diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md index 03236c3e5..55f7a1fb9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\addinutil.exe" and (not (tgt.process.image.path contains ":\Windows\System32\conhost.exe" or tgt.process.image.path contains ":\Windows\System32\werfault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\werfault.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md index 939461f35..f71dd7c9d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\appvlp.exe" and (not (tgt.process.image.path contains ":\Windows\SysWOW64\rundll32.exe" or tgt.process.image.path contains ":\Windows\System32\rundll32.exe")) and (not ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\msoasb.exe") or ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\SkypeSrv\") and tgt.process.image.path contains "\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\MSOUC.EXE"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md index 6ef3d42a3..c175b72bb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md index b1c3ff1ca..40bdac530 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\aspnet_compiler.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\notepad.exe") or (tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\AppData\Local\Roaming\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md index a2a3be8fa..1063dae98 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe" and (tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Local\Roaming\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains ":\Windows\System32\Tasks\" or tgt.process.cmdline contains ":\Windows\Tasks\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md index d3a073951..334893f26 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\at.exe" and tgt.process.cmdline contains "interactive")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md index 6ecab96c9..748f7751b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md index 92973f614..7fade6153 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\" or tgt.process.image.path contains "\AppData\Roaming\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\PerfLogs\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md index 6f050e2f5..9b70e6f5d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md index 93d2b409f..fe24fa8b0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\BitLockerToGo.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md index dee33cd8b..5c45b73d7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--remote-debugging-" and tgt.process.cmdline contains "--user-data-dir" and tgt.process.cmdline contains "--headless")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md index b31ee85c0..2ae74380f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md index 74d097584..dd8dc656e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and (tgt.process.cmdline contains "--headless" and tgt.process.cmdline contains "dump-dom" and tgt.process.cmdline contains "http"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md index 341ca09dd..d01d6edd5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md index 9c15e245e..b7113df2f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless" and (tgt.process.cmdline contains "://run.mocky" or tgt.process.cmdline contains "://mockbin"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md index 5dd16c47e..7333355a1 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\wscript.exe") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md index c83540e9b..812c3b12d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http" and (tgt.process.cmdline contains ".7z" or tgt.process.cmdline contains ".dat" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".ps1" or tgt.process.cmdline contains ".psm1" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".zip"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md index 48198d5ef..307a0134d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --remote-debugging-" or (tgt.process.image.path contains "\firefox.exe" and tgt.process.cmdline contains " -start-debugger-server"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md index 84fa1e04c..0c2f27e79 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tor.exe" or tgt.process.image.path contains "\Tor Browser\Browser\firefox.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md index c4dbb9c62..2b58a765b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\calc.exe " or (tgt.process.image.path contains "\calc.exe" and (not (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\" or tgt.process.image.path contains ":\Windows\WinSxS\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md index 89446cd84..569e8aab9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\cmd.exe" and (src.process.cmdline contains " -c " or src.process.cmdline contains " /c " or src.process.cmdline contains " –c " or src.process.cmdline contains " —c " or src.process.cmdline contains " ―c " or src.process.cmdline contains " -r " or src.process.cmdline contains " /r " or src.process.cmdline contains " –r " or src.process.cmdline contains " —r " or src.process.cmdline contains " ―r " or src.process.cmdline contains " -k " or src.process.cmdline contains " /k " or src.process.cmdline contains " –k " or src.process.cmdline contains " —k " or src.process.cmdline contains " ―k ") and tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains "chcp" or tgt.process.cmdline contains "chcp " or tgt.process.cmdline contains "chcp "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md index 24ea303ac..d62760b82 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains " 936" or tgt.process.cmdline contains " 1258"))) | columns src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md index cd00d4773..4e8b7c0c0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cloudflared.exe" and (not (tgt.process.image.path contains ":\Program Files (x86)\cloudflared\" or tgt.process.image.path contains ":\Program Files\cloudflared\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md index 3042a5634..a5d36eecb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains "cleanup ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-connector-id "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md index 658d7f8e5..351c7d8ec 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains " run ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-credentials-contents " or tgt.process.cmdline contains "-credentials-file " or tgt.process.cmdline contains "-token "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md index 631d3397d..ad938a2e3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " –c " or tgt.process.cmdline contains " —c " or tgt.process.cmdline contains " ―c ") and (tgt.process.cmdline contains "curl " and tgt.process.cmdline contains "http" and tgt.process.cmdline contains "-o" and tgt.process.cmdline contains "&"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md index daeaddc6d..bc8a2b783 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "^^" or tgt.process.cmdline contains "^|^" or tgt.process.cmdline contains ",;," or tgt.process.cmdline contains ";;;;" or tgt.process.cmdline contains ";; ;;" or tgt.process.cmdline contains "(,(," or tgt.process.cmdline contains "%COMSPEC:~" or tgt.process.cmdline contains " c^m^d" or tgt.process.cmdline contains "^c^m^d" or tgt.process.cmdline contains " c^md" or tgt.process.cmdline contains " cm^d" or tgt.process.cmdline contains "^cm^d" or tgt.process.cmdline contains " s^et " or tgt.process.cmdline contains " s^e^t " or tgt.process.cmdline contains " se^t ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md index 863972c1e..ad46bea25 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "://" and tgt.process.cmdline contains "%AppData%"))) | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md index c72ab2662..42aa1fda1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "mklink" and tgt.process.cmdline contains "HarddiskVolumeShadowCopy")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md index 0974d30a7..fe4ed5261 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "cmd.exe/c" or tgt.process.cmdline contains "\cmd/c" or tgt.process.cmdline contains "\"cmd/c" or tgt.process.cmdline contains "cmd.exe/k" or tgt.process.cmdline contains "\cmd/k" or tgt.process.cmdline contains "\"cmd/k" or tgt.process.cmdline contains "cmd.exe/r" or tgt.process.cmdline contains "\cmd/r" or tgt.process.cmdline contains "\"cmd/r") or (tgt.process.cmdline contains "/cwhoami" or tgt.process.cmdline contains "/cpowershell" or tgt.process.cmdline contains "/cschtasks" or tgt.process.cmdline contains "/cbitsadmin" or tgt.process.cmdline contains "/ccertutil" or tgt.process.cmdline contains "/kwhoami" or tgt.process.cmdline contains "/kpowershell" or tgt.process.cmdline contains "/kschtasks" or tgt.process.cmdline contains "/kbitsadmin" or tgt.process.cmdline contains "/kcertutil") or (tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /r")) and (not ((tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /r ") or (tgt.process.cmdline contains "AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules" or tgt.process.cmdline contains "cmd.exe/c ." or tgt.process.cmdline="cmd.exe /c"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md index 2635ea0bf..106789383 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "type %windir%\system32\ntdll.dll" or tgt.process.cmdline contains "type %systemroot%\system32\ntdll.dll" or tgt.process.cmdline contains "type c:\windows\system32\ntdll.dll" or tgt.process.cmdline contains "\ntdll.dll > \\.\pipe\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md index 72072a10b..e5cb50e00 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ") and tgt.process.cmdline contains "Nul" and (tgt.process.cmdline contains " -f " or tgt.process.cmdline contains " /f " or tgt.process.cmdline contains " –f " or tgt.process.cmdline contains " —f " or tgt.process.cmdline contains " ―f " or tgt.process.cmdline contains " -q " or tgt.process.cmdline contains " /q " or tgt.process.cmdline contains " –q " or tgt.process.cmdline contains " —q " or tgt.process.cmdline contains " ―q ") and (tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "del ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md
index 1e9370cd8..2e89d35a4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md
index 06b593726..6c500b72d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\winlogon.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "Magnify.exe" or tgt.process.cmdline contains "Narrator.exe" or tgt.process.cmdline contains "DisplaySwitch.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md
index 8bb45e596..3db84eeca 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "/y " and tgt.process.cmdline contains "C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md
index bf90de8c6..8d3e26671 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > \\") or (tgt.process.cmdline contains "type \\" and tgt.process.cmdline contains " > ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md
index babdc7c3d..98dc48a73 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\ctfmon.exe" or src.process.image.path contains "\dllhost.exe" or src.process.image.path contains "\epad.exe" or src.process.image.path contains "\FlashPlayerUpdateService.exe" or src.process.image.path contains "\GoogleUpdate.exe" or src.process.image.path contains "\jucheck.exe" or src.process.image.path contains "\jusched.exe" or src.process.image.path contains "\LogonUI.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\SearchIndexer.exe" or src.process.image.path contains "\SearchProtocolHost.exe" or src.process.image.path contains "\SIHClient.exe" or src.process.image.path contains "\sihost.exe" or src.process.image.path contains "\slui.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\sppsvc.exe" or src.process.image.path contains "\taskhostw.exe" or src.process.image.path contains "\unsecapp.exe" or src.process.image.path contains "\WerFault.exe" or src.process.image.path contains "\wermgr.exe" or src.process.image.path contains "\wlanext.exe" or src.process.image.path contains "\WUDFHost.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md
index a97c26eb2..c3d2a58fe 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\cmstp.exe") | columns tgt.process.cmdline,src.process.cmdline,Details
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md
index 5b5167278..0b2eaff3e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.integrityLevel="High" and (tgt.process.cmdline contains "conhost.exe" and tgt.process.cmdline contains "0xffffffff" and tgt.process.cmdline contains "-ForceV1")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md
index a8ecf45d1..1495f0caf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.cmdline contains "conhost" and tgt.process.cmdline contains "/../../"))
 ```
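Review bot: The `| columns` clause of the cmstp hunk projects a field named `Details`, which does not follow the `tgt.process.*` / `src.process.*` naming used by every other projected field on this page and looks like an untranslated field name from the source rule; if it is not a valid PowerQuery field the query may error or silently yield an empty column. The translator appears to have carried the name through verbatim, so this is likely a backend mapping gap rather than an intentional choice. Suggest confirming the intended field and either mapping it to its PQ equivalent or dropping it: `| columns tgt.process.cmdline,src.process.cmdline`.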
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md
index e25556176..a97095961 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\conhost.exe" and (src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\smss.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\userinit.exe" or src.process.image.path contains "\wininit.exe" or src.process.image.path contains "\winlogon.exe")) and (not (src.process.cmdline contains "-k apphost -s AppHostSvc" or src.process.cmdline contains "-k imgsvc" or src.process.cmdline contains "-k localService -p -s RemoteRegistry" or src.process.cmdline contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or src.process.cmdline contains "-k NetSvcs -p -s NcaSvc" or src.process.cmdline contains "-k netsvcs -p -s NetSetupSvc" or src.process.cmdline contains "-k netsvcs -p -s wlidsvc" or src.process.cmdline contains "-k NetworkService -p -s DoSvc" or src.process.cmdline contains "-k wsappx -p -s AppXSvc" or src.process.cmdline contains "-k wsappx -p -s ClipSVC")) and (not (src.process.cmdline contains "C:\Program Files (x86)\Dropbox\Client\" or src.process.cmdline contains "C:\Program Files\Dropbox\Client\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md
index f9e95d6f3..c96065155 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csc.exe" and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\Windows\Temp\") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Pictures\")) or tgt.process.cmdline matches "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not ((src.process.image.path contains "C:\Program Files (x86)\" or src.process.image.path contains "C:\Program Files\") or src.process.image.path="C:\Windows\System32\sdiagnhost.exe" or src.process.image.path="C:\Windows\System32\inetsrv\w3wp.exe")) and (not ((src.process.image.path in ("C:\ProgramData\chocolatey\choco.exe","C:\ProgramData\chocolatey\tools\shimgen.exe")) or src.process.cmdline contains "\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" or (src.process.cmdline contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or src.process.cmdline contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or src.process.cmdline contains 
"nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md
index 252805239..299bb495d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\curl.exe" or tgt.process.displayName="The curl executable") and ((tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "C:\PerfLogs\" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Windows\Temp\") or (tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".gif" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".temp" or tgt.process.cmdline contains ".tmp" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs")) and (not (src.process.image.path="C:\Program Files\Git\usr\bin\sh.exe" and tgt.process.image.path="C:\Program Files\Git\mingw64\bin\curl.exe" and (tgt.process.cmdline contains "--silent --show-error --output " and tgt.process.cmdline contains "gfw-httpget-" and tgt.process.cmdline contains "AppData")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md
index 6c970a3f7..89ed1d6e5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\DefaultPack.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md
index 3a3b2aa45..18f83d5db 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\desktopimgdownldr.exe" and src.process.image.path contains "\desktopimgdownldr.exe" and tgt.process.cmdline contains "/lockscreenurl:http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md
index 6a1159c00..638f694bc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /lockscreenurl:" and (not (tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".png"))) or (tgt.process.cmdline contains "reg delete" and tgt.process.cmdline contains "\PersonalizationCSP"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md
index 5db684ff6..805f28b69 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -t msi-install " and tgt.process.cmdline contains " -i http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md
index a417e166f..e32da274a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\AppData\Local\Apps\2.0\" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md
index 01d327a1d..818473144 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\diskshadow.exe" and (tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md
index 0a793e5ef..897c3ef1b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\DismHost.exe" and (src.process.cmdline contains "/Online" and src.process.cmdline contains "/Disable-Feature")) or (tgt.process.image.path contains "\Dism.exe" and (tgt.process.cmdline contains "/Online" and tgt.process.cmdline contains "/Disable-Feature"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md
index 2836d3313..df481f2e7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VMwareXferlogs.exe" and (not tgt.process.image.path contains "C:\Program Files\VMware\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md
index 38636bc31..df0b0c607 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dllhost.exe" and (tgt.process.cmdline in ("dllhost.exe","dllhost"))) and (not not (tgt.process.cmdline matches "\.*"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md
index 8cd58ea53..87f916212 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\iodine.exe" or tgt.process.image.path contains "\dnscat2"))
 ```
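Review bot: In the dllhost hunk the trailing clause `(not not (tgt.process.cmdline matches "\.*"))` is a double negation around a pattern that matches any string (zero or more literal dots), so it is always true and filters nothing; it reads like a translation artifact of a null-or-empty-command-line filter in the source rule rather than intended logic. As written the rule reduces to the `in ("dllhost.exe","dllhost")` check alone, which may well be the intended behaviour, but that should be confirmed against the original rule before relying on this translation. Suggest dropping the no-op clause, `... and (tgt.process.cmdline in ("dllhost.exe","dllhost"))))`, or replacing it with whatever condition the source rule actually expresses; the same double-negation pattern is worth grepping for across the other translated files.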
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md
index 5854017f3..8017889ef 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\dns.exe" and (not tgt.process.image.path contains "\conhost.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md
index 9477a9e9a..89970fbb9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/enumrecords" or tgt.process.cmdline contains "/enumzones" or tgt.process.cmdline contains "/ZonePrint" or tgt.process.cmdline contains "/info")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md
index 22a646a86..773d11e71 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/config" and tgt.process.cmdline contains "/serverlevelplugindll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md
index c36e61c33..ef1b36c2e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\dnx.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md
index 2bf53ebb7..de79e060c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dtrace.exe" and tgt.process.cmdline contains "lkd(0)") or (tgt.process.cmdline contains "syscall:::return" and tgt.process.cmdline contains "lkd(")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md
index edf2f25d4..539db30f1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "esentutl" and tgt.process.cmdline contains " /p")) | columns tgt.process.user,tgt.process.cmdline,src.process.cmdline,tgt.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md
index 384e28a44..9e3bbc7f3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\eventvwr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\WerFault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\WerFault.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md
index ddcf9c4f6..aa70ac243 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\expand.exe" and (tgt.process.cmdline contains "-F:" or tgt.process.cmdline contains "/F:" or tgt.process.cmdline contains "–F:" or tgt.process.cmdline contains "—F:" or tgt.process.cmdline contains "―F:")) and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains ":\ProgramData" or tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\Temp" or tgt.process.cmdline contains ":\Windows\Temp") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\"))) and (not (src.process.image.path="C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe" and tgt.process.cmdline contains "C:\ProgramData\Dell\UpdateService\Temp\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md
index 9d041a4e5..6a0d99574 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or ((tgt.process.cmdline contains "explorer.exe") and (tgt.process.cmdline contains " -root," or tgt.process.cmdline contains " /root," or tgt.process.cmdline contains " –root," or tgt.process.cmdline contains " —root," or tgt.process.cmdline contains " ―root,")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md index 216617dd8..492f55266 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "shell:mycomputerfolder")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md index cc95b5714..247f49876 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "/NOUACCHECK") and (not (src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" or src.process.image.path="C:\Windows\System32\svchost.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md index 04870637e..ea2a0b0f6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ipconfig*|*find*" or tgt.process.cmdline="*net*|*find*" or tgt.process.cmdline="*netstat*|*find*" or tgt.process.cmdline="*ping*|*find*" or tgt.process.cmdline="*systeminfo*|*find*" or tgt.process.cmdline="*tasklist*|*find*" or tgt.process.cmdline="*whoami*|*find*")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md index b2c37a3da..fd8cc4e17 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.cmdline contains ".exe" or src.process.cmdline contains ".exe\"") and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "/c echo \"") and (not ((src.process.image.path contains ":\Windows\System32\" or src.process.image.path contains ":\Windows\SysWOW64\") and src.process.image.path contains "\forfiles.exe" and (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\") and tgt.process.image.path contains "\cmd.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md index 676db10bc..f6b2f06ce 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\format.com" and tgt.process.cmdline contains "/fs:") and (not (tgt.process.cmdline contains "/fs:exFAT" or tgt.process.cmdline contains "/fs:FAT" or tgt.process.cmdline contains "/fs:NTFS" or tgt.process.cmdline contains "/fs:ReFS" or tgt.process.cmdline contains "/fs:UDF")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md index d37e7791c..b5efe860e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\GfxDownloadWrapper.exe" and (tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://")) and (not tgt.process.cmdline contains "https://gameplayapi.intel.com/"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md index 7a0549887..13ebb18e7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\GoogleUpdate.exe" and (not ((tgt.process.image.path contains "\Google" or (tgt.process.image.path contains "\setup.exe" or tgt.process.image.path contains "chrome_updater.exe" or tgt.process.image.path contains "chrome_installer.exe")) or not (tgt.process.image.path matches "\.*"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md index 08066e30f..a0df62039 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -d " and tgt.process.cmdline contains "passphrase"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md index d66e836d9..20223afe3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "passphrase"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md index f8f1002ad..98eae4438 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GNU Privacy Guard (GnuPG)" or tgt.process.displayName="GnuPG’s OpenPGP tool") and tgt.process.cmdline contains "-passphrase" and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Roaming\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md index 46b9450f5..31585f019 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\gpresult.exe" and (tgt.process.cmdline contains "/z" or tgt.process.cmdline contains "/v"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md index 8a2057e6c..47d103b0b 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\gup.exe" and tgt.process.image.path contains "\explorer.exe") and (not ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "\Notepad++\notepad++.exe") or src.process.image.path contains "\Notepad++\updater\" or not (tgt.process.cmdline matches "\.*"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md index a6834a838..081774a7c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\GUP.exe" and (not ((tgt.process.image.path contains "\Program Files\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\Program Files (x86)\Notepad++\updater\GUP.exe") or (tgt.process.image.path contains "\Users\" and (tgt.process.image.path contains "\AppData\Local\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\AppData\Roaming\Notepad++\updater\GUP.exe")))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md index 425d352b1..4210f0b99 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\hh.exe" and (tgt.process.image.path contains "\CertReq.exe" or tgt.process.image.path contains "\CertUtil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\installutil.exe" or tgt.process.image.path contains "\MSbuild.exe" or tgt.process.image.path contains "\MSHTA.EXE" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md index 41e11fef6..7e06385ea 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --adcs " and tgt.process.cmdline contains " --port ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md index 4702b6a64..0a60d3a59 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName contains "SharpHound" or tgt.process.displayName contains "SharpHound" or (tgt.process.publisher contains "SpecterOps" or tgt.process.publisher contains "evil corp") or (tgt.process.image.path contains "\Bloodhound.exe" or tgt.process.image.path contains "\SharpHound.exe")) or (tgt.process.cmdline contains " -CollectionMethod All " or tgt.process.cmdline contains " --CollectionMethods Session " or tgt.process.cmdline contains " --Loop --Loopduration " or tgt.process.cmdline contains " --PortScanTimeout " or tgt.process.cmdline contains ".exe -c All -d " or tgt.process.cmdline contains "Invoke-Bloodhound" or tgt.process.cmdline contains "Get-BloodHoundData") or (tgt.process.cmdline contains " -JsonFolder " and tgt.process.cmdline contains " -ZipFileName ") or (tgt.process.cmdline contains " DCOnly " and tgt.process.cmdline contains " --NoSaveCache "))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md index bde79c4e7..9fb35e2be 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains ".dll" and tgt.process.cmdline contains "StartNodeRelay")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md index eb81feb18..88bf0277b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd.exe /C whoami" and src.process.image.path contains "C:\Temp\") or ((src.process.image.path contains "\runonce.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.cmdline contains "cmd.exe /c echo" and tgt.process.cmdline contains "> \\.\pipe")) or ((src.process.cmdline contains "cmd.exe /C echo" and src.process.cmdline contains " > \\.\pipe") and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1") or (src.process.cmdline contains "/C whoami" and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md index 3dda212c4..d6c682b26 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-Sta" and tgt.process.cmdline contains "-Nop" and tgt.process.cmdline contains "-Window" and tgt.process.cmdline contains "Hidden") and (tgt.process.cmdline contains "-Command" or tgt.process.cmdline contains "-EncodedCommand")) or (tgt.process.cmdline contains "sv o (New-Object IO.MemorySteam);sv d " or tgt.process.cmdline contains "mshta file.hta" or tgt.process.cmdline contains "GruntHTTP" or tgt.process.cmdline contains "-EncodedCommand cwB2ACAAbwAgA"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md index 3ddf56607..f9d7dc819 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\crackmapexec.exe" or tgt.process.cmdline contains " -M pe_inject " or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -x ") or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -H 'NTHASH'") or (tgt.process.cmdline contains " mssql " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -d ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -H " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -o ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " --local-auth")) or ((tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p ") and (tgt.process.cmdline contains " 10." and tgt.process.cmdline contains " 192.168." and tgt.process.cmdline contains "/24 ")))) | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md index 25aadc2ba..b6c65e65d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*cmd.exe /Q /c * 1> \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > *\Temp\* 2>&1*" or tgt.process.cmdline contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or tgt.process.cmdline contains "powershell.exe -noni -nop -w 1 -enc ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md index 6de6a82d6..33843d5da 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "tasklist /fi " and tgt.process.cmdline contains "Imagename eq lsass.exe") and (tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd /k ") and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) or (tgt.process.cmdline contains "do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump" and tgt.process.cmdline contains "\Windows\Temp\" and tgt.process.cmdline contains " full" and tgt.process.cmdline contains "%%B") or (tgt.process.cmdline contains "tasklist /v /fo csv" and tgt.process.cmdline contains "findstr /i \"lsass\""))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md index 1f0869307..efd165677 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /am51" and tgt.process.cmdline contains " /password")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md index cfb3ed28e..0a3048cb9 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -sta -NonI -W Hidden -Enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc " or tgt.process.cmdline contains " -NoP -NonI -W Hidden -enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc" or tgt.process.cmdline contains " -enc SQB" or tgt.process.cmdline contains " -nop -exec bypass -EncodedCommand ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md index 0eec8fe70..c82425ee4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)" or tgt.process.cmdline contains " -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);")) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md index cdafcf1fe..81cd1368c 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ruby.exe" and (tgt.process.cmdline contains "-i " and tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md index 28a70b69d..0358798f1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.publisher="Cube0x0") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md index 581aa2f5a..d49881d70 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hashcat.exe" or (tgt.process.cmdline contains "-a " and tgt.process.cmdline contains "-m 1000 " and tgt.process.cmdline contains "-r "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md index 330bb0ecc..363679772 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\htran.exe" or tgt.process.image.path contains "\lcx.exe") or (tgt.process.cmdline contains ".exe -tran " or tgt.process.cmdline contains ".exe -slave "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md index 0d4346d7e..afe1521f4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ") and (tgt.process.cmdline contains "^USER^" or tgt.process.cmdline contains "^PASS^"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md index 209a11979..e9d8ee070 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\mmc.exe" or src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\services.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/Q" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "\\127.0.0.1\" and tgt.process.cmdline contains "&1")) or ((src.process.cmdline contains "svchost.exe -k netsvcs" or src.process.cmdline contains "taskeng.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/C" and tgt.process.cmdline contains "Windows\Temp\" and tgt.process.cmdline contains "&1")))) | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md index 995e9336b..b95de071c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\goldenPac" or tgt.process.image.path contains "\karmaSMB" or tgt.process.image.path contains "\kintercept" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\rpcdump" or tgt.process.image.path contains "\samrdump" or tgt.process.image.path contains "\secretsdump" or tgt.process.image.path contains "\smbexec" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\wmiexec" or tgt.process.image.path contains "\wmipersist") or (tgt.process.image.path contains "\atexec_windows.exe" or tgt.process.image.path contains "\dcomexec_windows.exe" or tgt.process.image.path contains "\dpapi_windows.exe" or tgt.process.image.path contains "\findDelegation_windows.exe" or tgt.process.image.path contains "\GetADUsers_windows.exe" or tgt.process.image.path contains "\GetNPUsers_windows.exe" or tgt.process.image.path contains "\getPac_windows.exe" or tgt.process.image.path contains "\getST_windows.exe" or tgt.process.image.path contains "\getTGT_windows.exe" or tgt.process.image.path contains "\GetUserSPNs_windows.exe" or tgt.process.image.path contains "\ifmap_windows.exe" or tgt.process.image.path contains "\mimikatz_windows.exe" or tgt.process.image.path contains "\netview_windows.exe" or tgt.process.image.path contains "\nmapAnswerMachine_windows.exe" or tgt.process.image.path contains "\opdump_windows.exe" or tgt.process.image.path contains "\psexec_windows.exe" or tgt.process.image.path contains "\rdp_check_windows.exe" or tgt.process.image.path contains "\sambaPipe_windows.exe" or tgt.process.image.path contains "\smbclient_windows.exe" or tgt.process.image.path contains "\smbserver_windows.exe" or tgt.process.image.path contains "\sniff_windows.exe" 
or tgt.process.image.path contains "\sniffer_windows.exe" or tgt.process.image.path contains "\split_windows.exe" or tgt.process.image.path contains "\ticketer_windows.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md index 17bed58a0..9cfe5e32d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "clipboard]::" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "/r"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md index 0d8b9302a..697f62513 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline matches "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or tgt.process.cmdline matches "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or tgt.process.cmdline matches "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or tgt.process.cmdline matches "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or tgt.process.cmdline matches "\\*mdr\\*\\W\\s*\\)\\.Name" or tgt.process.cmdline matches "\\$VerbosePreference\\.ToString\\(" or tgt.process.cmdline matches "\\[String\\]\\s*\\$VerbosePreference")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md index 9757aa265..2f734325b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md index 785a3d99a..6c466db96 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md index 204aad4c4..75c4cb640 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "text.encoding]::ascii") and (tgt.process.cmdline contains "system.io.compression.deflatestream" or tgt.process.cmdline contains "system.io.streamreader" or tgt.process.cmdline contains "readtoend("))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md index bf20a5d6f..bf8c47c64 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*"") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md index 5ef8f5384..1f29c6314 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md index c59be9e65..b2b65d033 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "set" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "vbscript:createobject" and tgt.process.cmdline contains ".run" and tgt.process.cmdline contains "(window.close)")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md index 1dd095dd7..64ffb2241 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "&&set" and tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "{0}" or tgt.process.cmdline contains "{1}" or tgt.process.cmdline contains "{2}" or tgt.process.cmdline contains "{3}" or tgt.process.cmdline contains "{4}" or tgt.process.cmdline contains "{5}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md index c184523b0..990e1a374 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" and src.process.cmdline contains ".bat") and ((tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "powershell.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "pwsh.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\attrib.exe" and (tgt.process.cmdline contains "+s" and tgt.process.cmdline contains "+h" and tgt.process.cmdline contains ".bat.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md index c6efa6a98..55dcc3fb0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\lazagne.exe" or ((tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Tmp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Users\Public\") and (tgt.process.cmdline contains ".exe all" or tgt.process.cmdline contains ".exe browsers" or tgt.process.cmdline contains ".exe chats" or tgt.process.cmdline contains ".exe databases" or tgt.process.cmdline contains ".exe games" or tgt.process.cmdline contains ".exe git" or tgt.process.cmdline contains ".exe mails" or tgt.process.cmdline contains ".exe maven" or tgt.process.cmdline contains ".exe memory" or tgt.process.cmdline contains ".exe multimedia" or tgt.process.cmdline contains ".exe sysadmin" or tgt.process.cmdline contains ".exe unused" or tgt.process.cmdline contains ".exe wifi" or tgt.process.cmdline contains ".exe windows")) or ((tgt.process.cmdline contains "all " or tgt.process.cmdline contains "browsers " or tgt.process.cmdline contains "chats " or tgt.process.cmdline contains "databases " or tgt.process.cmdline contains "games " or tgt.process.cmdline contains "git " or tgt.process.cmdline contains "mails " or tgt.process.cmdline contains "maven " or tgt.process.cmdline contains "memory " or tgt.process.cmdline contains "multimedia " or tgt.process.cmdline contains "php " or tgt.process.cmdline contains "svn " or tgt.process.cmdline contains "sysadmin " or tgt.process.cmdline contains "unused " or tgt.process.cmdline contains "wifi " or tgt.process.cmdline contains "windows ") and 
(tgt.process.cmdline contains "-oA" or tgt.process.cmdline contains "-oJ" or tgt.process.cmdline contains "-oN" or tgt.process.cmdline contains "-output" or tgt.process.cmdline contains "-password" or tgt.process.cmdline contains "-1Password" or tgt.process.cmdline contains "-apachedirectorystudio" or tgt.process.cmdline contains "-autologon" or tgt.process.cmdline contains "-ChromiumBased" or tgt.process.cmdline contains "-composer" or tgt.process.cmdline contains "-coreftp" or tgt.process.cmdline contains "-credfiles" or tgt.process.cmdline contains "-credman" or tgt.process.cmdline contains "-cyberduck" or tgt.process.cmdline contains "-dbvis" or tgt.process.cmdline contains "-EyeCon" or tgt.process.cmdline contains "-filezilla" or tgt.process.cmdline contains "-filezillaserver" or tgt.process.cmdline contains "-ftpnavigator" or tgt.process.cmdline contains "-galconfusion" or tgt.process.cmdline contains "-gitforwindows" or tgt.process.cmdline contains "-hashdump" or tgt.process.cmdline contains "-iisapppool" or tgt.process.cmdline contains "-IISCentralCertP" or tgt.process.cmdline contains "-kalypsomedia" or tgt.process.cmdline contains "-keepass" or tgt.process.cmdline contains "-keepassconfig" or tgt.process.cmdline contains "-lsa_secrets" or tgt.process.cmdline contains "-mavenrepositories" or tgt.process.cmdline contains "-memory_dump" or tgt.process.cmdline contains "-Mozilla" or tgt.process.cmdline contains "-mRemoteNG" or tgt.process.cmdline contains "-mscache" or tgt.process.cmdline contains "-opensshforwindows" or tgt.process.cmdline contains "-openvpn" or tgt.process.cmdline contains "-outlook" or tgt.process.cmdline contains "-pidgin" or tgt.process.cmdline contains "-postgresql" or tgt.process.cmdline contains "-psi-im" or tgt.process.cmdline contains "-puttycm" or tgt.process.cmdline contains "-pypykatz" or tgt.process.cmdline contains "-Rclone" or tgt.process.cmdline contains "-rdpmanager" or tgt.process.cmdline contains "-robomongo" or 
tgt.process.cmdline contains "-roguestale" or tgt.process.cmdline contains "-skype" or tgt.process.cmdline contains "-SQLDeveloper" or tgt.process.cmdline contains "-squirrel" or tgt.process.cmdline contains "-tortoise" or tgt.process.cmdline contains "-turba" or tgt.process.cmdline contains "-UCBrowser" or tgt.process.cmdline contains "-unattended" or tgt.process.cmdline contains "-vault" or tgt.process.cmdline contains "-vaultfiles" or tgt.process.cmdline contains "-vnc" or tgt.process.cmdline contains "-windows" or tgt.process.cmdline contains "-winscp" or tgt.process.cmdline contains "-wsl")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md index 86a935fe2..108b1df72 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\services.exe" and (((tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "echo" and tgt.process.cmdline contains "\pipe\") and (tgt.process.cmdline contains "cmd" or tgt.process.cmdline contains "%COMSPEC%")) or (tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains ".dll,a" and tgt.process.cmdline contains "/p:")) and (not tgt.process.cmdline contains "MpCmdRun"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md index 4a52961ab..b5d4e3662 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "DumpCreds" or tgt.process.cmdline contains "mimikatz") or (tgt.process.cmdline contains "::aadcookie" or tgt.process.cmdline contains "::detours" or tgt.process.cmdline contains "::memssp" or tgt.process.cmdline contains "::mflt" or tgt.process.cmdline contains "::ncroutemon" or tgt.process.cmdline contains "::ngcsign" or tgt.process.cmdline contains "::printnightmare" or tgt.process.cmdline contains "::skeleton" or tgt.process.cmdline contains "::preshutdown" or tgt.process.cmdline contains "::mstsc" or tgt.process.cmdline contains "::multirdp") or (tgt.process.cmdline contains "rpc::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "crypto::" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "process::" or tgt.process.cmdline contains "vault::"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md index 3001e48bb..ad42ee8f3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "powershell.exe -NonI" and tgt.process.cmdline contains "/TN Updater /TR") and (tgt.process.cmdline contains "/SC ONLOGON" or tgt.process.cmdline contains "/SC DAILY /ST" or tgt.process.cmdline contains "/SC ONIDLE" or tgt.process.cmdline contains "/SC HOURLY"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md index ebe68aab5..bfd10dbc1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\pypykatz.exe" or tgt.process.image.path contains "\python.exe") and (tgt.process.cmdline contains "live" and tgt.process.cmdline contains "registry"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md index 97571dc5e..c78d35b97 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\QuarksPwDump.exe" or (tgt.process.cmdline in (" -dhl"," --dump-hash-local"," -dhdc"," --dump-hash-domain-cached"," --dump-bitlocker"," -dhd "," --dump-hash-domain ","--ntds-file")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md index 6a3cce422..550bf2aba 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "gthread-3.6.dll" or tgt.process.cmdline contains "\Windows\Temp\tmp.bat" or tgt.process.cmdline contains "sigcmm-2.4.dll"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md index b74d728bd..2ee65982f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "PetitPotam" or tgt.process.image.path contains "RottenPotato" or tgt.process.image.path contains "HotPotato" or tgt.process.image.path contains "JuicyPotato" or tgt.process.image.path contains "\just_dce_" or tgt.process.image.path contains "Juicy Potato" or tgt.process.image.path contains "\temp\rot.exe" or tgt.process.image.path contains "\Potato.exe" or tgt.process.image.path contains "\SpoolSample.exe" or tgt.process.image.path contains "\Responder.exe" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\LocalPotato") or (tgt.process.cmdline contains "Invoke-Tater" or tgt.process.cmdline contains " smbrelay" or tgt.process.cmdline contains " ntlmrelay" or tgt.process.cmdline contains "cme smb " or tgt.process.cmdline contains " /ntlm:NTLMhash " or tgt.process.cmdline contains "Invoke-PetitPotam" or tgt.process.cmdline="*.exe -t * -p *") or (tgt.process.cmdline contains ".exe -c \"{" and tgt.process.cmdline contains "}\" -z")) and (not (tgt.process.image.path contains "HotPotatoes6" or tgt.process.image.path contains "HotPotatoes7" or tgt.process.image.path contains "HotPotatoes ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md index a231d38d5..334d86538 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpChisel.exe" or tgt.process.displayName="SharpChisel")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md index 765d3fea3..bd6c5a79e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\SharPersist.exe" or tgt.process.displayName="SharPersist") or (tgt.process.cmdline contains " -t schtask -c " or tgt.process.cmdline contains " -t startupfolder -c ") or (tgt.process.cmdline contains " -t reg -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t service -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t schtask -c " and tgt.process.cmdline contains " -m add"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md index f7a8ee2aa..a8dd77697 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpEvtMute.exe" or tgt.process.displayName="SharpEvtMute" or (tgt.process.cmdline contains "--Filter \"rule " or tgt.process.cmdline contains "--Encoded --Filter \\""))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md index 866e90970..42b1c0b70 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpUp.exe" or tgt.process.displayName="SharpUp" or (tgt.process.cmdline contains "HijackablePaths" or tgt.process.cmdline contains "UnquotedServicePath" or tgt.process.cmdline contains "ProcessDLLHijack" or tgt.process.cmdline contains "ModifiableServiceBinaries" or tgt.process.cmdline contains "ModifiableScheduledTask" or tgt.process.cmdline contains "DomainGPPPassword" or tgt.process.cmdline contains "CachedGPPPassword"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md index 593b2ba1d..6520f53bb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -Inject " and (tgt.process.cmdline contains " -PayloadArgs " or tgt.process.cmdline contains " -PayloadFile ")) or ((tgt.process.cmdline contains " approve " or tgt.process.cmdline contains " create " or tgt.process.cmdline contains " check " or tgt.process.cmdline contains " delete ") and (tgt.process.cmdline contains " /payload:" or tgt.process.cmdline contains " /payload=" or tgt.process.cmdline contains " /updateid:" or tgt.process.cmdline contains " /updateid=")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md index 7fcf9889d..103d1e94d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.displayName contains "st2stager") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md index afd307608..8a0ffa422 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md index d5753930a..dab2fc1f2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --buildcache " or tgt.process.cmdline contains " --bhdump " or tgt.process.cmdline contains " --certdump " or tgt.process.cmdline contains " --dnsdump ") and (tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " --cachefilename " or tgt.process.cmdline contains " -o " or tgt.process.cmdline contains " --outputdirectory"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md index 2686a2286..e1e7aa2d3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Offline_Winpwn" or tgt.process.cmdline contains "WinPwn " or tgt.process.cmdline contains "WinPwn.exe" or tgt.process.cmdline contains "WinPwn.ps1")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md index 21a96706f..ed96cfc96 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md index e442dbb3f..9331e8210 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\xordump.exe" or (tgt.process.cmdline contains " -process lsass.exe " or tgt.process.cmdline contains " -m comsvcs " or tgt.process.cmdline contains " -m dbghelp " or tgt.process.cmdline contains " -m dbgcore "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md index fef383319..f3977d188 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip" and tgt.process.cmdline contains "/pass:" and tgt.process.cmdline contains "/user:") or (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md index 25c1d09d9..d95a6752a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\HOSTNAME.EXE") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md index de208df16..e601e940c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Hwp.exe" and tgt.process.image.path contains "\gbb.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md index 95d172bfc..84ffb96c2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hxtsr.exe" and (not (tgt.process.image.path contains ":\program files\windowsapps\microsoft.windowscommunicationsapps_" and tgt.process.image.path contains "\hxtsr.exe")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md index db8ca6d89..a2064cdfe 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\w3wp.exe" and (tgt.process.cmdline contains "appcmd.exe add module" or (tgt.process.cmdline contains " system.enterpriseservices.internal.publish" and tgt.process.image.path contains "\powershell.exe") or (tgt.process.cmdline contains "gacutil" and tgt.process.cmdline contains " /I")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md index dde0105b8..437b348a7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and tgt.process.image.path contains "\ImagingDevices.exe") or src.process.image.path contains "\ImagingDevices.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md index 0143cca24..a8302f0aa 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "InfDefaultInstall.exe " and tgt.process.cmdline contains ".inf")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md index 9af5d7d88..34a090281 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\InstallUtil.exe" and tgt.process.image.path contains "Microsoft.NET\Framework" and (tgt.process.cmdline contains "/logfile= " and tgt.process.cmdline contains "/LogToConsole=false"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md index f775b9f91..77f465555 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\keytool.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\query.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md index ae79dd279..05064e60c 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\ManageEngine\ServiceDesk\" and src.process.image.path contains "\java.exe") and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")) and (not ((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains " stop")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md index 00e1a2e58..a2f27bfc0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "transport=dt_socket,address=" and (tgt.process.cmdline contains "jre1." or tgt.process.cmdline contains "jdk1.")) and (not (tgt.process.cmdline contains "address=127.0.0.1" or tgt.process.cmdline contains "address=localhost")))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md index fad083f26..4c067bf60 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md index 070f04097..85c6c9ad1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not (src.process.image.path contains "build" and tgt.process.cmdline contains "build")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md index 6b46b4978..6801dd7f4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and src.process.cmdline contains "SysAidServer")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md index f705ae19f..db10b5dde 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " run run-cmd " and (not (src.process.image.path contains "\cleanapi.exe" or src.process.image.path contains "\kavremover.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md index 75268d816..3a6894a61 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\link.exe" and tgt.process.cmdline contains "LINK /") and (not ((src.process.image.path contains "C:\Program Files\Microsoft Visual Studio\" or src.process.image.path contains "C:\Program Files (x86)\Microsoft Visual Studio\") and (src.process.image.path contains "\VC\bin\" or src.process.image.path contains "\VC\Tools\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md index f42fde9b6..6ae25c496 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\CustomShellHost.exe" and (not tgt.process.image.path="C:\Windows\explorer.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md index 904bafa21..c16935ffc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\DeviceCredentialDeployment.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md index a80bc6690..10823ee04 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\devtoolslauncher.exe" and tgt.process.cmdline contains "LaunchForDeploy")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md index 5a2e6f67c..ae1af2e6b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md index 9000aa8ab..4e90549c7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains " \\" and tgt.process.cmdline contains ".cab")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md index 826cc88f4..83a531015 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "extrac32.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md index 80daee6cc..9157d3e40 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Launch-VsDevShell.ps1" and (tgt.process.cmdline contains "VsWherePath " or tgt.process.cmdline contains "VsInstallationPath "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md index eb61ffb3d..c3c621242 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /INJECTRUNNING " and (not src.process.image.path="C:\Windows\System32\AppVClient.exe"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md index ac2fe56dc..29e225430 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "verb:sync" and tgt.process.cmdline contains "-source:RunCommand" and tgt.process.cmdline contains "-dest:runCommand") and tgt.process.image.path contains "\msdeploy.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md index 2cf8db897..f8cb14d97 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\msdt.exe" and tgt.process.cmdline contains "\WINDOWS\diagnostics\index\PCWDiagnostic.xml") and (tgt.process.cmdline contains " -af " or tgt.process.cmdline contains " /af ")) and (not src.process.image.path contains "\pcwrun.exe"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md index 6c8fb0f68..1520307f4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\OpenWith.exe" and tgt.process.cmdline contains "/c")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md index 7cd1fc56a..fe4b7f0d7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcalua.exe" and tgt.process.cmdline contains " -a")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md index 87b96688b..55fdb3a83 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\pcwrun.exe") | columns ComputerName,tgt.process.user,src.process.cmdline,tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md
index d591ee9d5..1fde7234b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcwrun.exe" and tgt.process.cmdline contains "../"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md
index e8cc60a21..f979f3e41 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and src.process.cmdline contains "\WindowsPowerShell\Modules\Pester\") and (src.process.cmdline contains "{ Invoke-Pester -EnableExit ;" or src.process.cmdline contains "{ Get-Help \"")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md
index 5545094f0..554f3f3ff 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Pester" and tgt.process.cmdline contains "Get-Help")) or ((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "pester" and tgt.process.cmdline contains ";")) and (tgt.process.cmdline contains "help" or tgt.process.cmdline contains "?"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md
index 9a21b0277..01473dfcf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\PrintBrm.exe" and (tgt.process.cmdline contains " -f" and tgt.process.cmdline contains ".zip")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md
index 88fa210df..7edc6b4dd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\pubprn.vbs" and tgt.process.cmdline contains "script:"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md
index 90203bddb..e8f773139 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\register_app.vbs" and tgt.process.cmdline contains "-register"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md
index b957e7617..59643a3a7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\replace.exe" and (tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/a" or tgt.process.cmdline contains "–a" or tgt.process.cmdline contains "—a" or tgt.process.cmdline contains "―a")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md
index 898d09cb2..b4e6cbf64 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\runexehelper.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md
index dac383491..9c70d0d7c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Runscripthelper.exe" and tgt.process.cmdline contains "surfacecheck")) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md
index adb82bbe3..13df0dc43 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\")) and (src.process.cmdline contains "cmd.exe /c" and src.process.cmdline contains "RoamDiag.cmd" and src.process.cmdline contains "-outputpath"))) | columns TargetFilename,tgt.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md
index 7b966b30b..804b30e04 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sftp.exe" and (tgt.process.cmdline contains " -D .." or tgt.process.cmdline contains " -D C:\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md
index d6773b062..d83cead7f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-i" or tgt.process.cmdline contains "/install" or tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/add-driver" or tgt.process.cmdline contains ".inf") and tgt.process.image.path contains "\pnputil.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md
index d818abf04..3c5fd558c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "grpconv.exe -o" or tgt.process.cmdline contains "grpconv -o"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md
index 5be5dbca2..c823830e1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqldumper.exe" and (tgt.process.cmdline contains "0x0110" or tgt.process.cmdline contains "0x01100:40")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md
index 95627314b..079ee4284 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SyncAppvPublishingServer.vbs" and tgt.process.cmdline contains ";")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md
index 4ee7cc144..444a317d9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\tracker.exe" or tgt.process.displayName="Tracker") and (tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " /c ")) and (not (tgt.process.cmdline contains " /ERRORREPORT:PROMPT " or (src.process.image.path contains "\Msbuild\Current\Bin\MSBuild.exe" or src.process.image.path contains "\Msbuild\Current\Bin\amd64\MSBuild.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md
index ac6ba39b5..ca22790d8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\tttracer.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md
index e6b12599b..32814ef1a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "UtilityFunctions.ps1" or tgt.process.cmdline contains "RegSnapin "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md
index e0d8561ae..6dda5ff0c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vbc.exe" and tgt.process.image.path contains "\cvtres.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md
index d0347047f..f888ef675 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Windows\System32\lsass.exe" and tgt.process.image.path contains "\Windows\System32\lsass.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md
index c39c45db7..02727df25 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\mftrace.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md
index 63799d719..5a9e1ecd0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mmc.exe" and tgt.process.cmdline contains "-Embedding"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md
index feb86a276..90ffe085a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\mmc.exe" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe") or tgt.process.image.path contains "\BITSADMIN"))) | columns tgt.process.cmdline,tgt.process.image.path,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md
index b507b0d41..b4a2dd100 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\MpCmdRun.exe" or tgt.process.image.path contains "\NisSrv.exe") and (not (tgt.process.image.path contains "C:\Program Files (x86)\Windows Defender\" or tgt.process.image.path contains "C:\Program Files\Microsoft Security Client\" or tgt.process.image.path contains "C:\Program Files\Windows Defender\" or tgt.process.image.path contains "C:\ProgramData\Microsoft\Windows Defender\Platform\" or tgt.process.image.path contains "C:\Windows\WinSxS\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md
index cefc74c42..660c17d5d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Wscript." and tgt.process.cmdline contains ".Shell" and tgt.process.cmdline contains ".Run"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md
index 900ae5d7d..048cde636 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mshta.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md
index 40e156c48..5360636b0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\mshta.exe" and (tgt.process.cmdline contains "vbscript" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".lnk" or tgt.process.cmdline contains ".xls" or tgt.process.cmdline contains ".doc" or tgt.process.cmdline contains ".zip" or tgt.process.cmdline contains ".dll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md
index 2ae7bd45a..f9e1fc86e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (src.process.cmdline contains "MsiExec.exe" and src.process.cmdline contains "-Embedding ")) and (not ((tgt.process.image.path contains ":\Windows\System32\cmd.exe" and tgt.process.cmdline contains "C:\Program Files\SplunkUniversalForwarder\bin\") or (tgt.process.cmdline contains "\DismFoDInstall.cmd" or (src.process.cmdline contains "\MsiExec.exe -Embedding " and src.process.cmdline contains "Global\MSI0000"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md
index 303b80f73..0b4fcdd04 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\msiexec.exe" and (tgt.process.cmdline contains " -y" or tgt.process.cmdline contains " /y" or tgt.process.cmdline contains " –y" or tgt.process.cmdline contains " —y" or tgt.process.cmdline contains " ―y")) and (not (tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" /Y C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y C:\Windows\CCM\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md
index 9996d43d0..696f46ccc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " msiexec" and tgt.process.cmdline contains "://"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md
index f002e6edb..52ee4a65e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\msra.exe" and src.process.cmdline contains "msra.exe" and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\route.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\whoami.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md
index 8168d3367..cf023940c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\wsl.exe")) and (not (src.process.image.path contains "C:\Program Files\Microsoft SQL Server\" and src.process.image.path contains "DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\cmd.exe\" "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md
index e3f72bdd5..9d877be0f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and src.process.cmdline contains "VEEAMSQL") and (((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "-ex " or tgt.process.cmdline contains "bypass" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "copy ")) or (tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\whoami.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md
index e09a97cf1..38a512b9a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "noconsentprompt" and tgt.process.cmdline contains "shadow:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md index 64f1f7302..1955b97ff 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\msxsl.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md index 3f964dda7..54b5d3e16 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\msxsl.exe" and tgt.process.cmdline contains "http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md index 6d600e4cd..3668a0a44 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\node.exe" and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " --eval ")) and (tgt.process.cmdline contains ".exec(" and tgt.process.cmdline contains "net.socket" and tgt.process.cmdline contains ".connect" and tgt.process.cmdline contains "child_process"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md index 0562c4a13..3ff6354bb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Adobe Creative Cloud Experience\libs\node.exe" and (not tgt.process.cmdline contains "Adobe Creative Cloud Experience\js"))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md index 317bcf9cd..5b8a5a5fb 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "nslookup" and tgt.process.cmdline contains "_ldap._tcp.dc._msdcs.")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md index fa03b365d..a4ae6a26c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\ntdsutil.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md index e4bba6326..ca9c4bb90 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\odbcconf.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md index 45eff022b..76f2f72f6 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\onenote.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and (tgt.process.cmdline contains "\exported\" or tgt.process.cmdline contains "\onenoteofflinecache_files\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md index 67078da53..db74a5d10 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Outlook\Security\EnableUnsafeClientMailRules") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md index 2104afbbc..59b1d64dc 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\Temporary Internet Files\Content.Outlook\") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md index 6ba1f27a4..c671426b3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\OUTLOOK.EXE" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\msbuild.exe" or tgt.process.image.path contains "\msdt.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md index ca40ef147..60ec66866 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\outlook.exe" and tgt.process.image.path contains "\\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md index e8c3ae6d1..8defa1cb8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WINWORD.EXE" or src.process.image.path contains "\EXCEL.EXE" or src.process.image.path contains "\POWERPNT.exe" or src.process.image.path contains "\MSPUB.exe" or src.process.image.path contains "\VISIO.exe" or src.process.image.path contains "\MSACCESS.exe" or src.process.image.path contains "\EQNEDT32.exe") and tgt.process.image.path contains "C:\users\" and tgt.process.image.path contains ".exe") and (not tgt.process.image.path contains "\Teams.exe"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md index 6967e6cf2..32bed6050 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md 
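Review bot: In the outlook_susp_child_processes_remote hunk the only discriminating predicate is `tgt.process.image.path contains "\\"`, and whether that literal means one backslash or two decides if the rule detects UNC paths or fires on every Outlook child process, since every Windows image path contains a single backslash. The mssql hunk earlier in this diff writes `\"` for an embedded quote, which suggests backslash acts as an escape in this dialect and that `\\` may collapse to a single `\` — confirm how the translator and the query engine parse it. If it does collapse, the literal needs to be written so that two consecutive backslashes survive parsing (the UNC prefix), otherwise this rule silently becomes a superset of the narrower outlook_susp_child_processes rule and should be disabled until fixed.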
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\PDQDeployRunner-" and ((tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\TEMP\" or tgt.process.image.path contains "\AppData\Local\Temp") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -encodedcommand " or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "http" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md index 8c0b762d3..d95788cc7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ping.exe" and tgt.process.cmdline contains "0x")) | columns src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md index 17ff9d5af..969d89019 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Command-line SSH, Telnet, and Rlogin client" and tgt.process.cmdline contains " -R ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md index 0f56c1a88..099e91baf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":127.0.0.1:3389") or ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":3389") and (tgt.process.cmdline contains " -P 443" or tgt.process.cmdline contains " -P 22")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md index 2f03021f5..823bdfd93 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "System.Management.Automation.AmsiUtils" and tgt.process.cmdline contains "amsiInitFailed") or (tgt.process.cmdline contains "[Ref].Assembly.GetType" and tgt.process.cmdline contains "SetValue($null,$true)" and tgt.process.cmdline contains "NonPublic,Static"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md index f97e5ec2c..84559a49a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "if(0){{{0}}}' -f $(0 -as [char]) +" or tgt.process.cmdline contains "#")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md index 02aee32c5..b23373919 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WindowsAudioDevice-Powershell-Cmdlet" or tgt.process.cmdline contains "Toggle-AudioDevice" or tgt.process.cmdline contains "Get-AudioDevice " or tgt.process.cmdline contains "Set-AudioDevice " or tgt.process.cmdline contains "Write-AudioDevice ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md index df8f12a11..124d8305f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md 
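Review bot: In the amsi_null_bits_bypass hunk the second alternative, `tgt.process.cmdline contains "#"`, matches any command line that contains a `#` character, so the rule fires on every PowerShell comment, URL fragment or `#` in a script argument, and because it is OR-ed with the first pattern the specific `if(0){{{0}}}' -f $(0 -as [char]) +` check adds nothing. This looks like a non-printable byte following `#` (the NUL that the technique appends) being dropped by the automatic translation — confirm against the source rule. Until the translator can emit that byte, drop the bare `#` branch so the query reads `event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "if(0){{{0}}}' -f $(0 -as [char]) +")`, otherwise this alert is pure noise in production.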
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IAAtAGIAeABvAHIAIAAwAHgA" or tgt.process.cmdline contains "AALQBiAHgAbwByACAAMAB4A" or tgt.process.cmdline contains "gAC0AYgB4AG8AcgAgADAAeA" or tgt.process.cmdline contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or tgt.process.cmdline contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or tgt.process.cmdline contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md index 935e84241..94971b875 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OjpGcm9tQmFzZTY0U3RyaW5n" or tgt.process.cmdline contains "o6RnJvbUJhc2U2NFN0cmluZ" or tgt.process.cmdline contains "6OkZyb21CYXNlNjRTdHJpbm" or (tgt.process.cmdline contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or tgt.process.cmdline contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or tgt.process.cmdline contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md index 9422e1a5b..fb56454c2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "SUVYIChb" or tgt.process.cmdline contains "lFWCAoW" or tgt.process.cmdline contains "JRVggKF" or tgt.process.cmdline contains "aWV4IChb" or tgt.process.cmdline contains "lleCAoW" or tgt.process.cmdline contains "pZXggKF" or tgt.process.cmdline contains "aWV4IChOZX" or tgt.process.cmdline contains "lleCAoTmV3" or tgt.process.cmdline contains "pZXggKE5ld" or tgt.process.cmdline contains "SUVYIChOZX" or tgt.process.cmdline contains "lFWCAoTmV3" or tgt.process.cmdline contains "JRVggKE5ld" or tgt.process.cmdline contains "SUVYKF" or tgt.process.cmdline contains "lFWChb" or tgt.process.cmdline contains "JRVgoW" or tgt.process.cmdline contains "aWV4KF" or tgt.process.cmdline contains "lleChb" or tgt.process.cmdline contains "pZXgoW" or tgt.process.cmdline contains "aWV4KE5ld" or tgt.process.cmdline contains "lleChOZX" or tgt.process.cmdline contains "pZXgoTmV3" or tgt.process.cmdline contains "SUVYKE5ld" or tgt.process.cmdline contains "lFWChOZX" or tgt.process.cmdline contains "JRVgoTmV3" or tgt.process.cmdline contains "SUVYKCgn" or tgt.process.cmdline contains "lFWCgoJ" or tgt.process.cmdline contains "JRVgoKC" or tgt.process.cmdline contains "aWV4KCgn" or tgt.process.cmdline contains "lleCgoJ" or tgt.process.cmdline contains "pZXgoKC") or (tgt.process.cmdline contains "SQBFAFgAIAAoAFsA" or tgt.process.cmdline contains "kARQBYACAAKABbA" or tgt.process.cmdline contains "JAEUAWAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAFsA" or tgt.process.cmdline contains "kAZQB4ACAAKABbA" or tgt.process.cmdline contains "pAGUAeAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kAZQB4ACAAKABOAGUAdw" or tgt.process.cmdline contains "pAGUAeAAgACgATgBlAHcA" or 
tgt.process.cmdline contains "SQBFAFgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kARQBYACAAKABOAGUAdw" or tgt.process.cmdline contains "JAEUAWAAgACgATgBlAHcA"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md index 6b937f66e..5e69501cd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "QWRkLU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "BZGQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "U2V0LU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "TZXQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "YWRkLW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "hZGQtbXBwcmVmZXJlbmNlI" or tgt.process.cmdline contains "c2V0LW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "zZXQtbXBwcmVmZXJlbmNlI") or (tgt.process.cmdline contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md index b59cfe6aa..40e860186 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or tgt.process.cmdline contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or tgt.process.cmdline contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or tgt.process.cmdline contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or tgt.process.cmdline contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA")) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md index b42a83b72..6c3812ed6 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA")) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md index 300290d6c..87e45c753 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SyncInvoke ") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md index daf9ae5c1..c9765c0d9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "LoadAssemblyFromPath " or tgt.process.cmdline contains "LoadAssemblyFromNS ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md index 244ad03b7..814edb542 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\powershell.exe" and tgt.process.cmdline contains " -nologo -windowstyle minimized -file ") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Windows\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
index 8ec68bed2..518319da8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
index 556671a86..8e5d2829c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "GZipStream" and tgt.process.cmdline contains "::Decompress"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
index 173101426..e6e117273 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains "DisableArchiveScanning " or tgt.process.cmdline contains "DisableRealtimeMonitoring " or tgt.process.cmdline contains "DisableIOAVProtection " or tgt.process.cmdline contains "DisableBehaviorMonitoring " or tgt.process.cmdline contains "DisableBlockAtFirstSeen " or tgt.process.cmdline contains "DisableCatchupFullScan " or tgt.process.cmdline contains "DisableCatchupQuickScan ") and (tgt.process.cmdline contains "$true" or tgt.process.cmdline contains " 1 ")) or ((tgt.process.cmdline contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or tgt.process.cmdline contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or tgt.process.cmdline contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or tgt.process.cmdline contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or tgt.process.cmdline contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or tgt.process.cmdline 
contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or tgt.process.cmdline contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or tgt.process.cmdline contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or tgt.process.cmdline contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or tgt.process.cmdline contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or tgt.process.cmdline contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI") or (tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains 
"RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or tgt.process.cmdline contains 
"kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md index c874ea039..d89a27728 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains " -ExclusionPath " or tgt.process.cmdline contains " -ExclusionExtension " or tgt.process.cmdline contains " -ExclusionProcess " or tgt.process.cmdline contains " -ExclusionIpAddress "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md index 9c48e11df..2b7c87947 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -name IEHarden " and tgt.process.cmdline contains " -value 0 ") or (tgt.process.cmdline contains " -name DEPOff " and tgt.process.cmdline contains " -value 1 ") or (tgt.process.cmdline contains " -name DisableFirstRunCustomize " and tgt.process.cmdline contains " -value 2 ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md
index e6cf93909..e18ccd496 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains " -version 2 " or tgt.process.cmdline contains " -versio 2 " or tgt.process.cmdline contains " -versi 2 " or tgt.process.cmdline contains " -vers 2 " or tgt.process.cmdline contains " -ver 2 " or tgt.process.cmdline contains " -ve 2 " or tgt.process.cmdline contains " -v 2 ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md
index 643eedc13..96f018988 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[Type]::GetTypeFromCLSID(" and (tgt.process.cmdline contains "0002DF01-0000-0000-C000-000000000046" or tgt.process.cmdline contains "F6D90F16-9C73-11D3-B32E-00C04F990BB4" or tgt.process.cmdline contains "F5078F35-C551-11D3-89B9-0000F81FE221" or tgt.process.cmdline contains "88d96a0a-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "AFBA6B42-5692-48EA-8141-DC517DCF0EF1" or tgt.process.cmdline contains "AFB40FFD-B609-40A3-9828-F88BBE11E4E3" or tgt.process.cmdline contains "88d96a0b-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "2087c2f4-2cef-4953-a8ab-66779b670495" or tgt.process.cmdline contains "000209FF-0000-0000-C000-000000000046" or tgt.process.cmdline contains "00024500-0000-0000-C000-000000000046")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md
index 72940ddde..c5a248a07 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "http://127.0.0.1" and tgt.process.cmdline contains "%{(IRM $_)}" and tgt.process.cmdline contains ".SubString.ToString()[67,72,64]-Join" and tgt.process.cmdline contains "Import-Module")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md
index bfccb35cd..99dba168a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md
index c638e8c83..0436b9e00 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "IWR ") and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "OutFile" and tgt.process.cmdline contains ".dll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md
index dedf03c04..2ad4399d8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr ") and (tgt.process.cmdline contains ";iex $" or tgt.process.cmdline contains "| IEX" or tgt.process.cmdline contains "|IEX " or tgt.process.cmdline contains "I`E`X" or tgt.process.cmdline contains "I`EX" or tgt.process.cmdline contains "IE`X" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "IEX (" or tgt.process.cmdline contains "IEX(" or tgt.process.cmdline contains "Invoke-Expression")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md
index 69c7f82d4..a8ca1c5df 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-ADDBSidHistory" or tgt.process.cmdline contains "Add-ADNgcKey" or tgt.process.cmdline contains "Add-ADReplNgcKey" or tgt.process.cmdline contains "ConvertFrom-ADManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-GPPrefPassword" or tgt.process.cmdline contains "ConvertFrom-ManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-UnattendXmlPassword" or tgt.process.cmdline contains "ConvertFrom-UnicodePassword" or tgt.process.cmdline contains "ConvertTo-AADHash" or tgt.process.cmdline contains "ConvertTo-GPPrefPassword" or tgt.process.cmdline contains "ConvertTo-KerberosKey" or tgt.process.cmdline contains "ConvertTo-LMHash" or tgt.process.cmdline contains "ConvertTo-MsoPasswordHash" or tgt.process.cmdline contains "ConvertTo-NTHash" or tgt.process.cmdline contains "ConvertTo-OrgIdHash" or tgt.process.cmdline contains "ConvertTo-UnicodePassword" or tgt.process.cmdline contains "Disable-ADDBAccount" or tgt.process.cmdline contains "Enable-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBBackupKey" or tgt.process.cmdline contains "Get-ADDBDomainController" or tgt.process.cmdline contains "Get-ADDBGroupManagedServiceAccount" or tgt.process.cmdline contains "Get-ADDBKdsRootKey" or tgt.process.cmdline contains "Get-ADDBSchemaAttribute" or tgt.process.cmdline contains "Get-ADDBServiceAccount" or tgt.process.cmdline contains "Get-ADDefaultPasswordPolicy" or tgt.process.cmdline contains "Get-ADKeyCredential" or tgt.process.cmdline contains "Get-ADPasswordPolicy" or tgt.process.cmdline contains "Get-ADReplAccount" or tgt.process.cmdline contains "Get-ADReplBackupKey" or tgt.process.cmdline contains "Get-ADReplicationAccount" or tgt.process.cmdline contains "Get-ADSIAccount" or tgt.process.cmdline contains "Get-AzureADUserEx" or tgt.process.cmdline contains "Get-BootKey" or tgt.process.cmdline contains "Get-KeyCredential" or tgt.process.cmdline contains "Get-LsaBackupKey" or tgt.process.cmdline contains "Get-LsaPolicy" or tgt.process.cmdline contains "Get-SamPasswordPolicy" or tgt.process.cmdline contains "Get-SysKey" or tgt.process.cmdline contains "Get-SystemKey" or tgt.process.cmdline contains "New-ADDBRestoreFromMediaScript" or tgt.process.cmdline contains "New-ADKeyCredential" or tgt.process.cmdline contains "New-ADNgcKey" or tgt.process.cmdline contains "New-NTHashSet" or tgt.process.cmdline contains "Remove-ADDBObject" or tgt.process.cmdline contains "Save-DPAPIBlob" or tgt.process.cmdline contains "Set-ADAccountPasswordHash" or tgt.process.cmdline contains "Set-ADDBAccountPassword" or tgt.process.cmdline contains "Set-ADDBBootKey" or tgt.process.cmdline contains "Set-ADDBDomainController" or tgt.process.cmdline contains "Set-ADDBPrimaryGroup" or tgt.process.cmdline contains "Set-ADDBSysKey" or tgt.process.cmdline contains "Set-AzureADUserEx" or tgt.process.cmdline contains "Set-LsaPolicy" or tgt.process.cmdline contains "Set-SamAccountPasswordHash" or tgt.process.cmdline contains "Set-WinUserPasswordHash" or tgt.process.cmdline contains "Test-ADDBPasswordQuality" or tgt.process.cmdline contains "Test-ADPasswordQuality" or tgt.process.cmdline contains "Test-ADReplPasswordQuality" or tgt.process.cmdline contains "Test-PasswordQuality" or tgt.process.cmdline contains "Unlock-ADDBAccount" or tgt.process.cmdline contains "Write-ADNgcKey" or tgt.process.cmdline contains "Write-ADReplNgcKey"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md
index 41b50048b..4d4ceb63d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Add-PSSnapin" and tgt.process.cmdline contains "Get-Recipient" and tgt.process.cmdline contains "-ExpandProperty" and tgt.process.cmdline contains "EmailAddresses" and tgt.process.cmdline contains "SmtpAddress" and tgt.process.cmdline contains "-hidetableheaders")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md
index c81f8919d..b3ca96c3a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Enable-WindowsOptionalFeature" and tgt.process.cmdline contains "-Online" and tgt.process.cmdline contains "-FeatureName") and (tgt.process.cmdline contains "TelnetServer" or tgt.process.cmdline contains "Internet-Explorer-Optional-amd64" or tgt.process.cmdline contains "TFTP" or tgt.process.cmdline contains "SMB1Protocol" or tgt.process.cmdline contains "Client-ProjFS" or tgt.process.cmdline contains "Microsoft-Windows-Subsystem-Linux")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md
index b3585f2bd..3ba975e85 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -enco" or tgt.process.cmdline contains " -ec ")) and (not (tgt.process.cmdline contains " -Encoding " or (src.process.image.path contains "C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or src.process.image.path contains "\gc_worker.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md
index df003a21d..5fb83390f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-Expression " or tgt.process.cmdline contains "Invoke-Command " or tgt.process.cmdline contains "icm ") and (tgt.process.cmdline contains "cat " or tgt.process.cmdline contains "get-content " or tgt.process.cmdline contains "type ") and tgt.process.cmdline contains " -raw"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md
index 24b2e3673..17bdaef21 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Export-PfxCertificate " or tgt.process.cmdline contains "Export-Certificate "))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md
index 0b4773d4f..2fd05a958 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::FromBase64String(")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md
index ba28416be..2f943e50f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "FromBase64String" and tgt.process.cmdline contains "MemoryStream" and tgt.process.cmdline contains "H4sI"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md
index ce3fc95df..9d7bf0a96 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Get-Clipboard")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md
index 82ee60910..236cd39c5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-LocalGroupMember " and (tgt.process.cmdline contains "domain admins" or tgt.process.cmdline contains " administrator" or tgt.process.cmdline contains " administrateur" or tgt.process.cmdline contains "enterprise admins" or tgt.process.cmdline contains "Exchange Trusted Subsystem" or tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md
index 0de9f7783..baa8ba69c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-Process lsas" or tgt.process.cmdline contains "ps lsas" or tgt.process.cmdline contains "gps lsas")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md index 4d205bccb..132cf4c73 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " | iex;" or tgt.process.cmdline contains " | iex " or tgt.process.cmdline contains " | iex}" or tgt.process.cmdline contains " | IEX ;" or tgt.process.cmdline contains " | IEX -Error" or tgt.process.cmdline contains " | IEX (new" or tgt.process.cmdline contains ");IEX ")) and (tgt.process.cmdline contains "::FromBase64String" or tgt.process.cmdline contains ".GetString([System.Convert]::")) or (tgt.process.cmdline contains ")|iex;$" or tgt.process.cmdline contains ");iex($" or tgt.process.cmdline contains ");iex $" or tgt.process.cmdline contains " | IEX | " or tgt.process.cmdline contains " | iex\\""))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md index 8d0e1eae4..59291b18c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Import-Certificate" and tgt.process.cmdline contains " -FilePath " and tgt.process.cmdline contains "Cert:\LocalMachine\Root") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains ":\Windows\TEMP\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md index 1926410d4..ad1148bee 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Import-Module \"$Env:Temp\" or tgt.process.cmdline contains "Import-Module '$Env:Temp\" or tgt.process.cmdline contains "Import-Module $Env:Temp\" or tgt.process.cmdline contains "Import-Module \"$Env:Appdata\" or tgt.process.cmdline contains "Import-Module '$Env:Appdata\" or tgt.process.cmdline contains "Import-Module $Env:Appdata\" or tgt.process.cmdline contains "Import-Module C:\Users\Public\" or tgt.process.cmdline contains "ipmo \"$Env:Temp\" or tgt.process.cmdline contains "ipmo '$Env:Temp\" or tgt.process.cmdline contains "ipmo $Env:Temp\" or tgt.process.cmdline contains "ipmo \"$Env:Appdata\" or tgt.process.cmdline contains "ipmo '$Env:Appdata\" or tgt.process.cmdline contains "ipmo $Env:Appdata\" or tgt.process.cmdline contains "ipmo C:\Users\Public\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md index a1384db8f..4513482d9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "[Convert]::FromBase64String") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-noni" and tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-ep" and tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-Enc") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "\software\") or (tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-noprofile" and tgt.process.cmdline contains "-windowstyle" and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "system.net.webclient" and tgt.process.cmdline contains ".download") or (tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object" and tgt.process.cmdline contains "Net.WebClient" and tgt.process.cmdline contains ".Download")) and (not (tgt.process.cmdline contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or tgt.process.cmdline contains "Write-ChocolateyWarning")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md index 5f54b6a89..f82b890c6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-MailboxExportRequest" and tgt.process.cmdline contains " -Mailbox " and tgt.process.cmdline contains " -FilePath \\")) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md index 3920639ad..a3fcb81fa 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-Exfiltration" or tgt.process.cmdline contains "Add-Persistence" or tgt.process.cmdline contains "Add-RegBackdoor" or tgt.process.cmdline contains "Add-RemoteRegBackdoor" or tgt.process.cmdline contains "Add-ScrnSaveBackdoor" or tgt.process.cmdline contains "Check-VM" or tgt.process.cmdline contains "ConvertTo-Rc4ByteStream" or tgt.process.cmdline contains "Decrypt-Hash" or tgt.process.cmdline contains "Disable-ADIDNSNode" or tgt.process.cmdline contains "Disable-MachineAccount" or tgt.process.cmdline contains "Do-Exfiltration" or tgt.process.cmdline contains "Enable-ADIDNSNode" or tgt.process.cmdline contains "Enable-MachineAccount" or tgt.process.cmdline contains "Enabled-DuplicateToken" or tgt.process.cmdline contains "Exploit-Jboss" or tgt.process.cmdline contains "Export-ADR" or tgt.process.cmdline contains "Export-ADRCSV" or tgt.process.cmdline contains "Export-ADRExcel" or tgt.process.cmdline contains "Export-ADRHTML" or tgt.process.cmdline contains "Export-ADRJSON" or tgt.process.cmdline contains "Export-ADRXML" or tgt.process.cmdline contains "Find-Fruit" or tgt.process.cmdline contains "Find-GPOLocation" or tgt.process.cmdline contains "Find-TrustedDocuments" or tgt.process.cmdline contains "Get-ADIDNS" or tgt.process.cmdline contains "Get-ApplicationHost" or tgt.process.cmdline contains "Get-ChromeDump" or tgt.process.cmdline contains "Get-ClipboardContents" or tgt.process.cmdline contains "Get-FoxDump" or tgt.process.cmdline contains "Get-GPPPassword" or tgt.process.cmdline contains "Get-IndexedItem" or tgt.process.cmdline contains "Get-KerberosAESKey" or tgt.process.cmdline contains "Get-Keystrokes" or tgt.process.cmdline contains "Get-LSASecret" or tgt.process.cmdline contains 
"Get-MachineAccountAttribute" or tgt.process.cmdline contains "Get-MachineAccountCreator" or tgt.process.cmdline contains "Get-PassHashes" or tgt.process.cmdline contains "Get-RegAlwaysInstallElevated" or tgt.process.cmdline contains "Get-RegAutoLogon" or tgt.process.cmdline contains "Get-RemoteBootKey" or tgt.process.cmdline contains "Get-RemoteCachedCredential" or tgt.process.cmdline contains "Get-RemoteLocalAccountHash" or tgt.process.cmdline contains "Get-RemoteLSAKey" or tgt.process.cmdline contains "Get-RemoteMachineAccountHash" or tgt.process.cmdline contains "Get-RemoteNLKMKey" or tgt.process.cmdline contains "Get-RickAstley" or tgt.process.cmdline contains "Get-Screenshot" or tgt.process.cmdline contains "Get-SecurityPackages" or tgt.process.cmdline contains "Get-ServiceFilePermission" or tgt.process.cmdline contains "Get-ServicePermission" or tgt.process.cmdline contains "Get-ServiceUnquoted" or tgt.process.cmdline contains "Get-SiteListPassword" or tgt.process.cmdline contains "Get-System" or tgt.process.cmdline contains "Get-TimedScreenshot" or tgt.process.cmdline contains "Get-UnattendedInstallFile" or tgt.process.cmdline contains "Get-Unconstrained" or tgt.process.cmdline contains "Get-USBKeystrokes" or tgt.process.cmdline contains "Get-VaultCredential" or tgt.process.cmdline contains "Get-VulnAutoRun" or tgt.process.cmdline contains "Get-VulnSchTask" or tgt.process.cmdline contains "Grant-ADIDNSPermission" or tgt.process.cmdline contains "Gupt-Backdoor" or tgt.process.cmdline contains "HTTP-Login" or tgt.process.cmdline contains "Install-ServiceBinary" or tgt.process.cmdline contains "Install-SSP" or tgt.process.cmdline contains "Invoke-ACLScanner" or tgt.process.cmdline contains "Invoke-ADRecon" or tgt.process.cmdline contains "Invoke-ADSBackdoor" or tgt.process.cmdline contains "Invoke-AgentSmith" or tgt.process.cmdline contains "Invoke-AllChecks" or tgt.process.cmdline contains "Invoke-ARPScan" or tgt.process.cmdline contains "Invoke-AzureHound" 
or tgt.process.cmdline contains "Invoke-BackdoorLNK" or tgt.process.cmdline contains "Invoke-BadPotato" or tgt.process.cmdline contains "Invoke-BetterSafetyKatz" or tgt.process.cmdline contains "Invoke-BypassUAC" or tgt.process.cmdline contains "Invoke-Carbuncle" or tgt.process.cmdline contains "Invoke-Certify" or tgt.process.cmdline contains "Invoke-ConPtyShell" or tgt.process.cmdline contains "Invoke-CredentialInjection" or tgt.process.cmdline contains "Invoke-DAFT" or tgt.process.cmdline contains "Invoke-DCSync" or tgt.process.cmdline contains "Invoke-DinvokeKatz" or tgt.process.cmdline contains "Invoke-DllInjection" or tgt.process.cmdline contains "Invoke-DNSUpdate" or tgt.process.cmdline contains "Invoke-DomainPasswordSpray" or tgt.process.cmdline contains "Invoke-DowngradeAccount" or tgt.process.cmdline contains "Invoke-EgressCheck" or tgt.process.cmdline contains "Invoke-Eyewitness" or tgt.process.cmdline contains "Invoke-FakeLogonScreen" or tgt.process.cmdline contains "Invoke-Farmer" or tgt.process.cmdline contains "Invoke-Get-RBCD-Threaded" or tgt.process.cmdline contains "Invoke-Gopher" or tgt.process.cmdline contains "Invoke-Grouper" or tgt.process.cmdline contains "Invoke-HandleKatz" or tgt.process.cmdline contains "Invoke-ImpersonatedProcess" or tgt.process.cmdline contains "Invoke-ImpersonateSystem" or tgt.process.cmdline contains "Invoke-InteractiveSystemPowerShell" or tgt.process.cmdline contains "Invoke-Internalmonologue" or tgt.process.cmdline contains "Invoke-Inveigh" or tgt.process.cmdline contains "Invoke-InveighRelay" or tgt.process.cmdline contains "Invoke-KrbRelay" or tgt.process.cmdline contains "Invoke-LdapSignCheck" or tgt.process.cmdline contains "Invoke-Lockless" or tgt.process.cmdline contains "Invoke-MalSCCM" or tgt.process.cmdline contains "Invoke-Mimikatz" or tgt.process.cmdline contains "Invoke-Mimikittenz" or tgt.process.cmdline contains "Invoke-MITM6" or tgt.process.cmdline contains "Invoke-NanoDump" or tgt.process.cmdline 
contains "Invoke-NetRipper" or tgt.process.cmdline contains "Invoke-Nightmare" or tgt.process.cmdline contains "Invoke-NinjaCopy" or tgt.process.cmdline contains "Invoke-OfficeScrape" or tgt.process.cmdline contains "Invoke-OxidResolver" or tgt.process.cmdline contains "Invoke-P0wnedshell" or tgt.process.cmdline contains "Invoke-Paranoia" or tgt.process.cmdline contains "Invoke-PortScan" or tgt.process.cmdline contains "Invoke-PoshRatHttp" or tgt.process.cmdline contains "Invoke-PostExfil" or tgt.process.cmdline contains "Invoke-PowerDump" or tgt.process.cmdline contains "Invoke-PowerShellTCP" or tgt.process.cmdline contains "Invoke-PowerShellWMI" or tgt.process.cmdline contains "Invoke-PPLDump" or tgt.process.cmdline contains "Invoke-PsExec" or tgt.process.cmdline contains "Invoke-PSInject" or tgt.process.cmdline contains "Invoke-PsUaCme" or tgt.process.cmdline contains "Invoke-ReflectivePEInjection" or tgt.process.cmdline contains "Invoke-ReverseDNSLookup" or tgt.process.cmdline contains "Invoke-Rubeus" or tgt.process.cmdline contains "Invoke-RunAs" or tgt.process.cmdline contains "Invoke-SafetyKatz" or tgt.process.cmdline contains "Invoke-SauronEye" or tgt.process.cmdline contains "Invoke-SCShell" or tgt.process.cmdline contains "Invoke-Seatbelt" or tgt.process.cmdline contains "Invoke-ServiceAbuse" or tgt.process.cmdline contains "Invoke-ShadowSpray" or tgt.process.cmdline contains "Invoke-Sharp" or tgt.process.cmdline contains "Invoke-Shellcode" or tgt.process.cmdline contains "Invoke-SMBScanner" or tgt.process.cmdline contains "Invoke-Snaffler" or tgt.process.cmdline contains "Invoke-Spoolsample" or tgt.process.cmdline contains "Invoke-SpraySinglePassword" or tgt.process.cmdline contains "Invoke-SSHCommand" or tgt.process.cmdline contains "Invoke-StandIn" or tgt.process.cmdline contains "Invoke-StickyNotesExtract" or tgt.process.cmdline contains "Invoke-SystemCommand" or tgt.process.cmdline contains "Invoke-Tasksbackdoor" or tgt.process.cmdline contains 
"Invoke-Tater" or tgt.process.cmdline contains "Invoke-Thunderfox" or tgt.process.cmdline contains "Invoke-ThunderStruck" or tgt.process.cmdline contains "Invoke-TokenManipulation" or tgt.process.cmdline contains "Invoke-Tokenvator" or tgt.process.cmdline contains "Invoke-TotalExec" or tgt.process.cmdline contains "Invoke-UrbanBishop" or tgt.process.cmdline contains "Invoke-UserHunter" or tgt.process.cmdline contains "Invoke-VoiceTroll" or tgt.process.cmdline contains "Invoke-Whisker" or tgt.process.cmdline contains "Invoke-WinEnum" or tgt.process.cmdline contains "Invoke-winPEAS" or tgt.process.cmdline contains "Invoke-WireTap" or tgt.process.cmdline contains "Invoke-WmiCommand" or tgt.process.cmdline contains "Invoke-WMIExec" or tgt.process.cmdline contains "Invoke-WScriptBypassUAC" or tgt.process.cmdline contains "Invoke-Zerologon" or tgt.process.cmdline contains "MailRaider" or tgt.process.cmdline contains "New-ADIDNSNode" or tgt.process.cmdline contains "New-DNSRecordArray" or tgt.process.cmdline contains "New-HoneyHash" or tgt.process.cmdline contains "New-InMemoryModule" or tgt.process.cmdline contains "New-MachineAccount" or tgt.process.cmdline contains "New-SOASerialNumberArray" or tgt.process.cmdline contains "Out-Minidump" or tgt.process.cmdline contains "Port-Scan" or tgt.process.cmdline contains "PowerBreach" or tgt.process.cmdline contains "powercat " or tgt.process.cmdline contains "PowerUp" or tgt.process.cmdline contains "PowerView" or tgt.process.cmdline contains "Remove-ADIDNSNode" or tgt.process.cmdline contains "Remove-MachineAccount" or tgt.process.cmdline contains "Remove-Update" or tgt.process.cmdline contains "Rename-ADIDNSNode" or tgt.process.cmdline contains "Revoke-ADIDNSPermission" or tgt.process.cmdline contains "Set-ADIDNSNode" or tgt.process.cmdline contains "Set-MacAttribute" or tgt.process.cmdline contains "Set-MachineAccountAttribute" or tgt.process.cmdline contains "Set-Wallpaper" or tgt.process.cmdline contains 
"Show-TargetScreen" or tgt.process.cmdline contains "Start-CaptureServer" or tgt.process.cmdline contains "Start-Dnscat2" or tgt.process.cmdline contains "Start-WebcamRecorder" or tgt.process.cmdline contains "VolumeShadowCopyTools")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md index 140ff7c1e..d5a4f764e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Install-TransportAgent") | columns AssemblyPath ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md index dc6a2d21b..e291c3101 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "(WCHAR)0x") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md index 0ef8d54db..7becf51e2 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "-f C:\Users\Public" or tgt.process.cmdline contains "-f \"C:\Users\Public" or tgt.process.cmdline contains "-f %Public%" or tgt.process.cmdline contains "-fi C:\Users\Public" or tgt.process.cmdline contains "-fi \"C:\Users\Public" or tgt.process.cmdline contains "-fi %Public%" or tgt.process.cmdline contains "-fil C:\Users\Public" or tgt.process.cmdline contains "-fil \"C:\Users\Public" or tgt.process.cmdline contains "-fil %Public%" or tgt.process.cmdline contains "-file C:\Users\Public" or tgt.process.cmdline contains "-file \"C:\Users\Public" or tgt.process.cmdline contains "-file %Public%"))) | columns tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md index 6c0f6bf2c..61a58b267 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisableme")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md index a3b0b04f3..590bd9004 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Remove-MpPreference" and (tgt.process.cmdline contains "-ControlledFolderAccessProtectedFolders " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Ids " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Actions " or tgt.process.cmdline contains "-CheckForSignaturesBeforeRunningScan "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md index e0cb22717..e4c84f06c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Get-Content" and tgt.process.cmdline contains "-Stream"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md index ea5042b0c..f6bf522d6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline matches "\\s-\\s*<")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md index 464e1c20b..985d49bf6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\HarddiskVolumeShadowCopy" and tgt.process.cmdline contains "System32\config\sam") and (tgt.process.cmdline contains "Copy-Item" or tgt.process.cmdline contains "cp $_." or tgt.process.cmdline contains "cpi $_." or tgt.process.cmdline contains "copy $_." or tgt.process.cmdline contains ".File]::Copy("))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md index 9b2d6f73d..331ad0395 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not tgt.process.image.path contains "\Health Service State\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md index d6be2a7b5..574c79e99 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Get-WmiObject" or tgt.process.cmdline contains "gwmi" or tgt.process.cmdline contains "Get-CimInstance" or tgt.process.cmdline contains "gcim") and tgt.process.cmdline contains "Win32_ShadowCopy" and (tgt.process.cmdline contains ".Delete()" or tgt.process.cmdline contains "Remove-WmiObject" or tgt.process.cmdline contains "rwmi" or tgt.process.cmdline contains "Remove-CimInstance" or tgt.process.cmdline contains "rcim"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md index ace75fbc5..22c9cb34d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IEX ((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX (New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX(New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains " -command (New-Object System.Net.WebClient).DownloadFile(" or tgt.process.cmdline contains " -c (New-Object System.Net.WebClient).DownloadFile(")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md index ab053aca7..9d955159a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -windowstyle h " or tgt.process.cmdline contains " -windowstyl h" or tgt.process.cmdline contains " -windowsty h" or tgt.process.cmdline contains " -windowst h" or tgt.process.cmdline contains " -windows h" or tgt.process.cmdline contains " -windo h" or tgt.process.cmdline contains " -wind h" or tgt.process.cmdline contains " -win h" or tgt.process.cmdline contains " -wi h" or tgt.process.cmdline contains " -win h " or tgt.process.cmdline contains " -win hi " or tgt.process.cmdline contains " -win hid " or tgt.process.cmdline contains " -win hidd " or tgt.process.cmdline contains " -win hidde " or tgt.process.cmdline contains " -NoPr " or tgt.process.cmdline contains " -NoPro " or tgt.process.cmdline contains " -NoProf " or tgt.process.cmdline contains " -NoProfi " or tgt.process.cmdline contains " -NoProfil " or tgt.process.cmdline contains " -nonin " or tgt.process.cmdline contains " -nonint " or tgt.process.cmdline contains " -noninte " or tgt.process.cmdline contains " -noninter " or tgt.process.cmdline contains " -nonintera " or tgt.process.cmdline contains " -noninterac " or tgt.process.cmdline contains " -noninteract " or tgt.process.cmdline contains " -noninteracti " or tgt.process.cmdline contains " -noninteractiv " or tgt.process.cmdline contains " -ec " or tgt.process.cmdline contains " -encodedComman " or tgt.process.cmdline contains " -encodedComma " or tgt.process.cmdline contains " -encodedComm " or tgt.process.cmdline contains " -encodedCom " or tgt.process.cmdline contains " -encodedCo " or tgt.process.cmdline contains " -encodedC " or tgt.process.cmdline contains " -encoded " or 
tgt.process.cmdline contains " -encode " or tgt.process.cmdline contains " -encod " or tgt.process.cmdline contains " -enco " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -executionpolic " or tgt.process.cmdline contains " -executionpoli " or tgt.process.cmdline contains " -executionpol " or tgt.process.cmdline contains " -executionpo " or tgt.process.cmdline contains " -executionp " or tgt.process.cmdline contains " -execution bypass" or tgt.process.cmdline contains " -executio bypass" or tgt.process.cmdline contains " -executi bypass" or tgt.process.cmdline contains " -execut bypass" or tgt.process.cmdline contains " -execu bypass" or tgt.process.cmdline contains " -exec bypass" or tgt.process.cmdline contains " -exe bypass" or tgt.process.cmdline contains " -ex bypass" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " /windowstyle h " or tgt.process.cmdline contains " /windowstyl h" or tgt.process.cmdline contains " /windowsty h" or tgt.process.cmdline contains " /windowst h" or tgt.process.cmdline contains " /windows h" or tgt.process.cmdline contains " /windo h" or tgt.process.cmdline contains " /wind h" or tgt.process.cmdline contains " /win h" or tgt.process.cmdline contains " /wi h" or tgt.process.cmdline contains " /win h " or tgt.process.cmdline contains " /win hi " or tgt.process.cmdline contains " /win hid " or tgt.process.cmdline contains " /win hidd " or tgt.process.cmdline contains " /win hidde " or tgt.process.cmdline contains " /NoPr " or tgt.process.cmdline contains " /NoPro " or tgt.process.cmdline contains " /NoProf " or tgt.process.cmdline contains " /NoProfi " or tgt.process.cmdline contains " /NoProfil " or tgt.process.cmdline contains " /nonin " or tgt.process.cmdline contains " /nonint " or tgt.process.cmdline contains " /noninte " or tgt.process.cmdline contains " /noninter " or tgt.process.cmdline contains " /nonintera " or tgt.process.cmdline contains " /noninterac " or 
tgt.process.cmdline contains " /noninteract " or tgt.process.cmdline contains " /noninteracti " or tgt.process.cmdline contains " /noninteractiv " or tgt.process.cmdline contains " /ec " or tgt.process.cmdline contains " /encodedComman " or tgt.process.cmdline contains " /encodedComma " or tgt.process.cmdline contains " /encodedComm " or tgt.process.cmdline contains " /encodedCom " or tgt.process.cmdline contains " /encodedCo " or tgt.process.cmdline contains " /encodedC " or tgt.process.cmdline contains " /encoded " or tgt.process.cmdline contains " /encode " or tgt.process.cmdline contains " /encod " or tgt.process.cmdline contains " /enco " or tgt.process.cmdline contains " /en " or tgt.process.cmdline contains " /executionpolic " or tgt.process.cmdline contains " /executionpoli " or tgt.process.cmdline contains " /executionpol " or tgt.process.cmdline contains " /executionpo " or tgt.process.cmdline contains " /executionp " or tgt.process.cmdline contains " /execution bypass" or tgt.process.cmdline contains " /executio bypass" or tgt.process.cmdline contains " /executi bypass" or tgt.process.cmdline contains " /execut bypass" or tgt.process.cmdline contains " /execu bypass" or tgt.process.cmdline contains " /exec bypass" or tgt.process.cmdline contains " /exe bypass" or tgt.process.cmdline contains " /ex bypass" or tgt.process.cmdline contains " /ep bypass"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md index b141c8ef2..99a5dda7c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "powershell.exe" or tgt.process.cmdline contains "\powershell" or tgt.process.cmdline contains "\pwsh" or tgt.process.cmdline contains "pwsh.exe") and ((tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "\AppData\") and (tgt.process.cmdline contains "Local\" or tgt.process.cmdline contains "Roaming\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md index e6a997566..7b9a94ea9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".DownloadFile" and tgt.process.cmdline contains "System.Net.WebClient")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md index d200fc4a5..081ca07fc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline matches "\\w+`(\\w+|-|.)`[\\w+|\\s]" or tgt.process.cmdline matches ""(\\{\\d\\})+"\\s*-f" or tgt.process.cmdline matches "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not tgt.process.cmdline contains "${env:path}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md index 37e90f026..088c3790a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "X509Enrollment.CBinaryConverter" or tgt.process.cmdline contains "884e2002-217d-11da-b2a4-000e7bbb2b09")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md index f61a51956..f1efc1022 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md 
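Review bot: The second pattern in the token-obfuscation query, `tgt.process.cmdline matches ""(\\{\\d\\})+"\\s*-f"`, has unescaped double quotes inside a double-quoted literal, so the literal ends after `""` and the remainder is unlikely to parse; this hunk only bumps the translation timestamp, so the defect is pre-existing in the generated output. Elsewhere on this page the translator does escape embedded quotes (the adfind rule writes `name=\"Domain Admins\"`), which suggests a translation gap rather than intent; the escaped form would presumably be `tgt.process.cmdline matches "\"(\\{\\d\\})+\"\\s*-f"`. Since the file is regenerated automatically, the fix belongs in the translator and the regenerated query should be validated after the next run, because a rule that fails to parse silently disables the whole detection rather than just the one clause.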
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath $env:TEMP*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*:\Windows\Temp\*")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md index 121277b22..7e0bded72 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\Microsoft.NodejsTools.PressAnyKey.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md index ba9b0cd2e..e5f1b5128 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\print.exe" and tgt.process.cmdline contains "print" and (tgt.process.cmdline contains "/D" and tgt.process.cmdline contains ".exe")) and (not tgt.process.cmdline contains "print.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md index 1bf5dfc0d..7151b99cc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and (not ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md index 76b55ae01..6c52c99b3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md index efcf9d6db..0a688e400 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Psr.exe" and (tgt.process.cmdline contains "/start" or tgt.process.cmdline contains "-start"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md index c53bc7275..0941cd156 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\3proxy.exe" or tgt.process.displayName="3proxy - tiny proxy server" or tgt.process.cmdline contains ".exe -i127.0.0.1 -p")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md index a2cf58df3..443b4e71a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lockoutduration" or tgt.process.cmdline contains "lockoutthreshold" or tgt.process.cmdline contains "lockoutobservationwindow" or tgt.process.cmdline contains "maxpwdage" or tgt.process.cmdline contains "minpwdage" or tgt.process.cmdline contains "minpwdlength" or tgt.process.cmdline contains "pwdhistorylength" or tgt.process.cmdline contains "pwdproperties") or tgt.process.cmdline contains "-sc admincountdmp" or tgt.process.cmdline contains "-sc exchaddresses")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md index 0eb2f3418..761558877 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "domainlist" or tgt.process.cmdline contains "trustdmp" or tgt.process.cmdline contains "dcmodes" or tgt.process.cmdline contains "adinfo" or tgt.process.cmdline contains " dclist " or tgt.process.cmdline contains "computer_pwdnotreqd" or tgt.process.cmdline contains "objectcategory=" or tgt.process.cmdline contains "-subnets -f" or tgt.process.cmdline contains "name=\"Domain Admins\"" or tgt.process.cmdline contains "-sc u:" or tgt.process.cmdline contains "domainncs" or tgt.process.cmdline contains "dompol" or tgt.process.cmdline contains " oudmp " or tgt.process.cmdline contains "subnetdmp" or tgt.process.cmdline contains "gpodmp" or tgt.process.cmdline contains "fspdmp" or tgt.process.cmdline contains "users_noexpire" or tgt.process.cmdline contains "computers_active" or tgt.process.cmdline contains "computers_pwdnotreqd")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md index 3855dfd2a..3b2f1d956 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/EXEFilename" or tgt.process.cmdline contains "/CommandLine") and ((tgt.process.cmdline contains " /RunAs 8 " or tgt.process.cmdline contains " /RunAs 4 " or tgt.process.cmdline contains " /RunAs 10 " or tgt.process.cmdline contains " /RunAs 11 ") or (tgt.process.cmdline contains "/RunAs 8" or tgt.process.cmdline contains "/RunAs 4" or tgt.process.cmdline contains "/RunAs 10" or tgt.process.cmdline contains "/RunAs 11")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md index abeae2dae..56992a819 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chisel.exe" or ((tgt.process.cmdline contains "exe client " or tgt.process.cmdline contains "exe server ") and (tgt.process.cmdline contains "-socks5" or tgt.process.cmdline contains "-reverse" or tgt.process.cmdline contains " r:" or tgt.process.cmdline contains ":127.0.0.1:" or tgt.process.cmdline contains "-tls-skip-verify " or tgt.process.cmdline contains ":socks")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md index f3a48703c..94bb510f7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SepRemovalToolNative_x64.exe" or (tgt.process.image.path contains "\CATClean.exe" and tgt.process.cmdline contains "--uninstall") or (tgt.process.image.path contains "\NetInstaller.exe" and tgt.process.cmdline contains "-r") or (tgt.process.image.path contains "\WFPUnins.exe" and (tgt.process.cmdline contains "/uninstall" and tgt.process.cmdline contains "/enterprise")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md index a9dd81edd..e5d0d6ed7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csexec.exe" or tgt.process.displayName="csexec")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md index 9b297579e..0cf36eabd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DefenderCheck.exe" or tgt.process.displayName="DefenderCheck")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md index 4860a692a..6f2f247b4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ditsnap.exe" or tgt.process.cmdline contains "ditsnap.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md index 1f3089701..182ca68e4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName contains "Mouse Lock" or tgt.process.publisher contains "Misc314" or tgt.process.cmdline contains "Mouse Lock_")) | columns tgt.process.displayName,tgt.process.publisher,tgt.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md index db230e6ff..76ed2c4c1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\nc.exe" or tgt.process.image.path contains "\ncat.exe" or tgt.process.image.path contains "\netcat.exe") or (tgt.process.cmdline contains " -lvp " or tgt.process.cmdline contains " -lvnp" or tgt.process.cmdline contains " -l -v -p " or tgt.process.cmdline contains " -lv -p " or tgt.process.cmdline contains " -l --proxy-type http " or tgt.process.cmdline contains " -vnl --exec " or tgt.process.cmdline contains " -vnl -e " or tgt.process.cmdline contains " --lua-exec " or tgt.process.cmdline contains " --sh-exec "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md index 7989411e6..42d059118 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\netscan.exe" or tgt.process.displayName="Network Scanner" or tgt.process.displayName="Application for scanning networks")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md index 32be59fb5..cdd20ac82 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tcp 139" or tgt.process.cmdline contains " tcp 445" or tgt.process.cmdline contains " tcp 3389" or tgt.process.cmdline contains " tcp 5985" or tgt.process.cmdline contains " tcp 5986") or (tgt.process.cmdline contains " start " and tgt.process.cmdline contains "--all" and tgt.process.cmdline contains "--config" and tgt.process.cmdline contains ".yml") or (tgt.process.image.path contains "ngrok.exe" and (tgt.process.cmdline contains " tcp " or tgt.process.cmdline contains " http " or tgt.process.cmdline contains " authtoken ")) or (tgt.process.cmdline contains ".exe authtoken " or tgt.process.cmdline contains ".exe start --all"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md index 893f53206..0bb18cad7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " runassystem ") | columns tgt.process.cmdline,src.process.cmdline ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md index 64d562b4f..795f0430e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rcedit-x64.exe" or tgt.process.image.path contains "\rcedit-x86.exe") or tgt.process.displayName="Edit resources of exe" or tgt.process.displayName="rcedit") and tgt.process.cmdline contains "--set-" and (tgt.process.cmdline contains "OriginalFileName" or tgt.process.cmdline contains "CompanyName" or tgt.process.cmdline contains "FileDescription" or tgt.process.cmdline contains "ProductName" or tgt.process.cmdline contains "ProductVersion" or tgt.process.cmdline contains "LegalCopyright"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md index 5e7231af2..b3ef09974 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "--config " and tgt.process.cmdline contains "--no-check-certificate " and tgt.process.cmdline contains " copy ") or ((tgt.process.image.path contains "\rclone.exe" or tgt.process.displayName="Rsync for cloud storage") and (tgt.process.cmdline contains "pass" or tgt.process.cmdline contains "user" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "sync" or tgt.process.cmdline contains "config" or tgt.process.cmdline contains "lsd" or tgt.process.cmdline contains "remote" or tgt.process.cmdline contains "ls" or tgt.process.cmdline contains "mega" or tgt.process.cmdline contains "pcloud" or tgt.process.cmdline contains "ftp" or tgt.process.cmdline contains "ignore-existing" or tgt.process.cmdline contains "auto-confirm" or tgt.process.cmdline contains "transfers" or tgt.process.cmdline contains "multi-thread-streams" or tgt.process.cmdline contains "no-check-certificate ")))) | columns tgt.process.cmdline,src.process.cmdline,Details ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md index e9602b9c3..bf94d2a38 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /account=system " or tgt.process.cmdline contains " /account=ti ") and tgt.process.cmdline contains "/exec=")) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md index 6ef3636d1..2c1931609 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Web Browser Password Viewer" or tgt.process.image.path contains "\WebBrowserPassView.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md index cb95253d7..348f41904 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\python.exe" and tgt.process.cmdline contains "adidnsdump")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md index 2c7fd1a6d..2a41c6b6d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "python.exe" or tgt.process.image.path contains "python3.exe" or tgt.process.image.path contains "python2.exe") and ((tgt.process.cmdline contains "import pty" and tgt.process.cmdline contains ".spawn(") or tgt.process.cmdline contains "from pty import spawn"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md index 4e0007f4f..35d84561e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-m 1M" or tgt.process.cmdline contains "-m 2M" or tgt.process.cmdline contains "-m 3M") and (tgt.process.cmdline contains "restrict=off" and tgt.process.cmdline contains "-netdev " and tgt.process.cmdline contains "connect=" and tgt.process.cmdline contains "-nographic")) and (not (tgt.process.cmdline contains " -cdrom " or tgt.process.cmdline contains " type=virt " or tgt.process.cmdline contains " -blockdev ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md index c874e262e..daf56bc6f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains ":\Windows\System32\query.exe" and (tgt.process.cmdline contains "session >" or tgt.process.cmdline contains "process >"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md index ef73ca4b5..23e33e60b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rar.exe" and tgt.process.cmdline contains " a ")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md index ac00615cf..616884807 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -hp" and (tgt.process.cmdline contains " -m" or tgt.process.cmdline contains " a "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md index debf1641b..84f346c7f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.displayName="Command line RAR") or (tgt.process.cmdline contains ".exe a " or tgt.process.cmdline contains " a -m")) and ((tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " -r ") and (tgt.process.cmdline="* *:\\*.*" or tgt.process.cmdline="* *:\\\*.*" or tgt.process.cmdline="* *:\$Recycle.bin\*" or tgt.process.cmdline="* *:\PerfLogs\*" or tgt.process.cmdline="* *:\Temp*" or tgt.process.cmdline="* *:\Users\Public\*" or tgt.process.cmdline="* *:\Windows\*" or tgt.process.cmdline contains " %public%"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
index ae458cfa2..546a5119e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "rasdial.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
index b50f55b52..0a6136836 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains " ADD " and tgt.process.cmdline contains "Software\Microsoft\Windows\CurrentVersion\Run"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
index 3e73b47c4..29e03618c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "REG" and tgt.process.cmdline contains "ADD" and tgt.process.cmdline contains "\SOFTWARE\Policies\Microsoft\FVE" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/f") and (tgt.process.cmdline contains "EnableBDEWithNoTPM" or tgt.process.cmdline contains "UseAdvancedStartup" or tgt.process.cmdline contains "UseTPM" or tgt.process.cmdline contains "UseTPMKey" or tgt.process.cmdline contains "UseTPMKeyPIN" or tgt.process.cmdline contains "RecoveryKeyMessageSource" or tgt.process.cmdline contains "UseTPMPIN" or tgt.process.cmdline contains "RecoveryKeyMessage")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
index 54ad00b73..ff37d184e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "scecli\0" and tgt.process.cmdline contains "reg add"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
index 37b1fa51e..4c2f71123 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" or tgt.process.cmdline contains "SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths") and (tgt.process.cmdline contains "ADD " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_DWORD " and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "0")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
index 58c153569..b021e0255 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and tgt.process.cmdline contains "add") and (tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Windows" or tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" or tgt.process.cmdline contains "\system\CurrentControlSet\Control\SafeBoot\AlternateShell"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
index 84a33e313..71b5e3bbf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add") and ((tgt.process.cmdline contains "d 4" and tgt.process.cmdline contains "v Start") and (tgt.process.cmdline contains "\AppIDSvc" or tgt.process.cmdline contains "\MsMpSvc" or tgt.process.cmdline contains "\NisSrv" or tgt.process.cmdline contains "\SecurityHealthService" or tgt.process.cmdline contains "\Sense" or tgt.process.cmdline contains "\UsoSvc" or tgt.process.cmdline contains "\WdBoot" or tgt.process.cmdline contains "\WdFilter" or tgt.process.cmdline contains "\WdNisDrv" or tgt.process.cmdline contains "\WdNisSvc" or tgt.process.cmdline contains "\WinDefend" or tgt.process.cmdline contains "\wscsvc" or tgt.process.cmdline contains "\wuauserv"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
index 525bbbbdd..c7c67bb1a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains " query " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_SZ" and tgt.process.cmdline contains "/s")) and ((tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKLM") or (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKCU") or tgt.process.cmdline contains "HKCU\Software\SimonTatham\PuTTY\Sessions")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
index a3bcf2c0a..1bfbe903c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa\" and tgt.process.cmdline contains "DisableRestrictedAdmin"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
index 6ac6ef691..4cc4caf63 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Cryptography" and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "MachineGuid")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
index bad4024d6..ec88dea40 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "NoLMHash" and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
index de0af485c..40ca3c6a5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/ve " and tgt.process.cmdline contains "/d") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "DelegateExecute") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
index 295499a40..7d7d55b15 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "HKEY_CURRENT_USER\Control Panel\Desktop" or tgt.process.cmdline contains "HKCU\Control Panel\Desktop")) and ((tgt.process.cmdline contains "/v ScreenSaveActive" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 1" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaveTimeout" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaverIsSecure" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 0" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v SCRNSAVE.EXE" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains ".scr" and tgt.process.cmdline contains "/f"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
index 0357834d5..262b171a4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "add " and tgt.process.cmdline contains "SYSTEM\CurrentControlSet\Services\" and tgt.process.cmdline contains " ImagePath ")) and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " –d " or tgt.process.cmdline contains " —d " or tgt.process.cmdline contains " ―d ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
index 4ee60372d..2c8e034a6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "query" and tgt.process.cmdline contains "\software\" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "svcversion")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
index df585e4c5..12da1ff26 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Services\VSS\Diag" and tgt.process.cmdline contains "/d Disabled"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
index 938cac3d8..008166e27 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control" and tgt.process.cmdline contains "Write Protection" and tgt.process.cmdline contains "0" and tgt.process.cmdline contains "storage"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
index 96a57649c..ef19b79d9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\regedit.exe" and (src.process.image.path contains "\TrustedInstaller.exe" or src.process.image.path contains "\ProcessHacker.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
index 2065832b0..de1a19c2e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\register-cimprovider.exe" and (tgt.process.cmdline contains "-path" and tgt.process.cmdline contains "dll"))) | columns tgt.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
index 5c1c02007..3d0ef8d79 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\Sessions" or tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\SshHostKeys\" or tgt.process.cmdline contains "\Software\Mobatek\MobaXterm\" or tgt.process.cmdline contains "\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin" or tgt.process.cmdline contains "\Software\Aerofox\FoxmailPreview" or tgt.process.cmdline contains "\Software\Aerofox\Foxmail\V3.1" or tgt.process.cmdline contains "\Software\IncrediMail\Identities" or tgt.process.cmdline contains "\Software\Qualcomm\Eudora\CommandLine" or tgt.process.cmdline contains "\Software\RimArts\B2\Settings" or tgt.process.cmdline contains "\Software\OpenVPN-GUI\configs" or tgt.process.cmdline contains "\Software\Martin Prikryl\WinSCP 2\Sessions" or tgt.process.cmdline contains "\Software\FTPWare\COREFTP\Sites" or tgt.process.cmdline contains "\Software\DownloadManager\Passwords" or tgt.process.cmdline contains "\Software\OpenSSH\Agent\Keys" or tgt.process.cmdline contains "\Software\TightVNC\Server" or tgt.process.cmdline contains "\Software\ORL\WinVNC3\Password" or tgt.process.cmdline contains "\Software\RealVNC\WinVNC4"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
index a84a5011b..462574bdc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" and tgt.process.cmdline contains "http" and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
index af50622b2..5349596f7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\CurrentVersion\Image File Execution Options\" and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "magnify.exe" or tgt.process.cmdline contains "narrator.exe" or tgt.process.cmdline contains "displayswitch.exe" or tgt.process.cmdline contains "atbroker.exe" or tgt.process.cmdline contains "HelpPane.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
index 034519eee..9c07c36c7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "UserInitMprLogonScript")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
index dbe210f4d..47862def8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Services\" and tgt.process.cmdline contains "\NetworkProvider"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
index 93580b4e3..58c4b8b0f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Office\" and tgt.process.cmdline contains "\Excel\Security" and tgt.process.cmdline contains "PythonFunctionWarnings") and tgt.process.cmdline contains " 0"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
index 58acfb524..6210b5744 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.integrityLevel="Medium" and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "services") and (tgt.process.cmdline contains "\ImagePath" or tgt.process.cmdline contains "\FailureCommand" or tgt.process.cmdline contains "\ServiceDll")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
index c4c2ea986..57a398086 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SOFTWARE\Microsoft\Provisioning\Commands\")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
index ba2d052fa..868316702 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\ShellIds\Microsoft.PowerShell\ExecutionPolicy" or tgt.process.cmdline contains "\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy") and (tgt.process.cmdline contains "Bypass" or tgt.process.cmdline contains "RemoteSigned" or tgt.process.cmdline contains "Unrestricted")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
index 1bd1fba8c..ddd7407a6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/d 0")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
index 2bb224de4..3f69688e4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
index 1e5350530..c4c00f1f7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\regsvr32.exe" and (tgt.process.cmdline contains " -i:" or tgt.process.cmdline contains " /i:" or tgt.process.cmdline contains " –i:" or tgt.process.cmdline contains " —i:" or tgt.process.cmdline contains " ―i:")) and (not tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
index c32806c04..6c6273201 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\regsvr32.exe" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\werfault.exe" and tgt.process.cmdline contains " -u -p ")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md index 44472b76c..b165c0c52 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell_ise.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\wscript.exe") and tgt.process.image.path contains "\regsvr32.exe") and (not (src.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains " /s C:\Windows\System32\RpcProxy\RpcProxy.dll")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md index 5e58cb21a..43ecd8f02 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md index 6803b37e1..986eb174c 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "echo " and tgt.process.cmdline contains ".exe --set-password")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md index 14ea9af9f..f57b671a7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--install" and tgt.process.cmdline contains "--start-with-win" and tgt.process.cmdline contains "--silent")) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md index 9bf9b95a4..c0d8d2a30 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH") and (not (tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "Program Files (x86)\AnyDesk" or tgt.process.image.path contains "Program Files\AnyDesk")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md index de508fc39..65e05917a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="GoTo Opener" or tgt.process.displayName="GoTo Opener" or tgt.process.publisher="LogMeIn, Inc.")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md index ed2b34c17..085d08701 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="LMIGuardianSvc" or tgt.process.displayName="LMIGuardianSvc" or tgt.process.publisher="LogMeIn, Inc.")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md index c7e3f8e2e..db1111ec9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\meshagent.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md index cb37fbd3d..c344faf95 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe") or tgt.process.displayName="Remote Utilities") and (not (tgt.process.image.path contains "C:\Program Files\Remote Utilities" or tgt.process.image.path contains "C:\Program Files (x86)\Remote Utilities")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md index 53ecf4462..6f082a1b6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="ScreenConnect Service" or tgt.process.displayName="ScreenConnect" or tgt.process.publisher="ScreenConnect Software")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md index 9d7100e9a..b075bd6e7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "e=Access&" and tgt.process.cmdline contains "y=Guest&" and tgt.process.cmdline contains "&p=" and tgt.process.cmdline contains "&c=" and tgt.process.cmdline contains "&k=")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md index 49265d612..c2047ee3f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains ":\Windows\TEMP\ScreenConnect\" and src.process.cmdline contains "run.cmd") and (tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wevtutil.exe"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md index 9163f8f39..1dad09551 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\ScreenConnect.Service.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md index 84cdbadb9..16f271abf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\JWrapper-Remote Access\" or tgt.process.image.path contains "\JWrapper-Remote Support\") and tgt.process.image.path contains "\SimpleService.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md index 4cb2547cd..8cdb8fba8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="TeamViewer_Desktop.exe" and src.process.image.path="TeamViewer_Service.exe" and tgt.process.cmdline contains "TeamViewer_Desktop.exe --IPCport 5939 --Module 1")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md index 6e03e2a84..9df6509ff 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "time") or (tgt.process.image.path contains "\w32tm.exe" and tgt.process.cmdline contains "tz"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md index b04974c17..b6501a518 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName in ("Java Update Scheduler","Java(TM) Update Scheduler")) and (not tgt.process.image.path contains "\jusched.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md index a89fdeae0..984556301 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "DllRegisterServer" and (not tgt.process.image.path contains "\rundll32.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md index 1b371b1de..a0abddd3a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Remote Utilities" and (not (tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md index d756f9375..d05bbdb2e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rpcping.exe" and (tgt.process.cmdline contains "-s" or tgt.process.cmdline contains "/s" or tgt.process.cmdline contains "–s" or tgt.process.cmdline contains "—s" or tgt.process.cmdline contains "―s") and (((tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u") and (tgt.process.cmdline contains "NTLM")) or ((tgt.process.cmdline contains "-t" or tgt.process.cmdline contains "/t" or tgt.process.cmdline contains "–t" or tgt.process.cmdline contains "—t" or tgt.process.cmdline contains "―t") and (tgt.process.cmdline contains "ncacn_np"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md index 1b0351673..e4904f899 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains "Execute" and tgt.process.cmdline contains "RegRead" and tgt.process.cmdline contains "window.close")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md index ac5a87d64..6b7da5719 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\..\" and tgt.process.cmdline contains "mshtml") and (tgt.process.cmdline contains "#135" or tgt.process.cmdline contains "RunHTMLApplication"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md index e649a4dda..57155e182 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\rundll32.exe" or tgt.process.cmdline contains "\rundll32.exe\"" or tgt.process.cmdline contains "\rundll32") and (not (src.process.image.path contains "\AppData\Local\" or src.process.image.path contains "\Microsoft\Edge\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md index 4d6442aec..cc38e1034 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\RECYCLER\" or tgt.process.image.path contains ":\SystemVolumeInformation\") or (tgt.process.image.path contains "C:\Windows\Tasks\" or tgt.process.image.path contains "C:\Windows\debug\" or tgt.process.image.path contains "C:\Windows\fonts\" or tgt.process.image.path contains "C:\Windows\help\" or tgt.process.image.path contains "C:\Windows\drivers\" or tgt.process.image.path contains "C:\Windows\addins\" or tgt.process.image.path contains "C:\Windows\cursors\" or tgt.process.image.path contains "C:\Windows\system32\tasks\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md index 6b6ec7d95..b5b242f46 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\runonce.exe" and src.process.image.path contains "\rundll32.exe" and (src.process.cmdline contains "setupapi.dll" and src.process.cmdline contains "InstallHinfSection"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md index 5240da941..326bfeb2d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\rundll32.exe" and tgt.process.image.path contains "\explorer.exe") and (not src.process.cmdline contains "\shell32.dll,Control_RunDLL"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md index b5ff86e33..778063926 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "javascript:" and tgt.process.cmdline contains ".RegisterXLL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURLA") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "FileProtocolHandler") or (tgt.process.cmdline contains "zipfldr.dll" and tgt.process.cmdline contains "RouteTheCall") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "Control_RunDLL") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "ShellExec_RunDLL") or (tgt.process.cmdline contains "mshtml.dll" and tgt.process.cmdline contains "PrintHTML") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieframe.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "shdocvw.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "syssetup.dll" and tgt.process.cmdline contains "SetupInfObjectInstallAction") or (tgt.process.cmdline contains "setupapi.dll" and tgt.process.cmdline contains "InstallHinfSection") or (tgt.process.cmdline contains "pcwutl.dll" and tgt.process.cmdline contains "LaunchApplication") or (tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbApplication") or 
(tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbShortcut") or (tgt.process.cmdline contains "scrobj.dll" and tgt.process.cmdline contains "GenerateTypeLib" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "shimgvw.dll" and tgt.process.cmdline contains "ImageView_Fullscreen" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "comsvcs.dll" and tgt.process.cmdline contains "MiniDump")) and (not (tgt.process.cmdline contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (src.process.image.path="C:\Windows\System32\control.exe" and src.process.cmdline contains ".cpl" and (tgt.process.cmdline contains "Shell32.dll" and tgt.process.cmdline contains "Control_RunDLL" and tgt.process.cmdline contains ".cpl")) or (src.process.image.path="C:\Windows\System32\control.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\Windows\System32\" and tgt.process.cmdline contains ".cpl\","))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md index 96fb2ec88..00d6223f9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ShellExec_RunDLL" and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "odbcconf" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "iex" or tgt.process.cmdline contains "comspec"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md index fe0f04b16..5439896ae 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "apphelp.dll") and (tgt.process.cmdline contains "ShimFlushCache" or tgt.process.cmdline contains "#250")) or ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "kernel32.dll") and (tgt.process.cmdline contains "BaseFlushAppcompatCache" or tgt.process.cmdline contains "#46")))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md index 384e4b15d..0f996b74b 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and (tgt.process.cmdline contains ".sys," or tgt.process.cmdline contains ".sys "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md index 6adf57996..bca1694c0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\svchost.exe" and src.process.cmdline contains "-s WebClient" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "C:\windows\system32\davclnt.dll,DavSetCookie" and tgt.process.cmdline matches "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") and (not (tgt.process.cmdline contains "://10." or tgt.process.cmdline contains "://192.168." or tgt.process.cmdline contains "://172.16." or tgt.process.cmdline contains "://172.17." or tgt.process.cmdline contains "://172.18." or tgt.process.cmdline contains "://172.19." or tgt.process.cmdline contains "://172.20." or tgt.process.cmdline contains "://172.21." or tgt.process.cmdline contains "://172.22." or tgt.process.cmdline contains "://172.23." or tgt.process.cmdline contains "://172.24." or tgt.process.cmdline contains "://172.25." or tgt.process.cmdline contains "://172.26." or tgt.process.cmdline contains "://172.27." or tgt.process.cmdline contains "://172.28." or tgt.process.cmdline contains "://172.29." or tgt.process.cmdline contains "://172.30." or tgt.process.cmdline contains "://172.31." or tgt.process.cmdline contains "://127." or tgt.process.cmdline contains "://169.254."))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md
index 7ff3bb08b..c039ca592 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline in ("rundll32.exe","rundll32"))) | columns ComputerName,SubjectUserName,tgt.process.cmdline,tgt.process.image.path,src.process.image.path
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md
index c676b0b03..e6bf430f0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\runonce.exe" or tgt.process.displayName="Run Once Wrapper") and (tgt.process.cmdline contains "/AlternateShellStartup" or tgt.process.cmdline contains "/r")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md
index bcce6e540..5089a2c05 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sc.exe" and tgt.process.integrityLevel="Medium") and ((tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") or (tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md
index 9125a0055..d842676c1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md
index fa74926f8..7e356c882 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" or tgt.process.cmdline contains "config") and (tgt.process.cmdline contains "binPath" and tgt.process.cmdline contains "type" and tgt.process.cmdline contains "kernel")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md
index 7d5f08cda..b5aab0cb6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md
index 865c1109b..286504441 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "config " and tgt.process.cmdline contains "binpath=") or (tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command=")) or (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "FailureCommand") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "ImagePath")) and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin$" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh$" or tgt.process.cmdline contains ".reg$" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md
index 98bd6e201..e6ce1432c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "/RU" and tgt.process.cmdline contains "/TR" and tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\") and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "TeamViewer_.exe") and tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/TN TVInstallRestore"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md
index 775ba8a9c..b56a9477e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /Change " and tgt.process.cmdline contains " /TN ")) and (tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\WINDOWS\Temp\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Perflogs\" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%") and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "bash.exe" or tgt.process.cmdline contains "bash " or tgt.process.cmdline contains "scrcons" or tgt.process.cmdline contains "wmic " or tgt.process.cmdline contains "wmic.exe" or tgt.process.cmdline contains "forfiles" or tgt.process.cmdline contains "scriptrunner" or tgt.process.cmdline contains "hh.exe" or tgt.process.cmdline contains "hh ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md
index 622a7a9a4..65ee6403c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (not (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md
index f07fcf1a4..3f397f48b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /create " and tgt.process.cmdline contains " /sc once " and tgt.process.cmdline contains "\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md
index 5e00d616a..59e878dc8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "/tn") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md
index ad7358ff6..985ab528e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /delete " and tgt.process.cmdline contains "/tn \*" and tgt.process.cmdline contains " /f")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md
index 16dcf8b15..eb77bf436 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Change" and tgt.process.cmdline contains "/TN" and tgt.process.cmdline contains "/disable") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md
index a95d4ef8d..7e7b1bb43 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\Users\Public" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%")) or (src.process.cmdline contains "\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\Users\Public" or tgt.process.cmdline contains "%Public%"))) and (not (((tgt.process.cmdline contains "update_task.xml" or tgt.process.cmdline contains "/Create /TN TVInstallRestore /TR") or src.process.cmdline contains "unattended.ini") or (tgt.process.cmdline contains "/Create /Xml \"C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\.CR." and tgt.process.cmdline contains "Avira_Security_Installation.xml") or ((tgt.process.cmdline contains "/Create /F /TN" and tgt.process.cmdline contains "/Xml " and tgt.process.cmdline contains "\AppData\Local\Temp\is-" and tgt.process.cmdline contains "Avira_") and (tgt.process.cmdline contains ".tmp\UpdateFallbackTask.xml" or tgt.process.cmdline contains ".tmp\WatchdogServiceControlManagerTimeout.xml" or tgt.process.cmdline contains ".tmp\SystrayAutostart.xml" or tgt.process.cmdline contains ".tmp\MaintenanceTask.xml")) or (tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "/Create /TN \"klcp_update\" /XML " and tgt.process.cmdline contains "\klcp_update_task.xml")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md
index ec5957976..ca43591e5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (tgt.process.cmdline contains "/TN \"{" or tgt.process.cmdline contains "/TN '{" or tgt.process.cmdline contains "/TN {") and (tgt.process.cmdline contains "}\"" or tgt.process.cmdline contains "}'" or tgt.process.cmdline contains "} ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md
index a31e99c67..26ee0fe56 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\WINDOWS\System32\svchost.exe" and (src.process.cmdline contains "-k netsvcs" and src.process.cmdline contains "-s Schedule") and (tgt.process.cmdline contains " -windowstyle hidden" or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " -noni")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md
index 1b3b7b72b..89657c815 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (((tgt.process.cmdline contains "/sc minute " or tgt.process.cmdline contains "/ru system ") and (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r ")) or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -w hidden " or tgt.process.cmdline contains " bypass " or tgt.process.cmdline contains " IEX" or tgt.process.cmdline contains ".DownloadData" or tgt.process.cmdline contains ".DownloadFile" or tgt.process.cmdline contains ".DownloadString" or tgt.process.cmdline contains "/c start /min " or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "mshta http" or tgt.process.cmdline contains "mshta.exe http") or ((tgt.process.cmdline contains ":\ProgramData\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%") and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "curl" or tgt.process.cmdline contains "wscript")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md
index 43dbf4431..b8a01c9f1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /change " or tgt.process.cmdline contains " /create ")) and tgt.process.cmdline contains "/ru " and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/TN TVInstallRestore" and tgt.process.cmdline contains "\TeamViewer_.exe")) or (tgt.process.cmdline contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or tgt.process.cmdline contains ":\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe" or tgt.process.cmdline contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md
index 42023c8a1..3b5dec667 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\scrcons.exe" and (tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\msbuild.exe"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md
index b1c3919e5..beffcad63 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\sdclt.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md
index a544d6ef6..ff86f71ae 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sdiagnhost.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\taskkill.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\calc.exe")) and (not ((tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "bits") or (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "-noprofile -" or tgt.process.cmdline contains "-noprofile"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md
index 705330d92..b9797b189 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Serv-U.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md
index 207a25f5e..7e150389e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\setres.exe" and tgt.process.image.path contains "\choice") and (not (tgt.process.image.path contains "C:\Windows\System32\choice.exe" or tgt.process.image.path contains "C:\Windows\SysWOW64\choice.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md
index a213c8bb1..cdd4e2163 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and (tgt.process.cmdline contains "/r " or tgt.process.cmdline contains "/s ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md
index 403d168e7..6c0f8a906 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and tgt.process.cmdline contains "/l"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md
index 0c4fcd6d3..fd8bd23c1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\sigverif.exe" and (not (tgt.process.image.path in ("C:\Windows\System32\WerFault.exe","C:\Windows\SysWOW64\WerFault.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
index d84beab77..150047d68 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\SndVol.exe" and (not (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains " shell32.dll,Control_RunDLL "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
index db45d06f9..cb3163aac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SoundRecorder.exe" and tgt.process.cmdline contains "/FILE"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
index ffd5bb744..b5db9ad0b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\splwow64.exe" and tgt.process.cmdline contains "splwow64.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
index dbdd66c3e..a2cd3eaa1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "VeeamBackup" and tgt.process.cmdline contains "From ")) and (tgt.process.cmdline contains "BackupRepositories" or tgt.process.cmdline contains "Backups" or tgt.process.cmdline contains "Credentials" or tgt.process.cmdline contains "HostCreds" or tgt.process.cmdline contains "SmbFileShares" or tgt.process.cmdline contains "Ssh_creds" or tgt.process.cmdline contains "VSphereInfo")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
index 6ef894468..2a837707c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "SELECT" and tgt.process.cmdline contains "TOP" and tgt.process.cmdline contains "[VeeamBackup].[dbo].[Credentials]")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
index 240b1363b..9be55c187 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "\User Data\" or tgt.process.cmdline contains "\Opera Software\" or tgt.process.cmdline contains "\ChromiumViewer\") and (tgt.process.cmdline contains "Login Data" or tgt.process.cmdline contains "Cookies" or tgt.process.cmdline contains "Web Data" or tgt.process.cmdline contains "History" or tgt.process.cmdline contains "Bookmarks")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
index 859575d92..e81264b90 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "cookies.sqlite" or tgt.process.cmdline contains "places.sqlite")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
index e5d9878b7..897b4d708 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains " --download " or tgt.process.cmdline contains " --update " or tgt.process.cmdline contains " --updateRollback=") and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
index 7f2dfa5ba..294e5c9f6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--processStartAndWait" or tgt.process.cmdline contains "--createShortcut")) and (not ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Discord\Update.exe" and tgt.process.cmdline contains " --processStart" and tgt.process.cmdline contains "Discord.exe") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\GitHubDesktop\Update.exe" and tgt.process.cmdline contains "GitHubDesktop.exe") and (tgt.process.cmdline contains "--createShortcut" or tgt.process.cmdline contains "--processStartAndWait")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Microsoft\Teams\Update.exe" and tgt.process.cmdline contains "Teams.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\yammerdesktop\Update.exe" and tgt.process.cmdline contains "Yammer.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut"))))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
index 83b0f2adf..d7cbd0dde 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " /R " or tgt.process.cmdline contains " –R " or tgt.process.cmdline contains " —R " or tgt.process.cmdline contains " ―R ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
index e2216e94f..cbe29b8eb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\System32\OpenSSH\sshd.exe" or (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains "ProxyCommand=" or (tgt.process.cmdline contains "PermitLocalCommand" and tgt.process.cmdline contains "LocalCommand")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
index 0cb0881a9..585904cbc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and tgt.process.cmdline contains ":3389"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
index aa65017e3..c6144cc21 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\amazon-ssm-agent.exe" and (tgt.process.cmdline contains "-register " and tgt.process.cmdline contains "-code " and tgt.process.cmdline contains "-id " and tgt.process.cmdline contains "-region ")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
index eea552f75..f56cb0ed0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\stordiag.exe" and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\fltmc.exe")) and (not (src.process.image.path contains "c:\windows\system32\" or src.process.image.path contains "c:\windows\syswow64\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
index 30afc7a3b..1cb1164cd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ntvdm.exe" or tgt.process.image.path contains "\csrstub.exe"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
index 30088eebb..bbc49634d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains " administrators " or tgt.process.cmdline contains " administrateur")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
index 9c2808fff..d51c20c74 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Group Policy Creator Owners" or tgt.process.cmdline contains "Schema Admins")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
index 8e973f04b..0fe70ba3d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
index 8e5ff0839..6212c4465 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "txt:" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > ") or (tgt.process.cmdline contains "makecab " and tgt.process.cmdline contains ".cab") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains " export ") or (tgt.process.cmdline contains "regedit " and tgt.process.cmdline contains " /E ") or (tgt.process.cmdline contains "esentutl " and tgt.process.cmdline contains " /y " and tgt.process.cmdline contains " /d " and tgt.process.cmdline contains " /o "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
index b3992dc6f..297302e29 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\Windows\Installer\" and tgt.process.image.path contains "msi") and tgt.process.image.path contains "tmp") or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.integrityLevel="System")) and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and (not (src.process.image.path="C:\Windows\System32\services.exe" or (tgt.process.cmdline contains "\system32\msiexec.exe /V" or src.process.cmdline contains "\system32\msiexec.exe /V") or src.process.image.path contains "C:\ProgramData\Sophos\" or src.process.image.path contains "C:\ProgramData\Avira\" or (src.process.image.path contains "C:\Program Files\Avast Software\" or src.process.image.path contains "C:\Program Files (x86)\Avast Software\") or (src.process.image.path contains "C:\Program Files\Google\Update\" or src.process.image.path contains "C:\Program Files (x86)\Google\Update\")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
index 1854ecda2..7bf2b2d65 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "C:\Program Files\WindowsApps\" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Base64")) and (not (src.process.image.path contains ":\Program Files\WindowsApps\Microsoft.WindowsTerminal" and src.process.image.path contains "\WindowsTerminal.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\pwsh.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
index c51116a85..a0a594c48 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".SettingContent-ms" and (not tgt.process.cmdline contains "immersivecontrolpanel"))) | columns ParentProcess,tgt.process.cmdline,src.process.cmdline
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
index 82711d766..c6e55f95f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\Winrar.exe" or src.process.image.path contains "\7zFM.exe" or src.process.image.path contains "\peazip.exe") and (tgt.process.image.path contains "\isoburn.exe" or tgt.process.image.path contains "\PowerISO.exe" or tgt.process.image.path contains "\ImgBurn.exe")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
index f4200a756..f85cfbf3d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
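Review bot: The projection `| columns ParentProcess,tgt.process.cmdline,src.process.cmdline` in the settingcontent hunk still carries `ParentProcess`, which looks like an untranslated source-rule field name rather than a PQ field like the two `tgt.process.cmdline` / `src.process.cmdline` names next to it; if the engine rejects unknown columns the whole query fails, and if it silently drops them the analyst loses the parent-process context the rule was written to show. This commit only refreshes the translation timestamp, so the defect presumably sits in the translator's field mapping and should be fixed there, e.g. by mapping the parent-process column to the `src.process.image.path` field that the neighbouring rules already use. Worth confirming against the PQ column list before changing the generated file by hand.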
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\WerFault.exe" and tgt.process.cmdline contains "WerFault.exe") or (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or (tgt.process.image.path contains "\regsvcs.exe" and tgt.process.cmdline contains "regsvcs.exe") or (tgt.process.image.path contains "\regasm.exe" and tgt.process.cmdline contains "regasm.exe") or (tgt.process.image.path contains "\regsvr32.exe" and tgt.process.cmdline contains "regsvr32.exe")) and (not ((src.process.image.path contains "\AppData\Local\Microsoft\EdgeUpdate\Install\{" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or ((src.process.image.path contains "\AppData\Local\BraveSoftware\Brave-Browser\Application\" or src.process.image.path contains "\AppData\Local\Google\Chrome\Application\") and src.process.image.path contains "\Installer\setup.exe" and src.process.cmdline contains "--uninstall " and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
index ce876ad29..4af219760 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "Acrobat Reader" or src.process.image.path contains "Microsoft Office" or src.process.image.path contains "PDF Reader") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\firefox.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\maxthon.exe" or tgt.process.image.path contains "\seamonkey.exe" or tgt.process.image.path contains "\vivaldi.exe" or tgt.process.image.path contains "") and tgt.process.cmdline contains "http"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
index 273981303..66458378f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "h^t^t^p" or tgt.process.cmdline contains "h\"t\"t\"p"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
index e98639331..96a378420 100644
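Review bot: The browser list in the document-reader hunk ends with `or tgt.process.image.path contains ""`, and an empty-string `contains` is true for every path, so the whole browser alternation collapses to "any child process": the rule will fire on every Office or Acrobat child whose command line mentions "http", which is a false-positive source and hides the intent of the original browser allow-list. The empty term most likely comes from an unmapped or empty value in the source rule's list, so the fix belongs in the translator (drop empty terms before emitting `contains`), after which the generated line should read `... or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http"))`. This commit only bumps the translation timestamp and does not touch that term.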
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Windows\" and (tgt.process.cmdline contains "\..\Windows\" or tgt.process.cmdline contains "\..\System32\" or tgt.process.cmdline contains "\..\..\")) or tgt.process.cmdline contains ".exe\..\") and (not (tgt.process.cmdline contains "\Google\Drive\googledrivesync.exe\..\" or tgt.process.cmdline contains "\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
index bb3ed9dac..5b5086047 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --cpu-priority=" or tgt.process.cmdline contains "--donate-level=0" or tgt.process.cmdline contains " -o pool." or tgt.process.cmdline contains " --nicehash" or tgt.process.cmdline contains " --algo=rx/0 " or tgt.process.cmdline contains "stratum+tcp://" or tgt.process.cmdline contains "stratum+udp://" or tgt.process.cmdline contains "LS1kb25hdGUtbGV2ZWw9" or tgt.process.cmdline contains "0tZG9uYXRlLWxldmVsP" or tgt.process.cmdline contains "tLWRvbmF0ZS1sZXZlbD" or tgt.process.cmdline contains "c3RyYXR1bSt0Y3A6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdGNwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3RjcDovL" or tgt.process.cmdline contains "c3RyYXR1bSt1ZHA6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdWRwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3VkcDovL") and (not (tgt.process.cmdline contains " pool.c " or tgt.process.cmdline contains " pool.o " or tgt.process.cmdline contains "gcc -"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
index 51540a410..a19db62ff 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl ") and (tgt.process.cmdline contains " -ur" and tgt.process.cmdline contains " -me" and tgt.process.cmdline contains " -b" and tgt.process.cmdline contains " POST ")) or ((tgt.process.image.path contains "\curl.exe" and tgt.process.cmdline contains "--ur") and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " --data ")) or (tgt.process.image.path contains "\wget.exe" and (tgt.process.cmdline contains "--post-data" or tgt.process.cmdline contains "--post-file"))) and ((tgt.process.cmdline contains "Get-Content" or tgt.process.cmdline contains "GetBytes" or tgt.process.cmdline contains "hostname" or tgt.process.cmdline contains "ifconfig" or tgt.process.cmdline contains "ipconfig" or tgt.process.cmdline contains "net view" or tgt.process.cmdline contains "netstat" or tgt.process.cmdline contains "nltest" or tgt.process.cmdline contains "qprocess" or tgt.process.cmdline contains "sc query" or tgt.process.cmdline contains "systeminfo" or tgt.process.cmdline contains "tasklist" or tgt.process.cmdline contains "ToBase64String" or tgt.process.cmdline contains "whoami") or (tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > " and tgt.process.cmdline contains " C:\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
index 3a560e04f..825d2f459 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "taskkill " and tgt.process.cmdline contains "RaccineSettings.exe") or (tgt.process.cmdline contains "reg.exe" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "Raccine Tray") or (tgt.process.cmdline contains "schtasks" and tgt.process.cmdline contains "/DELETE" and tgt.process.cmdline contains "Raccine Rules Updater")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
index 51f25f588..2db58d193 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ".doc.exe" or tgt.process.image.path contains ".docx.exe" or tgt.process.image.path contains ".xls.exe" or tgt.process.image.path contains ".xlsx.exe" or tgt.process.image.path contains ".ppt.exe" or tgt.process.image.path contains ".pptx.exe" or tgt.process.image.path contains ".rtf.exe" or tgt.process.image.path contains ".pdf.exe" or tgt.process.image.path contains ".txt.exe" or tgt.process.image.path contains " .exe" or tgt.process.image.path contains "______.exe" or tgt.process.image.path contains ".doc.js" or tgt.process.image.path contains ".docx.js" or tgt.process.image.path contains ".xls.js" or tgt.process.image.path contains ".xlsx.js" or tgt.process.image.path contains ".ppt.js" or tgt.process.image.path contains ".pptx.js" or tgt.process.image.path contains ".rtf.js" or tgt.process.image.path contains ".pdf.js" or tgt.process.image.path contains ".txt.js") and (tgt.process.cmdline contains ".doc.exe" or tgt.process.cmdline contains ".docx.exe" or tgt.process.cmdline contains ".xls.exe" or tgt.process.cmdline contains ".xlsx.exe" or tgt.process.cmdline contains ".ppt.exe" or tgt.process.cmdline contains ".pptx.exe" or tgt.process.cmdline contains ".rtf.exe" or tgt.process.cmdline contains ".pdf.exe" or tgt.process.cmdline contains ".txt.exe" or tgt.process.cmdline contains " .exe" or tgt.process.cmdline contains "______.exe" or tgt.process.cmdline contains ".doc.js" or tgt.process.cmdline contains ".docx.js" or tgt.process.cmdline contains ".xls.js" or tgt.process.cmdline contains ".xlsx.js" or tgt.process.cmdline contains ".ppt.js" or tgt.process.cmdline contains ".pptx.js" or tgt.process.cmdline contains ".rtf.js" or tgt.process.cmdline contains ".pdf.js" or tgt.process.cmdline contains ".txt.js")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
index 067ae6f79..f4e4f768a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains ".doc.lnk" or src.process.image.path contains ".docx.lnk" or src.process.image.path contains ".xls.lnk" or src.process.image.path contains ".xlsx.lnk" or src.process.image.path contains ".ppt.lnk" or src.process.image.path contains ".pptx.lnk" or src.process.image.path contains ".rtf.lnk" or src.process.image.path contains ".pdf.lnk" or src.process.image.path contains ".txt.lnk" or src.process.image.path contains ".doc.js" or src.process.image.path contains ".docx.js" or src.process.image.path contains ".xls.js" or src.process.image.path contains ".xlsx.js" or src.process.image.path contains ".ppt.js" or src.process.image.path contains ".pptx.js" or src.process.image.path contains ".rtf.js" or src.process.image.path contains ".pdf.js" or src.process.image.path contains ".txt.js") or (src.process.cmdline contains ".doc.lnk" or src.process.cmdline contains ".docx.lnk" or src.process.cmdline contains ".xls.lnk" or src.process.cmdline contains ".xlsx.lnk" or src.process.cmdline contains ".ppt.lnk" or src.process.cmdline contains ".pptx.lnk" or src.process.cmdline contains ".rtf.lnk" or src.process.cmdline contains ".pdf.lnk" or src.process.cmdline contains ".txt.lnk" or src.process.cmdline contains ".doc.js" or src.process.cmdline contains ".docx.js" or src.process.cmdline contains ".xls.js" or src.process.cmdline contains ".xlsx.js" or src.process.cmdline contains ".ppt.js" or src.process.cmdline contains ".pptx.js" or src.process.cmdline contains ".rtf.js" or src.process.cmdline contains ".pdf.js" or src.process.cmdline contains ".txt.js")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
index 5802c576e..2a1873aa5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\wget.exe") or (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains ".DownloadString(")) and (tgt.process.cmdline contains "https://attachment.outlook.live.net/owa/" or tgt.process.cmdline contains "https://onenoteonlinesync.onenote.com/onenoteonlinesync/")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
index cb763c479..5c75b6b7b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DumpStack.log" or tgt.process.cmdline contains " -o DumpStack.log"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
index 5b1260624..74a9fec37 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\chrome.exe" or src.process.image.path contains "\discord.exe" or src.process.image.path contains "\GitHubDesktop.exe" or src.process.image.path contains "\keybase.exe" or src.process.image.path contains "\msedge.exe" or src.process.image.path contains "\msedgewebview2.exe" or src.process.image.path contains "\msteams.exe" or src.process.image.path contains "\slack.exe" or src.process.image.path contains "\teams.exe") and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\Windows\Temp\")) and (not (src.process.image.path contains "\Discord.exe" and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "\NVSMI\nvidia-smi.exe"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
index 37f7cf6f4..50f027e19 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\explorer.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".lnk")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
index 6fcd0d2b4..cd3bf3f19 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "😀" or tgt.process.cmdline contains "😃" or tgt.process.cmdline contains "😄" or tgt.process.cmdline contains "😁" or tgt.process.cmdline contains "😆" or tgt.process.cmdline contains "😅" or tgt.process.cmdline contains "😂" or tgt.process.cmdline contains "🤣" or tgt.process.cmdline contains "🥲" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "☺️" or tgt.process.cmdline contains "😊" or tgt.process.cmdline contains "😇" or tgt.process.cmdline contains "🙂" or tgt.process.cmdline contains "🙃" or tgt.process.cmdline contains "😉" or tgt.process.cmdline contains "😌" or tgt.process.cmdline contains "😍" or tgt.process.cmdline contains "🥰" or tgt.process.cmdline contains "😘" or tgt.process.cmdline contains "😗" or tgt.process.cmdline contains "😙" or tgt.process.cmdline contains "😚" or tgt.process.cmdline contains "😋" or tgt.process.cmdline contains "😛" or tgt.process.cmdline contains "😝" or tgt.process.cmdline contains "😜" or tgt.process.cmdline contains "🤪" or tgt.process.cmdline contains "🤨" or tgt.process.cmdline contains "🧐" or tgt.process.cmdline contains "🤓" or tgt.process.cmdline contains "😎" or tgt.process.cmdline contains "🥸" or tgt.process.cmdline contains "🤩" or tgt.process.cmdline contains "🥳" or tgt.process.cmdline contains "😏" or tgt.process.cmdline contains "😒" or tgt.process.cmdline contains "😞" or tgt.process.cmdline contains "😔" or tgt.process.cmdline contains "😟" or tgt.process.cmdline contains "😕" or tgt.process.cmdline contains "🙁" or tgt.process.cmdline contains "☹️" or tgt.process.cmdline contains "😣" or tgt.process.cmdline contains "😖" or tgt.process.cmdline contains "😫" or tgt.process.cmdline contains "😩" or tgt.process.cmdline contains "🥺" or tgt.process.cmdline contains "😢" or 
tgt.process.cmdline contains "😭" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😤" or tgt.process.cmdline contains "😠" or tgt.process.cmdline contains "😡" or tgt.process.cmdline contains "🤬" or tgt.process.cmdline contains "🤯" or tgt.process.cmdline contains "😳" or tgt.process.cmdline contains "🥵" or tgt.process.cmdline contains "🥶" or tgt.process.cmdline contains "😱" or tgt.process.cmdline contains "😨" or tgt.process.cmdline contains "😰" or tgt.process.cmdline contains "😥" or tgt.process.cmdline contains "😓" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🤗" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🤔" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🤭" or tgt.process.cmdline contains "🤫" or tgt.process.cmdline contains "🤥" or tgt.process.cmdline contains "😶" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "😐" or tgt.process.cmdline contains "😑" or tgt.process.cmdline contains "😬" or tgt.process.cmdline contains "🫠" or tgt.process.cmdline contains "🙄" or tgt.process.cmdline contains "😯" or tgt.process.cmdline contains "😦" or tgt.process.cmdline contains "😧" or tgt.process.cmdline contains "😮" or tgt.process.cmdline contains "😲" or tgt.process.cmdline contains "🥱" or tgt.process.cmdline contains "😴" or tgt.process.cmdline contains "🤤" or tgt.process.cmdline contains "😪" or tgt.process.cmdline contains "😵" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🤐" or tgt.process.cmdline contains "🥴" or tgt.process.cmdline contains "🤢" or tgt.process.cmdline contains "🤮" or tgt.process.cmdline contains "🤧" or tgt.process.cmdline contains "😷" or tgt.process.cmdline contains "🤒" or tgt.process.cmdline contains "🤕" or tgt.process.cmdline contains "🤑" or tgt.process.cmdline contains "🤠" or tgt.process.cmdline contains "😈" or tgt.process.cmdline contains "👿" or tgt.process.cmdline contains "👹" or 
tgt.process.cmdline contains "👺" or tgt.process.cmdline contains "🤡" or tgt.process.cmdline contains "💩" or tgt.process.cmdline contains "👻" or tgt.process.cmdline contains "💀" or tgt.process.cmdline contains "☠️" or tgt.process.cmdline contains "👽" or tgt.process.cmdline contains "👾" or tgt.process.cmdline contains "🤖" or tgt.process.cmdline contains "🎃" or tgt.process.cmdline contains "😺" or tgt.process.cmdline contains "😸" or tgt.process.cmdline contains "😹" or tgt.process.cmdline contains "😻" or tgt.process.cmdline contains "😼" or tgt.process.cmdline contains "😽" or tgt.process.cmdline contains "🙀" or tgt.process.cmdline contains "😿" or tgt.process.cmdline contains "😾" or tgt.process.cmdline contains "👋" or tgt.process.cmdline contains "🤚" or tgt.process.cmdline contains "🖐" or tgt.process.cmdline contains "✋" or tgt.process.cmdline contains "🖖" or tgt.process.cmdline contains "👌" or tgt.process.cmdline contains "🤌" or tgt.process.cmdline contains "🤏" or tgt.process.cmdline contains "✌️" or tgt.process.cmdline contains "🤞" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🤟" or tgt.process.cmdline contains "🤘" or tgt.process.cmdline contains "🤙" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "👈" or tgt.process.cmdline contains "👉" or tgt.process.cmdline contains "👆" or tgt.process.cmdline contains "🖕" or tgt.process.cmdline contains "👇" or tgt.process.cmdline contains "☝️" or tgt.process.cmdline contains "👍" or tgt.process.cmdline contains "👎" or tgt.process.cmdline contains "✊" or tgt.process.cmdline contains "👊" or tgt.process.cmdline contains "🤛" or tgt.process.cmdline contains "🤜" or tgt.process.cmdline contains "👏" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🙌" or tgt.process.cmdline contains "👐" or tgt.process.cmdline contains "🤲" or 
tgt.process.cmdline contains "🤝" or tgt.process.cmdline contains "🙏" or tgt.process.cmdline contains "✍️" or tgt.process.cmdline contains "💪" or tgt.process.cmdline contains "🦾" or tgt.process.cmdline contains "🦵" or tgt.process.cmdline contains "🦿" or tgt.process.cmdline contains "🦶" or tgt.process.cmdline contains "👣" or tgt.process.cmdline contains "👂" or tgt.process.cmdline contains "🦻" or tgt.process.cmdline contains "👃" or tgt.process.cmdline contains "🫀" or tgt.process.cmdline contains "🫁" or tgt.process.cmdline contains "🧠" or tgt.process.cmdline contains "🦷" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "👀" or tgt.process.cmdline contains "👁" or tgt.process.cmdline contains "👅" or tgt.process.cmdline contains "👄" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "💋" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "👶" or tgt.process.cmdline contains "👧" or tgt.process.cmdline contains "🧒" or tgt.process.cmdline contains "👦" or tgt.process.cmdline contains "👩" or tgt.process.cmdline contains "🧑" or tgt.process.cmdline contains "👨" or tgt.process.cmdline contains "👩‍🦱" or tgt.process.cmdline contains "🧑‍🦱" or tgt.process.cmdline contains "👨‍🦱" or tgt.process.cmdline contains "👩‍🦰" or tgt.process.cmdline contains "🧑‍🦰" or tgt.process.cmdline contains "👨‍🦰" or tgt.process.cmdline contains "👱‍♀️" or tgt.process.cmdline contains "👱" or tgt.process.cmdline contains "👱‍♂️" or tgt.process.cmdline contains "👩‍🦳" or tgt.process.cmdline contains "🧑‍🦳" or tgt.process.cmdline contains "👨‍🦳" or tgt.process.cmdline contains "👩‍🦲" or tgt.process.cmdline contains "🧑‍🦲" or tgt.process.cmdline contains "👨‍🦲" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "👵" or tgt.process.cmdline contains "🧓" or tgt.process.cmdline contains "👴" or tgt.process.cmdline contains "👲" or tgt.process.cmdline contains "👳‍♀️" or 
tgt.process.cmdline contains "👳" or tgt.process.cmdline contains "👳‍♂️" or tgt.process.cmdline contains "🧕" or tgt.process.cmdline contains "👮‍♀️" or tgt.process.cmdline contains "👮" or tgt.process.cmdline contains "👮‍♂️" or tgt.process.cmdline contains "👷‍♀️" or tgt.process.cmdline contains "👷" or tgt.process.cmdline contains "👷‍♂️" or tgt.process.cmdline contains "💂‍♀️" or tgt.process.cmdline contains "💂" or tgt.process.cmdline contains "💂‍♂️" or tgt.process.cmdline contains "🕵️‍♀️" or tgt.process.cmdline contains "🕵️" or tgt.process.cmdline contains "🕵️‍♂️" or tgt.process.cmdline contains "👩‍⚕️" or tgt.process.cmdline contains "🧑‍⚕️" or tgt.process.cmdline contains "👨‍⚕️" or tgt.process.cmdline contains "👩‍🌾" or tgt.process.cmdline contains "🧑‍🌾" or tgt.process.cmdline contains "👨‍🌾" or tgt.process.cmdline contains "👩‍🍳" or tgt.process.cmdline contains "🧑‍🍳" or tgt.process.cmdline contains "👨‍🍳" or tgt.process.cmdline contains "👩‍🎓" or tgt.process.cmdline contains "🧑‍🎓" or tgt.process.cmdline contains "👨‍🎓" or tgt.process.cmdline contains "👩‍🎤" or tgt.process.cmdline contains "🧑‍🎤" or tgt.process.cmdline contains "👨‍🎤" or tgt.process.cmdline contains "👩‍🏫" or tgt.process.cmdline contains "🧑‍🏫" or tgt.process.cmdline contains "👨‍🏫" or tgt.process.cmdline contains "👩‍🏭" or tgt.process.cmdline contains "🧑‍🏭" or tgt.process.cmdline contains "👨‍🏭" or tgt.process.cmdline contains "👩‍💻" or tgt.process.cmdline contains "🧑‍💻" or tgt.process.cmdline contains "👨‍💻" or tgt.process.cmdline contains "👩‍💼" or tgt.process.cmdline contains "🧑‍💼" or tgt.process.cmdline contains "👨‍💼" or tgt.process.cmdline contains "👩‍🔧" or tgt.process.cmdline contains "🧑‍🔧" or tgt.process.cmdline contains "👨‍🔧" or tgt.process.cmdline contains "👩‍🔬" or tgt.process.cmdline contains "🧑‍🔬" or tgt.process.cmdline contains "👨‍🔬" or tgt.process.cmdline contains "👩‍🎨" or tgt.process.cmdline contains "🧑‍🎨" or tgt.process.cmdline contains "👨‍🎨" or tgt.process.cmdline contains "👩‍🚒" or tgt.process.cmdline 
contains "🧑‍🚒" or tgt.process.cmdline contains "👨‍🚒" or tgt.process.cmdline contains "👩‍✈️" or tgt.process.cmdline contains "🧑‍✈️" or tgt.process.cmdline contains "👨‍✈️" or tgt.process.cmdline contains "👩‍🚀" or tgt.process.cmdline contains "🧑‍🚀" or tgt.process.cmdline contains "👨‍🚀" or tgt.process.cmdline contains "👩‍⚖️" or tgt.process.cmdline contains "🧑‍⚖️" or tgt.process.cmdline contains "👨‍⚖️" or tgt.process.cmdline contains "👰‍♀️" or tgt.process.cmdline contains "👰" or tgt.process.cmdline contains "👰‍♂️" or tgt.process.cmdline contains "🤵‍♀️" or tgt.process.cmdline contains "🤵" or tgt.process.cmdline contains "🤵‍♂️" or tgt.process.cmdline contains "👸" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🤴" or tgt.process.cmdline contains "🥷" or tgt.process.cmdline contains "🦸‍♀️" or tgt.process.cmdline contains "🦸" or tgt.process.cmdline contains "🦸‍♂️" or tgt.process.cmdline contains "🦹‍♀️" or tgt.process.cmdline contains "🦹" or tgt.process.cmdline contains "🦹‍♂️" or tgt.process.cmdline contains "🤶" or tgt.process.cmdline contains "🧑‍🎄" or tgt.process.cmdline contains "🎅" or tgt.process.cmdline contains "🧙‍♀️" or tgt.process.cmdline contains "🧙" or tgt.process.cmdline contains "🧙‍♂️" or tgt.process.cmdline contains "🧝‍♀️" or tgt.process.cmdline contains "🧝" or tgt.process.cmdline contains "🧝‍♂️" or tgt.process.cmdline contains "🧛‍♀️" or tgt.process.cmdline contains "🧛" or tgt.process.cmdline contains "🧛‍♂️" or tgt.process.cmdline contains "🧟‍♀️" or tgt.process.cmdline contains "🧟" or tgt.process.cmdline contains "🧟‍♂️" or tgt.process.cmdline contains "🧞‍♀️" or tgt.process.cmdline contains "🧞" or tgt.process.cmdline contains "🧞‍♂️" or tgt.process.cmdline contains "🧜‍♀️" or tgt.process.cmdline contains "🧜" or tgt.process.cmdline contains "🧜‍♂️" or tgt.process.cmdline contains "🧚‍♀️" or tgt.process.cmdline contains "🧚" or tgt.process.cmdline contains "🧚‍♂️" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "👼" or 
tgt.process.cmdline contains "🤰" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🤱" or tgt.process.cmdline contains "👩‍🍼" or tgt.process.cmdline contains "🧑‍🍼" or tgt.process.cmdline contains "👨‍🍼" or tgt.process.cmdline contains "🙇‍♀️" or tgt.process.cmdline contains "🙇" or tgt.process.cmdline contains "🙇‍♂️" or tgt.process.cmdline contains "💁‍♀️" or tgt.process.cmdline contains "💁" or tgt.process.cmdline contains "💁‍♂️" or tgt.process.cmdline contains "🙅‍♀️" or tgt.process.cmdline contains "🙅" or tgt.process.cmdline contains "🙅‍♂️" or tgt.process.cmdline contains "🙆‍♀️" or tgt.process.cmdline contains "🙆" or tgt.process.cmdline contains "🙆‍♂️" or tgt.process.cmdline contains "🙋‍♀️" or tgt.process.cmdline contains "🙋" or tgt.process.cmdline contains "🙋‍♂️" or tgt.process.cmdline contains "🧏‍♀️" or tgt.process.cmdline contains "🧏" or tgt.process.cmdline contains "🧏‍♂️" or tgt.process.cmdline contains "🤦‍♀️" or tgt.process.cmdline contains "🤦" or tgt.process.cmdline contains "🤦‍♂️" or tgt.process.cmdline contains "🤷‍♀️" or tgt.process.cmdline contains "🤷" or tgt.process.cmdline contains "🤷‍♂️" or tgt.process.cmdline contains "🙎‍♀️" or tgt.process.cmdline contains "🙎" or tgt.process.cmdline contains "🙎‍♂️" or tgt.process.cmdline contains "🙍‍♀️" or tgt.process.cmdline contains "🙍" or tgt.process.cmdline contains "🙍‍♂️" or tgt.process.cmdline contains "💇‍♀️" or tgt.process.cmdline contains "💇" or tgt.process.cmdline contains "💇‍♂️" or tgt.process.cmdline contains "💆‍♀️" or tgt.process.cmdline contains "💆" or tgt.process.cmdline contains "💆‍♂️" or tgt.process.cmdline contains "🧖‍♀️" or tgt.process.cmdline contains "🧖" or tgt.process.cmdline contains "🧖‍♂️" or tgt.process.cmdline contains "💅" or tgt.process.cmdline contains "💃" or tgt.process.cmdline contains "🕺" or tgt.process.cmdline contains "👯‍♀️" or tgt.process.cmdline contains "👯" or tgt.process.cmdline contains "👯‍♂️" or tgt.process.cmdline contains "🕴" or 
tgt.process.cmdline contains "👩‍🦽" or tgt.process.cmdline contains "🧑‍🦽" or tgt.process.cmdline contains "👨‍🦽" or tgt.process.cmdline contains "👩‍🦼" or tgt.process.cmdline contains "🧑‍🦼" or tgt.process.cmdline contains "👨‍🦼" or tgt.process.cmdline contains "🚶‍♀️" or tgt.process.cmdline contains "🚶" or tgt.process.cmdline contains "🚶‍♂️" or tgt.process.cmdline contains "👩‍🦯" or tgt.process.cmdline contains "🧑‍🦯" or tgt.process.cmdline contains "👨‍🦯" or tgt.process.cmdline contains "🧎‍♀️" or tgt.process.cmdline contains "🧎" or tgt.process.cmdline contains "🧎‍♂️" or tgt.process.cmdline contains "🏃‍♀️" or tgt.process.cmdline contains "🏃" or tgt.process.cmdline contains "🏃‍♂️" or tgt.process.cmdline contains "🧍‍♀️" or tgt.process.cmdline contains "🧍" or tgt.process.cmdline contains "🧍‍♂️" or tgt.process.cmdline contains "👭" or tgt.process.cmdline contains "🧑‍🤝‍🧑" or tgt.process.cmdline contains "👬" or tgt.process.cmdline contains "👫" or tgt.process.cmdline contains "👩‍❤️‍👩" or tgt.process.cmdline contains "💑" or tgt.process.cmdline contains "👨‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👩" or tgt.process.cmdline contains "💏" or tgt.process.cmdline contains "👨‍❤️‍💋‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👨" or tgt.process.cmdline contains "👪" or tgt.process.cmdline contains "👨‍👩‍👦" or tgt.process.cmdline contains "👨‍👩‍👧" or tgt.process.cmdline contains "👨‍👩‍👧‍👦" or tgt.process.cmdline contains "👨‍👩‍👦‍👦" or tgt.process.cmdline contains "👨‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👨‍👦" or tgt.process.cmdline contains "👨‍👨‍👧" or tgt.process.cmdline contains "👨‍👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👨‍👦‍👦" or tgt.process.cmdline contains "👨‍👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👩‍👦" or tgt.process.cmdline contains "👩‍👩‍👧" or tgt.process.cmdline contains "👩‍👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👦" or tgt.process.cmdline contains "👨‍👦‍👦" 
or tgt.process.cmdline contains "👨‍👧" or tgt.process.cmdline contains "👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👦" or tgt.process.cmdline contains "👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👧" or tgt.process.cmdline contains "👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👧‍👧" or tgt.process.cmdline contains "🗣" or tgt.process.cmdline contains "👤" or tgt.process.cmdline contains "👥" or tgt.process.cmdline contains "🫂" or tgt.process.cmdline contains "🧳" or tgt.process.cmdline contains "🌂" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🧵" or tgt.process.cmdline contains "🪡" or tgt.process.cmdline contains "🪢" or tgt.process.cmdline contains "🧶" or tgt.process.cmdline contains "👓" or tgt.process.cmdline contains "🕶" or tgt.process.cmdline contains "🥽" or tgt.process.cmdline contains "🥼" or tgt.process.cmdline contains "🦺" or tgt.process.cmdline contains "👔" or tgt.process.cmdline contains "👕" or tgt.process.cmdline contains "👖" or tgt.process.cmdline contains "🧣" or tgt.process.cmdline contains "🧤" or tgt.process.cmdline contains "🧥" or tgt.process.cmdline contains "🧦" or tgt.process.cmdline contains "👗" or tgt.process.cmdline contains "👘" or tgt.process.cmdline contains "🥻" or tgt.process.cmdline contains "🩴" or tgt.process.cmdline contains "🩱" or tgt.process.cmdline contains "🩲" or tgt.process.cmdline contains "🩳" or tgt.process.cmdline contains "👙" or tgt.process.cmdline contains "👚" or tgt.process.cmdline contains "👛" or tgt.process.cmdline contains "👜" or tgt.process.cmdline contains "👝" or tgt.process.cmdline contains "🎒" or tgt.process.cmdline contains "👞" or tgt.process.cmdline contains "👟" or tgt.process.cmdline contains "🥾" or tgt.process.cmdline contains "🥿" or tgt.process.cmdline contains "👠" or tgt.process.cmdline contains "👡" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "👢" or tgt.process.cmdline contains "👑" or tgt.process.cmdline contains "👒" or tgt.process.cmdline 
contains "🎩" or tgt.process.cmdline contains "🎓" or tgt.process.cmdline contains "🧢" or tgt.process.cmdline contains "⛑" or tgt.process.cmdline contains "🪖" or tgt.process.cmdline contains "💄" or tgt.process.cmdline contains "💍" or tgt.process.cmdline contains "💼" or tgt.process.cmdline contains "👋🏻" or tgt.process.cmdline contains "🤚🏻" or tgt.process.cmdline contains "🖐🏻" or tgt.process.cmdline contains "✋🏻" or tgt.process.cmdline contains "🖖🏻" or tgt.process.cmdline contains "👌🏻" or tgt.process.cmdline contains "🤌🏻" or tgt.process.cmdline contains "🤏🏻" or tgt.process.cmdline contains "✌🏻" or tgt.process.cmdline contains "🤞🏻" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🤟🏻" or tgt.process.cmdline contains "🤘🏻" or tgt.process.cmdline contains "🤙🏻" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "👈🏻" or tgt.process.cmdline contains "👉🏻" or tgt.process.cmdline contains "👆🏻" or tgt.process.cmdline contains "🖕🏻" or tgt.process.cmdline contains "👇🏻" or tgt.process.cmdline contains "☝🏻" or tgt.process.cmdline contains "👍🏻" or tgt.process.cmdline contains "👎🏻" or tgt.process.cmdline contains "✊🏻" or tgt.process.cmdline contains "👊🏻" or tgt.process.cmdline contains "🤛🏻" or tgt.process.cmdline contains "🤜🏻" or tgt.process.cmdline contains "👏🏻" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🙌🏻" or tgt.process.cmdline contains "👐🏻" or tgt.process.cmdline contains "🤲🏻" or tgt.process.cmdline contains "🙏🏻" or tgt.process.cmdline contains "✍🏻" or tgt.process.cmdline contains "💪🏻" or tgt.process.cmdline contains "🦵🏻" or tgt.process.cmdline contains "🦶🏻" or tgt.process.cmdline contains "👂🏻" or tgt.process.cmdline contains "🦻🏻" or tgt.process.cmdline contains "👃🏻" or tgt.process.cmdline contains "👶🏻" or tgt.process.cmdline contains "👧🏻" or tgt.process.cmdline contains 
"🧒🏻" or tgt.process.cmdline contains "👦🏻" or tgt.process.cmdline contains "👩🏻" or tgt.process.cmdline contains "🧑🏻" or tgt.process.cmdline contains "👨🏻" or tgt.process.cmdline contains "👩🏻‍🦱" or tgt.process.cmdline contains "🧑🏻‍🦱" or tgt.process.cmdline contains "👨🏻‍🦱" or tgt.process.cmdline contains "👩🏻‍🦰" or tgt.process.cmdline contains "🧑🏻‍🦰" or tgt.process.cmdline contains "👨🏻‍🦰" or tgt.process.cmdline contains "👱🏻‍♀️" or tgt.process.cmdline contains "👱🏻" or tgt.process.cmdline contains "👱🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦳" or tgt.process.cmdline contains "🧑🏻‍🦳" or tgt.process.cmdline contains "👨🏻‍🦳" or tgt.process.cmdline contains "👩🏻‍🦲" or tgt.process.cmdline contains "🧑🏻‍🦲" or tgt.process.cmdline contains "👨🏻‍🦲" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline contains "🧔🏻" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "👵🏻" or tgt.process.cmdline contains "🧓🏻" or tgt.process.cmdline contains "👴🏻" or tgt.process.cmdline contains "👲🏻" or tgt.process.cmdline contains "👳🏻‍♀️" or tgt.process.cmdline contains "👳🏻" or tgt.process.cmdline contains "👳🏻‍♂️" or tgt.process.cmdline contains "🧕🏻" or tgt.process.cmdline contains "👮🏻‍♀️" or tgt.process.cmdline contains "👮🏻" or tgt.process.cmdline contains "👮🏻‍♂️" or tgt.process.cmdline contains "👷🏻‍♀️" or tgt.process.cmdline contains "👷🏻" or tgt.process.cmdline contains "👷🏻‍♂️" or tgt.process.cmdline contains "💂🏻‍♀️" or tgt.process.cmdline contains "💂🏻" or tgt.process.cmdline contains "💂🏻‍♂️" or tgt.process.cmdline contains "🕵🏻‍♀️" or tgt.process.cmdline contains "🕵🏻" or tgt.process.cmdline contains "🕵🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍⚕️" or tgt.process.cmdline contains "🧑🏻‍⚕️" or tgt.process.cmdline contains "👨🏻‍⚕️" or tgt.process.cmdline contains "👩🏻‍🌾" or tgt.process.cmdline contains "🧑🏻‍🌾" or tgt.process.cmdline contains "👨🏻‍🌾" or tgt.process.cmdline contains "👩🏻‍🍳" or tgt.process.cmdline contains "🧑🏻‍🍳" or tgt.process.cmdline contains "👨🏻‍🍳" or 
tgt.process.cmdline contains "👩🏻‍🎓" or tgt.process.cmdline contains "🧑🏻‍🎓" or tgt.process.cmdline contains "👨🏻‍🎓" or tgt.process.cmdline contains "👩🏻‍🎤" or tgt.process.cmdline contains "🧑🏻‍🎤" or tgt.process.cmdline contains "👨🏻‍🎤" or tgt.process.cmdline contains "👩🏻‍🏫" or tgt.process.cmdline contains "🧑🏻‍🏫" or tgt.process.cmdline contains "👨🏻‍🏫" or tgt.process.cmdline contains "👩🏻‍🏭" or tgt.process.cmdline contains "🧑🏻‍🏭" or tgt.process.cmdline contains "👨🏻‍🏭" or tgt.process.cmdline contains "👩🏻‍💻" or tgt.process.cmdline contains "🧑🏻‍💻" or tgt.process.cmdline contains "👨🏻‍💻" or tgt.process.cmdline contains "👩🏻‍💼" or tgt.process.cmdline contains "🧑🏻‍💼" or tgt.process.cmdline contains "👨🏻‍💼" or tgt.process.cmdline contains "👩🏻‍🔧" or tgt.process.cmdline contains "🧑🏻‍🔧" or tgt.process.cmdline contains "👨🏻‍🔧" or tgt.process.cmdline contains "👩🏻‍🔬" or tgt.process.cmdline contains "🧑🏻‍🔬" or tgt.process.cmdline contains "👨🏻‍🔬" or tgt.process.cmdline contains "👩🏻‍🎨" or tgt.process.cmdline contains "🧑🏻‍🎨" or tgt.process.cmdline contains "👨🏻‍🎨" or tgt.process.cmdline contains "👩🏻‍🚒" or tgt.process.cmdline contains "🧑🏻‍🚒" or tgt.process.cmdline contains "👨🏻‍🚒" or tgt.process.cmdline contains "👩🏻‍✈️" or tgt.process.cmdline contains "🧑🏻‍✈️" or tgt.process.cmdline contains "👨🏻‍✈️" or tgt.process.cmdline contains "👩🏻‍🚀" or tgt.process.cmdline contains "🧑🏻‍🚀" or tgt.process.cmdline contains "👨🏻‍🚀" or tgt.process.cmdline contains "👩🏻‍⚖️" or tgt.process.cmdline contains "🧑🏻‍⚖️" or tgt.process.cmdline contains "👨🏻‍⚖️" or tgt.process.cmdline contains "👰🏻‍♀️" or tgt.process.cmdline contains "👰🏻" or tgt.process.cmdline contains "👰🏻‍♂️" or tgt.process.cmdline contains "🤵🏻‍♀️" or tgt.process.cmdline contains "🤵🏻" or tgt.process.cmdline contains "🤵🏻‍♂️" or tgt.process.cmdline contains "👸🏻" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🤴🏻" or tgt.process.cmdline contains "🥷🏻" or tgt.process.cmdline contains "🦸🏻‍♀️" or tgt.process.cmdline contains "🦸🏻" or 
tgt.process.cmdline contains "🦸🏻‍♂️" or tgt.process.cmdline contains "🦹🏻‍♀️" or tgt.process.cmdline contains "🦹🏻" or tgt.process.cmdline contains "🦹🏻‍♂️" or tgt.process.cmdline contains "🤶🏻" or tgt.process.cmdline contains "🧑🏻‍🎄" or tgt.process.cmdline contains "🎅🏻" or tgt.process.cmdline contains "🧙🏻‍♀️" or tgt.process.cmdline contains "🧙🏻" or tgt.process.cmdline contains "🧙🏻‍♂️" or tgt.process.cmdline contains "🧝🏻‍♀️" or tgt.process.cmdline contains "🧝🏻" or tgt.process.cmdline contains "🧝🏻‍♂️" or tgt.process.cmdline contains "🧛🏻‍♀️" or tgt.process.cmdline contains "🧛🏻" or tgt.process.cmdline contains "🧛🏻‍♂️" or tgt.process.cmdline contains "🧜🏻‍♀️" or tgt.process.cmdline contains "🧜🏻" or tgt.process.cmdline contains "🧜🏻‍♂️" or tgt.process.cmdline contains "🧚🏻‍♀️" or tgt.process.cmdline contains "🧚🏻" or tgt.process.cmdline contains "🧚🏻‍♂️" or tgt.process.cmdline contains "👼🏻" or tgt.process.cmdline contains "🤰🏻" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🤱🏻" or tgt.process.cmdline contains "👩🏻‍🍼" or tgt.process.cmdline contains "🧑🏻‍🍼" or tgt.process.cmdline contains "👨🏻‍🍼" or tgt.process.cmdline contains "🙇🏻‍♀️" or tgt.process.cmdline contains "🙇🏻" or tgt.process.cmdline contains "🙇🏻‍♂️" or tgt.process.cmdline contains "💁🏻‍♀️" or tgt.process.cmdline contains "💁🏻" or tgt.process.cmdline contains "💁🏻‍♂️" or tgt.process.cmdline contains "🙅🏻‍♀️" or tgt.process.cmdline contains "🙅🏻" or tgt.process.cmdline contains "🙅🏻‍♂️" or tgt.process.cmdline contains "🙆🏻‍♀️" or tgt.process.cmdline contains "🙆🏻" or tgt.process.cmdline contains "🙆🏻‍♂️" or tgt.process.cmdline contains "🙋🏻‍♀️" or tgt.process.cmdline contains "🙋🏻" or tgt.process.cmdline contains "🙋🏻‍♂️" or tgt.process.cmdline contains "🧏🏻‍♀️" or tgt.process.cmdline contains "🧏🏻" or tgt.process.cmdline contains "🧏🏻‍♂️" or tgt.process.cmdline contains "🤦🏻‍♀️" or tgt.process.cmdline contains "🤦🏻" or tgt.process.cmdline contains "🤦🏻‍♂️" or tgt.process.cmdline 
contains "🤷🏻‍♀️" or tgt.process.cmdline contains "🤷🏻" or tgt.process.cmdline contains "🤷🏻‍♂️" or tgt.process.cmdline contains "🙎🏻‍♀️" or tgt.process.cmdline contains "🙎🏻" or tgt.process.cmdline contains "🙎🏻‍♂️" or tgt.process.cmdline contains "🙍🏻‍♀️" or tgt.process.cmdline contains "🙍🏻" or tgt.process.cmdline contains "🙍🏻‍♂️" or tgt.process.cmdline contains "💇🏻‍♀️" or tgt.process.cmdline contains "💇🏻" or tgt.process.cmdline contains "💇🏻‍♂️" or tgt.process.cmdline contains "💆🏻‍♀️" or tgt.process.cmdline contains "💆🏻" or tgt.process.cmdline contains "💆🏻‍♂️" or tgt.process.cmdline contains "🧖🏻‍♀️" or tgt.process.cmdline contains "🧖🏻" or tgt.process.cmdline contains "🧖🏻‍♂️" or tgt.process.cmdline contains "💃🏻" or tgt.process.cmdline contains "🕺🏻" or tgt.process.cmdline contains "🕴🏻" or tgt.process.cmdline contains "👩🏻‍🦽" or tgt.process.cmdline contains "🧑🏻‍🦽" or tgt.process.cmdline contains "👨🏻‍🦽" or tgt.process.cmdline contains "👩🏻‍🦼" or tgt.process.cmdline contains "🧑🏻‍🦼" or tgt.process.cmdline contains "👨🏻‍🦼" or tgt.process.cmdline contains "🚶🏻‍♀️" or tgt.process.cmdline contains "🚶🏻" or tgt.process.cmdline contains "🚶🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦯" or tgt.process.cmdline contains "🧑🏻‍🦯" or tgt.process.cmdline contains "👨🏻‍🦯" or tgt.process.cmdline contains "🧎🏻‍♀️" or tgt.process.cmdline contains "🧎🏻" or tgt.process.cmdline contains "🧎🏻‍♂️" or tgt.process.cmdline contains "🏃🏻‍♀️" or tgt.process.cmdline contains "🏃🏻" or tgt.process.cmdline contains "🏃🏻‍♂️" or tgt.process.cmdline contains "🧍🏻‍♀️" or tgt.process.cmdline contains "🧍🏻" or tgt.process.cmdline contains "🧍🏻‍♂️" or tgt.process.cmdline contains "👭🏻" or tgt.process.cmdline contains "🧑🏻‍🤝‍🧑🏻" or tgt.process.cmdline contains "👬🏻" or tgt.process.cmdline contains "👫🏻" or tgt.process.cmdline contains "🧗🏻‍♀️" or tgt.process.cmdline contains "🧗🏻" or tgt.process.cmdline contains "🧗🏻‍♂️" or tgt.process.cmdline contains "🏇🏻" or tgt.process.cmdline contains "🏂🏻" or tgt.process.cmdline contains "🏌🏻‍♀️" or 
tgt.process.cmdline contains "🏌🏻" or tgt.process.cmdline contains "🏌🏻‍♂️" or tgt.process.cmdline contains "🏄🏻‍♀️" or tgt.process.cmdline contains "🏄🏻" or tgt.process.cmdline contains "🏄🏻‍♂️" or tgt.process.cmdline contains "🚣🏻‍♀️" or tgt.process.cmdline contains "🚣🏻" or tgt.process.cmdline contains "🚣🏻‍♂️" or tgt.process.cmdline contains "🏊🏻‍♀️" or tgt.process.cmdline contains "🏊🏻" or tgt.process.cmdline contains "🏊🏻‍♂️" or tgt.process.cmdline contains "⛹🏻‍♀️" or tgt.process.cmdline contains "⛹🏻" or tgt.process.cmdline contains "⛹🏻‍♂️" or tgt.process.cmdline contains "🏋🏻‍♀️" or tgt.process.cmdline contains "🏋🏻" or tgt.process.cmdline contains "🏋🏻‍♂️" or tgt.process.cmdline contains "🚴🏻‍♀️" or tgt.process.cmdline contains "🚴🏻" or tgt.process.cmdline contains "🚴🏻‍♂️" or tgt.process.cmdline contains "🚵🏻‍♀️" or tgt.process.cmdline contains "🚵🏻" or tgt.process.cmdline contains "🚵🏻‍♂️" or tgt.process.cmdline contains "🤸🏻‍♀️" or tgt.process.cmdline contains "🤸🏻" or tgt.process.cmdline contains "🤸🏻‍♂️" or tgt.process.cmdline contains "🤽🏻‍♀️" or tgt.process.cmdline contains "🤽🏻" or tgt.process.cmdline contains "🤽🏻‍♂️" or tgt.process.cmdline contains "🤾🏻‍♀️" or tgt.process.cmdline contains "🤾🏻" or tgt.process.cmdline contains "🤾🏻‍♂️" or tgt.process.cmdline contains "🤹🏻‍♀️" or tgt.process.cmdline contains "🤹🏻" or tgt.process.cmdline contains "🤹🏻‍♂️" or tgt.process.cmdline contains "🧘🏻‍♀️" or tgt.process.cmdline contains "🧘🏻" or tgt.process.cmdline contains "🧘🏻‍♂️" or tgt.process.cmdline contains "🛀🏻" or tgt.process.cmdline contains "🛌🏻" or tgt.process.cmdline contains "👋🏼" or tgt.process.cmdline contains "🤚🏼" or tgt.process.cmdline contains "🖐🏼" or tgt.process.cmdline contains "✋🏼" or tgt.process.cmdline contains "🖖🏼" or tgt.process.cmdline contains "👌🏼" or tgt.process.cmdline contains "🤌🏼" or tgt.process.cmdline contains "🤏🏼" or tgt.process.cmdline contains "✌🏼" or tgt.process.cmdline contains "🤞🏼" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🤟🏼" or 
tgt.process.cmdline contains "🤘🏼" or tgt.process.cmdline contains "🤙🏼" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "👈🏼" or tgt.process.cmdline contains "👉🏼" or tgt.process.cmdline contains "👆🏼" or tgt.process.cmdline contains "🖕🏼" or tgt.process.cmdline contains "👇🏼" or tgt.process.cmdline contains "☝🏼" or tgt.process.cmdline contains "👍🏼" or tgt.process.cmdline contains "👎🏼" or tgt.process.cmdline contains "✊🏼" or tgt.process.cmdline contains "👊🏼" or tgt.process.cmdline contains "🤛🏼" or tgt.process.cmdline contains "🤜🏼" or tgt.process.cmdline contains "👏🏼" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🙌🏼" or tgt.process.cmdline contains "👐🏼" or tgt.process.cmdline contains "🤲🏼" or tgt.process.cmdline contains "🙏🏼" or tgt.process.cmdline contains "✍🏼" or tgt.process.cmdline contains "💪🏼" or tgt.process.cmdline contains "🦵🏼" or tgt.process.cmdline contains "🦶🏼" or tgt.process.cmdline contains "👂🏼" or tgt.process.cmdline contains "🦻🏼" or tgt.process.cmdline contains "👃🏼" or tgt.process.cmdline contains "👶🏼" or tgt.process.cmdline contains "👧🏼" or tgt.process.cmdline contains "🧒🏼" or tgt.process.cmdline contains "👦🏼" or tgt.process.cmdline contains "👩🏼" or tgt.process.cmdline contains "🧑🏼" or tgt.process.cmdline contains "👨🏼" or tgt.process.cmdline contains "👩🏼‍🦱" or tgt.process.cmdline contains "🧑🏼‍🦱" or tgt.process.cmdline contains "👨🏼‍🦱" or tgt.process.cmdline contains "👩🏼‍🦰" or tgt.process.cmdline contains "🧑🏼‍🦰" or tgt.process.cmdline contains "👨🏼‍🦰" or tgt.process.cmdline contains "👱🏼‍♀️" or tgt.process.cmdline contains "👱🏼" or tgt.process.cmdline contains "👱🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦳" or tgt.process.cmdline contains "🧑🏼‍🦳" or tgt.process.cmdline contains "👨🏼‍🦳" or tgt.process.cmdline contains "👩🏼‍🦲" or tgt.process.cmdline contains "🧑🏼‍🦲" or 
tgt.process.cmdline contains "👨🏼‍🦲" or tgt.process.cmdline contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏼" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "👵🏼" or tgt.process.cmdline contains "🧓🏼" or tgt.process.cmdline contains "👴🏼" or tgt.process.cmdline contains "👲🏼" or tgt.process.cmdline contains "👳🏼‍♀️" or tgt.process.cmdline contains "👳🏼" or tgt.process.cmdline contains "👳🏼‍♂️" or tgt.process.cmdline contains "🧕🏼" or tgt.process.cmdline contains "👮🏼‍♀️" or tgt.process.cmdline contains "👮🏼" or tgt.process.cmdline contains "👮🏼‍♂️" or tgt.process.cmdline contains "👷🏼‍♀️" or tgt.process.cmdline contains "👷🏼" or tgt.process.cmdline contains "👷🏼‍♂️" or tgt.process.cmdline contains "💂🏼‍♀️" or tgt.process.cmdline contains "💂🏼" or tgt.process.cmdline contains "💂🏼‍♂️" or tgt.process.cmdline contains "🕵🏼‍♀️" or tgt.process.cmdline contains "🕵🏼" or tgt.process.cmdline contains "🕵🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍⚕️" or tgt.process.cmdline contains "🧑🏼‍⚕️" or tgt.process.cmdline contains "👨🏼‍⚕️" or tgt.process.cmdline contains "👩🏼‍🌾" or tgt.process.cmdline contains "🧑🏼‍🌾" or tgt.process.cmdline contains "👨🏼‍🌾" or tgt.process.cmdline contains "👩🏼‍🍳" or tgt.process.cmdline contains "🧑🏼‍🍳" or tgt.process.cmdline contains "👨🏼‍🍳" or tgt.process.cmdline contains "👩🏼‍🎓" or tgt.process.cmdline contains "🧑🏼‍🎓" or tgt.process.cmdline contains "👨🏼‍🎓" or tgt.process.cmdline contains "👩🏼‍🎤" or tgt.process.cmdline contains "🧑🏼‍🎤" or tgt.process.cmdline contains "👨🏼‍🎤" or tgt.process.cmdline contains "👩🏼‍🏫" or tgt.process.cmdline contains "🧑🏼‍🏫" or tgt.process.cmdline contains "👨🏼‍🏫" or tgt.process.cmdline contains "👩🏼‍🏭" or tgt.process.cmdline contains "🧑🏼‍🏭" or tgt.process.cmdline contains "👨🏼‍🏭" or tgt.process.cmdline contains "👩🏼‍💻" or tgt.process.cmdline contains "🧑🏼‍💻" or tgt.process.cmdline contains "👨🏼‍💻" or tgt.process.cmdline contains "👩🏼‍💼" or tgt.process.cmdline contains "🧑🏼‍💼" or tgt.process.cmdline contains "👨🏼‍💼" or 
tgt.process.cmdline contains "👩🏼‍🔧" or tgt.process.cmdline contains "🧑🏼‍🔧" or tgt.process.cmdline contains "👨🏼‍🔧" or tgt.process.cmdline contains "👩🏼‍🔬" or tgt.process.cmdline contains "🧑🏼‍🔬" or tgt.process.cmdline contains "👨🏼‍🔬" or tgt.process.cmdline contains "👩🏼‍🎨" or tgt.process.cmdline contains "🧑🏼‍🎨" or tgt.process.cmdline contains "👨🏼‍🎨" or tgt.process.cmdline contains "👩🏼‍🚒" or tgt.process.cmdline contains "🧑🏼‍🚒" or tgt.process.cmdline contains "👨🏼‍🚒" or tgt.process.cmdline contains "👩🏼‍✈️" or tgt.process.cmdline contains "🧑🏼‍✈️" or tgt.process.cmdline contains "👨🏼‍✈️" or tgt.process.cmdline contains "👩🏼‍🚀" or tgt.process.cmdline contains "🧑🏼‍🚀" or tgt.process.cmdline contains "👨🏼‍🚀" or tgt.process.cmdline contains "👩🏼‍⚖️" or tgt.process.cmdline contains "🧑🏼‍⚖️" or tgt.process.cmdline contains "👨🏼‍⚖️" or tgt.process.cmdline contains "👰🏼‍♀️" or tgt.process.cmdline contains "👰🏼" or tgt.process.cmdline contains "👰🏼‍♂️" or tgt.process.cmdline contains "🤵🏼‍♀️" or tgt.process.cmdline contains "🤵🏼" or tgt.process.cmdline contains "🤵🏼‍♂️" or tgt.process.cmdline contains "👸🏼" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🤴🏼" or tgt.process.cmdline contains "🥷🏼" or tgt.process.cmdline contains "🦸🏼‍♀️" or tgt.process.cmdline contains "🦸🏼" or tgt.process.cmdline contains "🦸🏼‍♂️" or tgt.process.cmdline contains "🦹🏼‍♀️" or tgt.process.cmdline contains "🦹🏼" or tgt.process.cmdline contains "🦹🏼‍♂️" or tgt.process.cmdline contains "🤶🏼" or tgt.process.cmdline contains "🧑🏼‍🎄" or tgt.process.cmdline contains "🎅🏼" or tgt.process.cmdline contains "🧙🏼‍♀️" or tgt.process.cmdline contains "🧙🏼" or tgt.process.cmdline contains "🧙🏼‍♂️" or tgt.process.cmdline contains "🧝🏼‍♀️" or tgt.process.cmdline contains "🧝🏼" or tgt.process.cmdline contains "🧝🏼‍♂️" or tgt.process.cmdline contains "🧛🏼‍♀️" or tgt.process.cmdline contains "🧛🏼" or tgt.process.cmdline contains "🧛🏼‍♂️" or tgt.process.cmdline contains "🧜🏼‍♀️" or tgt.process.cmdline contains "🧜🏼" or 
tgt.process.cmdline contains "🧜🏼‍♂️" or tgt.process.cmdline contains "🧚🏼‍♀️" or tgt.process.cmdline contains "🧚🏼" or tgt.process.cmdline contains "🧚🏼‍♂️" or tgt.process.cmdline contains "👼🏼" or tgt.process.cmdline contains "🤰🏼" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🤱🏼" or tgt.process.cmdline contains "👩🏼‍🍼" or tgt.process.cmdline contains "🧑🏼‍🍼" or tgt.process.cmdline contains "👨🏼‍🍼" or tgt.process.cmdline contains "🙇🏼‍♀️" or tgt.process.cmdline contains "🙇🏼" or tgt.process.cmdline contains "🙇🏼‍♂️" or tgt.process.cmdline contains "💁🏼‍♀️" or tgt.process.cmdline contains "💁🏼" or tgt.process.cmdline contains "💁🏼‍♂️" or tgt.process.cmdline contains "🙅🏼‍♀️" or tgt.process.cmdline contains "🙅🏼" or tgt.process.cmdline contains "🙅🏼‍♂️" or tgt.process.cmdline contains "🙆🏼‍♀️" or tgt.process.cmdline contains "🙆🏼" or tgt.process.cmdline contains "🙆🏼‍♂️" or tgt.process.cmdline contains "🙋🏼‍♀️" or tgt.process.cmdline contains "🙋🏼" or tgt.process.cmdline contains "🙋🏼‍♂️" or tgt.process.cmdline contains "🧏🏼‍♀️" or tgt.process.cmdline contains "🧏🏼" or tgt.process.cmdline contains "🧏🏼‍♂️" or tgt.process.cmdline contains "🤦🏼‍♀️" or tgt.process.cmdline contains "🤦🏼" or tgt.process.cmdline contains "🤦🏼‍♂️" or tgt.process.cmdline contains "🤷🏼‍♀️")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md index f14931cb2..3c849cb0a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🤷🏼" or tgt.process.cmdline contains "🤷🏼‍♂️" or tgt.process.cmdline contains "🙎🏼‍♀️" or tgt.process.cmdline contains "🙎🏼" or tgt.process.cmdline contains "🙎🏼‍♂️" or tgt.process.cmdline contains "🙍🏼‍♀️" or tgt.process.cmdline contains "🙍🏼" or tgt.process.cmdline contains "🙍🏼‍♂️" or tgt.process.cmdline contains "💇🏼‍♀️" or tgt.process.cmdline contains "💇🏼" or tgt.process.cmdline contains "💇🏼‍♂️" or tgt.process.cmdline contains "💆🏼‍♀️" or tgt.process.cmdline contains "💆🏼" or tgt.process.cmdline contains "💆🏼‍♂️" or tgt.process.cmdline contains "🧖🏼‍♀️" or tgt.process.cmdline contains "🧖🏼" or tgt.process.cmdline contains "🧖🏼‍♂️" or tgt.process.cmdline contains "💃🏼" or tgt.process.cmdline contains "🕺🏼" or tgt.process.cmdline contains "🕴🏼" or tgt.process.cmdline contains "👩🏼‍🦽" or tgt.process.cmdline contains "🧑🏼‍🦽" or tgt.process.cmdline contains "👨🏼‍🦽" or tgt.process.cmdline contains "👩🏼‍🦼" or tgt.process.cmdline contains "🧑🏼‍🦼" or tgt.process.cmdline contains "👨🏼‍🦼" or tgt.process.cmdline contains "🚶🏼‍♀️" or tgt.process.cmdline contains "🚶🏼" or tgt.process.cmdline contains "🚶🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦯" or tgt.process.cmdline contains "🧑🏼‍🦯" or tgt.process.cmdline contains "👨🏼‍🦯" or tgt.process.cmdline contains "🧎🏼‍♀️" or tgt.process.cmdline contains "🧎🏼" or tgt.process.cmdline contains "🧎🏼‍♂️" or tgt.process.cmdline contains "🏃🏼‍♀️" or tgt.process.cmdline contains "🏃🏼" or tgt.process.cmdline contains "🏃🏼‍♂️" or tgt.process.cmdline contains "🧍🏼‍♀️" or tgt.process.cmdline contains "🧍🏼" or tgt.process.cmdline contains "🧍🏼‍♂️" or tgt.process.cmdline contains "👭🏼" or tgt.process.cmdline contains "🧑🏼‍🤝‍🧑🏼" or tgt.process.cmdline contains "👬🏼" or tgt.process.cmdline contains "👫🏼" or tgt.process.cmdline 
contains "🧗🏼‍♀️" or tgt.process.cmdline contains "🧗🏼" or tgt.process.cmdline contains "🧗🏼‍♂️" or tgt.process.cmdline contains "🏇🏼" or tgt.process.cmdline contains "🏂🏼" or tgt.process.cmdline contains "🏌🏼‍♀️" or tgt.process.cmdline contains "🏌🏼" or tgt.process.cmdline contains "🏌🏼‍♂️" or tgt.process.cmdline contains "🏄🏼‍♀️" or tgt.process.cmdline contains "🏄🏼" or tgt.process.cmdline contains "🏄🏼‍♂️" or tgt.process.cmdline contains "🚣🏼‍♀️" or tgt.process.cmdline contains "🚣🏼" or tgt.process.cmdline contains "🚣🏼‍♂️" or tgt.process.cmdline contains "🏊🏼‍♀️" or tgt.process.cmdline contains "🏊🏼" or tgt.process.cmdline contains "🏊🏼‍♂️" or tgt.process.cmdline contains "⛹🏼‍♀️" or tgt.process.cmdline contains "⛹🏼" or tgt.process.cmdline contains "⛹🏼‍♂️" or tgt.process.cmdline contains "🏋🏼‍♀️" or tgt.process.cmdline contains "🏋🏼" or tgt.process.cmdline contains "🏋🏼‍♂️" or tgt.process.cmdline contains "🚴🏼‍♀️" or tgt.process.cmdline contains "🚴🏼" or tgt.process.cmdline contains "🚴🏼‍♂️" or tgt.process.cmdline contains "🚵🏼‍♀️" or tgt.process.cmdline contains "🚵🏼" or tgt.process.cmdline contains "🚵🏼‍♂️" or tgt.process.cmdline contains "🤸🏼‍♀️" or tgt.process.cmdline contains "🤸🏼" or tgt.process.cmdline contains "🤸🏼‍♂️" or tgt.process.cmdline contains "🤽🏼‍♀️" or tgt.process.cmdline contains "🤽🏼" or tgt.process.cmdline contains "🤽🏼‍♂️" or tgt.process.cmdline contains "🤾🏼‍♀️" or tgt.process.cmdline contains "🤾🏼" or tgt.process.cmdline contains "🤾🏼‍♂️" or tgt.process.cmdline contains "🤹🏼‍♀️" or tgt.process.cmdline contains "🤹🏼" or tgt.process.cmdline contains "🤹🏼‍♂️" or tgt.process.cmdline contains "🧘🏼‍♀️" or tgt.process.cmdline contains "🧘🏼" or tgt.process.cmdline contains "🧘🏼‍♂️" or tgt.process.cmdline contains "🛀🏼" or tgt.process.cmdline contains "🛌🏼" or tgt.process.cmdline contains "👋🏽" or tgt.process.cmdline contains "🤚🏽" or tgt.process.cmdline contains "🖐🏽" or tgt.process.cmdline contains "✋🏽" or tgt.process.cmdline contains "🖖🏽" or tgt.process.cmdline contains "👌🏽" or 
tgt.process.cmdline contains "🤌🏽" or tgt.process.cmdline contains "🤏🏽" or tgt.process.cmdline contains "✌🏽" or tgt.process.cmdline contains "🤞🏽" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🤟🏽" or tgt.process.cmdline contains "🤘🏽" or tgt.process.cmdline contains "🤙🏽" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "👈🏽" or tgt.process.cmdline contains "👉🏽" or tgt.process.cmdline contains "👆🏽" or tgt.process.cmdline contains "🖕🏽" or tgt.process.cmdline contains "👇🏽" or tgt.process.cmdline contains "☝🏽" or tgt.process.cmdline contains "👍🏽" or tgt.process.cmdline contains "👎🏽" or tgt.process.cmdline contains "✊🏽" or tgt.process.cmdline contains "👊🏽" or tgt.process.cmdline contains "🤛🏽" or tgt.process.cmdline contains "🤜🏽" or tgt.process.cmdline contains "👏🏽" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🙌🏽" or tgt.process.cmdline contains "👐🏽" or tgt.process.cmdline contains "🤲🏽" or tgt.process.cmdline contains "🙏🏽" or tgt.process.cmdline contains "✍🏽" or tgt.process.cmdline contains "💪🏽" or tgt.process.cmdline contains "🦵🏽" or tgt.process.cmdline contains "🦶🏽" or tgt.process.cmdline contains "👂🏽" or tgt.process.cmdline contains "🦻🏽" or tgt.process.cmdline contains "👃🏽" or tgt.process.cmdline contains "👶🏽" or tgt.process.cmdline contains "👧🏽" or tgt.process.cmdline contains "🧒🏽" or tgt.process.cmdline contains "👦🏽" or tgt.process.cmdline contains "👩🏽" or tgt.process.cmdline contains "🧑🏽" or tgt.process.cmdline contains "👨🏽" or tgt.process.cmdline contains "👩🏽‍🦱" or tgt.process.cmdline contains "🧑🏽‍🦱" or tgt.process.cmdline contains "👨🏽‍🦱" or tgt.process.cmdline contains "👩🏽‍🦰" or tgt.process.cmdline contains "🧑🏽‍🦰" or tgt.process.cmdline contains "👨🏽‍🦰" or tgt.process.cmdline contains "👱🏽‍♀️" or tgt.process.cmdline contains "👱🏽" or tgt.process.cmdline 
contains "👱🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦳" or tgt.process.cmdline contains "🧑🏽‍🦳" or tgt.process.cmdline contains "👨🏽‍🦳" or tgt.process.cmdline contains "👩🏽‍🦲" or tgt.process.cmdline contains "🧑🏽‍🦲" or tgt.process.cmdline contains "👨🏽‍🦲" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏽" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "👵🏽" or tgt.process.cmdline contains "🧓🏽" or tgt.process.cmdline contains "👴🏽" or tgt.process.cmdline contains "👲🏽" or tgt.process.cmdline contains "👳🏽‍♀️" or tgt.process.cmdline contains "👳🏽" or tgt.process.cmdline contains "👳🏽‍♂️" or tgt.process.cmdline contains "🧕🏽" or tgt.process.cmdline contains "👮🏽‍♀️" or tgt.process.cmdline contains "👮🏽" or tgt.process.cmdline contains "👮🏽‍♂️" or tgt.process.cmdline contains "👷🏽‍♀️" or tgt.process.cmdline contains "👷🏽" or tgt.process.cmdline contains "👷🏽‍♂️" or tgt.process.cmdline contains "💂🏽‍♀️" or tgt.process.cmdline contains "💂🏽" or tgt.process.cmdline contains "💂🏽‍♂️" or tgt.process.cmdline contains "🕵🏽‍♀️" or tgt.process.cmdline contains "🕵🏽" or tgt.process.cmdline contains "🕵🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍⚕️" or tgt.process.cmdline contains "🧑🏽‍⚕️" or tgt.process.cmdline contains "👨🏽‍⚕️" or tgt.process.cmdline contains "👩🏽‍🌾" or tgt.process.cmdline contains "🧑🏽‍🌾" or tgt.process.cmdline contains "👨🏽‍🌾" or tgt.process.cmdline contains "👩🏽‍🍳" or tgt.process.cmdline contains "🧑🏽‍🍳" or tgt.process.cmdline contains "👨🏽‍🍳" or tgt.process.cmdline contains "👩🏽‍🎓" or tgt.process.cmdline contains "🧑🏽‍🎓" or tgt.process.cmdline contains "👨🏽‍🎓" or tgt.process.cmdline contains "👩🏽‍🎤" or tgt.process.cmdline contains "🧑🏽‍🎤" or tgt.process.cmdline contains "👨🏽‍🎤" or tgt.process.cmdline contains "👩🏽‍🏫" or tgt.process.cmdline contains "🧑🏽‍🏫" or tgt.process.cmdline contains "👨🏽‍🏫" or tgt.process.cmdline contains "👩🏽‍🏭" or tgt.process.cmdline contains "🧑🏽‍🏭" or tgt.process.cmdline contains "👨🏽‍🏭" or tgt.process.cmdline contains "👩🏽‍💻" 
or tgt.process.cmdline contains "🧑🏽‍💻" or tgt.process.cmdline contains "👨🏽‍💻" or tgt.process.cmdline contains "👩🏽‍💼" or tgt.process.cmdline contains "🧑🏽‍💼" or tgt.process.cmdline contains "👨🏽‍💼" or tgt.process.cmdline contains "👩🏽‍🔧" or tgt.process.cmdline contains "🧑🏽‍🔧" or tgt.process.cmdline contains "👨🏽‍🔧" or tgt.process.cmdline contains "👩🏽‍🔬" or tgt.process.cmdline contains "🧑🏽‍🔬" or tgt.process.cmdline contains "👨🏽‍🔬" or tgt.process.cmdline contains "👩🏽‍🎨" or tgt.process.cmdline contains "🧑🏽‍🎨" or tgt.process.cmdline contains "👨🏽‍🎨" or tgt.process.cmdline contains "👩🏽‍🚒" or tgt.process.cmdline contains "🧑🏽‍🚒" or tgt.process.cmdline contains "👨🏽‍🚒" or tgt.process.cmdline contains "👩🏽‍✈️" or tgt.process.cmdline contains "🧑🏽‍✈️" or tgt.process.cmdline contains "👨🏽‍✈️" or tgt.process.cmdline contains "👩🏽‍🚀" or tgt.process.cmdline contains "🧑🏽‍🚀" or tgt.process.cmdline contains "👨🏽‍🚀" or tgt.process.cmdline contains "👩🏽‍⚖️" or tgt.process.cmdline contains "🧑🏽‍⚖️" or tgt.process.cmdline contains "👨🏽‍⚖️" or tgt.process.cmdline contains "👰🏽‍♀️" or tgt.process.cmdline contains "👰🏽" or tgt.process.cmdline contains "👰🏽‍♂️" or tgt.process.cmdline contains "🤵🏽‍♀️" or tgt.process.cmdline contains "🤵🏽" or tgt.process.cmdline contains "🤵🏽‍♂️" or tgt.process.cmdline contains "👸🏽" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🤴🏽" or tgt.process.cmdline contains "🥷🏽" or tgt.process.cmdline contains "🦸🏽‍♀️" or tgt.process.cmdline contains "🦸🏽" or tgt.process.cmdline contains "🦸🏽‍♂️" or tgt.process.cmdline contains "🦹🏽‍♀️" or tgt.process.cmdline contains "🦹🏽" or tgt.process.cmdline contains "🦹🏽‍♂️" or tgt.process.cmdline contains "🤶🏽" or tgt.process.cmdline contains "🧑🏽‍🎄" or tgt.process.cmdline contains "🎅🏽" or tgt.process.cmdline contains "🧙🏽‍♀️" or tgt.process.cmdline contains "🧙🏽" or tgt.process.cmdline contains "🧙🏽‍♂️" or tgt.process.cmdline contains "🧝🏽‍♀️" or tgt.process.cmdline contains "🧝🏽" or tgt.process.cmdline contains "🧝🏽‍♂️" or 
tgt.process.cmdline contains "🧛🏽‍♀️" or tgt.process.cmdline contains "🧛🏽" or tgt.process.cmdline contains "🧛🏽‍♂️" or tgt.process.cmdline contains "🧜🏽‍♀️" or tgt.process.cmdline contains "🧜🏽" or tgt.process.cmdline contains "🧜🏽‍♂️" or tgt.process.cmdline contains "🧚🏽‍♀️" or tgt.process.cmdline contains "🧚🏽" or tgt.process.cmdline contains "🧚🏽‍♂️" or tgt.process.cmdline contains "👼🏽" or tgt.process.cmdline contains "🤰🏽" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🤱🏽" or tgt.process.cmdline contains "👩🏽‍🍼" or tgt.process.cmdline contains "🧑🏽‍🍼" or tgt.process.cmdline contains "👨🏽‍🍼" or tgt.process.cmdline contains "🙇🏽‍♀️" or tgt.process.cmdline contains "🙇🏽" or tgt.process.cmdline contains "🙇🏽‍♂️" or tgt.process.cmdline contains "💁🏽‍♀️" or tgt.process.cmdline contains "💁🏽" or tgt.process.cmdline contains "💁🏽‍♂️" or tgt.process.cmdline contains "🙅🏽‍♀️" or tgt.process.cmdline contains "🙅🏽" or tgt.process.cmdline contains "🙅🏽‍♂️" or tgt.process.cmdline contains "🙆🏽‍♀️" or tgt.process.cmdline contains "🙆🏽" or tgt.process.cmdline contains "🙆🏽‍♂️" or tgt.process.cmdline contains "🙋🏽‍♀️" or tgt.process.cmdline contains "🙋🏽" or tgt.process.cmdline contains "🙋🏽‍♂️" or tgt.process.cmdline contains "🧏🏽‍♀️" or tgt.process.cmdline contains "🧏🏽" or tgt.process.cmdline contains "🧏🏽‍♂️" or tgt.process.cmdline contains "🤦🏽‍♀️" or tgt.process.cmdline contains "🤦🏽" or tgt.process.cmdline contains "🤦🏽‍♂️" or tgt.process.cmdline contains "🤷🏽‍♀️" or tgt.process.cmdline contains "🤷🏽" or tgt.process.cmdline contains "🤷🏽‍♂️" or tgt.process.cmdline contains "🙎🏽‍♀️" or tgt.process.cmdline contains "🙎🏽" or tgt.process.cmdline contains "🙎🏽‍♂️" or tgt.process.cmdline contains "🙍🏽‍♀️" or tgt.process.cmdline contains "🙍🏽" or tgt.process.cmdline contains "🙍🏽‍♂️" or tgt.process.cmdline contains "💇🏽‍♀️" or tgt.process.cmdline contains "💇🏽" or tgt.process.cmdline contains "💇🏽‍♂️" or tgt.process.cmdline contains "💆🏽‍♀️" or tgt.process.cmdline 
contains "💆🏽" or tgt.process.cmdline contains "💆🏽‍♂️" or tgt.process.cmdline contains "🧖🏽‍♀️" or tgt.process.cmdline contains "🧖🏽" or tgt.process.cmdline contains "🧖🏽‍♂️" or tgt.process.cmdline contains "💃🏽" or tgt.process.cmdline contains "🕺🏽" or tgt.process.cmdline contains "🕴🏽" or tgt.process.cmdline contains "👩🏽‍🦽" or tgt.process.cmdline contains "🧑🏽‍🦽" or tgt.process.cmdline contains "👨🏽‍🦽" or tgt.process.cmdline contains "👩🏽‍🦼" or tgt.process.cmdline contains "🧑🏽‍🦼" or tgt.process.cmdline contains "👨🏽‍🦼" or tgt.process.cmdline contains "🚶🏽‍♀️" or tgt.process.cmdline contains "🚶🏽" or tgt.process.cmdline contains "🚶🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦯" or tgt.process.cmdline contains "🧑🏽‍🦯" or tgt.process.cmdline contains "👨🏽‍🦯" or tgt.process.cmdline contains "🧎🏽‍♀️" or tgt.process.cmdline contains "🧎🏽" or tgt.process.cmdline contains "🧎🏽‍♂️" or tgt.process.cmdline contains "🏃🏽‍♀️" or tgt.process.cmdline contains "🏃🏽" or tgt.process.cmdline contains "🏃🏽‍♂️" or tgt.process.cmdline contains "🧍🏽‍♀️" or tgt.process.cmdline contains "🧍🏽" or tgt.process.cmdline contains "🧍🏽‍♂️" or tgt.process.cmdline contains "👭🏽" or tgt.process.cmdline contains "🧑🏽‍🤝‍🧑🏽" or tgt.process.cmdline contains "👬🏽" or tgt.process.cmdline contains "👫🏽" or tgt.process.cmdline contains "🧗🏽‍♀️" or tgt.process.cmdline contains "🧗🏽" or tgt.process.cmdline contains "🧗🏽‍♂️" or tgt.process.cmdline contains "🏇🏽" or tgt.process.cmdline contains "🏂🏽" or tgt.process.cmdline contains "🏌🏽‍♀️" or tgt.process.cmdline contains "🏌🏽" or tgt.process.cmdline contains "🏌🏽‍♂️" or tgt.process.cmdline contains "🏄🏽‍♀️" or tgt.process.cmdline contains "🏄🏽" or tgt.process.cmdline contains "🏄🏽‍♂️" or tgt.process.cmdline contains "🚣🏽‍♀️" or tgt.process.cmdline contains "🚣🏽" or tgt.process.cmdline contains "🚣🏽‍♂️" or tgt.process.cmdline contains "🏊🏽‍♀️" or tgt.process.cmdline contains "🏊🏽" or tgt.process.cmdline contains "🏊🏽‍♂️" or tgt.process.cmdline contains "⛹🏽‍♀️" or tgt.process.cmdline contains "⛹🏽" or 
tgt.process.cmdline contains "⛹🏽‍♂️" or tgt.process.cmdline contains "🏋🏽‍♀️" or tgt.process.cmdline contains "🏋🏽" or tgt.process.cmdline contains "🏋🏽‍♂️" or tgt.process.cmdline contains "🚴🏽‍♀️" or tgt.process.cmdline contains "🚴🏽" or tgt.process.cmdline contains "🚴🏽‍♂️" or tgt.process.cmdline contains "🚵🏽‍♀️" or tgt.process.cmdline contains "🚵🏽" or tgt.process.cmdline contains "🚵🏽‍♂️" or tgt.process.cmdline contains "🤸🏽‍♀️" or tgt.process.cmdline contains "🤸🏽" or tgt.process.cmdline contains "🤸🏽‍♂️" or tgt.process.cmdline contains "🤽🏽‍♀️" or tgt.process.cmdline contains "🤽🏽" or tgt.process.cmdline contains "🤽🏽‍♂️" or tgt.process.cmdline contains "🤾🏽‍♀️" or tgt.process.cmdline contains "🤾🏽" or tgt.process.cmdline contains "🤾🏽‍♂️" or tgt.process.cmdline contains "🤹🏽‍♀️" or tgt.process.cmdline contains "🤹🏽" or tgt.process.cmdline contains "🤹🏽‍♂️" or tgt.process.cmdline contains "🧘🏽‍♀️" or tgt.process.cmdline contains "🧘🏽" or tgt.process.cmdline contains "🧘🏽‍♂️" or tgt.process.cmdline contains "🛀🏽" or tgt.process.cmdline contains "🛌🏽" or tgt.process.cmdline contains "👋🏾" or tgt.process.cmdline contains "🤚🏾" or tgt.process.cmdline contains "🖐🏾" or tgt.process.cmdline contains "✋🏾" or tgt.process.cmdline contains "🖖🏾" or tgt.process.cmdline contains "👌🏾" or tgt.process.cmdline contains "🤌🏾" or tgt.process.cmdline contains "🤏🏾" or tgt.process.cmdline contains "✌🏾" or tgt.process.cmdline contains "🤞🏾" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🤟🏾" or tgt.process.cmdline contains "🤘🏾" or tgt.process.cmdline contains "🤙🏾" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "👈🏾" or tgt.process.cmdline contains "👉🏾" or tgt.process.cmdline contains "👆🏾" or tgt.process.cmdline contains "🖕🏾" or tgt.process.cmdline contains "👇🏾" or tgt.process.cmdline contains "☝🏾" or tgt.process.cmdline 
contains "👍🏾" or tgt.process.cmdline contains "👎🏾" or tgt.process.cmdline contains "✊🏾" or tgt.process.cmdline contains "👊🏾" or tgt.process.cmdline contains "🤛🏾" or tgt.process.cmdline contains "🤜🏾" or tgt.process.cmdline contains "👏🏾" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🙌🏾" or tgt.process.cmdline contains "👐🏾" or tgt.process.cmdline contains "🤲🏾" or tgt.process.cmdline contains "🙏🏾" or tgt.process.cmdline contains "✍🏾" or tgt.process.cmdline contains "💪🏾" or tgt.process.cmdline contains "🦵🏾" or tgt.process.cmdline contains "🦶🏾" or tgt.process.cmdline contains "👂🏾" or tgt.process.cmdline contains "🦻🏾" or tgt.process.cmdline contains "👃🏾" or tgt.process.cmdline contains "👶🏾" or tgt.process.cmdline contains "👧🏾" or tgt.process.cmdline contains "🧒🏾" or tgt.process.cmdline contains "👦🏾" or tgt.process.cmdline contains "👩🏾" or tgt.process.cmdline contains "🧑🏾" or tgt.process.cmdline contains "👨🏾" or tgt.process.cmdline contains "👩🏾‍🦱" or tgt.process.cmdline contains "🧑🏾‍🦱" or tgt.process.cmdline contains "👨🏾‍🦱" or tgt.process.cmdline contains "👩🏾‍🦰" or tgt.process.cmdline contains "🧑🏾‍🦰" or tgt.process.cmdline contains "👨🏾‍🦰" or tgt.process.cmdline contains "👱🏾‍♀️" or tgt.process.cmdline contains "👱🏾" or tgt.process.cmdline contains "👱🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦳" or tgt.process.cmdline contains "🧑🏾‍🦳" or tgt.process.cmdline contains "👨🏾‍🦳" or tgt.process.cmdline contains "👩🏾‍🦲" or tgt.process.cmdline contains "🧑🏾‍🦲" or tgt.process.cmdline contains "👨🏾‍🦲" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏾" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "👵🏾" or tgt.process.cmdline contains "🧓🏾" or tgt.process.cmdline contains "👴🏾" or tgt.process.cmdline contains "👲🏾" or tgt.process.cmdline contains "👳🏾‍♀️" or tgt.process.cmdline contains "👳🏾" or tgt.process.cmdline contains "👳🏾‍♂️" or tgt.process.cmdline contains "🧕🏾" or tgt.process.cmdline contains "👮🏾‍♀️" or 
tgt.process.cmdline contains "👮🏾" or tgt.process.cmdline contains "👮🏾‍♂️" or tgt.process.cmdline contains "👷🏾‍♀️" or tgt.process.cmdline contains "👷🏾" or tgt.process.cmdline contains "👷🏾‍♂️" or tgt.process.cmdline contains "💂🏾‍♀️" or tgt.process.cmdline contains "💂🏾" or tgt.process.cmdline contains "💂🏾‍♂️" or tgt.process.cmdline contains "🕵🏾‍♀️" or tgt.process.cmdline contains "🕵🏾" or tgt.process.cmdline contains "🕵🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍⚕️" or tgt.process.cmdline contains "🧑🏾‍⚕️" or tgt.process.cmdline contains "👨🏾‍⚕️" or tgt.process.cmdline contains "👩🏾‍🌾" or tgt.process.cmdline contains "🧑🏾‍🌾" or tgt.process.cmdline contains "👨🏾‍🌾" or tgt.process.cmdline contains "👩🏾‍🍳" or tgt