdline contains "🖖🏼" or tgt.process.cmdline contains "👌🏼" or tgt.process.cmdline contains "🤌🏼" or tgt.process.cmdline contains "🤏🏼" or tgt.process.cmdline contains "✌🏼" or tgt.process.cmdline contains "🤞🏼" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🤟🏼" or 
tgt.process.cmdline contains "🤘🏼" or tgt.process.cmdline contains "🤙🏼" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "👈🏼" or tgt.process.cmdline contains "👉🏼" or tgt.process.cmdline contains "👆🏼" or tgt.process.cmdline contains "🖕🏼" or tgt.process.cmdline contains "👇🏼" or tgt.process.cmdline contains "☝🏼" or tgt.process.cmdline contains "👍🏼" or tgt.process.cmdline contains "👎🏼" or tgt.process.cmdline contains "✊🏼" or tgt.process.cmdline contains "👊🏼" or tgt.process.cmdline contains "🤛🏼" or tgt.process.cmdline contains "🤜🏼" or tgt.process.cmdline contains "👏🏼" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🙌🏼" or tgt.process.cmdline contains "👐🏼" or tgt.process.cmdline contains "🤲🏼" or tgt.process.cmdline contains "🙏🏼" or tgt.process.cmdline contains "✍🏼" or tgt.process.cmdline contains "💪🏼" or tgt.process.cmdline contains "🦵🏼" or tgt.process.cmdline contains "🦶🏼" or tgt.process.cmdline contains "👂🏼" or tgt.process.cmdline contains "🦻🏼" or tgt.process.cmdline contains "👃🏼" or tgt.process.cmdline contains "👶🏼" or tgt.process.cmdline contains "👧🏼" or tgt.process.cmdline contains "🧒🏼" or tgt.process.cmdline contains "👦🏼" or tgt.process.cmdline contains "👩🏼" or tgt.process.cmdline contains "🧑🏼" or tgt.process.cmdline contains "👨🏼" or tgt.process.cmdline contains "👩🏼‍🦱" or tgt.process.cmdline contains "🧑🏼‍🦱" or tgt.process.cmdline contains "👨🏼‍🦱" or tgt.process.cmdline contains "👩🏼‍🦰" or tgt.process.cmdline contains "🧑🏼‍🦰" or tgt.process.cmdline contains "👨🏼‍🦰" or tgt.process.cmdline contains "👱🏼‍♀️" or tgt.process.cmdline contains "👱🏼" or tgt.process.cmdline contains "👱🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦳" or tgt.process.cmdline contains "🧑🏼‍🦳" or tgt.process.cmdline contains "👨🏼‍🦳" or tgt.process.cmdline contains "👩🏼‍🦲" or tgt.process.cmdline contains "🧑🏼‍🦲" or 
tgt.process.cmdline contains "👨🏼‍🦲" or tgt.process.cmdline contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏼" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "👵🏼" or tgt.process.cmdline contains "🧓🏼" or tgt.process.cmdline contains "👴🏼" or tgt.process.cmdline contains "👲🏼" or tgt.process.cmdline contains "👳🏼‍♀️" or tgt.process.cmdline contains "👳🏼" or tgt.process.cmdline contains "👳🏼‍♂️" or tgt.process.cmdline contains "🧕🏼" or tgt.process.cmdline contains "👮🏼‍♀️" or tgt.process.cmdline contains "👮🏼" or tgt.process.cmdline contains "👮🏼‍♂️" or tgt.process.cmdline contains "👷🏼‍♀️" or tgt.process.cmdline contains "👷🏼" or tgt.process.cmdline contains "👷🏼‍♂️" or tgt.process.cmdline contains "💂🏼‍♀️" or tgt.process.cmdline contains "💂🏼" or tgt.process.cmdline contains "💂🏼‍♂️" or tgt.process.cmdline contains "🕵🏼‍♀️" or tgt.process.cmdline contains "🕵🏼" or tgt.process.cmdline contains "🕵🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍⚕️" or tgt.process.cmdline contains "🧑🏼‍⚕️" or tgt.process.cmdline contains "👨🏼‍⚕️" or tgt.process.cmdline contains "👩🏼‍🌾" or tgt.process.cmdline contains "🧑🏼‍🌾" or tgt.process.cmdline contains "👨🏼‍🌾" or tgt.process.cmdline contains "👩🏼‍🍳" or tgt.process.cmdline contains "🧑🏼‍🍳" or tgt.process.cmdline contains "👨🏼‍🍳" or tgt.process.cmdline contains "👩🏼‍🎓" or tgt.process.cmdline contains "🧑🏼‍🎓" or tgt.process.cmdline contains "👨🏼‍🎓" or tgt.process.cmdline contains "👩🏼‍🎤" or tgt.process.cmdline contains "🧑🏼‍🎤" or tgt.process.cmdline contains "👨🏼‍🎤" or tgt.process.cmdline contains "👩🏼‍🏫" or tgt.process.cmdline contains "🧑🏼‍🏫" or tgt.process.cmdline contains "👨🏼‍🏫" or tgt.process.cmdline contains "👩🏼‍🏭" or tgt.process.cmdline contains "🧑🏼‍🏭" or tgt.process.cmdline contains "👨🏼‍🏭" or tgt.process.cmdline contains "👩🏼‍💻" or tgt.process.cmdline contains "🧑🏼‍💻" or tgt.process.cmdline contains "👨🏼‍💻" or tgt.process.cmdline contains "👩🏼‍💼" or tgt.process.cmdline contains "🧑🏼‍💼" or tgt.process.cmdline contains "👨🏼‍💼" or 
tgt.process.cmdline contains "👩🏼‍🔧" or tgt.process.cmdline contains "🧑🏼‍🔧" or tgt.process.cmdline contains "👨🏼‍🔧" or tgt.process.cmdline contains "👩🏼‍🔬" or tgt.process.cmdline contains "🧑🏼‍🔬" or tgt.process.cmdline contains "👨🏼‍🔬" or tgt.process.cmdline contains "👩🏼‍🎨" or tgt.process.cmdline contains "🧑🏼‍🎨" or tgt.process.cmdline contains "👨🏼‍🎨" or tgt.process.cmdline contains "👩🏼‍🚒" or tgt.process.cmdline contains "🧑🏼‍🚒" or tgt.process.cmdline contains "👨🏼‍🚒" or tgt.process.cmdline contains "👩🏼‍✈️" or tgt.process.cmdline contains "🧑🏼‍✈️" or tgt.process.cmdline contains "👨🏼‍✈️" or tgt.process.cmdline contains "👩🏼‍🚀" or tgt.process.cmdline contains "🧑🏼‍🚀" or tgt.process.cmdline contains "👨🏼‍🚀" or tgt.process.cmdline contains "👩🏼‍⚖️" or tgt.process.cmdline contains "🧑🏼‍⚖️" or tgt.process.cmdline contains "👨🏼‍⚖️" or tgt.process.cmdline contains "👰🏼‍♀️" or tgt.process.cmdline contains "👰🏼" or tgt.process.cmdline contains "👰🏼‍♂️" or tgt.process.cmdline contains "🤵🏼‍♀️" or tgt.process.cmdline contains "🤵🏼" or tgt.process.cmdline contains "🤵🏼‍♂️" or tgt.process.cmdline contains "👸🏼" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🤴🏼" or tgt.process.cmdline contains "🥷🏼" or tgt.process.cmdline contains "🦸🏼‍♀️" or tgt.process.cmdline contains "🦸🏼" or tgt.process.cmdline contains "🦸🏼‍♂️" or tgt.process.cmdline contains "🦹🏼‍♀️" or tgt.process.cmdline contains "🦹🏼" or tgt.process.cmdline contains "🦹🏼‍♂️" or tgt.process.cmdline contains "🤶🏼" or tgt.process.cmdline contains "🧑🏼‍🎄" or tgt.process.cmdline contains "🎅🏼" or tgt.process.cmdline contains "🧙🏼‍♀️" or tgt.process.cmdline contains "🧙🏼" or tgt.process.cmdline contains "🧙🏼‍♂️" or tgt.process.cmdline contains "🧝🏼‍♀️" or tgt.process.cmdline contains "🧝🏼" or tgt.process.cmdline contains "🧝🏼‍♂️" or tgt.process.cmdline contains "🧛🏼‍♀️" or tgt.process.cmdline contains "🧛🏼" or tgt.process.cmdline contains "🧛🏼‍♂️" or tgt.process.cmdline contains "🧜🏼‍♀️" or tgt.process.cmdline contains "🧜🏼" or 
tgt.process.cmdline contains "🧜🏼‍♂️" or tgt.process.cmdline contains "🧚🏼‍♀️" or tgt.process.cmdline contains "🧚🏼" or tgt.process.cmdline contains "🧚🏼‍♂️" or tgt.process.cmdline contains "👼🏼" or tgt.process.cmdline contains "🤰🏼" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🤱🏼" or tgt.process.cmdline contains "👩🏼‍🍼" or tgt.process.cmdline contains "🧑🏼‍🍼" or tgt.process.cmdline contains "👨🏼‍🍼" or tgt.process.cmdline contains "🙇🏼‍♀️" or tgt.process.cmdline contains "🙇🏼" or tgt.process.cmdline contains "🙇🏼‍♂️" or tgt.process.cmdline contains "💁🏼‍♀️" or tgt.process.cmdline contains "💁🏼" or tgt.process.cmdline contains "💁🏼‍♂️" or tgt.process.cmdline contains "🙅🏼‍♀️" or tgt.process.cmdline contains "🙅🏼" or tgt.process.cmdline contains "🙅🏼‍♂️" or tgt.process.cmdline contains "🙆🏼‍♀️" or tgt.process.cmdline contains "🙆🏼" or tgt.process.cmdline contains "🙆🏼‍♂️" or tgt.process.cmdline contains "🙋🏼‍♀️" or tgt.process.cmdline contains "🙋🏼" or tgt.process.cmdline contains "🙋🏼‍♂️" or tgt.process.cmdline contains "🧏🏼‍♀️" or tgt.process.cmdline contains "🧏🏼" or tgt.process.cmdline contains "🧏🏼‍♂️" or tgt.process.cmdline contains "🤦🏼‍♀️" or tgt.process.cmdline contains "🤦🏼" or tgt.process.cmdline contains "🤦🏼‍♂️" or tgt.process.cmdline contains "🤷🏼‍♀️"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md
index 62b9d0659..95d3f6583 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🤷🏼" or tgt.process.cmdline contains "🤷🏼‍♂️" or tgt.process.cmdline contains "🙎🏼‍♀️" or tgt.process.cmdline contains "🙎🏼" or tgt.process.cmdline contains "🙎🏼‍♂️" or tgt.process.cmdline contains "🙍🏼‍♀️" or tgt.process.cmdline contains "🙍🏼" or tgt.process.cmdline contains "🙍🏼‍♂️" or tgt.process.cmdline contains "💇🏼‍♀️" or tgt.process.cmdline contains "💇🏼" or tgt.process.cmdline contains "💇🏼‍♂️" or tgt.process.cmdline contains "💆🏼‍♀️" or tgt.process.cmdline contains "💆🏼" or tgt.process.cmdline contains "💆🏼‍♂️" or tgt.process.cmdline contains "🧖🏼‍♀️" or tgt.process.cmdline contains "🧖🏼" or tgt.process.cmdline contains "🧖🏼‍♂️" or tgt.process.cmdline contains "💃🏼" or tgt.process.cmdline contains "🕺🏼" or tgt.process.cmdline contains "🕴🏼" or tgt.process.cmdline contains "👩🏼‍🦽" or tgt.process.cmdline contains "🧑🏼‍🦽" or tgt.process.cmdline contains "👨🏼‍🦽" or tgt.process.cmdline contains "👩🏼‍🦼" or tgt.process.cmdline contains "🧑🏼‍🦼" or tgt.process.cmdline contains "👨🏼‍🦼" or tgt.process.cmdline contains "🚶🏼‍♀️" or tgt.process.cmdline contains "🚶🏼" or tgt.process.cmdline contains "🚶🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦯" or tgt.process.cmdline contains "🧑🏼‍🦯" or tgt.process.cmdline contains "👨🏼‍🦯" or tgt.process.cmdline contains "🧎🏼‍♀️" or tgt.process.cmdline contains "🧎🏼" or tgt.process.cmdline contains "🧎🏼‍♂️" or tgt.process.cmdline contains "🏃🏼‍♀️" or tgt.process.cmdline contains "🏃🏼" or tgt.process.cmdline contains "🏃🏼‍♂️" or tgt.process.cmdline contains "🧍🏼‍♀️" or tgt.process.cmdline contains "🧍🏼" or tgt.process.cmdline contains "🧍🏼‍♂️" or tgt.process.cmdline contains "👭🏼" or tgt.process.cmdline contains "🧑🏼‍🤝‍🧑🏼" or tgt.process.cmdline contains "👬🏼" or tgt.process.cmdline contains "👫🏼" or tgt.process.cmdline 
contains "🧗🏼‍♀️" or tgt.process.cmdline contains "🧗🏼" or tgt.process.cmdline contains "🧗🏼‍♂️" or tgt.process.cmdline contains "🏇🏼" or tgt.process.cmdline contains "🏂🏼" or tgt.process.cmdline contains "🏌🏼‍♀️" or tgt.process.cmdline contains "🏌🏼" or tgt.process.cmdline contains "🏌🏼‍♂️" or tgt.process.cmdline contains "🏄🏼‍♀️" or tgt.process.cmdline contains "🏄🏼" or tgt.process.cmdline contains "🏄🏼‍♂️" or tgt.process.cmdline contains "🚣🏼‍♀️" or tgt.process.cmdline contains "🚣🏼" or tgt.process.cmdline contains "🚣🏼‍♂️" or tgt.process.cmdline contains "🏊🏼‍♀️" or tgt.process.cmdline contains "🏊🏼" or tgt.process.cmdline contains "🏊🏼‍♂️" or tgt.process.cmdline contains "⛹🏼‍♀️" or tgt.process.cmdline contains "⛹🏼" or tgt.process.cmdline contains "⛹🏼‍♂️" or tgt.process.cmdline contains "🏋🏼‍♀️" or tgt.process.cmdline contains "🏋🏼" or tgt.process.cmdline contains "🏋🏼‍♂️" or tgt.process.cmdline contains "🚴🏼‍♀️" or tgt.process.cmdline contains "🚴🏼" or tgt.process.cmdline contains "🚴🏼‍♂️" or tgt.process.cmdline contains "🚵🏼‍♀️" or tgt.process.cmdline contains "🚵🏼" or tgt.process.cmdline contains "🚵🏼‍♂️" or tgt.process.cmdline contains "🤸🏼‍♀️" or tgt.process.cmdline contains "🤸🏼" or tgt.process.cmdline contains "🤸🏼‍♂️" or tgt.process.cmdline contains "🤽🏼‍♀️" or tgt.process.cmdline contains "🤽🏼" or tgt.process.cmdline contains "🤽🏼‍♂️" or tgt.process.cmdline contains "🤾🏼‍♀️" or tgt.process.cmdline contains "🤾🏼" or tgt.process.cmdline contains "🤾🏼‍♂️" or tgt.process.cmdline contains "🤹🏼‍♀️" or tgt.process.cmdline contains "🤹🏼" or tgt.process.cmdline contains "🤹🏼‍♂️" or tgt.process.cmdline contains "🧘🏼‍♀️" or tgt.process.cmdline contains "🧘🏼" or tgt.process.cmdline contains "🧘🏼‍♂️" or tgt.process.cmdline contains "🛀🏼" or tgt.process.cmdline contains "🛌🏼" or tgt.process.cmdline contains "👋🏽" or tgt.process.cmdline contains "🤚🏽" or tgt.process.cmdline contains "🖐🏽" or tgt.process.cmdline contains "✋🏽" or tgt.process.cmdline contains "🖖🏽" or tgt.process.cmdline contains "👌🏽" or 
tgt.process.cmdline contains "🤌🏽" or tgt.process.cmdline contains "🤏🏽" or tgt.process.cmdline contains "✌🏽" or tgt.process.cmdline contains "🤞🏽" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🤟🏽" or tgt.process.cmdline contains "🤘🏽" or tgt.process.cmdline contains "🤙🏽" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "👈🏽" or tgt.process.cmdline contains "👉🏽" or tgt.process.cmdline contains "👆🏽" or tgt.process.cmdline contains "🖕🏽" or tgt.process.cmdline contains "👇🏽" or tgt.process.cmdline contains "☝🏽" or tgt.process.cmdline contains "👍🏽" or tgt.process.cmdline contains "👎🏽" or tgt.process.cmdline contains "✊🏽" or tgt.process.cmdline contains "👊🏽" or tgt.process.cmdline contains "🤛🏽" or tgt.process.cmdline contains "🤜🏽" or tgt.process.cmdline contains "👏🏽" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🙌🏽" or tgt.process.cmdline contains "👐🏽" or tgt.process.cmdline contains "🤲🏽" or tgt.process.cmdline contains "🙏🏽" or tgt.process.cmdline contains "✍🏽" or tgt.process.cmdline contains "💪🏽" or tgt.process.cmdline contains "🦵🏽" or tgt.process.cmdline contains "🦶🏽" or tgt.process.cmdline contains "👂🏽" or tgt.process.cmdline contains "🦻🏽" or tgt.process.cmdline contains "👃🏽" or tgt.process.cmdline contains "👶🏽" or tgt.process.cmdline contains "👧🏽" or tgt.process.cmdline contains "🧒🏽" or tgt.process.cmdline contains "👦🏽" or tgt.process.cmdline contains "👩🏽" or tgt.process.cmdline contains "🧑🏽" or tgt.process.cmdline contains "👨🏽" or tgt.process.cmdline contains "👩🏽‍🦱" or tgt.process.cmdline contains "🧑🏽‍🦱" or tgt.process.cmdline contains "👨🏽‍🦱" or tgt.process.cmdline contains "👩🏽‍🦰" or tgt.process.cmdline contains "🧑🏽‍🦰" or tgt.process.cmdline contains "👨🏽‍🦰" or tgt.process.cmdline contains "👱🏽‍♀️" or tgt.process.cmdline contains "👱🏽" or tgt.process.cmdline 
contains "👱🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦳" or tgt.process.cmdline contains "🧑🏽‍🦳" or tgt.process.cmdline contains "👨🏽‍🦳" or tgt.process.cmdline contains "👩🏽‍🦲" or tgt.process.cmdline contains "🧑🏽‍🦲" or tgt.process.cmdline contains "👨🏽‍🦲" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏽" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "👵🏽" or tgt.process.cmdline contains "🧓🏽" or tgt.process.cmdline contains "👴🏽" or tgt.process.cmdline contains "👲🏽" or tgt.process.cmdline contains "👳🏽‍♀️" or tgt.process.cmdline contains "👳🏽" or tgt.process.cmdline contains "👳🏽‍♂️" or tgt.process.cmdline contains "🧕🏽" or tgt.process.cmdline contains "👮🏽‍♀️" or tgt.process.cmdline contains "👮🏽" or tgt.process.cmdline contains "👮🏽‍♂️" or tgt.process.cmdline contains "👷🏽‍♀️" or tgt.process.cmdline contains "👷🏽" or tgt.process.cmdline contains "👷🏽‍♂️" or tgt.process.cmdline contains "💂🏽‍♀️" or tgt.process.cmdline contains "💂🏽" or tgt.process.cmdline contains "💂🏽‍♂️" or tgt.process.cmdline contains "🕵🏽‍♀️" or tgt.process.cmdline contains "🕵🏽" or tgt.process.cmdline contains "🕵🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍⚕️" or tgt.process.cmdline contains "🧑🏽‍⚕️" or tgt.process.cmdline contains "👨🏽‍⚕️" or tgt.process.cmdline contains "👩🏽‍🌾" or tgt.process.cmdline contains "🧑🏽‍🌾" or tgt.process.cmdline contains "👨🏽‍🌾" or tgt.process.cmdline contains "👩🏽‍🍳" or tgt.process.cmdline contains "🧑🏽‍🍳" or tgt.process.cmdline contains "👨🏽‍🍳" or tgt.process.cmdline contains "👩🏽‍🎓" or tgt.process.cmdline contains "🧑🏽‍🎓" or tgt.process.cmdline contains "👨🏽‍🎓" or tgt.process.cmdline contains "👩🏽‍🎤" or tgt.process.cmdline contains "🧑🏽‍🎤" or tgt.process.cmdline contains "👨🏽‍🎤" or tgt.process.cmdline contains "👩🏽‍🏫" or tgt.process.cmdline contains "🧑🏽‍🏫" or tgt.process.cmdline contains "👨🏽‍🏫" or tgt.process.cmdline contains "👩🏽‍🏭" or tgt.process.cmdline contains "🧑🏽‍🏭" or tgt.process.cmdline contains "👨🏽‍🏭" or tgt.process.cmdline contains "👩🏽‍💻" 
or tgt.process.cmdline contains "🧑🏽‍💻" or tgt.process.cmdline contains "👨🏽‍💻" or tgt.process.cmdline contains "👩🏽‍💼" or tgt.process.cmdline contains "🧑🏽‍💼" or tgt.process.cmdline contains "👨🏽‍💼" or tgt.process.cmdline contains "👩🏽‍🔧" or tgt.process.cmdline contains "🧑🏽‍🔧" or tgt.process.cmdline contains "👨🏽‍🔧" or tgt.process.cmdline contains "👩🏽‍🔬" or tgt.process.cmdline contains "🧑🏽‍🔬" or tgt.process.cmdline contains "👨🏽‍🔬" or tgt.process.cmdline contains "👩🏽‍🎨" or tgt.process.cmdline contains "🧑🏽‍🎨" or tgt.process.cmdline contains "👨🏽‍🎨" or tgt.process.cmdline contains "👩🏽‍🚒" or tgt.process.cmdline contains "🧑🏽‍🚒" or tgt.process.cmdline contains "👨🏽‍🚒" or tgt.process.cmdline contains "👩🏽‍✈️" or tgt.process.cmdline contains "🧑🏽‍✈️" or tgt.process.cmdline contains "👨🏽‍✈️" or tgt.process.cmdline contains "👩🏽‍🚀" or tgt.process.cmdline contains "🧑🏽‍🚀" or tgt.process.cmdline contains "👨🏽‍🚀" or tgt.process.cmdline contains "👩🏽‍⚖️" or tgt.process.cmdline contains "🧑🏽‍⚖️" or tgt.process.cmdline contains "👨🏽‍⚖️" or tgt.process.cmdline contains "👰🏽‍♀️" or tgt.process.cmdline contains "👰🏽" or tgt.process.cmdline contains "👰🏽‍♂️" or tgt.process.cmdline contains "🤵🏽‍♀️" or tgt.process.cmdline contains "🤵🏽" or tgt.process.cmdline contains "🤵🏽‍♂️" or tgt.process.cmdline contains "👸🏽" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🤴🏽" or tgt.process.cmdline contains "🥷🏽" or tgt.process.cmdline contains "🦸🏽‍♀️" or tgt.process.cmdline contains "🦸🏽" or tgt.process.cmdline contains "🦸🏽‍♂️" or tgt.process.cmdline contains "🦹🏽‍♀️" or tgt.process.cmdline contains "🦹🏽" or tgt.process.cmdline contains "🦹🏽‍♂️" or tgt.process.cmdline contains "🤶🏽" or tgt.process.cmdline contains "🧑🏽‍🎄" or tgt.process.cmdline contains "🎅🏽" or tgt.process.cmdline contains "🧙🏽‍♀️" or tgt.process.cmdline contains "🧙🏽" or tgt.process.cmdline contains "🧙🏽‍♂️" or tgt.process.cmdline contains "🧝🏽‍♀️" or tgt.process.cmdline contains "🧝🏽" or tgt.process.cmdline contains "🧝🏽‍♂️" or 
tgt.process.cmdline contains "🧛🏽‍♀️" or tgt.process.cmdline contains "🧛🏽" or tgt.process.cmdline contains "🧛🏽‍♂️" or tgt.process.cmdline contains "🧜🏽‍♀️" or tgt.process.cmdline contains "🧜🏽" or tgt.process.cmdline contains "🧜🏽‍♂️" or tgt.process.cmdline contains "🧚🏽‍♀️" or tgt.process.cmdline contains "🧚🏽" or tgt.process.cmdline contains "🧚🏽‍♂️" or tgt.process.cmdline contains "👼🏽" or tgt.process.cmdline contains "🤰🏽" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🤱🏽" or tgt.process.cmdline contains "👩🏽‍🍼" or tgt.process.cmdline contains "🧑🏽‍🍼" or tgt.process.cmdline contains "👨🏽‍🍼" or tgt.process.cmdline contains "🙇🏽‍♀️" or tgt.process.cmdline contains "🙇🏽" or tgt.process.cmdline contains "🙇🏽‍♂️" or tgt.process.cmdline contains "💁🏽‍♀️" or tgt.process.cmdline contains "💁🏽" or tgt.process.cmdline contains "💁🏽‍♂️" or tgt.process.cmdline contains "🙅🏽‍♀️" or tgt.process.cmdline contains "🙅🏽" or tgt.process.cmdline contains "🙅🏽‍♂️" or tgt.process.cmdline contains "🙆🏽‍♀️" or tgt.process.cmdline contains "🙆🏽" or tgt.process.cmdline contains "🙆🏽‍♂️" or tgt.process.cmdline contains "🙋🏽‍♀️" or tgt.process.cmdline contains "🙋🏽" or tgt.process.cmdline contains "🙋🏽‍♂️" or tgt.process.cmdline contains "🧏🏽‍♀️" or tgt.process.cmdline contains "🧏🏽" or tgt.process.cmdline contains "🧏🏽‍♂️" or tgt.process.cmdline contains "🤦🏽‍♀️" or tgt.process.cmdline contains "🤦🏽" or tgt.process.cmdline contains "🤦🏽‍♂️" or tgt.process.cmdline contains "🤷🏽‍♀️" or tgt.process.cmdline contains "🤷🏽" or tgt.process.cmdline contains "🤷🏽‍♂️" or tgt.process.cmdline contains "🙎🏽‍♀️" or tgt.process.cmdline contains "🙎🏽" or tgt.process.cmdline contains "🙎🏽‍♂️" or tgt.process.cmdline contains "🙍🏽‍♀️" or tgt.process.cmdline contains "🙍🏽" or tgt.process.cmdline contains "🙍🏽‍♂️" or tgt.process.cmdline contains "💇🏽‍♀️" or tgt.process.cmdline contains "💇🏽" or tgt.process.cmdline contains "💇🏽‍♂️" or tgt.process.cmdline contains "💆🏽‍♀️" or tgt.process.cmdline 
contains "💆🏽" or tgt.process.cmdline contains "💆🏽‍♂️" or tgt.process.cmdline contains "🧖🏽‍♀️" or tgt.process.cmdline contains "🧖🏽" or tgt.process.cmdline contains "🧖🏽‍♂️" or tgt.process.cmdline contains "💃🏽" or tgt.process.cmdline contains "🕺🏽" or tgt.process.cmdline contains "🕴🏽" or tgt.process.cmdline contains "👩🏽‍🦽" or tgt.process.cmdline contains "🧑🏽‍🦽" or tgt.process.cmdline contains "👨🏽‍🦽" or tgt.process.cmdline contains "👩🏽‍🦼" or tgt.process.cmdline contains "🧑🏽‍🦼" or tgt.process.cmdline contains "👨🏽‍🦼" or tgt.process.cmdline contains "🚶🏽‍♀️" or tgt.process.cmdline contains "🚶🏽" or tgt.process.cmdline contains "🚶🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦯" or tgt.process.cmdline contains "🧑🏽‍🦯" or tgt.process.cmdline contains "👨🏽‍🦯" or tgt.process.cmdline contains "🧎🏽‍♀️" or tgt.process.cmdline contains "🧎🏽" or tgt.process.cmdline contains "🧎🏽‍♂️" or tgt.process.cmdline contains "🏃🏽‍♀️" or tgt.process.cmdline contains "🏃🏽" or tgt.process.cmdline contains "🏃🏽‍♂️" or tgt.process.cmdline contains "🧍🏽‍♀️" or tgt.process.cmdline contains "🧍🏽" or tgt.process.cmdline contains "🧍🏽‍♂️" or tgt.process.cmdline contains "👭🏽" or tgt.process.cmdline contains "🧑🏽‍🤝‍🧑🏽" or tgt.process.cmdline contains "👬🏽" or tgt.process.cmdline contains "👫🏽" or tgt.process.cmdline contains "🧗🏽‍♀️" or tgt.process.cmdline contains "🧗🏽" or tgt.process.cmdline contains "🧗🏽‍♂️" or tgt.process.cmdline contains "🏇🏽" or tgt.process.cmdline contains "🏂🏽" or tgt.process.cmdline contains "🏌🏽‍♀️" or tgt.process.cmdline contains "🏌🏽" or tgt.process.cmdline contains "🏌🏽‍♂️" or tgt.process.cmdline contains "🏄🏽‍♀️" or tgt.process.cmdline contains "🏄🏽" or tgt.process.cmdline contains "🏄🏽‍♂️" or tgt.process.cmdline contains "🚣🏽‍♀️" or tgt.process.cmdline contains "🚣🏽" or tgt.process.cmdline contains "🚣🏽‍♂️" or tgt.process.cmdline contains "🏊🏽‍♀️" or tgt.process.cmdline contains "🏊🏽" or tgt.process.cmdline contains "🏊🏽‍♂️" or tgt.process.cmdline contains "⛹🏽‍♀️" or tgt.process.cmdline contains "⛹🏽" or 
tgt.process.cmdline contains "⛹🏽‍♂️" or tgt.process.cmdline contains "🏋🏽‍♀️" or tgt.process.cmdline contains "🏋🏽" or tgt.process.cmdline contains "🏋🏽‍♂️" or tgt.process.cmdline contains "🚴🏽‍♀️" or tgt.process.cmdline contains "🚴🏽" or tgt.process.cmdline contains "🚴🏽‍♂️" or tgt.process.cmdline contains "🚵🏽‍♀️" or tgt.process.cmdline contains "🚵🏽" or tgt.process.cmdline contains "🚵🏽‍♂️" or tgt.process.cmdline contains "🤸🏽‍♀️" or tgt.process.cmdline contains "🤸🏽" or tgt.process.cmdline contains "🤸🏽‍♂️" or tgt.process.cmdline contains "🤽🏽‍♀️" or tgt.process.cmdline contains "🤽🏽" or tgt.process.cmdline contains "🤽🏽‍♂️" or tgt.process.cmdline contains "🤾🏽‍♀️" or tgt.process.cmdline contains "🤾🏽" or tgt.process.cmdline contains "🤾🏽‍♂️" or tgt.process.cmdline contains "🤹🏽‍♀️" or tgt.process.cmdline contains "🤹🏽" or tgt.process.cmdline contains "🤹🏽‍♂️" or tgt.process.cmdline contains "🧘🏽‍♀️" or tgt.process.cmdline contains "🧘🏽" or tgt.process.cmdline contains "🧘🏽‍♂️" or tgt.process.cmdline contains "🛀🏽" or tgt.process.cmdline contains "🛌🏽" or tgt.process.cmdline contains "👋🏾" or tgt.process.cmdline contains "🤚🏾" or tgt.process.cmdline contains "🖐🏾" or tgt.process.cmdline contains "✋🏾" or tgt.process.cmdline contains "🖖🏾" or tgt.process.cmdline contains "👌🏾" or tgt.process.cmdline contains "🤌🏾" or tgt.process.cmdline contains "🤏🏾" or tgt.process.cmdline contains "✌🏾" or tgt.process.cmdline contains "🤞🏾" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🤟🏾" or tgt.process.cmdline contains "🤘🏾" or tgt.process.cmdline contains "🤙🏾" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "👈🏾" or tgt.process.cmdline contains "👉🏾" or tgt.process.cmdline contains "👆🏾" or tgt.process.cmdline contains "🖕🏾" or tgt.process.cmdline contains "👇🏾" or tgt.process.cmdline contains "☝🏾" or tgt.process.cmdline 
contains "👍🏾" or tgt.process.cmdline contains "👎🏾" or tgt.process.cmdline contains "✊🏾" or tgt.process.cmdline contains "👊🏾" or tgt.process.cmdline contains "🤛🏾" or tgt.process.cmdline contains "🤜🏾" or tgt.process.cmdline contains "👏🏾" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🙌🏾" or tgt.process.cmdline contains "👐🏾" or tgt.process.cmdline contains "🤲🏾" or tgt.process.cmdline contains "🙏🏾" or tgt.process.cmdline contains "✍🏾" or tgt.process.cmdline contains "💪🏾" or tgt.process.cmdline contains "🦵🏾" or tgt.process.cmdline contains "🦶🏾" or tgt.process.cmdline contains "👂🏾" or tgt.process.cmdline contains "🦻🏾" or tgt.process.cmdline contains "👃🏾" or tgt.process.cmdline contains "👶🏾" or tgt.process.cmdline contains "👧🏾" or tgt.process.cmdline contains "🧒🏾" or tgt.process.cmdline contains "👦🏾" or tgt.process.cmdline contains "👩🏾" or tgt.process.cmdline contains "🧑🏾" or tgt.process.cmdline contains "👨🏾" or tgt.process.cmdline contains "👩🏾‍🦱" or tgt.process.cmdline contains "🧑🏾‍🦱" or tgt.process.cmdline contains "👨🏾‍🦱" or tgt.process.cmdline contains "👩🏾‍🦰" or tgt.process.cmdline contains "🧑🏾‍🦰" or tgt.process.cmdline contains "👨🏾‍🦰" or tgt.process.cmdline contains "👱🏾‍♀️" or tgt.process.cmdline contains "👱🏾" or tgt.process.cmdline contains "👱🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦳" or tgt.process.cmdline contains "🧑🏾‍🦳" or tgt.process.cmdline contains "👨🏾‍🦳" or tgt.process.cmdline contains "👩🏾‍🦲" or tgt.process.cmdline contains "🧑🏾‍🦲" or tgt.process.cmdline contains "👨🏾‍🦲" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏾" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "👵🏾" or tgt.process.cmdline contains "🧓🏾" or tgt.process.cmdline contains "👴🏾" or tgt.process.cmdline contains "👲🏾" or tgt.process.cmdline contains "👳🏾‍♀️" or tgt.process.cmdline contains "👳🏾" or tgt.process.cmdline contains "👳🏾‍♂️" or tgt.process.cmdline contains "🧕🏾" or tgt.process.cmdline contains "👮🏾‍♀️" or 
tgt.process.cmdline contains "👮🏾" or tgt.process.cmdline contains "👮🏾‍♂️" or tgt.process.cmdline contains "👷🏾‍♀️" or tgt.process.cmdline contains "👷🏾" or tgt.process.cmdline contains "👷🏾‍♂️" or tgt.process.cmdline contains "💂🏾‍♀️" or tgt.process.cmdline contains "💂🏾" or tgt.process.cmdline contains "💂🏾‍♂️" or tgt.process.cmdline contains "🕵🏾‍♀️" or tgt.process.cmdline contains "🕵🏾" or tgt.process.cmdline contains "🕵🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍⚕️" or tgt.process.cmdline contains "🧑🏾‍⚕️" or tgt.process.cmdline contains "👨🏾‍⚕️" or tgt.process.cmdline contains "👩🏾‍🌾" or tgt.process.cmdline contains "🧑🏾‍🌾" or tgt.process.cmdline contains "👨🏾‍🌾" or tgt.process.cmdline contains "👩🏾‍🍳" or tgt.process.cmdline contains "🧑🏾‍🍳" or tgt.process.cmdline contains "👨🏾‍🍳" or tgt.process.cmdline contains "👩🏾‍🎓" or tgt.process.cmdline contains "🧑🏾‍🎓" or tgt.process.cmdline contains "👨🏾‍🎓" or tgt.process.cmdline contains "👩🏾‍🎤" or tgt.process.cmdline contains "🧑🏾‍🎤" or tgt.process.cmdline contains "👨🏾‍🎤" or tgt.process.cmdline contains "👩🏾‍🏫" or tgt.process.cmdline contains "🧑🏾‍🏫" or tgt.process.cmdline contains "👨🏾‍🏫" or tgt.process.cmdline contains "👩🏾‍🏭" or tgt.process.cmdline contains "🧑🏾‍🏭" or tgt.process.cmdline contains "👨🏾‍🏭" or tgt.process.cmdline contains "👩🏾‍💻" or tgt.process.cmdline contains "🧑🏾‍💻" or tgt.process.cmdline contains "👨🏾‍💻" or tgt.process.cmdline contains "👩🏾‍💼" or tgt.process.cmdline contains "🧑🏾‍💼" or tgt.process.cmdline contains "👨🏾‍💼" or tgt.process.cmdline contains "👩🏾‍🔧" or tgt.process.cmdline contains "🧑🏾‍🔧" or tgt.process.cmdline contains "👨🏾‍🔧" or tgt.process.cmdline contains "👩🏾‍🔬" or tgt.process.cmdline contains "🧑🏾‍🔬" or tgt.process.cmdline contains "👨🏾‍🔬" or tgt.process.cmdline contains "👩🏾‍🎨" or tgt.process.cmdline contains "🧑🏾‍🎨" or tgt.process.cmdline contains "👨🏾‍🎨" or tgt.process.cmdline contains "👩🏾‍🚒" or tgt.process.cmdline contains "🧑🏾‍🚒" or tgt.process.cmdline contains "👨🏾‍🚒" or tgt.process.cmdline contains "👩🏾‍✈️" or 
tgt.process.cmdline contains "🧑🏾‍✈️" or tgt.process.cmdline contains "👨🏾‍✈️" or tgt.process.cmdline contains "👩🏾‍🚀" or tgt.process.cmdline contains "🧑🏾‍🚀" or tgt.process.cmdline contains "👨🏾‍🚀" or tgt.process.cmdline contains "👩🏾‍⚖️" or tgt.process.cmdline contains "🧑🏾‍⚖️" or tgt.process.cmdline contains "👨🏾‍⚖️" or tgt.process.cmdline contains "👰🏾‍♀️" or tgt.process.cmdline contains "👰🏾" or tgt.process.cmdline contains "👰🏾‍♂️" or tgt.process.cmdline contains "🤵🏾‍♀️" or tgt.process.cmdline contains "🤵🏾" or tgt.process.cmdline contains "🤵🏾‍♂️" or tgt.process.cmdline contains "👸🏾" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🤴🏾" or tgt.process.cmdline contains "🥷🏾" or tgt.process.cmdline contains "🦸🏾‍♀️" or tgt.process.cmdline contains "🦸🏾" or tgt.process.cmdline contains "🦸🏾‍♂️" or tgt.process.cmdline contains "🦹🏾‍♀️" or tgt.process.cmdline contains "🦹🏾" or tgt.process.cmdline contains "🦹🏾‍♂️" or tgt.process.cmdline contains "🤶🏾" or tgt.process.cmdline contains "🧑🏾‍🎄" or tgt.process.cmdline contains "🎅🏾" or tgt.process.cmdline contains "🧙🏾‍♀️" or tgt.process.cmdline contains "🧙🏾" or tgt.process.cmdline contains "🧙🏾‍♂️" or tgt.process.cmdline contains "🧝🏾‍♀️" or tgt.process.cmdline contains "🧝🏾" or tgt.process.cmdline contains "🧝🏾‍♂️" or tgt.process.cmdline contains "🧛🏾‍♀️" or tgt.process.cmdline contains "🧛🏾" or tgt.process.cmdline contains "🧛🏾‍♂️" or tgt.process.cmdline contains "🧜🏾‍♀️" or tgt.process.cmdline contains "🧜🏾" or tgt.process.cmdline contains "🧜🏾‍♂️" or tgt.process.cmdline contains "🧚🏾‍♀️" or tgt.process.cmdline contains "🧚🏾" or tgt.process.cmdline contains "🧚🏾‍♂️" or tgt.process.cmdline contains "👼🏾" or tgt.process.cmdline contains "🤰🏾" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🤱🏾" or tgt.process.cmdline contains "👩🏾‍🍼" or tgt.process.cmdline contains "🧑🏾‍🍼" or tgt.process.cmdline contains "👨🏾‍🍼" or tgt.process.cmdline contains "🙇🏾‍♀️" or tgt.process.cmdline 
contains "🙇🏾" or tgt.process.cmdline contains "🙇🏾‍♂️" or tgt.process.cmdline contains "💁🏾‍♀️" or tgt.process.cmdline contains "💁🏾" or tgt.process.cmdline contains "💁🏾‍♂️" or tgt.process.cmdline contains "🙅🏾‍♀️" or tgt.process.cmdline contains "🙅🏾" or tgt.process.cmdline contains "🙅🏾‍♂️" or tgt.process.cmdline contains "🙆🏾‍♀️" or tgt.process.cmdline contains "🙆🏾" or tgt.process.cmdline contains "🙆🏾‍♂️" or tgt.process.cmdline contains "🙋🏾‍♀️" or tgt.process.cmdline contains "🙋🏾" or tgt.process.cmdline contains "🙋🏾‍♂️" or tgt.process.cmdline contains "🧏🏾‍♀️" or tgt.process.cmdline contains "🧏🏾" or tgt.process.cmdline contains "🧏🏾‍♂️" or tgt.process.cmdline contains "🤦🏾‍♀️" or tgt.process.cmdline contains "🤦🏾" or tgt.process.cmdline contains "🤦🏾‍♂️" or tgt.process.cmdline contains "🤷🏾‍♀️" or tgt.process.cmdline contains "🤷🏾" or tgt.process.cmdline contains "🤷🏾‍♂️" or tgt.process.cmdline contains "🙎🏾‍♀️" or tgt.process.cmdline contains "🙎🏾" or tgt.process.cmdline contains "🙎🏾‍♂️" or tgt.process.cmdline contains "🙍🏾‍♀️" or tgt.process.cmdline contains "🙍🏾" or tgt.process.cmdline contains "🙍🏾‍♂️" or tgt.process.cmdline contains "💇🏾‍♀️" or tgt.process.cmdline contains "💇🏾" or tgt.process.cmdline contains "💇🏾‍♂️" or tgt.process.cmdline contains "💆🏾‍♀️" or tgt.process.cmdline contains "💆🏾" or tgt.process.cmdline contains "💆🏾‍♂️" or tgt.process.cmdline contains "🧖🏾‍♀️" or tgt.process.cmdline contains "🧖🏾" or tgt.process.cmdline contains "🧖🏾‍♂️" or tgt.process.cmdline contains "💃🏾" or tgt.process.cmdline contains "🕺🏾" or tgt.process.cmdline contains "👩🏾‍🦽" or tgt.process.cmdline contains "🧑🏾‍🦽" or tgt.process.cmdline contains "👨🏾‍🦽" or tgt.process.cmdline contains "👩🏾‍🦼" or tgt.process.cmdline contains "🧑🏾‍🦼" or tgt.process.cmdline contains "👨🏾‍🦼" or tgt.process.cmdline contains "🚶🏾‍♀️" or tgt.process.cmdline contains "🚶🏾" or tgt.process.cmdline contains "🚶🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦯" or tgt.process.cmdline contains "🧑🏾‍🦯" or tgt.process.cmdline contains "👨🏾‍🦯" 
or tgt.process.cmdline contains "🧎🏾‍♀️" or tgt.process.cmdline contains "🧎🏾" or tgt.process.cmdline contains "🧎🏾‍♂️" or tgt.process.cmdline contains "🏃🏾‍♀️" or tgt.process.cmdline contains "🏃🏾" or tgt.process.cmdline contains "🏃🏾‍♂️" or tgt.process.cmdline contains "🧍🏾‍♀️" or tgt.process.cmdline contains "🧍🏾" or tgt.process.cmdline contains "🧍🏾‍♂️" or tgt.process.cmdline contains "👭🏾" or tgt.process.cmdline contains "🧑🏾‍🤝‍🧑🏾" or tgt.process.cmdline contains "👬🏾" or tgt.process.cmdline contains "👫🏾" or tgt.process.cmdline contains "🧗🏾‍♀️" or tgt.process.cmdline contains "🧗🏾" or tgt.process.cmdline contains "🧗🏾‍♂️" or tgt.process.cmdline contains "🏇🏾" or tgt.process.cmdline contains "🏂🏾" or tgt.process.cmdline contains "🏌🏾‍♀️" or tgt.process.cmdline contains "🏌🏾" or tgt.process.cmdline contains "🏌🏾‍♂️" or tgt.process.cmdline contains "🏄🏾‍♀️" or tgt.process.cmdline contains "🏄🏾" or tgt.process.cmdline contains "🏄🏾‍♂️" or tgt.process.cmdline contains "🚣🏾‍♀️" or tgt.process.cmdline contains "🚣🏾" or tgt.process.cmdline contains "🚣🏾‍♂️" or tgt.process.cmdline contains "🏊🏾‍♀️" or tgt.process.cmdline contains "🏊🏾" or tgt.process.cmdline contains "🏊🏾‍♂️" or tgt.process.cmdline contains "⛹🏾‍♀️" or tgt.process.cmdline contains "⛹🏾" or tgt.process.cmdline contains "⛹🏾‍♂️" or tgt.process.cmdline contains "🏋🏾‍♀️" or tgt.process.cmdline contains "🏋🏾" or tgt.process.cmdline contains "🏋🏾‍♂️" or tgt.process.cmdline contains "🚴🏾‍♀️" or tgt.process.cmdline contains "🚴🏾" or tgt.process.cmdline contains "🚴🏾‍♂️" or tgt.process.cmdline contains "🚵🏾‍♀️" or tgt.process.cmdline contains "🚵🏾" or tgt.process.cmdline contains "🚵🏾‍♂️" or tgt.process.cmdline contains "🤸🏾‍♀️" or tgt.process.cmdline contains "🤸🏾" or tgt.process.cmdline contains "🤸🏾‍♂️" or tgt.process.cmdline contains "🤽🏾‍♀️" or tgt.process.cmdline contains "🤽🏾" or tgt.process.cmdline contains "🤽🏾‍♂️" or tgt.process.cmdline contains "🤾🏾‍♀️" or tgt.process.cmdline contains "🤾🏾" or tgt.process.cmdline contains "🤾🏾‍♂️" or 
tgt.process.cmdline contains "🤹🏾‍♀️" or tgt.process.cmdline contains "🤹🏾" or tgt.process.cmdline contains "🤹🏾‍♂️" or tgt.process.cmdline contains "🧘🏾‍♀️" or tgt.process.cmdline contains "🧘🏾" or tgt.process.cmdline contains "🧘🏾‍♂️" or tgt.process.cmdline contains "🛀🏾" or tgt.process.cmdline contains "🛌🏾" or tgt.process.cmdline contains "👋🏿" or tgt.process.cmdline contains "🤚🏿" or tgt.process.cmdline contains "🖐🏿" or tgt.process.cmdline contains "✋🏿" or tgt.process.cmdline contains "🖖🏿" or tgt.process.cmdline contains "👌🏿" or tgt.process.cmdline contains "🤌🏿" or tgt.process.cmdline contains "🤏🏿" or tgt.process.cmdline contains "✌🏿" or tgt.process.cmdline contains "🤞🏿" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🤟🏿" or tgt.process.cmdline contains "🤘🏿" or tgt.process.cmdline contains "🤙🏿" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫱🏿" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "👈🏿" or tgt.process.cmdline contains "👉🏿" or tgt.process.cmdline contains "👆🏿" or tgt.process.cmdline contains "🖕🏿" or tgt.process.cmdline contains "👇🏿" or tgt.process.cmdline contains "☝🏿" or tgt.process.cmdline contains "👍🏿" or tgt.process.cmdline contains "👎🏿" or tgt.process.cmdline contains "✊🏿" or tgt.process.cmdline contains "👊🏿" or tgt.process.cmdline contains "🤛🏿" or tgt.process.cmdline contains "🤜🏿" or tgt.process.cmdline contains "👏🏿" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🙌🏿" or tgt.process.cmdline contains "👐🏿" or tgt.process.cmdline contains "🤲🏿" or tgt.process.cmdline contains "🙏🏿" or tgt.process.cmdline contains "✍🏿" or tgt.process.cmdline contains "🤳🏿" or tgt.process.cmdline contains "💪🏿" or tgt.process.cmdline contains "🦵🏿" or tgt.process.cmdline contains "🦶🏿" or tgt.process.cmdline contains "👂🏿" or tgt.process.cmdline contains "🦻🏿" or tgt.process.cmdline contains "👃🏿" or tgt.process.cmdline 
contains "👶🏿" or tgt.process.cmdline contains "👧🏿" or tgt.process.cmdline contains "🧒🏿" or tgt.process.cmdline contains "👦🏿" or tgt.process.cmdline contains "👩🏿" or tgt.process.cmdline contains "🧑🏿" or tgt.process.cmdline contains "👨🏿" or tgt.process.cmdline contains "👩🏿‍🦱" or tgt.process.cmdline contains "🧑🏿‍🦱" or tgt.process.cmdline contains "👨🏿‍🦱" or tgt.process.cmdline contains "👩🏿‍🦰" or tgt.process.cmdline contains "🧑🏿‍🦰" or tgt.process.cmdline contains "👨🏿‍🦰" or tgt.process.cmdline contains "👱🏿‍♀️" or tgt.process.cmdline contains "👱🏿" or tgt.process.cmdline contains "👱🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦳" or tgt.process.cmdline contains "🧑🏿‍🦳" or tgt.process.cmdline contains "👨🏿‍🦳" or tgt.process.cmdline contains "👩🏿‍🦲" or tgt.process.cmdline contains "🧑🏿‍🦲" or tgt.process.cmdline contains "👨🏿‍🦲" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔🏿" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "👵🏿" or tgt.process.cmdline contains "🧓🏿" or tgt.process.cmdline contains "👴🏿" or tgt.process.cmdline contains "👲🏿" or tgt.process.cmdline contains "👳🏿‍♀️" or tgt.process.cmdline contains "👳🏿" or tgt.process.cmdline contains "👳🏿‍♂️" or tgt.process.cmdline contains "🧕🏿" or tgt.process.cmdline contains "👮🏿‍♀️" or tgt.process.cmdline contains "👮🏿" or tgt.process.cmdline contains "👮🏿‍♂️" or tgt.process.cmdline contains "👷🏿‍♀️" or tgt.process.cmdline contains "👷🏿" or tgt.process.cmdline contains "👷🏿‍♂️" or tgt.process.cmdline contains "💂🏿‍♀️" or tgt.process.cmdline contains "💂🏿" or tgt.process.cmdline contains "💂🏿‍♂️" or tgt.process.cmdline contains "🕵🏿‍♀️" or tgt.process.cmdline contains "🕵🏿" or tgt.process.cmdline contains "🕵🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍⚕️" or tgt.process.cmdline contains "🧑🏿‍⚕️" or tgt.process.cmdline contains "👨🏿‍⚕️" or tgt.process.cmdline contains "👩🏿‍🌾" or tgt.process.cmdline contains "🧑🏿‍🌾" or tgt.process.cmdline contains "👨🏿‍🌾" or tgt.process.cmdline contains "👩🏿‍🍳" or 
tgt.process.cmdline contains "🧑🏿‍🍳" or tgt.process.cmdline contains "👨🏿‍🍳" or tgt.process.cmdline contains "👩🏿‍🎓" or tgt.process.cmdline contains "🧑🏿‍🎓" or tgt.process.cmdline contains "👨🏿‍🎓" or tgt.process.cmdline contains "👩🏿‍🎤" or tgt.process.cmdline contains "🧑🏿‍🎤" or tgt.process.cmdline contains "👨🏿‍🎤" or tgt.process.cmdline contains "👩🏿‍🏫" or tgt.process.cmdline contains "🧑🏿‍🏫" or tgt.process.cmdline contains "👨🏿‍🏫" or tgt.process.cmdline contains "👩🏿‍🏭" or tgt.process.cmdline contains "🧑🏿‍🏭" or tgt.process.cmdline contains "👨🏿‍🏭" or tgt.process.cmdline contains "👩🏿‍💻" or tgt.process.cmdline contains "🧑🏿‍💻" or tgt.process.cmdline contains "👨🏿‍💻" or tgt.process.cmdline contains "👩🏿‍💼" or tgt.process.cmdline contains "🧑🏿‍💼" or tgt.process.cmdline contains "👨🏿‍💼" or tgt.process.cmdline contains "👩🏿‍🔧" or tgt.process.cmdline contains "🧑🏿‍🔧" or tgt.process.cmdline contains "👨🏿‍🔧" or tgt.process.cmdline contains "👩🏿‍🔬" or tgt.process.cmdline contains "🧑🏿‍🔬" or tgt.process.cmdline contains "👨🏿‍🔬" or tgt.process.cmdline contains "👩🏿‍🎨" or tgt.process.cmdline contains "🧑🏿‍🎨" or tgt.process.cmdline contains "👨🏿‍🎨" or tgt.process.cmdline contains "👩🏿‍🚒" or tgt.process.cmdline contains "🧑🏿‍🚒" or tgt.process.cmdline contains "👨🏿‍🚒" or tgt.process.cmdline contains "👩🏿‍✈️" or tgt.process.cmdline contains "🧑🏿‍✈️" or tgt.process.cmdline contains "👨🏿‍✈️" or tgt.process.cmdline contains "👩🏿‍🚀" or tgt.process.cmdline contains "🧑🏿‍🚀" or tgt.process.cmdline contains "👨🏿‍🚀" or tgt.process.cmdline contains "👩🏿‍⚖️" or tgt.process.cmdline contains "🧑🏿‍⚖️" or tgt.process.cmdline contains "👨🏿‍⚖️" or tgt.process.cmdline contains "👰🏿‍♀️" or tgt.process.cmdline contains "👰🏿" or tgt.process.cmdline contains "👰🏿‍♂️" or tgt.process.cmdline contains "🤵🏿‍♀️" or tgt.process.cmdline contains "🤵🏿" or tgt.process.cmdline contains "🤵🏿‍♂️" or tgt.process.cmdline contains "👸🏿" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🤴🏿" or tgt.process.cmdline contains "🥷🏿" or 
tgt.process.cmdline contains "🦸🏿‍♀️" or tgt.process.cmdline contains "🦸🏿" or tgt.process.cmdline contains "🦸🏿‍♂️" or tgt.process.cmdline contains "🦹🏿‍♀️" or tgt.process.cmdline contains "🦹🏿" or tgt.process.cmdline contains "🦹🏿‍♂️" or tgt.process.cmdline contains "🤶🏿" or tgt.process.cmdline contains "🧑🏿‍🎄" or tgt.process.cmdline contains "🎅🏿" or tgt.process.cmdline contains "🧙🏿‍♀️" or tgt.process.cmdline contains "🧙🏿" or tgt.process.cmdline contains "🧙🏿‍♂️" or tgt.process.cmdline contains "🧝🏿‍♀️" or tgt.process.cmdline contains "🧝🏿" or tgt.process.cmdline contains "🧝🏿‍♂️" or tgt.process.cmdline contains "🧛🏿‍♀️" or tgt.process.cmdline contains "🧛🏿" or tgt.process.cmdline contains "🧛🏿‍♂️" or tgt.process.cmdline contains "🧜🏿‍♀️" or tgt.process.cmdline contains "🧜🏿" or tgt.process.cmdline contains "🧜🏿‍♂️" or tgt.process.cmdline contains "🧚🏿‍♀️" or tgt.process.cmdline contains "🧚🏿" or tgt.process.cmdline contains "🧚🏿‍♂️" or tgt.process.cmdline contains "👼🏿" or tgt.process.cmdline contains "🤰🏿" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🤱🏿" or tgt.process.cmdline contains "👩🏿‍🍼" or tgt.process.cmdline contains "🧑🏿‍🍼" or tgt.process.cmdline contains "👨🏿‍🍼" or tgt.process.cmdline contains "🙇🏿‍♀️" or tgt.process.cmdline contains "🙇🏿" or tgt.process.cmdline contains "🙇🏿‍♂️" or tgt.process.cmdline contains "💁🏿‍♀️" or tgt.process.cmdline contains "💁🏿" or tgt.process.cmdline contains "💁🏿‍♂️" or tgt.process.cmdline contains "🙅🏿‍♀️" or tgt.process.cmdline contains "🙅🏿" or tgt.process.cmdline contains "🙅🏿‍♂️" or tgt.process.cmdline contains "🙆🏿‍♀️" or tgt.process.cmdline contains "🙆🏿" or tgt.process.cmdline contains "🙆🏿‍♂️" or tgt.process.cmdline contains "🙋🏿‍♀️" or tgt.process.cmdline contains "🙋🏿" or tgt.process.cmdline contains "🙋🏿‍♂️" or tgt.process.cmdline contains "🧏🏿‍♀️" or tgt.process.cmdline contains "🧏🏿" or tgt.process.cmdline contains "🧏🏿‍♂️" or tgt.process.cmdline contains "🤦🏿‍♀️" or tgt.process.cmdline 
contains "🤦🏿" or tgt.process.cmdline contains "🤦🏿‍♂️" or tgt.process.cmdline contains "🤷🏿‍♀️" or tgt.process.cmdline contains "🤷🏿" or tgt.process.cmdline contains "🤷🏿‍♂️" or tgt.process.cmdline contains "🙎🏿‍♀️" or tgt.process.cmdline contains "🙎🏿" or tgt.process.cmdline contains "🙎🏿‍♂️" or tgt.process.cmdline contains "🙍🏿‍♀️" or tgt.process.cmdline contains "🙍🏿" or tgt.process.cmdline contains "🙍🏿‍♂️" or tgt.process.cmdline contains "💇🏿‍♀️" or tgt.process.cmdline contains "💇🏿" or tgt.process.cmdline contains "💇🏿‍♂️" or tgt.process.cmdline contains "💆🏿‍♀️" or tgt.process.cmdline contains "💆🏿" or tgt.process.cmdline contains "💆🏿‍♂️" or tgt.process.cmdline contains "🧖🏿‍♀️" or tgt.process.cmdline contains "🧖🏿" or tgt.process.cmdline contains "🧖🏿‍♂️" or tgt.process.cmdline contains "💃🏿" or tgt.process.cmdline contains "🕺🏿" or tgt.process.cmdline contains "🕴🏿" or tgt.process.cmdline contains "👩🏿‍🦽" or tgt.process.cmdline contains "🧑🏿‍🦽" or tgt.process.cmdline contains "👨🏿‍🦽" or tgt.process.cmdline contains "👩🏿‍🦼" or tgt.process.cmdline contains "🧑🏿‍🦼" or tgt.process.cmdline contains "👨🏿‍🦼" or tgt.process.cmdline contains "🚶🏿‍♀️" or tgt.process.cmdline contains "🚶🏿" or tgt.process.cmdline contains "🚶🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦯" or tgt.process.cmdline contains "🧑🏿‍🦯" or tgt.process.cmdline contains "👨🏿‍🦯" or tgt.process.cmdline contains "🧎🏿‍♀️" or tgt.process.cmdline contains "🧎🏿" or tgt.process.cmdline contains "🧎🏿‍♂️" or tgt.process.cmdline contains "🏃🏿‍♀️" or tgt.process.cmdline contains "🏃🏿" or tgt.process.cmdline contains "🏃🏿‍♂️" or tgt.process.cmdline contains "🧍🏿‍♀️" or tgt.process.cmdline contains "🧍🏿" or tgt.process.cmdline contains "🧍🏿‍♂️" or tgt.process.cmdline contains "👭🏿" or tgt.process.cmdline contains "🧑🏿‍🤝‍🧑🏿" or tgt.process.cmdline contains "👬🏿" or tgt.process.cmdline contains "👫🏿" or tgt.process.cmdline contains "🧗🏿‍♀️" or tgt.process.cmdline contains "🧗🏿" or tgt.process.cmdline contains "🧗🏿‍♂️" or tgt.process.cmdline contains "🏇🏿" or 
tgt.process.cmdline contains "🏂🏿" or tgt.process.cmdline contains "🏌🏿‍♀️" or tgt.process.cmdline contains "🏌🏿" or tgt.process.cmdline contains "🏌🏿‍♂️" or tgt.process.cmdline contains "🏄🏿‍♀️" or tgt.process.cmdline contains "🏄🏿" or tgt.process.cmdline contains "🏄🏿‍♂️" or tgt.process.cmdline contains "🚣🏿‍♀️" or tgt.process.cmdline contains "🚣🏿" or tgt.process.cmdline contains "🚣🏿‍♂️" or tgt.process.cmdline contains "🏊🏿‍♀️" or tgt.process.cmdline contains "🏊🏿" or tgt.process.cmdline contains "🏊🏿‍♂️" or tgt.process.cmdline contains "⛹🏿‍♀️" or tgt.process.cmdline contains "⛹🏿" or tgt.process.cmdline contains "⛹🏿‍♂️" or tgt.process.cmdline contains "🏋🏿‍♀️" or tgt.process.cmdline contains "🏋🏿" or tgt.process.cmdline contains "🏋🏿‍♂️" or tgt.process.cmdline contains "🚴🏿‍♀️" or tgt.process.cmdline contains "🚴🏿" or tgt.process.cmdline contains "🚴🏿‍♂️" or tgt.process.cmdline contains "🚵🏿‍♀️" or tgt.process.cmdline contains "🚵🏿" or tgt.process.cmdline contains "🚵🏿‍♂️" or tgt.process.cmdline contains "🤸🏿‍♀️" or tgt.process.cmdline contains "🤸🏿" or tgt.process.cmdline contains "🤸🏿‍♂️" or tgt.process.cmdline contains "🤽🏿‍♀️" or tgt.process.cmdline contains "🤽🏿" or tgt.process.cmdline contains "🤽🏿‍♂️" or tgt.process.cmdline contains "🤾🏿‍♀️" or tgt.process.cmdline contains "🤾🏿" or tgt.process.cmdline contains "🤾🏿‍♂️" or tgt.process.cmdline contains "🤹🏿‍♀️" or tgt.process.cmdline contains "🤹🏿" or tgt.process.cmdline contains "🤹🏿‍♂️" or tgt.process.cmdline contains "🧘🏿‍♀️" or tgt.process.cmdline contains "🧘🏿" or tgt.process.cmdline contains "🧘🏿‍♂️" or tgt.process.cmdline contains "🛀🏿" or tgt.process.cmdline contains "🛌🏿" or tgt.process.cmdline contains "🐶" or tgt.process.cmdline contains "🐱" or tgt.process.cmdline contains "🐭" or tgt.process.cmdline contains "🐹" or tgt.process.cmdline contains "🐰" or tgt.process.cmdline contains "🦊" or tgt.process.cmdline contains "🐻" or tgt.process.cmdline contains "🐼" or tgt.process.cmdline contains "🐻‍❄️" or tgt.process.cmdline contains "🐨" or 
tgt.process.cmdline contains "🐯" or tgt.process.cmdline contains "🦁" or tgt.process.cmdline contains "🐮" or tgt.process.cmdline contains "🐷" or tgt.process.cmdline contains "🐽" or tgt.process.cmdline contains "🐸" or tgt.process.cmdline contains "🐵" or tgt.process.cmdline contains "🙈" or tgt.process.cmdline contains "🙉" or tgt.process.cmdline contains "🙊" or tgt.process.cmdline contains "🐒" or tgt.process.cmdline contains "🐔" or tgt.process.cmdline contains "🐧" or tgt.process.cmdline contains "🐦" or tgt.process.cmdline contains "🐤" or tgt.process.cmdline contains "🐣" or tgt.process.cmdline contains "🐥"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
index 1df824b88..ce9642218 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🦆" or tgt.process.cmdline contains "🦅" or tgt.process.cmdline contains "🦉" or tgt.process.cmdline contains "🦇" or tgt.process.cmdline contains "🐺" or tgt.process.cmdline contains "🐗" or tgt.process.cmdline contains "🐴" or tgt.process.cmdline contains "🦄" or tgt.process.cmdline contains "🐝" or tgt.process.cmdline contains "🪱" or tgt.process.cmdline contains "🐛" or tgt.process.cmdline contains "🦋" or tgt.process.cmdline contains "🐌" or tgt.process.cmdline contains "🐞" or tgt.process.cmdline contains "🐜" or tgt.process.cmdline contains "🪰" or tgt.process.cmdline contains "🪲" or tgt.process.cmdline contains "🪳" or tgt.process.cmdline contains "🦟" or tgt.process.cmdline contains "🦗" or tgt.process.cmdline contains "🕷" or tgt.process.cmdline contains "🕸" or tgt.process.cmdline contains "🦂" or tgt.process.cmdline contains "🐢" or tgt.process.cmdline contains "🐍" or tgt.process.cmdline contains "🦎" or tgt.process.cmdline contains "🦖" or tgt.process.cmdline contains "🦕" or tgt.process.cmdline contains "🐙" or tgt.process.cmdline contains "🦑" or tgt.process.cmdline contains "🦐" or tgt.process.cmdline contains "🦞" or tgt.process.cmdline contains "🦀" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🐡" or tgt.process.cmdline contains "🐠" or tgt.process.cmdline contains "🐟" or tgt.process.cmdline contains "🐬" or tgt.process.cmdline contains "🐳" or tgt.process.cmdline contains "🐋" or tgt.process.cmdline contains "🦈" or tgt.process.cmdline contains "🐊" or tgt.process.cmdline contains "🐅" or tgt.process.cmdline contains "🐆" or tgt.process.cmdline contains "🦓" or tgt.process.cmdline contains "🦍" or tgt.process.cmdline contains "🦧" or tgt.process.cmdline contains "🦣" or tgt.process.cmdline contains "🐘" or
tgt.process.cmdline contains "🦛" or tgt.process.cmdline contains "🦏" or tgt.process.cmdline contains "🐪" or tgt.process.cmdline contains "🐫" or tgt.process.cmdline contains "🦒" or tgt.process.cmdline contains "🦘" or tgt.process.cmdline contains "🦬" or tgt.process.cmdline contains "🐃" or tgt.process.cmdline contains "🐂" or tgt.process.cmdline contains "🐄" or tgt.process.cmdline contains "🐎" or tgt.process.cmdline contains "🐖" or tgt.process.cmdline contains "🐏" or tgt.process.cmdline contains "🐑" or tgt.process.cmdline contains "🦙" or tgt.process.cmdline contains "🐐" or tgt.process.cmdline contains "🦌" or tgt.process.cmdline contains "🐕" or tgt.process.cmdline contains "🐩" or tgt.process.cmdline contains "🦮" or tgt.process.cmdline contains "🐕‍🦺" or tgt.process.cmdline contains "🐈" or tgt.process.cmdline contains "🐈‍⬛" or tgt.process.cmdline contains "🪶" or tgt.process.cmdline contains "🐓" or tgt.process.cmdline contains "🦃" or tgt.process.cmdline contains "🦤" or tgt.process.cmdline contains "🦚" or tgt.process.cmdline contains "🦜" or tgt.process.cmdline contains "🦢" or tgt.process.cmdline contains "🦩" or tgt.process.cmdline contains "🕊" or tgt.process.cmdline contains "🐇" or tgt.process.cmdline contains "🦝" or tgt.process.cmdline contains "🦨" or tgt.process.cmdline contains "🦡" or tgt.process.cmdline contains "🦫" or tgt.process.cmdline contains "🦦" or tgt.process.cmdline contains "🦥" or tgt.process.cmdline contains "🐁" or tgt.process.cmdline contains "🐀" or tgt.process.cmdline contains "🐿" or tgt.process.cmdline contains "🦔" or tgt.process.cmdline contains "🐾" or tgt.process.cmdline contains "🐉" or tgt.process.cmdline contains "🐲" or tgt.process.cmdline contains "🌵" or tgt.process.cmdline contains "🎄" or tgt.process.cmdline contains "🌲" or tgt.process.cmdline contains "🌳" or tgt.process.cmdline contains "🌴" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🪵" or tgt.process.cmdline contains "🌱" or 
tgt.process.cmdline contains "🌿" or tgt.process.cmdline contains "☘️" or tgt.process.cmdline contains "🍀" or tgt.process.cmdline contains "🎍" or tgt.process.cmdline contains "🪴" or tgt.process.cmdline contains "🎋" or tgt.process.cmdline contains "🍃" or tgt.process.cmdline contains "🍂" or tgt.process.cmdline contains "🍁" or tgt.process.cmdline contains "🍄" or tgt.process.cmdline contains "🐚" or tgt.process.cmdline contains "🪨" or tgt.process.cmdline contains "🌾" or tgt.process.cmdline contains "💐" or tgt.process.cmdline contains "🌷" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🌹" or tgt.process.cmdline contains "🥀" or tgt.process.cmdline contains "🌺" or tgt.process.cmdline contains "🌸" or tgt.process.cmdline contains "🌼" or tgt.process.cmdline contains "🌻" or tgt.process.cmdline contains "🌞" or tgt.process.cmdline contains "🌝" or tgt.process.cmdline contains "🌛" or tgt.process.cmdline contains "🌜" or tgt.process.cmdline contains "🌚" or tgt.process.cmdline contains "🌕" or tgt.process.cmdline contains "🌖" or tgt.process.cmdline contains "🌗" or tgt.process.cmdline contains "🌘" or tgt.process.cmdline contains "🌑" or tgt.process.cmdline contains "🌒" or tgt.process.cmdline contains "🌓" or tgt.process.cmdline contains "🌔" or tgt.process.cmdline contains "🌙" or tgt.process.cmdline contains "🌎" or tgt.process.cmdline contains "🌍" or tgt.process.cmdline contains "🌏" or tgt.process.cmdline contains "🪐" or tgt.process.cmdline contains "💫" or tgt.process.cmdline contains "⭐️" or tgt.process.cmdline contains "🌟" or tgt.process.cmdline contains "✨" or tgt.process.cmdline contains "⚡️" or tgt.process.cmdline contains "☄️" or tgt.process.cmdline contains "💥" or tgt.process.cmdline contains "🔥" or tgt.process.cmdline contains "🌪" or tgt.process.cmdline contains "🌈" or tgt.process.cmdline contains "☀️" or tgt.process.cmdline contains "🌤" or tgt.process.cmdline contains "⛅️" or tgt.process.cmdline contains "🌥" or tgt.process.cmdline contains "☁️" or 
tgt.process.cmdline contains "🌦" or tgt.process.cmdline contains "🌧" or tgt.process.cmdline contains "⛈" or tgt.process.cmdline contains "🌩" or tgt.process.cmdline contains "🌨" or tgt.process.cmdline contains "❄️" or tgt.process.cmdline contains "☃️" or tgt.process.cmdline contains "⛄️" or tgt.process.cmdline contains "🌬" or tgt.process.cmdline contains "💨" or tgt.process.cmdline contains "💧" or tgt.process.cmdline contains "💦" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "☔️" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🌊" or tgt.process.cmdline contains "🌫🍏" or tgt.process.cmdline contains "🍎" or tgt.process.cmdline contains "🍐" or tgt.process.cmdline contains "🍊" or tgt.process.cmdline contains "🍋" or tgt.process.cmdline contains "🍌" or tgt.process.cmdline contains "🍉" or tgt.process.cmdline contains "🍇" or tgt.process.cmdline contains "🍓" or tgt.process.cmdline contains "🫐" or tgt.process.cmdline contains "🍈" or tgt.process.cmdline contains "🍒" or tgt.process.cmdline contains "🍑" or tgt.process.cmdline contains "🥭" or tgt.process.cmdline contains "🍍" or tgt.process.cmdline contains "🥥" or tgt.process.cmdline contains "🥝" or tgt.process.cmdline contains "🍅" or tgt.process.cmdline contains "🍆" or tgt.process.cmdline contains "🥑" or tgt.process.cmdline contains "🥦" or tgt.process.cmdline contains "🥬" or tgt.process.cmdline contains "🥒" or tgt.process.cmdline contains "🌶" or tgt.process.cmdline contains "🫑" or tgt.process.cmdline contains "🌽" or tgt.process.cmdline contains "🥕" or tgt.process.cmdline contains "🫒" or tgt.process.cmdline contains "🧄" or tgt.process.cmdline contains "🧅" or tgt.process.cmdline contains "🥔" or tgt.process.cmdline contains "🍠" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🥐" or tgt.process.cmdline contains "🥯" or tgt.process.cmdline contains "🍞" or tgt.process.cmdline contains "🥖" or tgt.process.cmdline contains "🥨" or tgt.process.cmdline contains "🧀" or 
tgt.process.cmdline contains "🥚" or tgt.process.cmdline contains "🍳" or tgt.process.cmdline contains "🧈" or tgt.process.cmdline contains "🥞" or tgt.process.cmdline contains "🧇" or tgt.process.cmdline contains "🥓" or tgt.process.cmdline contains "🥩" or tgt.process.cmdline contains "🍗" or tgt.process.cmdline contains "🍖" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "🌭" or tgt.process.cmdline contains "🍔" or tgt.process.cmdline contains "🍟" or tgt.process.cmdline contains "🍕" or tgt.process.cmdline contains "🫓" or tgt.process.cmdline contains "🥪" or tgt.process.cmdline contains "🥙" or tgt.process.cmdline contains "🧆" or tgt.process.cmdline contains "🌮" or tgt.process.cmdline contains "🌯" or tgt.process.cmdline contains "🫔" or tgt.process.cmdline contains "🥗" or tgt.process.cmdline contains "🥘" or tgt.process.cmdline contains "🫕" or tgt.process.cmdline contains "🥫" or tgt.process.cmdline contains "🍝" or tgt.process.cmdline contains "🍜" or tgt.process.cmdline contains "🍲" or tgt.process.cmdline contains "🍛" or tgt.process.cmdline contains "🍣" or tgt.process.cmdline contains "🍱" or tgt.process.cmdline contains "🥟" or tgt.process.cmdline contains "🦪" or tgt.process.cmdline contains "🍤" or tgt.process.cmdline contains "🍙" or tgt.process.cmdline contains "🍚" or tgt.process.cmdline contains "🍘" or tgt.process.cmdline contains "🍥" or tgt.process.cmdline contains "🥠" or tgt.process.cmdline contains "🥮" or tgt.process.cmdline contains "🍢" or tgt.process.cmdline contains "🍡" or tgt.process.cmdline contains "🍧" or tgt.process.cmdline contains "🍨" or tgt.process.cmdline contains "🍦" or tgt.process.cmdline contains "🥧" or tgt.process.cmdline contains "🧁" or tgt.process.cmdline contains "🍰" or tgt.process.cmdline contains "🎂" or tgt.process.cmdline contains "🍮" or tgt.process.cmdline contains "🍭" or tgt.process.cmdline contains "🍬" or tgt.process.cmdline contains "🍫" or tgt.process.cmdline contains "🍿" or tgt.process.cmdline contains "🍩" or tgt.process.cmdline 
contains "🍪" or tgt.process.cmdline contains "🌰" or tgt.process.cmdline contains "🥜" or tgt.process.cmdline contains "🍯" or tgt.process.cmdline contains "🥛" or tgt.process.cmdline contains "🍼" or tgt.process.cmdline contains "🫖" or tgt.process.cmdline contains "☕️" or tgt.process.cmdline contains "🍵" or tgt.process.cmdline contains "🧃" or tgt.process.cmdline contains "🥤" or tgt.process.cmdline contains "🧋" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🍶" or tgt.process.cmdline contains "🍺" or tgt.process.cmdline contains "🍻" or tgt.process.cmdline contains "🥂" or tgt.process.cmdline contains "🍷" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🥃" or tgt.process.cmdline contains "🍸" or tgt.process.cmdline contains "🍹" or tgt.process.cmdline contains "🧉" or tgt.process.cmdline contains "🍾" or tgt.process.cmdline contains "🧊" or tgt.process.cmdline contains "🥄" or tgt.process.cmdline contains "🍴" or tgt.process.cmdline contains "🍽" or tgt.process.cmdline contains "🥣" or tgt.process.cmdline contains "🥡" or tgt.process.cmdline contains "🥢" or tgt.process.cmdline contains "🧂" or tgt.process.cmdline contains "⚽️" or tgt.process.cmdline contains "🏀" or tgt.process.cmdline contains "🏈" or tgt.process.cmdline contains "⚾️" or tgt.process.cmdline contains "🥎" or tgt.process.cmdline contains "🎾" or tgt.process.cmdline contains "🏐" or tgt.process.cmdline contains "🏉" or tgt.process.cmdline contains "🥏" or tgt.process.cmdline contains "🎱" or tgt.process.cmdline contains "🪀" or tgt.process.cmdline contains "🏓" or tgt.process.cmdline contains "🏸" or tgt.process.cmdline contains "🏒" or tgt.process.cmdline contains "🏑" or tgt.process.cmdline contains "🥍" or tgt.process.cmdline contains "🏏" or tgt.process.cmdline contains "🪃" or tgt.process.cmdline contains "🥅" or tgt.process.cmdline contains "⛳️" or tgt.process.cmdline contains "🪁" or tgt.process.cmdline contains "🏹" or tgt.process.cmdline contains "🎣" or tgt.process.cmdline contains "🤿" or 
tgt.process.cmdline contains "🥊" or tgt.process.cmdline contains "🥋" or tgt.process.cmdline contains "🎽" or tgt.process.cmdline contains "🛹" or tgt.process.cmdline contains "🛼" or tgt.process.cmdline contains "🛷" or tgt.process.cmdline contains "⛸" or tgt.process.cmdline contains "🥌" or tgt.process.cmdline contains "🎿" or tgt.process.cmdline contains "⛷" or tgt.process.cmdline contains "🏂" or tgt.process.cmdline contains "🪂" or tgt.process.cmdline contains "🏋️‍♀️" or tgt.process.cmdline contains "🏋️" or tgt.process.cmdline contains "🏋️‍♂️" or tgt.process.cmdline contains "🤼‍♀️" or tgt.process.cmdline contains "🤼" or tgt.process.cmdline contains "🤼‍♂️" or tgt.process.cmdline contains "🤸‍♀️" or tgt.process.cmdline contains "🤸" or tgt.process.cmdline contains "🤸‍♂️" or tgt.process.cmdline contains "⛹️‍♀️" or tgt.process.cmdline contains "⛹️" or tgt.process.cmdline contains "⛹️‍♂️" or tgt.process.cmdline contains "🤺" or tgt.process.cmdline contains "🤾‍♀️" or tgt.process.cmdline contains "🤾" or tgt.process.cmdline contains "🤾‍♂️" or tgt.process.cmdline contains "🏌️‍♀️" or tgt.process.cmdline contains "🏌️" or tgt.process.cmdline contains "🏌️‍♂️" or tgt.process.cmdline contains "🏇" or tgt.process.cmdline contains "🧘‍♀️" or tgt.process.cmdline contains "🧘" or tgt.process.cmdline contains "🧘‍♂️" or tgt.process.cmdline contains "🏄‍♀️" or tgt.process.cmdline contains "🏄" or tgt.process.cmdline contains "🏄‍♂️" or tgt.process.cmdline contains "🏊‍♀️" or tgt.process.cmdline contains "🏊" or tgt.process.cmdline contains "🏊‍♂️" or tgt.process.cmdline contains "🤽‍♀️" or tgt.process.cmdline contains "🤽" or tgt.process.cmdline contains "🤽‍♂️" or tgt.process.cmdline contains "🚣‍♀️" or tgt.process.cmdline contains "🚣" or tgt.process.cmdline contains "🚣‍♂️" or tgt.process.cmdline contains "🧗‍♀️" or tgt.process.cmdline contains "🧗" or tgt.process.cmdline contains "🧗‍♂️" or tgt.process.cmdline contains "🚵‍♀️" or tgt.process.cmdline contains "🚵" or tgt.process.cmdline contains "🚵‍♂️" or 
tgt.process.cmdline contains "🚴‍♀️" or tgt.process.cmdline contains "🚴" or tgt.process.cmdline contains "🚴‍♂️" or tgt.process.cmdline contains "🏆" or tgt.process.cmdline contains "🥇" or tgt.process.cmdline contains "🥈" or tgt.process.cmdline contains "🥉" or tgt.process.cmdline contains "🏅" or tgt.process.cmdline contains "🎖" or tgt.process.cmdline contains "🏵" or tgt.process.cmdline contains "🎗" or tgt.process.cmdline contains "🎫" or tgt.process.cmdline contains "🎟" or tgt.process.cmdline contains "🎪" or tgt.process.cmdline contains "🤹" or tgt.process.cmdline contains "🤹‍♂️" or tgt.process.cmdline contains "🤹‍♀️" or tgt.process.cmdline contains "🎭" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "🎨" or tgt.process.cmdline contains "🎬" or tgt.process.cmdline contains "🎤" or tgt.process.cmdline contains "🎧" or tgt.process.cmdline contains "🎼" or tgt.process.cmdline contains "🎹" or tgt.process.cmdline contains "🥁" or tgt.process.cmdline contains "🪘" or tgt.process.cmdline contains "🎷" or tgt.process.cmdline contains "🎺" or tgt.process.cmdline contains "🪗" or tgt.process.cmdline contains "🎸" or tgt.process.cmdline contains "🪕" or tgt.process.cmdline contains "🎻" or tgt.process.cmdline contains "🎲" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "🎯" or tgt.process.cmdline contains "🎳" or tgt.process.cmdline contains "🎮" or tgt.process.cmdline contains "🎰" or tgt.process.cmdline contains "🧩" or tgt.process.cmdline contains "🚗" or tgt.process.cmdline contains "🚕" or tgt.process.cmdline contains "🚙" or tgt.process.cmdline contains "🚌" or tgt.process.cmdline contains "🚎" or tgt.process.cmdline contains "🏎" or tgt.process.cmdline contains "🚓" or tgt.process.cmdline contains "🚑" or tgt.process.cmdline contains "🚒" or tgt.process.cmdline contains "🚐" or tgt.process.cmdline contains "🛻" or tgt.process.cmdline contains "🚚" or tgt.process.cmdline contains "🚛" or tgt.process.cmdline contains "🚜" or tgt.process.cmdline contains "🦯" or 
tgt.process.cmdline contains "🦽" or tgt.process.cmdline contains "🦼" or tgt.process.cmdline contains "🛴" or tgt.process.cmdline contains "🚲" or tgt.process.cmdline contains "🛵" or tgt.process.cmdline contains "🏍" or tgt.process.cmdline contains "🛺" or tgt.process.cmdline contains "🚨" or tgt.process.cmdline contains "🚔" or tgt.process.cmdline contains "🚍" or tgt.process.cmdline contains "🚘" or tgt.process.cmdline contains "🚖" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🚡" or tgt.process.cmdline contains "🚠" or tgt.process.cmdline contains "🚟" or tgt.process.cmdline contains "🚃" or tgt.process.cmdline contains "🚋" or tgt.process.cmdline contains "🚞" or tgt.process.cmdline contains "🚝" or tgt.process.cmdline contains "🚄" or tgt.process.cmdline contains "🚅" or tgt.process.cmdline contains "🚈" or tgt.process.cmdline contains "🚂" or tgt.process.cmdline contains "🚆" or tgt.process.cmdline contains "🚇" or tgt.process.cmdline contains "🚊" or tgt.process.cmdline contains "🚉" or tgt.process.cmdline contains "✈️" or tgt.process.cmdline contains "🛫" or tgt.process.cmdline contains "🛬" or tgt.process.cmdline contains "🛩" or tgt.process.cmdline contains "💺" or tgt.process.cmdline contains "🛰" or tgt.process.cmdline contains "🚀" or tgt.process.cmdline contains "🛸" or tgt.process.cmdline contains "🚁" or tgt.process.cmdline contains "🛶" or tgt.process.cmdline contains "⛵️" or tgt.process.cmdline contains "🚤" or tgt.process.cmdline contains "🛥" or tgt.process.cmdline contains "🛳" or tgt.process.cmdline contains "⛴" or tgt.process.cmdline contains "🚢" or tgt.process.cmdline contains "⚓️" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪝" or tgt.process.cmdline contains "⛽️" or tgt.process.cmdline contains "🚧" or tgt.process.cmdline contains "🚦" or tgt.process.cmdline contains "🚥" or tgt.process.cmdline contains "🚏" or tgt.process.cmdline contains "🗺" or tgt.process.cmdline contains "🗿" or tgt.process.cmdline contains "🗽" or 
tgt.process.cmdline contains "🗼" or tgt.process.cmdline contains "🏰" or tgt.process.cmdline contains "🏯" or tgt.process.cmdline contains "🏟" or tgt.process.cmdline contains "🎡" or tgt.process.cmdline contains "🎢" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🎠" or tgt.process.cmdline contains "⛲️" or tgt.process.cmdline contains "⛱" or tgt.process.cmdline contains "🏖" or tgt.process.cmdline contains "🏝" or tgt.process.cmdline contains "🏜" or tgt.process.cmdline contains "🌋" or tgt.process.cmdline contains "⛰" or tgt.process.cmdline contains "🏔" or tgt.process.cmdline contains "🗻" or tgt.process.cmdline contains "🏕" or tgt.process.cmdline contains "⛺️" or tgt.process.cmdline contains "🛖" or tgt.process.cmdline contains "🏠" or tgt.process.cmdline contains "🏡" or tgt.process.cmdline contains "🏘" or tgt.process.cmdline contains "🏚" or tgt.process.cmdline contains "🏗" or tgt.process.cmdline contains "🏭" or tgt.process.cmdline contains "🏢" or tgt.process.cmdline contains "🏬" or tgt.process.cmdline contains "🏣" or tgt.process.cmdline contains "🏤" or tgt.process.cmdline contains "🏥" or tgt.process.cmdline contains "🏦" or tgt.process.cmdline contains "🏨" or tgt.process.cmdline contains "🏪" or tgt.process.cmdline contains "🏫" or tgt.process.cmdline contains "🏩" or tgt.process.cmdline contains "💒" or tgt.process.cmdline contains "🏛" or tgt.process.cmdline contains "⛪️" or tgt.process.cmdline contains "🕌" or tgt.process.cmdline contains "🕍" or tgt.process.cmdline contains "🛕" or tgt.process.cmdline contains "🕋" or tgt.process.cmdline contains "⛩" or tgt.process.cmdline contains "🛤" or tgt.process.cmdline contains "🛣" or tgt.process.cmdline contains "🗾" or tgt.process.cmdline contains "🎑" or tgt.process.cmdline contains "🏞" or tgt.process.cmdline contains "🌅" or tgt.process.cmdline contains "🌄" or tgt.process.cmdline contains "🌠" or tgt.process.cmdline contains "🎇" or tgt.process.cmdline contains "🎆" or tgt.process.cmdline contains "🌇" or 
tgt.process.cmdline contains "🌆" or tgt.process.cmdline contains "🏙" or tgt.process.cmdline contains "🌃" or tgt.process.cmdline contains "🌌" or tgt.process.cmdline contains "🌉" or tgt.process.cmdline contains "🌁" or tgt.process.cmdline contains "⌚️" or tgt.process.cmdline contains "📱" or tgt.process.cmdline contains "📲" or tgt.process.cmdline contains "💻" or tgt.process.cmdline contains "⌨️" or tgt.process.cmdline contains "🖥" or tgt.process.cmdline contains "🖨" or tgt.process.cmdline contains "🖱" or tgt.process.cmdline contains "🖲" or tgt.process.cmdline contains "🕹" or tgt.process.cmdline contains "🗜" or tgt.process.cmdline contains "💽" or tgt.process.cmdline contains "💾" or tgt.process.cmdline contains "💿" or tgt.process.cmdline contains "📀" or tgt.process.cmdline contains "📼" or tgt.process.cmdline contains "📷" or tgt.process.cmdline contains "📸" or tgt.process.cmdline contains "📹" or tgt.process.cmdline contains "🎥" or tgt.process.cmdline contains "📽" or tgt.process.cmdline contains "🎞" or tgt.process.cmdline contains "📞" or tgt.process.cmdline contains "☎️" or tgt.process.cmdline contains "📟" or tgt.process.cmdline contains "📠" or tgt.process.cmdline contains "📺" or tgt.process.cmdline contains "📻" or tgt.process.cmdline contains "🎙" or tgt.process.cmdline contains "🎚" or tgt.process.cmdline contains "🎛" or tgt.process.cmdline contains "🧭" or tgt.process.cmdline contains "⏱" or tgt.process.cmdline contains "⏲" or tgt.process.cmdline contains "⏰" or tgt.process.cmdline contains "🕰" or tgt.process.cmdline contains "⌛️" or tgt.process.cmdline contains "⏳" or tgt.process.cmdline contains "📡" or tgt.process.cmdline contains "🔋" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🔌" or tgt.process.cmdline contains "💡" or tgt.process.cmdline contains "🔦" or tgt.process.cmdline contains "🕯" or tgt.process.cmdline contains "🪔" or tgt.process.cmdline contains "🧯" or tgt.process.cmdline contains "🛢" or tgt.process.cmdline contains "💸" or 
tgt.process.cmdline contains "💵" or tgt.process.cmdline contains "💴" or tgt.process.cmdline contains "💶" or tgt.process.cmdline contains "💷" or tgt.process.cmdline contains "🪙" or tgt.process.cmdline contains "💰" or tgt.process.cmdline contains "💳" or tgt.process.cmdline contains "💎" or tgt.process.cmdline contains "⚖️" or tgt.process.cmdline contains "🪜" or tgt.process.cmdline contains "🧰" or tgt.process.cmdline contains "🪛" or tgt.process.cmdline contains "🔧" or tgt.process.cmdline contains "🔨" or tgt.process.cmdline contains "⚒" or tgt.process.cmdline contains "🛠" or tgt.process.cmdline contains "⛏" or tgt.process.cmdline contains "🪚" or tgt.process.cmdline contains "🔩" or tgt.process.cmdline contains "⚙️" or tgt.process.cmdline contains "🪤" or tgt.process.cmdline contains "🧱" or tgt.process.cmdline contains "⛓" or tgt.process.cmdline contains "🧲" or tgt.process.cmdline contains "🔫" or tgt.process.cmdline contains "💣" or tgt.process.cmdline contains "🧨" or tgt.process.cmdline contains "🪓" or tgt.process.cmdline contains "🔪" or tgt.process.cmdline contains "🗡" or tgt.process.cmdline contains "⚔️" or tgt.process.cmdline contains "🛡" or tgt.process.cmdline contains "🚬" or tgt.process.cmdline contains "⚰️" or tgt.process.cmdline contains "🪦" or tgt.process.cmdline contains "⚱️" or tgt.process.cmdline contains "🏺" or tgt.process.cmdline contains "🔮" or tgt.process.cmdline contains "📿" or tgt.process.cmdline contains "🧿" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "💈" or tgt.process.cmdline contains "⚗️" or tgt.process.cmdline contains "🔭" or tgt.process.cmdline contains "🔬" or tgt.process.cmdline contains "🕳" or tgt.process.cmdline contains "🩹" or tgt.process.cmdline contains "🩺" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "💊" or tgt.process.cmdline contains "💉" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "🧬" or tgt.process.cmdline contains "🦠" or 
tgt.process.cmdline contains "🧫" or tgt.process.cmdline contains "🧪" or tgt.process.cmdline contains "🌡" or tgt.process.cmdline contains "🧹" or tgt.process.cmdline contains "🪠" or tgt.process.cmdline contains "🧺" or tgt.process.cmdline contains "🧻" or tgt.process.cmdline contains "🚽" or tgt.process.cmdline contains "🚰" or tgt.process.cmdline contains "🚿" or tgt.process.cmdline contains "🛁" or tgt.process.cmdline contains "🛀" or tgt.process.cmdline contains "🧼" or tgt.process.cmdline contains "🪥" or tgt.process.cmdline contains "🪒" or tgt.process.cmdline contains "🧽" or tgt.process.cmdline contains "🪣" or tgt.process.cmdline contains "🧴" or tgt.process.cmdline contains "🛎" or tgt.process.cmdline contains "🔑" or tgt.process.cmdline contains "🗝" or tgt.process.cmdline contains "🚪" or tgt.process.cmdline contains "🪑" or tgt.process.cmdline contains "🛋" or tgt.process.cmdline contains "🛏" or tgt.process.cmdline contains "🛌" or tgt.process.cmdline contains "🧸" or tgt.process.cmdline contains "🪆" or tgt.process.cmdline contains "🖼" or tgt.process.cmdline contains "🪞" or tgt.process.cmdline contains "🪟" or tgt.process.cmdline contains "🛍" or tgt.process.cmdline contains "🛒" or tgt.process.cmdline contains "🎁" or tgt.process.cmdline contains "🎈" or tgt.process.cmdline contains "🎏" or tgt.process.cmdline contains "🎀" or tgt.process.cmdline contains "🪄" or tgt.process.cmdline contains "🪅" or tgt.process.cmdline contains "🎊" or tgt.process.cmdline contains "🎉" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🎎" or tgt.process.cmdline contains "🏮" or tgt.process.cmdline contains "🎐" or tgt.process.cmdline contains "🧧" or tgt.process.cmdline contains "✉️" or tgt.process.cmdline contains "📩" or tgt.process.cmdline contains "📨" or tgt.process.cmdline contains "📧" or tgt.process.cmdline contains "💌" or tgt.process.cmdline contains "📥" or tgt.process.cmdline contains "📤" or tgt.process.cmdline contains "📦" or tgt.process.cmdline contains "🏷" or 
tgt.process.cmdline contains "🪧" or tgt.process.cmdline contains "📪" or tgt.process.cmdline contains "📫" or tgt.process.cmdline contains "📬" or tgt.process.cmdline contains "📭" or tgt.process.cmdline contains "📮" or tgt.process.cmdline contains "📯" or tgt.process.cmdline contains "📜" or tgt.process.cmdline contains "📃" or tgt.process.cmdline contains "📄" or tgt.process.cmdline contains "📑" or tgt.process.cmdline contains "🧾" or tgt.process.cmdline contains "📊" or tgt.process.cmdline contains "📈" or tgt.process.cmdline contains "📉" or tgt.process.cmdline contains "🗒" or tgt.process.cmdline contains "🗓" or tgt.process.cmdline contains "📆" or tgt.process.cmdline contains "📅" or tgt.process.cmdline contains "🗑" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "📇" or tgt.process.cmdline contains "🗃" or tgt.process.cmdline contains "🗳" or tgt.process.cmdline contains "🗄" or tgt.process.cmdline contains "📋" or tgt.process.cmdline contains "📁" or tgt.process.cmdline contains "📂" or tgt.process.cmdline contains "🗂" or tgt.process.cmdline contains "🗞" or tgt.process.cmdline contains "📰" or tgt.process.cmdline contains "📓" or tgt.process.cmdline contains "📔" or tgt.process.cmdline contains "📒" or tgt.process.cmdline contains "📕" or tgt.process.cmdline contains "📗" or tgt.process.cmdline contains "📘" or tgt.process.cmdline contains "📙" or tgt.process.cmdline contains "📚" or tgt.process.cmdline contains "📖" or tgt.process.cmdline contains "🔖" or tgt.process.cmdline contains "🧷" or tgt.process.cmdline contains "🔗" or tgt.process.cmdline contains "📎" or tgt.process.cmdline contains "🖇" or tgt.process.cmdline contains "📐" or tgt.process.cmdline contains "📏" or tgt.process.cmdline contains "🧮" or tgt.process.cmdline contains "📌" or tgt.process.cmdline contains "📍" or tgt.process.cmdline contains "✂️" or tgt.process.cmdline contains "🖊" or tgt.process.cmdline contains "🖋" or tgt.process.cmdline contains "✒️" or tgt.process.cmdline contains "🖌" or 
tgt.process.cmdline contains "🖍" or tgt.process.cmdline contains "📝" or tgt.process.cmdline contains "✏️" or tgt.process.cmdline contains "🔍" or tgt.process.cmdline contains "🔎" or tgt.process.cmdline contains "🔏" or tgt.process.cmdline contains "🔐" or tgt.process.cmdline contains "🔒" or tgt.process.cmdline contains "🔓❤️" or tgt.process.cmdline contains "🧡" or tgt.process.cmdline contains "💛" or tgt.process.cmdline contains "💚" or tgt.process.cmdline contains "💙" or tgt.process.cmdline contains "💜" or tgt.process.cmdline contains "🖤" or tgt.process.cmdline contains "🤍" or tgt.process.cmdline contains "🤎" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "💔" or tgt.process.cmdline contains "❣️" or tgt.process.cmdline contains "💕" or tgt.process.cmdline contains "💞" or tgt.process.cmdline contains "💓" or tgt.process.cmdline contains "💗" or tgt.process.cmdline contains "💖" or tgt.process.cmdline contains "💘" or tgt.process.cmdline contains "💝" or tgt.process.cmdline contains "💟" or tgt.process.cmdline contains "☮️" or tgt.process.cmdline contains "✝️" or tgt.process.cmdline contains "☪️" or tgt.process.cmdline contains "🕉" or tgt.process.cmdline contains "☸️" or tgt.process.cmdline contains "✡️" or tgt.process.cmdline contains "🔯" or tgt.process.cmdline contains "🕎" or tgt.process.cmdline contains "☯️" or tgt.process.cmdline contains "☦️" or tgt.process.cmdline contains "🛐" or tgt.process.cmdline contains "⛎" or tgt.process.cmdline contains "♈️" or tgt.process.cmdline contains "♉️" or tgt.process.cmdline contains "♊️" or tgt.process.cmdline contains "♋️" or tgt.process.cmdline contains "♌️" or tgt.process.cmdline contains "♍️" or tgt.process.cmdline contains "♎️" or tgt.process.cmdline contains "♏️" or tgt.process.cmdline contains "♐️" or tgt.process.cmdline contains "♑️" or tgt.process.cmdline contains "♒️" or tgt.process.cmdline contains "♓️" or tgt.process.cmdline contains "🆔" or tgt.process.cmdline 
contains "⚛️" or tgt.process.cmdline contains "🉑" or tgt.process.cmdline contains "☢️" or tgt.process.cmdline contains "☣️" or tgt.process.cmdline contains "📴" or tgt.process.cmdline contains "📳" or tgt.process.cmdline contains "🈶" or tgt.process.cmdline contains "🈚️" or tgt.process.cmdline contains "🈸" or tgt.process.cmdline contains "🈺" or tgt.process.cmdline contains "🈷️" or tgt.process.cmdline contains "✴️" or tgt.process.cmdline contains "🆚" or tgt.process.cmdline contains "💮" or tgt.process.cmdline contains "🉐" or tgt.process.cmdline contains "㊙️" or tgt.process.cmdline contains "㊗️" or tgt.process.cmdline contains "🈴" or tgt.process.cmdline contains "🈵" or tgt.process.cmdline contains "🈹" or tgt.process.cmdline contains "🈲" or tgt.process.cmdline contains "🅰️" or tgt.process.cmdline contains "🅱️" or tgt.process.cmdline contains "🆎" or tgt.process.cmdline contains "🆑" or tgt.process.cmdline contains "🅾️" or tgt.process.cmdline contains "🆘" or tgt.process.cmdline contains "❌" or tgt.process.cmdline contains "⭕️" or tgt.process.cmdline contains "🛑" or tgt.process.cmdline contains "⛔️" or tgt.process.cmdline contains "📛" or tgt.process.cmdline contains "🚫" or tgt.process.cmdline contains "💯" or tgt.process.cmdline contains "💢" or tgt.process.cmdline contains "♨️" or tgt.process.cmdline contains "🚷" or tgt.process.cmdline contains "🚯" or tgt.process.cmdline contains "🚳" or tgt.process.cmdline contains "🚱" or tgt.process.cmdline contains "🔞" or tgt.process.cmdline contains "📵" or tgt.process.cmdline contains "🚭" or tgt.process.cmdline contains "❗️" or tgt.process.cmdline contains "❕" or tgt.process.cmdline contains "❓" or tgt.process.cmdline contains "❔" or tgt.process.cmdline contains "‼️" or tgt.process.cmdline contains "⁉️" or tgt.process.cmdline contains "🔅" or tgt.process.cmdline contains "🔆" or tgt.process.cmdline contains "〽️" or tgt.process.cmdline contains "⚠️" or tgt.process.cmdline contains "🚸" or tgt.process.cmdline contains "🔱" or tgt.process.cmdline 
contains "⚜️" or tgt.process.cmdline contains "🔰" or tgt.process.cmdline contains "♻️" or tgt.process.cmdline contains "✅" or tgt.process.cmdline contains "🈯️" or tgt.process.cmdline contains "💹" or tgt.process.cmdline contains "❇️" or tgt.process.cmdline contains "✳️" or tgt.process.cmdline contains "❎" or tgt.process.cmdline contains "🌐" or tgt.process.cmdline contains "💠" or tgt.process.cmdline contains "Ⓜ️" or tgt.process.cmdline contains "🌀" or tgt.process.cmdline contains "💤" or tgt.process.cmdline contains "🏧" or tgt.process.cmdline contains "🚾" or tgt.process.cmdline contains "♿️" or tgt.process.cmdline contains "🅿️" or tgt.process.cmdline contains "🛗" or tgt.process.cmdline contains "🈳" or tgt.process.cmdline contains "🈂️" or tgt.process.cmdline contains "🛂" or tgt.process.cmdline contains "🛃" or tgt.process.cmdline contains "🛄" or tgt.process.cmdline contains "🛅" or tgt.process.cmdline contains "🚹" or tgt.process.cmdline contains "🚺" or tgt.process.cmdline contains "🚼" or tgt.process.cmdline contains "⚧" or tgt.process.cmdline contains "🚻" or tgt.process.cmdline contains "🚮" or tgt.process.cmdline contains "🎦" or tgt.process.cmdline contains "📶" or tgt.process.cmdline contains "🈁" or tgt.process.cmdline contains "🔣" or tgt.process.cmdline contains "ℹ️" or tgt.process.cmdline contains "🔤" or tgt.process.cmdline contains "🔡" or tgt.process.cmdline contains "🔠" or tgt.process.cmdline contains "🆖" or tgt.process.cmdline contains "🆗" or tgt.process.cmdline contains "🆙" or tgt.process.cmdline contains "🆒" or tgt.process.cmdline contains "🆕" or tgt.process.cmdline contains "🆓" or tgt.process.cmdline contains "0️⃣" or tgt.process.cmdline contains "1️⃣" or tgt.process.cmdline contains "2️⃣" or tgt.process.cmdline contains "3️⃣" or tgt.process.cmdline contains "4️⃣" or tgt.process.cmdline contains "5️⃣" or tgt.process.cmdline contains "6️⃣" or tgt.process.cmdline contains "7️⃣" or tgt.process.cmdline contains "8️⃣" or tgt.process.cmdline contains "9️⃣" or 
tgt.process.cmdline contains "🔟" or tgt.process.cmdline contains "🔢" or tgt.process.cmdline contains "#️⃣" or tgt.process.cmdline contains "️⃣" or tgt.process.cmdline contains "⏏️" or tgt.process.cmdline contains "▶️" or tgt.process.cmdline contains "⏸" or tgt.process.cmdline contains "⏯" or tgt.process.cmdline contains "⏹" or tgt.process.cmdline contains "⏺" or tgt.process.cmdline contains "⏭" or tgt.process.cmdline contains "⏮" or tgt.process.cmdline contains "⏩" or tgt.process.cmdline contains "⏪" or tgt.process.cmdline contains "⏫" or tgt.process.cmdline contains "⏬" or tgt.process.cmdline contains "◀️" or tgt.process.cmdline contains "🔼" or tgt.process.cmdline contains "🔽" or tgt.process.cmdline contains "➡️" or tgt.process.cmdline contains "⬅️" or tgt.process.cmdline contains "⬆️" or tgt.process.cmdline contains "⬇️" or tgt.process.cmdline contains "↗️" or tgt.process.cmdline contains "↘️" or tgt.process.cmdline contains "↙️" or tgt.process.cmdline contains "↖️" or tgt.process.cmdline contains "↕️" or tgt.process.cmdline contains "↔️" or tgt.process.cmdline contains "↪️" or tgt.process.cmdline contains "↩️" or tgt.process.cmdline contains "⤴️" or tgt.process.cmdline contains "⤵️" or tgt.process.cmdline contains "🔀" or tgt.process.cmdline contains "🔁" or tgt.process.cmdline contains "🔂" or tgt.process.cmdline contains "🔄" or tgt.process.cmdline contains "🔃" or tgt.process.cmdline contains "🎵" or tgt.process.cmdline contains "🎶" or tgt.process.cmdline contains "➕" or tgt.process.cmdline contains "➖" or tgt.process.cmdline contains "➗" or tgt.process.cmdline contains "✖️" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "♾" or tgt.process.cmdline contains "💲" or tgt.process.cmdline contains "💱" or tgt.process.cmdline contains "™️" or tgt.process.cmdline contains "©️" or tgt.process.cmdline contains "®️" or tgt.process.cmdline contains "〰️" or tgt.process.cmdline contains "➰" or tgt.process.cmdline contains "➿" or tgt.process.cmdline contains 
"🔚" or tgt.process.cmdline contains "🔙" or tgt.process.cmdline contains "🔛" or tgt.process.cmdline contains "🔝" or tgt.process.cmdline contains "🔜" or tgt.process.cmdline contains "✔️" or tgt.process.cmdline contains "☑️" or tgt.process.cmdline contains "🔘" or tgt.process.cmdline contains "🔴" or tgt.process.cmdline contains "🟠" or tgt.process.cmdline contains "🟡" or tgt.process.cmdline contains "🟢" or tgt.process.cmdline contains "🔵" or tgt.process.cmdline contains "🟣" or tgt.process.cmdline contains "⚫️" or tgt.process.cmdline contains "⚪️" or tgt.process.cmdline contains "🟤" or tgt.process.cmdline contains "🔺" or tgt.process.cmdline contains "🔻"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
index 1d751eacd..8fde8b12f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🔸" or tgt.process.cmdline contains "🔹" or tgt.process.cmdline contains "🔶" or tgt.process.cmdline contains "🔷" or tgt.process.cmdline contains "🔳" or tgt.process.cmdline contains "🔲" or tgt.process.cmdline contains "▪️" or tgt.process.cmdline contains "▫️" or tgt.process.cmdline contains "◾️" or tgt.process.cmdline contains "◽️" or tgt.process.cmdline contains "◼️" or tgt.process.cmdline contains "◻️" or tgt.process.cmdline contains "🟥" or tgt.process.cmdline contains "🟧" or tgt.process.cmdline contains "🟨" or tgt.process.cmdline contains "🟩" or tgt.process.cmdline contains "🟦" or tgt.process.cmdline contains "🟪" or tgt.process.cmdline contains "⬛️" or tgt.process.cmdline contains "⬜️" or tgt.process.cmdline contains "🟫" or tgt.process.cmdline contains "🔈" or tgt.process.cmdline contains "🔇" or tgt.process.cmdline contains "🔉" or tgt.process.cmdline contains "🔊" or tgt.process.cmdline contains "🔔" or tgt.process.cmdline contains "🔕" or tgt.process.cmdline contains "📣" or tgt.process.cmdline contains "📢" or tgt.process.cmdline contains "👁‍🗨" or tgt.process.cmdline contains "💬" or tgt.process.cmdline contains "💭" or tgt.process.cmdline contains "🗯" or tgt.process.cmdline contains "♠️" or tgt.process.cmdline contains "♣️" or tgt.process.cmdline contains "♥️" or tgt.process.cmdline contains "♦️" or tgt.process.cmdline contains "🃏" or tgt.process.cmdline contains "🎴" or tgt.process.cmdline contains "🀄️" or tgt.process.cmdline contains "🕐" or tgt.process.cmdline contains "🕑" or tgt.process.cmdline contains "🕒" or tgt.process.cmdline contains "🕓" or tgt.process.cmdline contains "🕔" or tgt.process.cmdline contains "🕕" or tgt.process.cmdline contains "🕖" or tgt.process.cmdline contains "🕗" or tgt.process.cmdline 
contains "🕘" or tgt.process.cmdline contains "🕙" or tgt.process.cmdline contains "🕚" or tgt.process.cmdline contains "🕛" or tgt.process.cmdline contains "🕜" or tgt.process.cmdline contains "🕝" or tgt.process.cmdline contains "🕞" or tgt.process.cmdline contains "🕟" or tgt.process.cmdline contains "🕠" or tgt.process.cmdline contains "🕡" or tgt.process.cmdline contains "🕢" or tgt.process.cmdline contains "🕣" or tgt.process.cmdline contains "🕤" or tgt.process.cmdline contains "🕥" or tgt.process.cmdline contains "🕦" or tgt.process.cmdline contains "🕧✢" or tgt.process.cmdline contains "✣" or tgt.process.cmdline contains "✤" or tgt.process.cmdline contains "✥" or tgt.process.cmdline contains "✦" or tgt.process.cmdline contains "✧" or tgt.process.cmdline contains "★" or tgt.process.cmdline contains "☆" or tgt.process.cmdline contains "✯" or tgt.process.cmdline contains "✡︎" or tgt.process.cmdline contains "✩" or tgt.process.cmdline contains "✪" or tgt.process.cmdline contains "✫" or tgt.process.cmdline contains "✬" or tgt.process.cmdline contains "✭" or tgt.process.cmdline contains "✮" or tgt.process.cmdline contains "✶" or tgt.process.cmdline contains "✷" or tgt.process.cmdline contains "✵" or tgt.process.cmdline contains "✸" or tgt.process.cmdline contains "✹" or tgt.process.cmdline contains "→" or tgt.process.cmdline contains "⇒" or tgt.process.cmdline contains "⟹" or tgt.process.cmdline contains "⇨" or tgt.process.cmdline contains "⇾" or tgt.process.cmdline contains "➾" or tgt.process.cmdline contains "⇢" or tgt.process.cmdline contains "☛" or tgt.process.cmdline contains "☞" or tgt.process.cmdline contains "➔" or tgt.process.cmdline contains "➜" or tgt.process.cmdline contains "➙" or tgt.process.cmdline contains "➛" or tgt.process.cmdline contains "➝" or tgt.process.cmdline contains "➞" or tgt.process.cmdline contains "♠︎" or tgt.process.cmdline contains "♣︎" or tgt.process.cmdline contains "♥︎" or tgt.process.cmdline contains "♦︎" or tgt.process.cmdline contains "♤" 
or tgt.process.cmdline contains "♧" or tgt.process.cmdline contains "♡" or tgt.process.cmdline contains "♢" or tgt.process.cmdline contains "♚" or tgt.process.cmdline contains "♛" or tgt.process.cmdline contains "♜" or tgt.process.cmdline contains "♝" or tgt.process.cmdline contains "♞" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "♔" or tgt.process.cmdline contains "♕" or tgt.process.cmdline contains "♖" or tgt.process.cmdline contains "♗" or tgt.process.cmdline contains "♘" or tgt.process.cmdline contains "♙" or tgt.process.cmdline contains "⚀" or tgt.process.cmdline contains "⚁" or tgt.process.cmdline contains "⚂" or tgt.process.cmdline contains "⚃" or tgt.process.cmdline contains "⚄" or tgt.process.cmdline contains "⚅" or tgt.process.cmdline contains "🂠" or tgt.process.cmdline contains "⚈" or tgt.process.cmdline contains "⚉" or tgt.process.cmdline contains "⚆" or tgt.process.cmdline contains "⚇" or tgt.process.cmdline contains "𓀀" or tgt.process.cmdline contains "𓀁" or tgt.process.cmdline contains "𓀂" or tgt.process.cmdline contains "𓀃" or tgt.process.cmdline contains "𓀄" or tgt.process.cmdline contains "𓀅" or tgt.process.cmdline contains "𓀆" or tgt.process.cmdline contains "𓀇" or tgt.process.cmdline contains "𓀈" or tgt.process.cmdline contains "𓀉" or tgt.process.cmdline contains "𓀊" or tgt.process.cmdline contains "𓀋" or tgt.process.cmdline contains "𓀌" or tgt.process.cmdline contains "𓀍" or tgt.process.cmdline contains "𓀎" or tgt.process.cmdline contains "𓀏" or tgt.process.cmdline contains "𓀐" or tgt.process.cmdline contains "𓀑" or tgt.process.cmdline contains "𓀒" or tgt.process.cmdline contains "𓀓" or tgt.process.cmdline contains "𓀔" or tgt.process.cmdline contains "𓀕" or tgt.process.cmdline contains "𓀖" or tgt.process.cmdline contains "𓀗" or tgt.process.cmdline contains "𓀘" or tgt.process.cmdline contains "𓀙" or tgt.process.cmdline contains "𓀚" or tgt.process.cmdline contains "𓀛" or tgt.process.cmdline contains "𓀜" or 
tgt.process.cmdline contains "𓀝🏳️" or tgt.process.cmdline contains "🏴" or tgt.process.cmdline contains "🏁" or tgt.process.cmdline contains "🚩" or tgt.process.cmdline contains "🏳️‍🌈" or tgt.process.cmdline contains "🏳️‍⚧️" or tgt.process.cmdline contains "🏴‍☠️" or tgt.process.cmdline contains "🇦🇫" or tgt.process.cmdline contains "🇦🇽" or tgt.process.cmdline contains "🇦🇱" or tgt.process.cmdline contains "🇩🇿" or tgt.process.cmdline contains "🇦🇸" or tgt.process.cmdline contains "🇦🇩" or tgt.process.cmdline contains "🇦🇴" or tgt.process.cmdline contains "🇦🇮" or tgt.process.cmdline contains "🇦🇶" or tgt.process.cmdline contains "🇦🇬" or tgt.process.cmdline contains "🇦🇷" or tgt.process.cmdline contains "🇦🇲" or tgt.process.cmdline contains "🇦🇼" or tgt.process.cmdline contains "🇦🇺" or tgt.process.cmdline contains "🇦🇹" or tgt.process.cmdline contains "🇦🇿" or tgt.process.cmdline contains "🇧🇸" or tgt.process.cmdline contains "🇧🇭" or tgt.process.cmdline contains "🇧🇩" or tgt.process.cmdline contains "🇧🇧" or tgt.process.cmdline contains "🇧🇾" or tgt.process.cmdline contains "🇧🇪" or tgt.process.cmdline contains "🇧🇿" or tgt.process.cmdline contains "🇧🇯" or tgt.process.cmdline contains "🇧🇲" or tgt.process.cmdline contains "🇧🇹" or tgt.process.cmdline contains "🇧🇴" or tgt.process.cmdline contains "🇧🇦" or tgt.process.cmdline contains "🇧🇼" or tgt.process.cmdline contains "🇧🇷" or tgt.process.cmdline contains "🇮🇴" or tgt.process.cmdline contains "🇻🇬" or tgt.process.cmdline contains "🇧🇳" or tgt.process.cmdline contains "🇧🇬" or tgt.process.cmdline contains "🇧🇫" or tgt.process.cmdline contains "🇧🇮" or tgt.process.cmdline contains "🇰🇭" or tgt.process.cmdline contains "🇨🇲" or tgt.process.cmdline contains "🇨🇦" or tgt.process.cmdline contains "🇮🇨" or tgt.process.cmdline contains "🇨🇻" or tgt.process.cmdline contains "🇧🇶" or tgt.process.cmdline contains "🇰🇾" or tgt.process.cmdline contains "🇨🇫" or tgt.process.cmdline contains "🇹🇩" or tgt.process.cmdline contains "🇨🇱" or tgt.process.cmdline contains "🇨🇳" 
or tgt.process.cmdline contains "🇨🇽" or tgt.process.cmdline contains "🇨🇨" or tgt.process.cmdline contains "🇨🇴" or tgt.process.cmdline contains "🇰🇲" or tgt.process.cmdline contains "🇨🇬" or tgt.process.cmdline contains "🇨🇩" or tgt.process.cmdline contains "🇨🇰" or tgt.process.cmdline contains "🇨🇷" or tgt.process.cmdline contains "🇨🇮" or tgt.process.cmdline contains "🇭🇷" or tgt.process.cmdline contains "🇨🇺" or tgt.process.cmdline contains "🇨🇼" or tgt.process.cmdline contains "🇨🇾" or tgt.process.cmdline contains "🇨🇿" or tgt.process.cmdline contains "🇩🇰" or tgt.process.cmdline contains "🇩🇯" or tgt.process.cmdline contains "🇩🇲" or tgt.process.cmdline contains "🇩🇴" or tgt.process.cmdline contains "🇪🇨" or tgt.process.cmdline contains "🇪🇬" or tgt.process.cmdline contains "🇸🇻" or tgt.process.cmdline contains "🇬🇶" or tgt.process.cmdline contains "🇪🇷" or tgt.process.cmdline contains "🇪🇪" or tgt.process.cmdline contains "🇪🇹" or tgt.process.cmdline contains "🇪🇺" or tgt.process.cmdline contains "🇫🇰" or tgt.process.cmdline contains "🇫🇴" or tgt.process.cmdline contains "🇫🇯" or tgt.process.cmdline contains "🇫🇮" or tgt.process.cmdline contains "🇫🇷" or tgt.process.cmdline contains "🇬🇫" or tgt.process.cmdline contains "🇵🇫" or tgt.process.cmdline contains "🇹🇫" or tgt.process.cmdline contains "🇬🇦" or tgt.process.cmdline contains "🇬🇲" or tgt.process.cmdline contains "🇬🇪" or tgt.process.cmdline contains "🇩🇪" or tgt.process.cmdline contains "🇬🇭" or tgt.process.cmdline contains "🇬🇮" or tgt.process.cmdline contains "🇬🇷" or tgt.process.cmdline contains "🇬🇱" or tgt.process.cmdline contains "🇬🇩" or tgt.process.cmdline contains "🇬🇵" or tgt.process.cmdline contains "🇬🇺" or tgt.process.cmdline contains "🇬🇹" or tgt.process.cmdline contains "🇬🇬" or tgt.process.cmdline contains "🇬🇳" or tgt.process.cmdline contains "🇬🇼" or tgt.process.cmdline contains "🇬🇾" or tgt.process.cmdline contains "🇭🇹" or tgt.process.cmdline contains "🇭🇳" or tgt.process.cmdline contains "🇭🇰" or tgt.process.cmdline contains "🇭🇺" 
or tgt.process.cmdline contains "🇮🇸" or tgt.process.cmdline contains "🇮🇳" or tgt.process.cmdline contains "🇮🇩" or tgt.process.cmdline contains "🇮🇷" or tgt.process.cmdline contains "🇮🇶" or tgt.process.cmdline contains "🇮🇪" or tgt.process.cmdline contains "🇮🇲" or tgt.process.cmdline contains "🇮🇱" or tgt.process.cmdline contains "🇮🇹" or tgt.process.cmdline contains "🇯🇲" or tgt.process.cmdline contains "🇯🇵" or tgt.process.cmdline contains "🎌" or tgt.process.cmdline contains "🇯🇪" or tgt.process.cmdline contains "🇯🇴" or tgt.process.cmdline contains "🇰🇿" or tgt.process.cmdline contains "🇰🇪" or tgt.process.cmdline contains "🇰🇮" or tgt.process.cmdline contains "🇽🇰" or tgt.process.cmdline contains "🇰🇼" or tgt.process.cmdline contains "🇰🇬" or tgt.process.cmdline contains "🇱🇦" or tgt.process.cmdline contains "🇱🇻" or tgt.process.cmdline contains "🇱🇧" or tgt.process.cmdline contains "🇱🇸" or tgt.process.cmdline contains "🇱🇷" or tgt.process.cmdline contains "🇱🇾" or tgt.process.cmdline contains "🇱🇮" or tgt.process.cmdline contains "🇱🇹" or tgt.process.cmdline contains "🇱🇺" or tgt.process.cmdline contains "🇲🇴" or tgt.process.cmdline contains "🇲🇰" or tgt.process.cmdline contains "🇲🇬" or tgt.process.cmdline contains "🇲🇼" or tgt.process.cmdline contains "🇲🇾" or tgt.process.cmdline contains "🇲🇻" or tgt.process.cmdline contains "🇲🇱" or tgt.process.cmdline contains "🇲🇹" or tgt.process.cmdline contains "🇲🇭" or tgt.process.cmdline contains "🇲🇶" or tgt.process.cmdline contains "🇲🇷" or tgt.process.cmdline contains "🇲🇺" or tgt.process.cmdline contains "🇾🇹" or tgt.process.cmdline contains "🇲🇽" or tgt.process.cmdline contains "🇫🇲" or tgt.process.cmdline contains "🇲🇩" or tgt.process.cmdline contains "🇲🇨" or tgt.process.cmdline contains "🇲🇳" or tgt.process.cmdline contains "🇲🇪" or tgt.process.cmdline contains "🇲🇸" or tgt.process.cmdline contains "🇲🇦" or tgt.process.cmdline contains "🇲🇿" or tgt.process.cmdline contains "🇲🇲" or tgt.process.cmdline contains "🇳🇦" or tgt.process.cmdline contains "🇳🇷" or 
tgt.process.cmdline contains "🇳🇵" or tgt.process.cmdline contains "🇳🇱" or tgt.process.cmdline contains "🇳🇨" or tgt.process.cmdline contains "🇳🇿" or tgt.process.cmdline contains "🇳🇮" or tgt.process.cmdline contains "🇳🇪" or tgt.process.cmdline contains "🇳🇬" or tgt.process.cmdline contains "🇳🇺" or tgt.process.cmdline contains "🇳🇫" or tgt.process.cmdline contains "🇰🇵" or tgt.process.cmdline contains "🇲🇵" or tgt.process.cmdline contains "🇳🇴" or tgt.process.cmdline contains "🇴🇲" or tgt.process.cmdline contains "🇵🇰" or tgt.process.cmdline contains "🇵🇼" or tgt.process.cmdline contains "🇵🇸" or tgt.process.cmdline contains "🇵🇦" or tgt.process.cmdline contains "🇵🇬" or tgt.process.cmdline contains "🇵🇾" or tgt.process.cmdline contains "🇵🇪" or tgt.process.cmdline contains "🇵🇭" or tgt.process.cmdline contains "🇵🇳" or tgt.process.cmdline contains "🇵🇱" or tgt.process.cmdline contains "🇵🇹" or tgt.process.cmdline contains "🇵🇷" or tgt.process.cmdline contains "🇶🇦" or tgt.process.cmdline contains "🇷🇪" or tgt.process.cmdline contains "🇷🇴" or tgt.process.cmdline contains "🇷🇺" or tgt.process.cmdline contains "🇷🇼" or tgt.process.cmdline contains "🇼🇸" or tgt.process.cmdline contains "🇸🇲" or tgt.process.cmdline contains "🇸🇦" or tgt.process.cmdline contains "🇸🇳" or tgt.process.cmdline contains "🇷🇸" or tgt.process.cmdline contains "🇸🇨" or tgt.process.cmdline contains "🇸🇱" or tgt.process.cmdline contains "🇸🇬" or tgt.process.cmdline contains "🇸🇽" or tgt.process.cmdline contains "🇸🇰" or tgt.process.cmdline contains "🇸🇮" or tgt.process.cmdline contains "🇬🇸" or tgt.process.cmdline contains "🇸🇧" or tgt.process.cmdline contains "🇸🇴" or tgt.process.cmdline contains "🇿🇦" or tgt.process.cmdline contains "🇰🇷" or tgt.process.cmdline contains "🇸🇸" or tgt.process.cmdline contains "🇪🇸" or tgt.process.cmdline contains "🇱🇰" or tgt.process.cmdline contains "🇧🇱" or tgt.process.cmdline contains "🇸🇭" or tgt.process.cmdline contains "🇰🇳" or tgt.process.cmdline contains "🇱🇨" or tgt.process.cmdline contains "🇵🇲" or 
tgt.process.cmdline contains "🇻🇨" or tgt.process.cmdline contains "🇸🇩" or tgt.process.cmdline contains "🇸🇷" or tgt.process.cmdline contains "🇸🇿" or tgt.process.cmdline contains "🇸🇪" or tgt.process.cmdline contains "🇨🇭" or tgt.process.cmdline contains "🇸🇾" or tgt.process.cmdline contains "🇹🇼" or tgt.process.cmdline contains "🇹🇯" or tgt.process.cmdline contains "🇹🇿" or tgt.process.cmdline contains "🇹🇭" or tgt.process.cmdline contains "🇹🇱" or tgt.process.cmdline contains "🇹🇬" or tgt.process.cmdline contains "🇹🇰" or tgt.process.cmdline contains "🇹🇴" or tgt.process.cmdline contains "🇹🇹" or tgt.process.cmdline contains "🇹🇳" or tgt.process.cmdline contains "🇹🇷" or tgt.process.cmdline contains "🇹🇲" or tgt.process.cmdline contains "🇹🇨" or tgt.process.cmdline contains "🇹🇻" or tgt.process.cmdline contains "🇻🇮" or tgt.process.cmdline contains "🇺🇬" or tgt.process.cmdline contains "🇺🇦" or tgt.process.cmdline contains "🇦🇪" or tgt.process.cmdline contains "🇬🇧" or tgt.process.cmdline contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or tgt.process.cmdline contains "🇺🇳" or tgt.process.cmdline contains "🇺🇸" or tgt.process.cmdline contains "🇺🇾" or tgt.process.cmdline contains "🇺🇿" or tgt.process.cmdline contains "🇻🇺" or tgt.process.cmdline contains "🇻🇦" or tgt.process.cmdline contains "🇻🇪" or tgt.process.cmdline contains "🇻🇳" or tgt.process.cmdline contains "🇼🇫" or tgt.process.cmdline contains "🇪🇭" or tgt.process.cmdline contains "🇾🇪" or tgt.process.cmdline contains "🇿🇲" or tgt.process.cmdline contains "🇿🇼🫠" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🫤" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains 
"🫱🏿" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🤝🏻" or tgt.process.cmdline contains "🤝🏼" or tgt.process.cmdline contains "🤝🏽" or tgt.process.cmdline contains "🤝🏾" or tgt.process.cmdline contains "🤝🏿" or tgt.process.cmdline contains "🫱🏻‍🫲🏼" or tgt.process.cmdline contains "🫱🏻‍🫲🏽" or tgt.process.cmdline contains "🫱🏻‍🫲🏾" or tgt.process.cmdline contains "🫱🏻‍🫲🏿" or tgt.process.cmdline contains "🫱🏼‍🫲🏻" or tgt.process.cmdline contains "🫱🏼‍🫲🏽" or tgt.process.cmdline contains "🫱🏼‍🫲🏾" or tgt.process.cmdline contains "🫱🏼‍🫲🏿" or tgt.process.cmdline contains "🫱🏽‍🫲🏻" or tgt.process.cmdline contains "🫱🏽‍🫲🏼" or tgt.process.cmdline contains "🫱🏽‍🫲🏾" or tgt.process.cmdline contains "🫱🏽‍🫲🏿" or 
tgt.process.cmdline contains "🫱🏾‍🫲🏻" or tgt.process.cmdline contains "🫱🏾‍🫲🏼" or tgt.process.cmdline contains "🫱🏾‍🫲🏽" or tgt.process.cmdline contains "🫱🏾‍🫲🏿" or tgt.process.cmdline contains "🫱🏿‍🫲🏻" or tgt.process.cmdline contains "🫱🏿‍🫲🏼" or tgt.process.cmdline contains "🫱🏿‍🫲🏽" or tgt.process.cmdline contains "🫱🏿‍🫲🏾" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline 
contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "💑🏻" or tgt.process.cmdline contains "💑🏼" or tgt.process.cmdline contains "💑🏽" or tgt.process.cmdline contains "💑🏾" or tgt.process.cmdline contains "💑🏿" or tgt.process.cmdline contains "💏🏻" or tgt.process.cmdline contains "💏🏼" or tgt.process.cmdline contains "💏🏽" or tgt.process.cmdline contains "💏🏾" or tgt.process.cmdline contains "💏🏿" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏾" or 
tgt.process.cmdline contains "👩🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏿" or tgt.process.cmdline 
contains "🧑🏻‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains 
"👩🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏿" or 
tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏾")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md index 90ab8d776..ff950e272 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "COMPlus_ETWEnabled" or tgt.process.cmdline contains "COMPlus_ETWFlags")) ``` 
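Review bot: Three `contains` literals in the new side of the emoji_usage_in_cli_4 hunk fuse two adjacent list entries into a single pattern — `"🕧✢"`, `"𓀝🏳️"` and `"🇿🇼🫠"` — so those terms only match when both symbols appear back-to-back, and 🕧, ✢, 𓀝, 🏳️, 🇿🇼 and 🫠 are never detected on their own. Each fused pair sits exactly where one emoji group ends and the next begins (clock faces → dingbats, hieroglyphs → flags, country flags → Emoji 14 additions), which presumably points to a missing separator in the upstream translation step rather than a hand edit of this file. Splitting each into two terms, e.g. `tgt.process.cmdline contains "🕧" or tgt.process.cmdline contains "✢"`, restores the intended coverage; the sibling emoji_usage_in_cli files are only partially visible here and may carry the same pattern. The date-only change the commit makes is otherwise fine.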
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
index 5cf7e74ab..94ce48822 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cl" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "clear-log" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "sl" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "set-log" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "logman" and tgt.process.cmdline contains "update" and tgt.process.cmdline contains "trace" and tgt.process.cmdline contains "--p" and tgt.process.cmdline contains "-ets") or tgt.process.cmdline contains "Remove-EtwTraceProvider" or (tgt.process.cmdline contains "Set-EtwTraceProvider" and tgt.process.cmdline contains "0x11")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
index 6f58c04bb..bb596535a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\wevtutil.exe" and (tgt.process.cmdline contains "clear-log " or tgt.process.cmdline contains " cl " or tgt.process.cmdline contains "set-log " or tgt.process.cmdline contains " sl " or tgt.process.cmdline contains "lfn:")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Clear-EventLog " or tgt.process.cmdline contains "Remove-EventLog " or tgt.process.cmdline contains "Limit-EventLog " or tgt.process.cmdline contains "Clear-WinEvent ")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wmic.exe") and tgt.process.cmdline contains "ClearEventLog")) and (not ((src.process.image.path in ("C:\Windows\SysWOW64\msiexec.exe","C:\Windows\System32\msiexec.exe")) and tgt.process.cmdline contains " sl "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
index 8234d8cb2..8f4ec624b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains ":\Users\Public\" and ((tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md
index 43dedc580..f0ab6407b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\Perflogs\" or tgt.process.image.path contains ":\Users\All Users\" or tgt.process.image.path contains ":\Users\Default\" or tgt.process.image.path contains ":\Users\NetworkService\" or tgt.process.image.path contains ":\Windows\addins\" or tgt.process.image.path contains ":\Windows\debug\" or tgt.process.image.path contains ":\Windows\Fonts\" or tgt.process.image.path contains ":\Windows\Help\" or tgt.process.image.path contains ":\Windows\IME\" or tgt.process.image.path contains ":\Windows\Media\" or tgt.process.image.path contains ":\Windows\repair\" or tgt.process.image.path contains ":\Windows\security\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\" or tgt.process.image.path contains "$Recycle.bin" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Intel\Logs\" or tgt.process.image.path contains "\RSA\MachineKeys\") and (not (tgt.process.image.path contains "C:\Users\Public\IBM\ClientSolutions\Start_Programs\" or (tgt.process.image.path contains "C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\" and tgt.process.image.path contains "\CitrixReceiverUpdater.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md
index 224a49b02..300d18a6c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "gatherNetworkInfo.vbs" and (not (tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md
index 66a248704..cc408af51 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::$index_allocation")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md
index 89873b3e2..8a00f06d4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "type" or tgt.process.cmdline contains "file createnew" or tgt.process.cmdline contains "cacls") and tgt.process.cmdline contains "C:\Windows\Fonts\" and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh" or tgt.process.cmdline contains ".reg" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl" or tgt.process.cmdline contains ".inf" or tgt.process.cmdline contains ".cpl" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".msi" or tgt.process.cmdline contains ".vbs")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md
index 1ed2d2add..a66a87dae 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "А" or tgt.process.cmdline contains "В" or tgt.process.cmdline contains "Е" or tgt.process.cmdline contains "К" or tgt.process.cmdline contains "М" or tgt.process.cmdline contains "Н" or tgt.process.cmdline contains "О" or tgt.process.cmdline contains "Р" or tgt.process.cmdline contains "С" or tgt.process.cmdline contains "Т" or tgt.process.cmdline contains "Х" or tgt.process.cmdline contains "Ѕ" or tgt.process.cmdline contains "І" or tgt.process.cmdline contains "Ј" or tgt.process.cmdline contains "Ү" or tgt.process.cmdline contains "Ӏ" or tgt.process.cmdline contains "Ԍ" or tgt.process.cmdline contains "Ԛ" or tgt.process.cmdline contains "Ԝ" or tgt.process.cmdline contains "Α" or tgt.process.cmdline contains "Β" or tgt.process.cmdline contains "Ε" or tgt.process.cmdline contains "Ζ" or tgt.process.cmdline contains "Η" or tgt.process.cmdline contains "Ι" or tgt.process.cmdline contains "Κ" or tgt.process.cmdline contains "Μ" or tgt.process.cmdline contains "Ν" or tgt.process.cmdline contains "Ο" or tgt.process.cmdline contains "Ρ" or tgt.process.cmdline contains "Τ" or tgt.process.cmdline contains "Υ" or tgt.process.cmdline contains "Χ") or (tgt.process.cmdline contains "а" or tgt.process.cmdline contains "е" or tgt.process.cmdline contains "о" or tgt.process.cmdline contains "р" or tgt.process.cmdline contains "с" or tgt.process.cmdline contains "х" or tgt.process.cmdline contains "ѕ" or tgt.process.cmdline contains "і" or tgt.process.cmdline contains "ӏ" or tgt.process.cmdline contains "ј" or tgt.process.cmdline contains "һ" or tgt.process.cmdline contains "ԁ" or tgt.process.cmdline contains "ԛ" or tgt.process.cmdline contains "ԝ" or tgt.process.cmdline contains "ο")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md
index a15cd6f8e..14f295b4d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((not tgt.process.image.path contains "\") and (not (not (tgt.process.image.path matches "\.*") or (tgt.process.image.path in ("-","")) or ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or (tgt.process.cmdline in ("Registry","MemCompression","vmmem")))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md
index a95c72895..dfa33e9e4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "TVqQAAMAAAAEAAAA" or tgt.process.cmdline contains "TVpQAAIAAAAEAA8A" or tgt.process.cmdline contains "TVqAAAEAAAAEABAA" or tgt.process.cmdline contains "TVoAAAAAAAAAAAAA" or tgt.process.cmdline contains "TVpTAQEAAAAEAAAA"))
 ```
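Review bot: The clause `not (tgt.process.image.path matches "\.*")` in the image_missing query reads as an attempt to express "image path is absent", but as a regex `\.*` means "zero or more literal dots": if `matches` is unanchored every string satisfies it and the negated clause is dead, and if `matches` is anchored only paths made entirely of dots satisfy it, so nearly every event is swallowed by the surrounding `not (...)` exclusion and the rule never fires. Either way the null-image filter is not doing what the rule needs; if the query language has an existence test that is the right translation, otherwise `not (tgt.process.image.path matches ".+")` states "empty or missing" directly and agrees with the `in ("-","")` check next to it. The same `matches "\.*"` construct recurs in the non_exe_image hunk further down this commit, while the obfuscated_ip_download hunk escapes dots as `\\.`, so the translator's regex-escaping convention is inconsistent across rules and should be settled once against the backend's string-literal rules. The hunk changes only the timestamp comment, so this is a pre-existing translation issue rather than a regression introduced here.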
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md
index 200c1c7ad..58e6cb780 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "AddSecurityPackage" or tgt.process.cmdline contains "AdjustTokenPrivileges" or tgt.process.cmdline contains "Advapi32" or tgt.process.cmdline contains "CloseHandle" or tgt.process.cmdline contains "CreateProcessWithToken" or tgt.process.cmdline contains "CreatePseudoConsole" or tgt.process.cmdline contains "CreateRemoteThread" or tgt.process.cmdline contains "CreateThread" or tgt.process.cmdline contains "CreateUserThread" or tgt.process.cmdline contains "DangerousGetHandle" or tgt.process.cmdline contains "DuplicateTokenEx" or tgt.process.cmdline contains "EnumerateSecurityPackages" or tgt.process.cmdline contains "FreeHGlobal" or tgt.process.cmdline contains "FreeLibrary" or tgt.process.cmdline contains "GetDelegateForFunctionPointer" or tgt.process.cmdline contains "GetLogonSessionData" or tgt.process.cmdline contains "GetModuleHandle" or tgt.process.cmdline contains "GetProcAddress" or tgt.process.cmdline contains "GetProcessHandle" or tgt.process.cmdline contains "GetTokenInformation" or tgt.process.cmdline contains "ImpersonateLoggedOnUser" or tgt.process.cmdline contains "kernel32" or tgt.process.cmdline contains "LoadLibrary" or tgt.process.cmdline contains "memcpy" or tgt.process.cmdline contains "MiniDumpWriteDump" or tgt.process.cmdline contains "ntdll" or tgt.process.cmdline contains "OpenDesktop" or tgt.process.cmdline contains "OpenProcess" or tgt.process.cmdline contains "OpenProcessToken" or tgt.process.cmdline contains "OpenThreadToken" or tgt.process.cmdline contains "OpenWindowStation" or tgt.process.cmdline contains "PtrToString" or tgt.process.cmdline contains "QueueUserApc" or tgt.process.cmdline contains "ReadProcessMemory" or tgt.process.cmdline contains "RevertToSelf" or 
tgt.process.cmdline contains "RtlCreateUserThread" or tgt.process.cmdline contains "secur32" or tgt.process.cmdline contains "SetThreadToken" or tgt.process.cmdline contains "VirtualAlloc" or tgt.process.cmdline contains "VirtualFree" or tgt.process.cmdline contains "VirtualProtect" or tgt.process.cmdline contains "WaitForSingleObject" or tgt.process.cmdline contains "WriteInt32" or tgt.process.cmdline contains "WriteProcessMemory" or tgt.process.cmdline contains "ZeroFreeGlobalAllocUnicode") and (not (tgt.process.image.path contains "\MpCmdRun.exe" and tgt.process.cmdline contains "GetLoadLibraryWAddress32"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md
index f629e68c0..adb7df4b0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "eyJ0eXAiOi" or tgt.process.cmdline contains "eyJhbGciOi" or tgt.process.cmdline contains " eyJ0eX" or tgt.process.cmdline contains " \"eyJ0eX\"" or tgt.process.cmdline contains " 'eyJ0eX'" or tgt.process.cmdline contains " eyJhbG" or tgt.process.cmdline contains " \"eyJhbG\"" or tgt.process.cmdline contains " 'eyJhbG'"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md
index c32ea6ed9..d1aa82c18 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains " /c" and tgt.process.cmdline contains "dir " and tgt.process.cmdline contains "\Users\")) and (not tgt.process.cmdline contains " rmdir ")) or (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "user") and (not (tgt.process.cmdline contains "/domain" or tgt.process.cmdline contains "/add" or tgt.process.cmdline contains "/delete" or tgt.process.cmdline contains "/active" or tgt.process.cmdline contains "/expires" or tgt.process.cmdline contains "/passwordreq" or tgt.process.cmdline contains "/scriptpath" or tgt.process.cmdline contains "/times" or tgt.process.cmdline contains "/workstations"))) or ((tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\quser.exe" or tgt.process.image.path contains "\qwinsta.exe") or (tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "useraccount" and tgt.process.cmdline contains "get")) or (tgt.process.image.path contains "\cmdkey.exe" and tgt.process.cmdline contains " /l"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md
index 1ad426d5b..8f6d27db5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lsass.dmp" or tgt.process.cmdline contains "lsass.zip" or tgt.process.cmdline contains "lsass.rar" or tgt.process.cmdline contains "Andrew.dmp" or tgt.process.cmdline contains "Coredump.dmp" or tgt.process.cmdline contains "NotLSASS.zip" or tgt.process.cmdline contains "lsass_2" or tgt.process.cmdline contains "lsassdump" or tgt.process.cmdline contains "lsassdmp") or (tgt.process.cmdline contains "lsass" and tgt.process.cmdline contains ".dmp") or (tgt.process.cmdline contains "SQLDmpr" and tgt.process.cmdline contains ".mdmp") or (tgt.process.cmdline contains "nanodump" and tgt.process.cmdline contains ".dmp")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md
index bf50305ac..460cf4f5e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ms-appinstaller://*source=*" and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md
index 5404061e3..bdd572e91 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md
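Review bot: The ms_appinstaller_download query is the only rule in this set that compares with `=` and embeds `*` wildcards, `tgt.process.cmdline="*ms-appinstaller://*source=*"`, whereas every neighbouring rule expresses substring matching with `contains` or `matches`. If `=` is an exact comparison in this query language the condition can never be satisfied (no real command line equals that literal) and the rule is silently dead, so it should be written in the same idiom as the others, e.g. `tgt.process.cmdline matches "ms-appinstaller://.*source="` or `(tgt.process.cmdline contains "ms-appinstaller://" and tgt.process.cmdline contains "source=")`. Whether the backend globs `*` inside an `=` operand is not visible from the translation; the point is to confirm it rather than rely on it. The hunk itself only bumps the timestamp comment, so this is a pre-existing translator output worth fixing at the translator rather than by hand-editing this file.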
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ipconfig /all" or tgt.process.cmdline contains "netsh interface show interface" or tgt.process.cmdline contains "arp -a" or tgt.process.cmdline contains "nbtstat -n" or tgt.process.cmdline contains "net config" or tgt.process.cmdline contains "route print"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md
index c1405f1ba..220ccaf64 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "for " or tgt.process.cmdline contains "foreach ") and (tgt.process.cmdline contains "nslookup" or tgt.process.cmdline contains "ping")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md
index d2ef5f151..41f5ced27 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\tshark.exe" and tgt.process.cmdline contains "-i") or tgt.process.image.path contains "\windump.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md
index dd8cf6717..fce44fcff 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md
index 2a215a199..3e2cb9b06 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains ".bin" or tgt.process.image.path contains ".cgi" or tgt.process.image.path contains ".com" or tgt.process.image.path contains ".exe" or tgt.process.image.path contains ".scr" or tgt.process.image.path contains ".tmp")) and (not ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or tgt.process.image.path contains ":\Windows\Installer\MSI" or tgt.process.image.path contains ":\Windows\System32\DriverStore\FileRepository\" or (tgt.process.image.path contains ":\Config.Msi\" and (tgt.process.image.path contains ".rbf" or tgt.process.image.path contains ".rbs")) or (src.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\Temp\") or tgt.process.image.path contains ":\$Extend\$Deleted\" or (tgt.process.image.path in ("-","")) or not (tgt.process.image.path matches "\.*"))) and (not (src.process.image.path contains ":\ProgramData\Avira\" or (tgt.process.image.path contains "NVIDIA\NvBackend\" and tgt.process.image.path contains ".dat") or ((tgt.process.image.path contains ":\Program Files (x86)\WINPAKPRO\" or tgt.process.image.path contains ":\Program Files\WINPAKPRO\") and tgt.process.image.path contains ".ngn") or (tgt.process.image.path contains ":\Program Files (x86)\MyQ\Server\pcltool.dll" or tgt.process.image.path contains ":\Program Files\MyQ\Server\pcltool.dll") or (tgt.process.image.path contains "\AppData\Local\Packages\" and tgt.process.image.path contains "\LocalState\rootfs\") or tgt.process.image.path contains "\LZMA_EXE" or tgt.process.image.path contains ":\Program Files\Mozilla Firefox\" or (src.process.image.path="C:\Windows\System32\services.exe" and tgt.process.image.path contains "com.docker.service")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md
index 0a035131e..d1ca6979e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add") or (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "set-itemproperty" or tgt.process.cmdline contains " sp " or tgt.process.cmdline contains "new-itemproperty")) and (tgt.process.integrityLevel="Medium" and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "Services") and (tgt.process.cmdline contains "ImagePath" or tgt.process.cmdline contains "FailureCommand" or tgt.process.cmdline contains "ServiceDLL")))) | columns EventID,tgt.process.integrityLevel,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md
index a5674bb16..fd2c7a4dd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\NTDSDump.exe" or tgt.process.image.path contains "\NTDSDumpEx.exe") or (tgt.process.cmdline contains "ntds.dit" and tgt.process.cmdline contains "system.hiv") or tgt.process.cmdline contains "NTDSgrab.ps1") or (tgt.process.cmdline contains "ac i ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "/c copy " and tgt.process.cmdline contains "\windows\ntds\ntds.dit") or (tgt.process.cmdline contains "activate instance ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "ntds.dit")) or (tgt.process.cmdline contains "ntds.dit" and ((src.process.image.path contains "\apache" or src.process.image.path contains "\tomcat" or src.process.image.path contains "\AppData\" or src.process.image.path contains "\Temp\" or src.process.image.path contains "\Public\" or src.process.image.path contains "\PerfLogs\") or (tgt.process.image.path contains "\apache" or tgt.process.image.path contains "\tomcat" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Temp\" or tgt.process.image.path contains "\Public\" or tgt.process.image.path contains "\PerfLogs\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md
index 75c0d584d..17b1cb52d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Win32_NTEventlogFile" and (tgt.process.cmdline contains ".BackupEventlog(" or tgt.process.cmdline contains ".ChangeSecurityPermissions(" or tgt.process.cmdline contains ".ChangeSecurityPermissionsEx(" or tgt.process.cmdline contains ".ClearEventLog(" or tgt.process.cmdline contains ".Delete(" or tgt.process.cmdline contains ".DeleteEx(" or tgt.process.cmdline contains ".Rename(" or tgt.process.cmdline contains ".TakeOwnerShip(" or tgt.process.cmdline contains ".TakeOwnerShipEx(")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md
index 5c7290e4d..171a1996f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1\" or tgt.process.cmdline contains "~2\") and (not ((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe","C:\Program Files\GPSoftware\Directory Opus\dopus.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or src.process.image.path contains "\veam.backup.shell.exe" or src.process.image.path contains "\winget.exe" or src.process.image.path contains "\Everything\Everything.exe") or src.process.image.path contains "\AppData\Local\Temp\WinGet\" or (tgt.process.cmdline contains "\appdata\local\webex\webex64\meetings\wbxreport.exe" or tgt.process.cmdline contains "C:\Program Files\Git\post-install.bat" or tgt.process.cmdline contains "C:\Program Files\Git\cmd\scalar.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md
index 558faea45..369e1fe4b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1\" or tgt.process.image.path contains "~2\") and (not (((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.displayName="InstallShield (R)" or tgt.process.displayName="InstallShield (R) Setup Engine" or tgt.process.publisher="InstallShield Software Corporation") or ((tgt.process.image.path contains "\AppData\" and tgt.process.image.path contains "\Temp\") or (tgt.process.image.path contains "~1\unzip.exe" or tgt.process.image.path contains "~1\7zG.exe"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md
index 95c753387..bde687145 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1.exe" or tgt.process.cmdline contains "~1.bat" or tgt.process.cmdline contains "~1.msi" or tgt.process.cmdline contains "~1.vbe" or tgt.process.cmdline contains "~1.vbs" or tgt.process.cmdline contains "~1.dll" or tgt.process.cmdline contains "~1.ps1" or tgt.process.cmdline contains "~1.js" or tgt.process.cmdline contains "~1.hta" or tgt.process.cmdline contains "~2.exe" or tgt.process.cmdline contains "~2.bat" or tgt.process.cmdline contains "~2.msi" or tgt.process.cmdline contains "~2.vbe" or tgt.process.cmdline contains "~2.vbs" or tgt.process.cmdline contains "~2.dll" or tgt.process.cmdline contains "~2.ps1" or tgt.process.cmdline contains "~2.js" or tgt.process.cmdline contains "~2.hta") and (not ((src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.cmdline contains "C:\xampp\vcredist\VCREDI~1.EXE"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md
index 40e7f4a50..cfc591732 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1.bat" or tgt.process.image.path contains "~1.dll" or tgt.process.image.path contains "~1.exe" or tgt.process.image.path contains "~1.hta" or tgt.process.image.path contains "~1.js" or tgt.process.image.path contains "~1.msi" or tgt.process.image.path contains "~1.ps1" or tgt.process.image.path contains "~1.tmp" or tgt.process.image.path contains "~1.vbe" or tgt.process.image.path contains "~1.vbs" or tgt.process.image.path contains "~2.bat" or tgt.process.image.path contains "~2.dll" or tgt.process.image.path contains "~2.exe" or tgt.process.image.path contains "~2.hta" or tgt.process.image.path contains "~2.js" or tgt.process.image.path contains "~2.msi" or tgt.process.image.path contains "~2.ps1" or tgt.process.image.path contains "~2.tmp" or tgt.process.image.path contains "~2.vbe" or tgt.process.image.path contains "~2.vbs") and (not src.process.image.path="C:\Windows\explorer.exe") and (not (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or tgt.process.image.path="C:\PROGRA~1\WinZip\WZPREL~1.EXE" or tgt.process.image.path contains "\VCREDI~1.EXE")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md index 045fca51e..839383d33 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "DownloadFile" or tgt.process.cmdline contains "DownloadString") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md index 56350707c..9729f0eb2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\arp.exe") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md index 3a4b5aa0b..398450009 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\minesweeper.exe" or src.process.image.path contains "\winver.exe" or src.process.image.path contains "\bitsadmin.exe") or ((src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\certutil.exe" or src.process.image.path contains "\eventvwr.exe" or src.process.image.path contains "\calc.exe" or src.process.image.path contains "\notepad.exe") and (not ((tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\wermgr.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\mmc.exe" or tgt.process.image.path contains "\win32calc.exe" or tgt.process.image.path contains "\notepad.exe") or not (tgt.process.image.path matches "\.*")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md index 9bac56b16..222703423 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -u system " or tgt.process.cmdline contains " --user system " or tgt.process.cmdline contains " -u NT" or tgt.process.cmdline contains " -u \"NT" or tgt.process.cmdline contains " -u 'NT" or tgt.process.cmdline contains " --system " or tgt.process.cmdline contains " -u administrator ") and (tgt.process.cmdline contains " -c cmd" or tgt.process.cmdline contains " -c \"cmd" or tgt.process.cmdline contains " -c powershell" or tgt.process.cmdline contains " -c \"powershell" or tgt.process.cmdline contains " --command cmd" or tgt.process.cmdline contains " --command powershell" or tgt.process.cmdline contains " -c whoami" or tgt.process.cmdline contains " -c wscript" or tgt.process.cmdline contains " -c cscript"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md index 7b0ee7810..bd75fd698 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\lsaiso.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe") and (not (((src.process.image.path contains "\SavService.exe" or src.process.image.path contains "\ngen.exe") or (src.process.image.path contains "\System32\" or src.process.image.path contains "\SysWOW64\")) or ((src.process.image.path contains "\Windows Defender\" or src.process.image.path contains "\Microsoft Security Client\") and src.process.image.path contains "\MsMpEng.exe") or (not (src.process.image.path matches "\.*") or src.process.image.path="-"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md index ab0954d6c..4a1cead18 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\CVE-202" or tgt.process.image.path contains "\CVE202") or (tgt.process.image.path contains "\poc.exe" or tgt.process.image.path contains "\artifact.exe" or tgt.process.image.path contains "\artifact64.exe" or tgt.process.image.path contains "\artifact_protected.exe" or tgt.process.image.path contains "\artifact32.exe" or tgt.process.image.path contains "\artifact32big.exe" or tgt.process.image.path contains "obfuscated.exe" or tgt.process.image.path contains "obfusc.exe" or tgt.process.image.path contains "\meterpreter")) or (tgt.process.cmdline contains "inject.ps1" or tgt.process.cmdline contains "Invoke-CVE" or tgt.process.cmdline contains "pupy.ps1" or tgt.process.cmdline contains "payload.ps1" or tgt.process.cmdline contains "beacon.ps1" or tgt.process.cmdline contains "PowerView.ps1" or tgt.process.cmdline contains "bypass.ps1" or tgt.process.cmdline contains "obfuscated.ps1" or tgt.process.cmdline contains "obfusc.ps1" or tgt.process.cmdline contains "obfus.ps1" or tgt.process.cmdline contains "obfs.ps1" or tgt.process.cmdline contains "evil.ps1" or tgt.process.cmdline contains "MiniDogz.ps1" or tgt.process.cmdline contains "_enc.ps1" or tgt.process.cmdline contains "\shell.ps1" or tgt.process.cmdline contains "\rshell.ps1" or tgt.process.cmdline contains "revshell.ps1" or tgt.process.cmdline contains "\av.ps1" or tgt.process.cmdline contains "\av_test.ps1" or tgt.process.cmdline contains "adrecon.ps1" or tgt.process.cmdline contains "mimikatz.ps1" or tgt.process.cmdline contains "\PowerUp_" or tgt.process.cmdline contains "powerup.ps1" or tgt.process.cmdline contains "\Temp\a.ps1" or tgt.process.cmdline contains "\Temp\p.ps1" or tgt.process.cmdline contains "\Temp\1.ps1" or tgt.process.cmdline 
contains "Hound.ps1" or tgt.process.cmdline contains "encode.ps1" or tgt.process.cmdline contains "powercat.ps1"))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md index a6a7b5d59..171da4a00 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "RECYCLERS.BIN\" or tgt.process.image.path contains "RECYCLER.BIN\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md index bbe47b116..49888432e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ">" and (tgt.process.cmdline contains "\\127.0.0.1\admin$\" or tgt.process.cmdline contains "\\localhost\admin$\"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md index 2df848d28..a39fb0801 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":3389" and (tgt.process.cmdline contains " -L " or tgt.process.cmdline contains " -P " or tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " -pw " or tgt.process.cmdline contains " -ssh "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md index 81c10838b..87df796fe 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "‮") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md index 6e1b45558..b84f24622 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains "\Windows\Temp" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\Temp" or tgt.process.cmdline contains "%TEMP%" or tgt.process.cmdline contains "%TMP%" or tgt.process.cmdline contains "%LocalAppData%\Temp")) and (not (tgt.process.cmdline contains " >" or tgt.process.cmdline contains "Out-File" or tgt.process.cmdline contains "ConvertTo-Json" or tgt.process.cmdline contains "-WindowStyle hidden -Verb runAs" or tgt.process.cmdline contains "\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md index f9717711f..9ec349e0d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" and (tgt.process.cmdline contains "\NTDS.dit" or tgt.process.cmdline contains "\SYSTEM" or tgt.process.cmdline contains "\SECURITY"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md index a14808d1b..5dd5884ab 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath=")) or (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName")) and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md index b6af3653c..d2d4fdb3a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\$Recycle.bin" or tgt.process.image.path contains "\Users\All Users\" or tgt.process.image.path contains "\Users\Default\" or tgt.process.image.path contains "\Users\Contacts\" or tgt.process.image.path contains "\Users\Searches\" or tgt.process.image.path contains "C:\Perflogs\" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Windows\Fonts\" or tgt.process.image.path contains "\Windows\IME\" or tgt.process.image.path contains "\Windows\addins\") and (src.process.image.path contains "\services.exe" or src.process.image.path contains "\svchost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md index f27c2c175..b577e4dba 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\regsvr32.exe") and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\mshta.exe")) and (not (tgt.process.image.path contains "\ccmcache\" or (src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1" or src.process.cmdline contains "\nessus_") or tgt.process.cmdline contains "\nessus_" or (src.process.image.path contains "\mshta.exe" and tgt.process.image.path contains "\mshta.exe" and (src.process.cmdline contains "C:\MEM_Configmgr_" and src.process.cmdline contains "\splash.hta" and src.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}") and (tgt.process.cmdline contains "C:\MEM_Configmgr_" and tgt.process.cmdline contains "\SMSSETUP\BIN\" and tgt.process.cmdline contains "\autorun.hta" and tgt.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}")))))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path,tgt.process.image.path,src.process.image.path ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md index 26a216871..1aa13390f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":\Windows\Sysnative\" or tgt.process.image.path contains ":\Windows\Sysnative\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md index d2e51613a..19f2194f3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\atbroker.exe" or tgt.process.image.path contains "\audiodg.exe" or tgt.process.image.path contains "\bcdedit.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certreq.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmstp.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\consent.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\dashost.exe" or tgt.process.image.path contains "\defrag.exe" or tgt.process.image.path contains "\dfrgui.exe" or tgt.process.image.path contains "\dism.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\dllhst3g.exe" or tgt.process.image.path contains "\dwm.exe" or tgt.process.image.path contains "\eventvwr.exe" or tgt.process.image.path contains "\logonui.exe" or tgt.process.image.path contains "\LsaIso.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\ntoskrnl.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\runonce.exe" or tgt.process.image.path contains "\RuntimeBroker.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\sihost.exe" or 
tgt.process.image.path contains "\smartscreen.exe" or tgt.process.image.path contains "\smss.exe" or tgt.process.image.path contains "\spoolsv.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\Taskmgr.exe" or tgt.process.image.path contains "\userinit.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe" or tgt.process.image.path contains "\winver.exe" or tgt.process.image.path contains "\wlanext.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wsmprovhost.exe") and (not ((tgt.process.image.path contains "C:\$WINDOWS.~BT\" or tgt.process.image.path contains "C:\$WinREAgent\" or tgt.process.image.path contains "C:\Windows\SoftwareDistribution\" or tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SystemTemp\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\uus\" or tgt.process.image.path contains "C:\Windows\WinSxS\") or (tgt.process.image.path in ("C:\Program Files\PowerShell\7\pwsh.exe","C:\Program Files\PowerShell\7-preview\pwsh.exe")) or (tgt.process.image.path contains "C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux" and tgt.process.image.path contains "\wsl.exe"))) and (not tgt.process.image.path contains "\SystemRoot\System32\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md index f26b26e95..3ce85f278 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel="System" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " /urlcache " or tgt.process.cmdline contains " -urlcache " or tgt.process.cmdline="* -e* JAB*" or tgt.process.cmdline="* -e* SUVYI*" or tgt.process.cmdline="* -e* SQBFAFgA*" or tgt.process.cmdline="* -e* aWV4I*" or tgt.process.cmdline="* -e* IAB*" or tgt.process.cmdline="* -e* PAA*" or tgt.process.cmdline="* -e* aQBlAHgA*" or tgt.process.cmdline contains "vssadmin delete shadows" or tgt.process.cmdline contains "reg SAVE HKLM" or tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains "Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains " /ticket:" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "event::clear" or tgt.process.cmdline contains "event::drop" or tgt.process.cmdline contains "id::modify" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "misc::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "rpc::" or 
tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "sid::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "vault::cred" or tgt.process.cmdline contains "vault::list" or tgt.process.cmdline contains " p::d " or tgt.process.cmdline contains ";iex(" or tgt.process.cmdline contains "MiniDump" or tgt.process.cmdline contains "net user "))) and (not (tgt.process.cmdline contains "ping 127.0.0.1 -n" or (tgt.process.image.path contains "\PING.EXE" and src.process.cmdline contains "\DismFoDInstall.cmd") or src.process.image.path contains ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or ((src.process.image.path contains ":\Program Files (x86)\Java\" or src.process.image.path contains ":\Program Files\Java\") and src.process.image.path contains "\bin\javaws.exe" and (tgt.process.image.path contains ":\Program Files (x86)\Java\" or tgt.process.image.path contains ":\Program Files\Java\") and tgt.process.image.path contains "\bin\jp2launcher.exe" and tgt.process.cmdline contains " -ma "))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md index 527ea06c8..2cc29cde3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SYSVOL\" and tgt.process.cmdline contains "\policies\")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md index 95544f3be..99666ea54 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo " or tgt.process.cmdline contains "copy " or tgt.process.cmdline contains "type " or tgt.process.cmdline contains "file createnew") and (tgt.process.cmdline contains " C:\Windows\System32\Tasks\" or tgt.process.cmdline contains " C:\Windows\SysWow64\Tasks\"))) | columns tgt.process.cmdline,ParentProcess ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md index 7b90c3894..108708fea 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vsjitdebugger.exe" and (not (tgt.process.image.path="*\vsimmersiveactivatehelper*.exe" or tgt.process.image.path contains "\devenv.exe")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md index daf2f6ae0..8e5f53ba4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "123456789" or tgt.process.cmdline contains "123123qwE" or tgt.process.cmdline contains "Asd123.aaaa" or tgt.process.cmdline contains "Decryptme" or tgt.process.cmdline contains "P@ssw0rd!" or tgt.process.cmdline contains "Pass8080" or tgt.process.cmdline contains "password123" or tgt.process.cmdline contains "test@202")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md index a82c08239..921081d10 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[System.Net.WebRequest]::create" or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "Invoke-RestMethod" or tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "Net.WebClient" or tgt.process.cmdline contains "Resume-BitsTransfer" or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "WinHttp.WinHttpRequest")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md index f8dda45e0..bcf1698b4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains ".exe whoami") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md index 78def3ba5..9f285884e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\control.exe" and src.process.image.path contains "\WorkFolders.exe") and (not tgt.process.image.path="C:\Windows\System32\control.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md index bd0ac511e..0aa6a831a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "svchost.exe" and tgt.process.image.path contains "\svchost.exe") and (not ((src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\rpcnetp.exe") or not (tgt.process.cmdline matches "\.*"))))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md index 5e4a8e42f..e0deb44b4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains "\svchost.exe" and src.process.cmdline contains "termsvcs") and (not ((tgt.process.image.path contains "\rdpclip.exe" or tgt.process.image.path contains ":\Windows\System32\csrss.exe" or tgt.process.image.path contains ":\Windows\System32\wininit.exe" or tgt.process.image.path contains ":\Windows\System32\winlogon.exe") or not (tgt.process.image.path matches "\.*"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md index 13f40bc0f..864caa38b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\svchost.exe" and (not ((src.process.image.path contains "\Mrt.exe" or src.process.image.path contains "\MsMpEng.exe" or src.process.image.path contains "\ngen.exe" or src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\TiWorker.exe") or not (src.process.image.path matches "\.*") or (src.process.image.path in ("-","")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md index 93d02a8bd..d48023940 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -accepteula" or tgt.process.cmdline contains " /accepteula" or tgt.process.cmdline contains " –accepteula" or tgt.process.cmdline contains " —accepteula" or tgt.process.cmdline contains " ―accepteula")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md index ec5fc06eb..e716de420 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md index 7bc5aeede..bba801c91 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "copy procdump" or tgt.process.cmdline contains "move procdump") or ((tgt.process.cmdline contains "copy " and tgt.process.cmdline contains ".dmp ") and (tgt.process.cmdline contains "2.dmp" or tgt.process.cmdline contains "lsass" or tgt.process.cmdline contains "out.dmp")) or (tgt.process.cmdline contains "copy lsass.exe_" or tgt.process.cmdline contains "move lsass.exe_"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md index f52c66bbc..683adcfd4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains " /ma " or tgt.process.cmdline contains " –ma " or tgt.process.cmdline contains " —ma " or tgt.process.cmdline contains " ―ma ") and tgt.process.cmdline contains " ls")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md index b0a2ab85a..6143dfc05 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline 
contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline 
contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or 
tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline 
contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (tgt.process.cmdline contains "psexec" or tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "accepteula"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md index 4490cfbb2..ebce67374 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "accepteula" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " \\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md index be1b88bd8..ce408d5c3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\PSEXESVC.exe" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md index 3f6d302fd..095c34b9d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline 
contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline 
contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or 
tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline 
contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (not (tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "PsExec" or tgt.process.cmdline contains "accepteula")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md index d5df53cb3..288636ddb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-c" or tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "–c" or tgt.process.cmdline contains "—c" or tgt.process.cmdline contains "―c"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md index f7dd8d9b4..b1b789cfd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md index 3e50c0a1e..af057476e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\accesschk.exe" or tgt.process.image.path contains "\accesschk64.exe" or tgt.process.image.path contains "\AccessEnum.exe" or tgt.process.image.path contains "\ADExplorer.exe" or tgt.process.image.path contains "\ADExplorer64.exe" or tgt.process.image.path contains "\ADInsight.exe" or tgt.process.image.path contains "\ADInsight64.exe" or tgt.process.image.path contains "\adrestore.exe" or tgt.process.image.path contains "\adrestore64.exe" or tgt.process.image.path contains "\Autologon.exe" or tgt.process.image.path contains "\Autologon64.exe" or tgt.process.image.path contains "\Autoruns.exe" or tgt.process.image.path contains "\Autoruns64.exe" or tgt.process.image.path contains "\autorunsc.exe" or tgt.process.image.path contains "\autorunsc64.exe" or tgt.process.image.path contains "\Bginfo.exe" or tgt.process.image.path contains "\Bginfo64.exe" or tgt.process.image.path contains "\Cacheset.exe" or tgt.process.image.path contains "\Cacheset64.exe" or tgt.process.image.path contains "\Clockres.exe" or tgt.process.image.path contains "\Clockres64.exe" or tgt.process.image.path contains "\Contig.exe" or tgt.process.image.path contains "\Contig64.exe" or tgt.process.image.path contains "\Coreinfo.exe" or tgt.process.image.path contains "\Coreinfo64.exe" or tgt.process.image.path contains "\CPUSTRES.EXE" or tgt.process.image.path contains "\CPUSTRES64.EXE" or tgt.process.image.path contains "\ctrl2cap.exe" or tgt.process.image.path contains "\Dbgview.exe" or tgt.process.image.path contains "\dbgview64.exe" or tgt.process.image.path contains "\Desktops.exe" or tgt.process.image.path contains "\Desktops64.exe" or tgt.process.image.path contains "\disk2vhd.exe" or tgt.process.image.path contains 
"\disk2vhd64.exe" or tgt.process.image.path contains "\diskext.exe" or tgt.process.image.path contains "\diskext64.exe" or tgt.process.image.path contains "\Diskmon.exe" or tgt.process.image.path contains "\Diskmon64.exe" or tgt.process.image.path contains "\DiskView.exe" or tgt.process.image.path contains "\DiskView64.exe" or tgt.process.image.path contains "\du.exe" or tgt.process.image.path contains "\du64.exe" or tgt.process.image.path contains "\efsdump.exe" or tgt.process.image.path contains "\FindLinks.exe" or tgt.process.image.path contains "\FindLinks64.exe" or tgt.process.image.path contains "\handle.exe" or tgt.process.image.path contains "\handle64.exe" or tgt.process.image.path contains "\hex2dec.exe" or tgt.process.image.path contains "\hex2dec64.exe" or tgt.process.image.path contains "\junction.exe" or tgt.process.image.path contains "\junction64.exe" or tgt.process.image.path contains "\ldmdump.exe" or tgt.process.image.path contains "\listdlls.exe" or tgt.process.image.path contains "\listdlls64.exe" or tgt.process.image.path contains "\livekd.exe" or tgt.process.image.path contains "\livekd64.exe" or tgt.process.image.path contains "\loadOrd.exe" or tgt.process.image.path contains "\loadOrd64.exe" or tgt.process.image.path contains "\loadOrdC.exe" or tgt.process.image.path contains "\loadOrdC64.exe" or tgt.process.image.path contains "\logonsessions.exe" or tgt.process.image.path contains "\logonsessions64.exe" or tgt.process.image.path contains "\movefile.exe" or tgt.process.image.path contains "\movefile64.exe" or tgt.process.image.path contains "\notmyfault.exe" or tgt.process.image.path contains "\notmyfault64.exe" or tgt.process.image.path contains "\notmyfaultc.exe" or tgt.process.image.path contains "\notmyfaultc64.exe" or tgt.process.image.path contains "\ntfsinfo.exe" or tgt.process.image.path contains "\ntfsinfo64.exe" or tgt.process.image.path contains "\pendmoves.exe" or tgt.process.image.path contains "\pendmoves64.exe" or 
tgt.process.image.path contains "\pipelist.exe" or tgt.process.image.path contains "\pipelist64.exe" or tgt.process.image.path contains "\portmon.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe" or tgt.process.image.path contains "\procexp.exe" or tgt.process.image.path contains "\procexp64.exe" or tgt.process.image.path contains "\Procmon.exe" or tgt.process.image.path contains "\Procmon64.exe" or tgt.process.image.path contains "\psExec.exe" or tgt.process.image.path contains "\psExec64.exe" or tgt.process.image.path contains "\psfile.exe" or tgt.process.image.path contains "\psfile64.exe" or tgt.process.image.path contains "\psGetsid.exe" or tgt.process.image.path contains "\psGetsid64.exe" or tgt.process.image.path contains "\psInfo.exe" or tgt.process.image.path contains "\psInfo64.exe" or tgt.process.image.path contains "\pskill.exe" or tgt.process.image.path contains "\pskill64.exe" or tgt.process.image.path contains "\pslist.exe" or tgt.process.image.path contains "\pslist64.exe" or tgt.process.image.path contains "\psLoggedon.exe" or tgt.process.image.path contains "\psLoggedon64.exe" or tgt.process.image.path contains "\psloglist.exe" or tgt.process.image.path contains "\psloglist64.exe" or tgt.process.image.path contains "\pspasswd.exe" or tgt.process.image.path contains "\pspasswd64.exe" or tgt.process.image.path contains "\psping.exe" or tgt.process.image.path contains "\psping64.exe" or tgt.process.image.path contains "\psService.exe" or tgt.process.image.path contains "\psService64.exe" or tgt.process.image.path contains "\psshutdown.exe" or tgt.process.image.path contains "\psshutdown64.exe" or tgt.process.image.path contains "\pssuspend.exe" or tgt.process.image.path contains "\pssuspend64.exe" or tgt.process.image.path contains "\RAMMap.exe" or tgt.process.image.path contains "\RDCMan.exe" or tgt.process.image.path contains "\RegDelNull.exe" or tgt.process.image.path contains 
"\RegDelNull64.exe" or tgt.process.image.path contains "\regjump.exe" or tgt.process.image.path contains "\ru.exe" or tgt.process.image.path contains "\ru64.exe" or tgt.process.image.path contains "\sdelete.exe" or tgt.process.image.path contains "\sdelete64.exe" or tgt.process.image.path contains "\ShareEnum.exe" or tgt.process.image.path contains "\ShareEnum64.exe" or tgt.process.image.path contains "\shellRunas.exe" or tgt.process.image.path contains "\sigcheck.exe" or tgt.process.image.path contains "\sigcheck64.exe" or tgt.process.image.path contains "\streams.exe" or tgt.process.image.path contains "\streams64.exe" or tgt.process.image.path contains "\strings.exe" or tgt.process.image.path contains "\strings64.exe" or tgt.process.image.path contains "\sync.exe" or tgt.process.image.path contains "\sync64.exe" or tgt.process.image.path contains "\Sysmon.exe" or tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\tcpvcon.exe" or tgt.process.image.path contains "\tcpvcon64.exe" or tgt.process.image.path contains "\tcpview.exe" or tgt.process.image.path contains "\tcpview64.exe" or tgt.process.image.path contains "\Testlimit.exe" or tgt.process.image.path contains "\Testlimit64.exe" or tgt.process.image.path contains "\vmmap.exe" or tgt.process.image.path contains "\vmmap64.exe" or tgt.process.image.path contains "\Volumeid.exe" or tgt.process.image.path contains "\Volumeid64.exe" or tgt.process.image.path contains "\whois.exe" or tgt.process.image.path contains "\whois64.exe" or tgt.process.image.path contains "\Winobj.exe" or tgt.process.image.path contains "\Winobj64.exe" or tgt.process.image.path contains "\ZoomIt.exe" or tgt.process.image.path contains "\ZoomIt64.exe") and (not ((tgt.process.publisher in ("Sysinternals - www.sysinternals.com","Sysinternals")) or not (tgt.process.publisher matches "\.*"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md index 9b8bc68d8..53db56d22 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sysprep.exe" and tgt.process.cmdline contains "\AppData\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md index 3eb353f33..c95a7f9ab 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\takeown.exe" and (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "/r"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md index 8a7ff6f4a..fdbc2cf67 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tapinstall.exe" and (not ((tgt.process.image.path contains ":\Program Files\Avast Software\SecureLine VPN\" or tgt.process.image.path contains ":\Program Files (x86)\Avast Software\SecureLine VPN\") or tgt.process.image.path contains ":\Program Files\OpenVPN Connect\drivers\tap\" or tgt.process.image.path contains ":\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md index 0e83d83dc..0602d1de1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "taskkill" and tgt.process.cmdline contains " /F " and tgt.process.cmdline contains " /IM " and tgt.process.cmdline contains "ccSvcHst.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md index f64a9969c..c21def3a6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\taskmgr.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md index 8c3829ea0..8f9b5f008 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\taskmgr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\resmon.exe" or tgt.process.image.path contains ":\Windows\System32\Taskmgr.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md index 4c298f061..e06864953 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Teams\Cookies" or tgt.process.cmdline contains "\Microsoft\Teams\Local Storage\leveldb") and (not tgt.process.image.path contains "\Microsoft\Teams\current\Teams.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md index 85760094b..586c922bd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\tscon.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md index f8d6aa7c5..bbbf53061 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " /dest:rdp-tcp#") ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md index 6482e35e3..15f4b64ad 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\changepk.exe" and src.process.image.path contains "\slui.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md index 8ab66397f..8a533c626 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\"\system32\cleanmgr.exe /autoclean /d C:" and src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md index 8a64197d4..8524091bd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and (src.process.cmdline contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or src.process.cmdline contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or src.process.cmdline contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or src.process.cmdline contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or src.process.cmdline contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md index a780f791e..6517c93a8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel in ("High","System")) and tgt.process.image.path="C:\Windows\System32\ComputerDefaults.exe") and (not (src.process.image.path contains ":\Windows\System32" or src.process.image.path contains ":\Program Files")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md index 037c7dbca..21cbd4432 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\consent.exe" and tgt.process.image.path contains "\werfault.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md index 1866bc429..d2c527b77 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "C:\Users\" and src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "\DismHost.exe") and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md index 076d85251..9b047f6ed 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Event Viewer\RecentViews" or tgt.process.cmdline contains "\EventV~1\RecentViews") and tgt.process.cmdline contains ">")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md index f7130b516..e2c3a2176 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\fodhelper.exe") | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md index 98c426f17..a3500ea75 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\mmc.exe" and src.process.cmdline contains "WF.msc") and (not tgt.process.image.path contains "\WerFault.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md index 0dc7e540c..39d08bf06 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and src.process.cmdline contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md index 3141839cc..23c3027af 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\ieinstal.exe" and tgt.process.image.path contains "\AppData\Local\Temp\" and tgt.process.image.path contains "consent.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md index d7153b558..64c42081b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\AppData\Local\Temp\pkgmgr.exe" and tgt.process.cmdline="\"C:\Windows\system32\msconfig.exe\" -5")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md index 22afde834..04e414da4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\"C:\Windows\system32\wusa.exe\" /quiet C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\update.msu" and (tgt.process.integrityLevel in ("High","System"))) or (src.process.cmdline="\"C:\Windows\system32\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\Windows\system32\pe386\" /ignorecheck" and (tgt.process.integrityLevel in ("High","System")) and (tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "\dismhost.exe {") and tgt.process.image.path contains "\DismHost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md index 3bbfe6ee5..8c1c60011 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\pkgmgr.exe" and tgt.process.image.path contains "\dism.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md index 097df2df4..74398c19c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "sdclt.exe" and tgt.process.integrityLevel="High")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md index 5418dab4b..5b7ae3483 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "C:\Windows \System32\") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md index a9431ca92..2e9a45a1f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\AppData\Local\Temp\system32\winsat.exe" and src.process.cmdline contains "C:\Windows \system32\winsat.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md index e979acac2..cc0474f9e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path="C:\Program Files\Windows Media Player\osk.exe" and (tgt.process.integrityLevel in ("High","System"))) or (tgt.process.image.path="C:\Windows\System32\cmd.exe" and src.process.cmdline="\"C:\Windows\system32\mmc.exe\" \"C:\Windows\system32\eventvwr.msc\" /s" and (tgt.process.integrityLevel in ("High","System"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md index f77e65605..9151aa209 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsreset.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md index 56659b0d5..87fe27b78 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "-autoreconnect " and tgt.process.cmdline contains "-connect " and tgt.process.cmdline contains "-id:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md index 7776cd6b8..0153b7d87 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 09-10-2024 01:18:40): +// Translated content (automatically translated on 10-10-2024 01:18:36): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\WindowsSensor.exe" and tgt.process.cmdline contains " /uninstall" and tgt.process.cmdline contains " /quiet")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md index 72eb39372..e90875efe 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\userinit.exe" and (not tgt.process.image.path contains ":\WINDOWS\explorer.exe") and (not ((tgt.process.cmdline contains "netlogon.bat" or tgt.process.cmdline contains "UsrLogon.cmd") or tgt.process.cmdline="PowerShell.exe" or (tgt.process.image.path contains ":\Windows\System32\proquota.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\proquota.exe") or (tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\System32\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\System32\icast.exe") or not (tgt.process.image.path matches "\.*")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md
index 02b7f9523..39454e6a3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md
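Review bot: The final exclusion term `or not (tgt.process.image.path matches "\.*")` in the userinit query is a translation artifact whose effect depends on whether PowerQuery `matches` is anchored, and in the worst case it silences the rule: if `matches` requires a full match, `\.*` only matches strings made entirely of dots, the `not` is true for every real image path, and the enclosing `not ((...) or ...)` filter becomes false for every event, so nothing ever fires; if `matches` is a partial match the term is always false and merely dead. It looks like a stand-in for a null/empty-Image filter in the source rule (inferred, not visible here), so the translator should emit an explicit null predicate if the dialect has one, or drop the term entirely rather than keep an ambiguous regex, e.g. replace `or not (tgt.process.image.path matches "\.*")` with nothing. This should be validated once against a known userinit-spawned child (e.g. a logon script) in the console before relying on the rule.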
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "VBoxRT.dll,RTR3Init" or tgt.process.cmdline contains "VBoxC.dll" or tgt.process.cmdline contains "VBoxDrv.sys") or (tgt.process.cmdline contains "startvm" or tgt.process.cmdline contains "controlvm"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md
index 85b9a38d3..d93389d68 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VBoxDrvInst.exe" and (tgt.process.cmdline contains "driver" and tgt.process.cmdline contains "executeinf"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md
index 021ce24aa..ec30f3264 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\code.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe") or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-Expressions" or tgt.process.cmdline contains "IEX" or tgt.process.cmdline contains "Invoke-Command" or tgt.process.cmdline contains "ICM" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript")) or (tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Temp\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md
index eaf0912b7..f0db81ade 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\servers\Stable-" and src.process.image.path contains "\server\node.exe" and src.process.cmdline contains ".vscode-server") and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline contains "\terminal\browser\media\shellIntegration.ps1") or (tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\bash.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md
index a1d4e7150..28bfc2f88 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "tunnel " and tgt.process.cmdline contains "service" and tgt.process.cmdline contains "internal-run" and tgt.process.cmdline contains "tunnel-service.log"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md
index 37e00dd18..7cd086c57 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\vsls-agent.exe" and tgt.process.cmdline contains "--agentExtensionPath") and (not tgt.process.cmdline contains "Microsoft.VisualStudio.LiveShare.Agent."))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md
index af6e674fd..a2aa377e9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe") and (not (tgt.process.image.path contains "C:\Windows\WinSxS\" or tgt.process.image.path contains "C:\Program Files\Windows Mail\" or tgt.process.image.path contains "C:\Program Files (x86)\Windows Mail\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md
index 21206d928..86eb34cf1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe")) or (src.process.image.path contains "\wab.exe" or src.process.image.path contains "\wabmig.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md
index 596f3f333..15626e770 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\explorer.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and tgt.process.cmdline contains "\DavWWWRoot\"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md
index aac9d97db..525ea4aeb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\w3wp.exe") and (tgt.process.cmdline contains "&ipconfig&echo" or tgt.process.cmdline contains "&quser&echo" or tgt.process.cmdline contains "&whoami&echo" or tgt.process.cmdline contains "&c:&echo" or tgt.process.cmdline contains "&cd&echo" or tgt.process.cmdline contains "&dir&echo" or tgt.process.cmdline contains "&echo [E]" or tgt.process.cmdline contains "&echo [S]")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md
index 414579ed0..958e8d8ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "catalina.jar" or tgt.process.cmdline contains "CATALINA_HOME"))) and ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "comsvcs") or (tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " a " and tgt.process.cmdline contains " -m") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " user " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " localgroup " and tgt.process.cmdline contains " administrators " and tgt.process.cmdline contains "/add") or (tgt.process.image.path contains "\ntdsutil.exe" or tgt.process.image.path contains "\ldifde.exe" or tgt.process.image.path contains "\adfind.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\Nanodump.exe" or tgt.process.image.path contains "\vssadmin.exe" or tgt.process.image.path contains "\fsutil.exe") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " 
/ticket:" or tgt.process.cmdline contains " sekurlsa" or tgt.process.cmdline contains ".dmp full" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "process call create" or tgt.process.cmdline contains "reg save " or tgt.process.cmdline contains "whoami /priv"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md
index d72601e7f..dd655f0fc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md
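Review bot: In the webshell_hacking query (which starts on the previous line) the third parent branch checks the child's command line for the Tomcat markers, `(tgt.process.cmdline contains "catalina.jar" or tgt.process.cmdline contains "CATALINA_HOME")`, but those strings describe the parent `java.exe`, not the spawned tool; the sibling rule proc_creation_win_webshell_susp_process_spawned_from_webserver in this same patch tests `src.process.cmdline` for the identical markers. As written, a Tomcat whose java.exe path carries neither `-tomcat-` nor `\tomcat` is only matched when the child's own command line mentions catalina, which a dropped `net user /add` or `procdump` never will, so that branch is effectively dead and such deployments are blind to this rule. The fix is the field, not the strings: `(src.process.cmdline contains "catalina.jar" or src.process.cmdline contains "CATALINA_HOME")`. Since this file is generated nightly, the correction belongs in the translator's ParentCommandLine mapping rather than in the .md output.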
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\php.exe" or src.process.image.path contains "\tomcat.exe" or src.process.image.path contains "\UMWorkerProcess.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_TomcatService.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.cmdline contains "CATALINA_HOME" or src.process.cmdline contains "catalina.home" or src.process.cmdline contains "catalina.jar"))) and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\at.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dsget.exe" or tgt.process.image.path contains "\hostname.exe" or tgt.process.image.path contains "\nbtstat.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netdom.exe" or tgt.process.image.path contains "\netsh.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ntdutil.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains 
"\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\qprocess.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\qwinsta.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sc.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wusa.exe") and (not ((src.process.image.path contains "\java.exe" and tgt.process.cmdline contains "Windows\system32\cmd.exe /c C:\ManageEngine\ADManager \"Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") or (src.process.image.path contains "\java.exe" and (tgt.process.cmdline contains "sc query" and tgt.process.cmdline contains "ADManager Plus")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md index a72783cb9..5f1dbf570 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "CATALINA_HOME" or tgt.process.cmdline contains "catalina.jar"))) and (tgt.process.cmdline contains "perl --help" or tgt.process.cmdline contains "perl -h" or tgt.process.cmdline contains "python --help" or tgt.process.cmdline contains "python -h" or tgt.process.cmdline contains "python3 --help" or tgt.process.cmdline contains "python3 -h" or tgt.process.cmdline contains "wget --help")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md
index 6b0cea1bb..f4b150ca5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md
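Review bot: The webshell_tool_recon query has the same parent/child field mix-up as webshell_hacking: `(tgt.process.cmdline contains "CATALINA_HOME" or tgt.process.cmdline contains "catalina.jar")` tests the recon child's command line for Tomcat markers that belong to the parent, so for a Tomcat whose java.exe path lacks `-tomcat-`/`\tomcat` the branch cannot fire (a `perl --help` child never carries CATALINA_HOME). Change the field to the parent: `(src.process.cmdline contains "CATALINA_HOME" or src.process.cmdline contains "catalina.jar")`, matching the form already used in proc_creation_win_webshell_susp_process_spawned_from_webserver in this patch. Because the file is regenerated on every run, the fix has to land in the translator's ParentCommandLine handling or it will be overwritten the next night.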
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wermgr.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\ipconfig.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "C:\Windows\system32\WerConCpl.dll" and tgt.process.cmdline contains "LaunchErcApp ") and (tgt.process.cmdline contains "-queuereporting" or tgt.process.cmdline contains "-responsepester")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md
index 857f6774e..b4e155dfd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wermgr.exe" and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\WinSxS\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md
index 1f72d07f3..030c528f9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WindowsTerminal.exe" or src.process.image.path contains "\wt.exe") and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\csc.exe") or (tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Windows\TEMP\") or (tgt.process.cmdline contains " iex " or tgt.process.cmdline contains " icm" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Import-Module " or tgt.process.cmdline contains "ipmo " or tgt.process.cmdline contains "DownloadString(" or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " /k " or tgt.process.cmdline contains " /r "))) and (not ((tgt.process.cmdline contains "Import-Module" and tgt.process.cmdline contains "Microsoft.VisualStudio.DevShell.dll" and tgt.process.cmdline contains "Enter-VsDevShell") or (tgt.process.cmdline contains "\AppData\Local\Packages\Microsoft.WindowsTerminal_" and tgt.process.cmdline contains "\LocalState\settings.json") or (tgt.process.cmdline contains "C:\Program Files\Microsoft Visual Studio\" and tgt.process.cmdline contains "\Common7\Tools\VsDevCmd.bat")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md
index 20de287ac..a8e5f228c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (tgt.process.cmdline contains ".dmp" or tgt.process.cmdline contains ".dump" or tgt.process.cmdline contains ".hdmp")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md
index b96a51d7c..046c682a9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (not (tgt.process.image.path contains "\UnRAR.exe" or (tgt.process.image.path contains ":\Program Files (x86)\WinRAR\" or tgt.process.image.path contains ":\Program Files\WinRAR\"))) and (not tgt.process.image.path contains ":\Windows\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md
index 620013b43..9f88bfee7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "winrm" and ((tgt.process.cmdline contains "format:pretty" or tgt.process.cmdline contains "format:\"pretty\"" or tgt.process.cmdline contains "format:\"text\"" or tgt.process.cmdline contains "format:text") and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md
index c6c771636..e0a615b65 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsmprovhost.exe" or src.process.image.path contains "\wsmprovhost.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md
index dbbefdf41..bc965e4df 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wsmprovhost.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md
index 4f48eddd4..7b7468906 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "winzip.exe" or tgt.process.cmdline contains "winzip64.exe") and tgt.process.cmdline contains "-s\"" and (tgt.process.cmdline contains " -min " or tgt.process.cmdline contains " -a ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
index 271a426cf..f90a718f2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\EdgeTransport.exe" and (not (tgt.process.image.path="C:\Windows\System32\conhost.exe" or (tgt.process.image.path contains "C:\Program Files\Microsoft\Exchange Server\" and tgt.process.image.path contains "\Bin\OleConverter.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
index c190cda19..fbe2e7880 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="C:\WINDOWS\system32\wbem\scrcons.exe" and src.process.image.path="C:\Windows\System32\svchost.exe"))
 ```
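Review bot: The wmi_persistence_script_event_consumer query (second hunk on this line) relies on an exact-equality match against a mixed-case literal, `tgt.process.image.path="C:\WINDOWS\system32\wbem\scrcons.exe"`, while the parent is compared against `C:\Windows\System32\svchost.exe` with different casing; if PowerQuery string equality is case-sensitive (I cannot confirm that from this page, so please check), only one of the two spellings can match the path an agent actually reports, and the rule would silently never fire on a scrcons.exe spawned by WMI. The rest of this rule set avoids the problem by using `contains` on a path suffix, so a safer translation is `tgt.process.image.path contains "\wbem\scrcons.exe" and src.process.image.path contains "\svchost.exe"`, or have the translator lower-case both sides when it emits `=` on path fields. This is a translator-level fix, since the generated file is rewritten on every run.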
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md
index 2991c60a0..017428c34 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ActiveScriptEventConsumer" and tgt.process.cmdline contains " CREATE ")) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md
index 995b09561..05a1d8eb0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "process " and tgt.process.cmdline contains "call " and tgt.process.cmdline contains "create ") and (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "%temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md
index 9f46bdfff..20de1e035 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "product where " and tgt.process.cmdline contains "call" and tgt.process.cmdline contains "uninstall" and tgt.process.cmdline contains "/nointeractive") or ((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "caption like ") and (tgt.process.cmdline contains "call delete" or tgt.process.cmdline contains "call terminate")) or (tgt.process.cmdline contains "process " and tgt.process.cmdline contains "where " and tgt.process.cmdline contains "delete")) and (tgt.process.cmdline contains "%carbon%" or tgt.process.cmdline contains "%cylance%" or tgt.process.cmdline contains "%endpoint%" or tgt.process.cmdline contains "%eset%" or tgt.process.cmdline contains "%malware%" or tgt.process.cmdline contains "%Sophos%" or tgt.process.cmdline contains "%symantec%" or tgt.process.cmdline contains "Antivirus" or tgt.process.cmdline contains "AVG " or tgt.process.cmdline contains "Carbon Black" or tgt.process.cmdline contains "CarbonBlack" or tgt.process.cmdline contains "Cb Defense Sensor 64-bit" or tgt.process.cmdline contains "Crowdstrike Sensor" or tgt.process.cmdline contains "Cylance " or tgt.process.cmdline contains "Dell Threat Defense" or tgt.process.cmdline contains "DLP Endpoint" or tgt.process.cmdline contains "Endpoint Detection" or tgt.process.cmdline contains "Endpoint Protection" or tgt.process.cmdline contains "Endpoint Security" or tgt.process.cmdline contains "Endpoint Sensor" or tgt.process.cmdline contains "ESET File Security" or tgt.process.cmdline contains "LogRhythm System Monitor Service" or tgt.process.cmdline contains "Malwarebytes" or tgt.process.cmdline contains "McAfee Agent" or tgt.process.cmdline contains "Microsoft Security Client"
or tgt.process.cmdline contains "Sophos Anti-Virus" or tgt.process.cmdline contains "Sophos AutoUpdate" or tgt.process.cmdline contains "Sophos Credential Store" or tgt.process.cmdline contains "Sophos Management Console" or tgt.process.cmdline contains "Sophos Management Database" or tgt.process.cmdline contains "Sophos Management Server" or tgt.process.cmdline contains "Sophos Remote Management System" or tgt.process.cmdline contains "Sophos Update Manager" or tgt.process.cmdline contains "Threat Protection" or tgt.process.cmdline contains "VirusScan" or tgt.process.cmdline contains "Webroot SecureAnywhere" or tgt.process.cmdline contains "Windows Defender")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md
index 37156218a..7511442a7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "-format" or tgt.process.cmdline contains "/format" or tgt.process.cmdline contains "–format" or tgt.process.cmdline contains "—format" or tgt.process.cmdline contains "―format")) and (not (tgt.process.cmdline contains "Format:List" or tgt.process.cmdline contains "Format:htable" or tgt.process.cmdline contains "Format:hform" or tgt.process.cmdline contains "Format:table" or tgt.process.cmdline contains "Format:mof" or tgt.process.cmdline contains "Format:value" or tgt.process.cmdline contains "Format:rawxml" or tgt.process.cmdline contains "Format:xml" or tgt.process.cmdline contains "Format:csv"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md
index 1b862fc66..30032b65e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wbem\WmiPrvSE.exe" and ((tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\verclsid.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript"))) and (not (tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\WmiPrvSE.exe" or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.cmdline contains "/i ")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md
index 7b0e12e67..6215e08fc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path="C:\Windows\System32\wpbbin.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md
index cc20d3a46..a0bfb7eab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\") and (tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".jse" or tgt.process.cmdline contains ".vba" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".wsf")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md
index 3301aaf46..1a61ecceb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\rundll32.exe" or ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and ((tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec")))) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "UpdatePerUserSystemParameters" or tgt.process.cmdline contains "PrintUIEntry" or tgt.process.cmdline contains "ClearMyTracksByProcess")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md
index 43c48a0a5..c233d6b8f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wsl.exe" or src.process.image.path contains "\wslhost.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "C:\Windows\Temp\" or tgt.process.image.path contains "C:\Temp\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md
index 0fff87c8c..bbfbf6213 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path matches "[a-zA-Z]:\\\\" and tgt.process.image.path contains "\\wsl.localhost"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md
index 1560bb904..fa2889f33 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wusa.exe" and tgt.process.cmdline contains "/extract:") and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\Appdata\Local\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md
index 5fc2e7c9a..daf3ba20a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wusa.exe" and ((src.process.image.path contains ":\Perflogs\" or src.process.image.path contains ":\Users\Public\" or src.process.image.path contains ":\Windows\Temp\" or src.process.image.path contains "\Appdata\Local\Temp\" or src.process.image.path contains "\Temporary Internet") or ((src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favorites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favourites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Contacts\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Pictures\"))) and (not tgt.process.cmdline contains ".msu")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
index ba59c305b..eb3f86a43 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 09-10-2024 01:18:40):
+// Translated content (automatically translated on 10-10-2024 01:18:36):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="RunWizard" and tgt.process.cmdline matches "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"))
 ```