Apply automatic changes

wikijm · Oct 27, 2024 · c0e83ba · c0e83ba
1 parent 20b9b32
commit c0e83ba
Show file tree

Hide file tree

Showing 555 changed files with 555 additions and 555 deletions.
diff --git a/... Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md b/... Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\addinutil.exe" and (not (tgt.process.image.path contains ":\Windows\System32\conhost.exe" or tgt.process.image.path contains ":\Windows\System32\werfault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\werfault.exe"))))
 ```
 

diff --git a/...Q - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md b/...Q - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\appvlp.exe" and (not (tgt.process.image.path contains ":\Windows\SysWOW64\rundll32.exe" or tgt.process.image.path contains ":\Windows\System32\rundll32.exe")) and (not ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\msoasb.exe") or ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\SkypeSrv\") and tgt.process.image.path contains "\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\MSOUC.EXE")))))
 ```
 

diff --git a/...ne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md b/...ne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe"))
 ```
 

diff --git a/...indows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md b/...indows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\aspnet_compiler.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\notepad.exe") or (tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\AppData\Local\Roaming\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\"))))
 ```
 

diff --git a/...e_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md b/...e_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe" and (tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Local\Roaming\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains ":\Windows\System32\Tasks\" or tgt.process.cmdline contains ":\Windows\Tasks\")))
 ```
 

diff --git a/...One_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md b/...One_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\at.exe" and tgt.process.cmdline contains "interactive"))
 ```
 

diff --git a/... - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md b/... - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none"))
 ```
 

diff --git a/...- Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md b/...- Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\" or tgt.process.image.path contains "\AppData\Roaming\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\PerfLogs\"))))
 ```
 

diff --git a/...Q - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md b/...Q - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe"))
 ```
 

diff --git a/...lOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md b/...lOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\BitLockerToGo.exe")
 ```
 

diff --git a/...dows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md b/...dows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--remote-debugging-" and tgt.process.cmdline contains "--user-data-dir" and tgt.process.cmdline contains "--headless"))
 ```
 

diff --git a/...- Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md b/...- Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless"))
 ```
 

diff --git a/... Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md b/... Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and (tgt.process.cmdline contains "--headless" and tgt.process.cmdline contains "dump-dom" and tgt.process.cmdline contains "http")))
 ```
 

diff --git a/... Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md b/... Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension="))
 ```
 

diff --git a/...- Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md b/...- Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless" and (tgt.process.cmdline contains "://run.mocky" or tgt.process.cmdline contains "://mockbin")))
 ```
 

diff --git a/...ows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md b/...ows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\wscript.exe") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension="))
 ```
 

diff --git a/...Q - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md b/...Q - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http" and (tgt.process.cmdline contains ".7z" or tgt.process.cmdline contains ".dat" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".ps1" or tgt.process.cmdline contains ".psm1" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".zip")))
 ```
 

diff --git a/...ne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md b/...ne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --remote-debugging-" or (tgt.process.image.path contains "\firefox.exe" and tgt.process.cmdline contains " -start-debugger-server")))
 ```
 

diff --git a/...elOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md b/...elOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tor.exe" or tgt.process.image.path contains "\Tor Browser\Browser\firefox.exe"))
 ```
 

diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\calc.exe " or (tgt.process.image.path contains "\calc.exe" and (not (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\" or tgt.process.image.path contains ":\Windows\WinSxS\")))))
 ```
 

diff --git a/...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md b/...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\cmd.exe" and (src.process.cmdline contains " -c " or src.process.cmdline contains " /c " or src.process.cmdline contains " –c " or src.process.cmdline contains " —c " or src.process.cmdline contains " ―c " or src.process.cmdline contains " -r " or src.process.cmdline contains " /r " or src.process.cmdline contains " –r " or src.process.cmdline contains " —r " or src.process.cmdline contains " ―r " or src.process.cmdline contains " -k " or src.process.cmdline contains " /k " or src.process.cmdline contains " –k " or src.process.cmdline contains " —k " or src.process.cmdline contains " ―k ") and tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains "chcp" or tgt.process.cmdline contains "chcp " or tgt.process.cmdline contains "chcp  ")))
 ```
 

diff --git a/...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md b/...inelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains " 936" or tgt.process.cmdline contains " 1258"))) | columns src.process.cmdline
 ```
 

diff --git a/... - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md b/... - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cloudflared.exe" and (not (tgt.process.image.path contains ":\Program Files (x86)\cloudflared\" or tgt.process.image.path contains ":\Program Files\cloudflared\"))))
 ```
 

diff --git a/...e_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md b/...e_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains "cleanup ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-connector-id ")))
 ```
 

diff --git a/...elOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md b/...elOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains " run ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-credentials-contents " or tgt.process.cmdline contains "-credentials-file " or tgt.process.cmdline contains "-token ")))
 ```
 

diff --git a/...PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md b/...PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " –c " or tgt.process.cmdline contains " —c " or tgt.process.cmdline contains " ―c ") and (tgt.process.cmdline contains "curl " and tgt.process.cmdline contains "http" and tgt.process.cmdline contains "-o" and tgt.process.cmdline contains "&")))
 ```
 

diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "^^" or tgt.process.cmdline contains "^|^" or tgt.process.cmdline contains ",;," or tgt.process.cmdline contains ";;;;" or tgt.process.cmdline contains ";; ;;" or tgt.process.cmdline contains "(,(," or tgt.process.cmdline contains "%COMSPEC:~" or tgt.process.cmdline contains " c^m^d" or tgt.process.cmdline contains "^c^m^d" or tgt.process.cmdline contains " c^md" or tgt.process.cmdline contains " cm^d" or tgt.process.cmdline contains "^cm^d" or tgt.process.cmdline contains " s^et " or tgt.process.cmdline contains " s^e^t " or tgt.process.cmdline contains " se^t "))
 ```
 

diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "://" and tgt.process.cmdline contains "%AppData%"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 

diff --git a/...s Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md b/...s Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "mklink" and tgt.process.cmdline contains "HarddiskVolumeShadowCopy"))
 ```
 

diff --git a/...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md b/...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "cmd.exe/c" or tgt.process.cmdline contains "\cmd/c" or tgt.process.cmdline contains "\"cmd/c" or tgt.process.cmdline contains "cmd.exe/k" or tgt.process.cmdline contains "\cmd/k" or tgt.process.cmdline contains "\"cmd/k" or tgt.process.cmdline contains "cmd.exe/r" or tgt.process.cmdline contains "\cmd/r" or tgt.process.cmdline contains "\"cmd/r") or (tgt.process.cmdline contains "/cwhoami" or tgt.process.cmdline contains "/cpowershell" or tgt.process.cmdline contains "/cschtasks" or tgt.process.cmdline contains "/cbitsadmin" or tgt.process.cmdline contains "/ccertutil" or tgt.process.cmdline contains "/kwhoami" or tgt.process.cmdline contains "/kpowershell" or tgt.process.cmdline contains "/kschtasks" or tgt.process.cmdline contains "/kbitsadmin" or tgt.process.cmdline contains "/kcertutil") or (tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /r")) and (not ((tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /r ") or (tgt.process.cmdline contains "AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules" or tgt.process.cmdline contains "cmd.exe/c ." or tgt.process.cmdline="cmd.exe /c")))))
 ```
 

diff --git a/...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md b/...elOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "type %windir%\system32\ntdll.dll" or tgt.process.cmdline contains "type %systemroot%\system32\ntdll.dll" or tgt.process.cmdline contains "type c:\windows\system32\ntdll.dll" or tgt.process.cmdline contains "\ntdll.dll > \\.\pipe\"))
 ```
 

diff --git a/...- Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md b/...- Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ") and tgt.process.cmdline contains "Nul" and (tgt.process.cmdline contains " -f " or tgt.process.cmdline contains " /f " or tgt.process.cmdline contains " –f " or tgt.process.cmdline contains " —f " or tgt.process.cmdline contains " ―f " or tgt.process.cmdline contains " -q " or tgt.process.cmdline contains " /q " or tgt.process.cmdline contains " –q " or tgt.process.cmdline contains " —q " or tgt.process.cmdline contains " ―q ") and (tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "del ")))
 ```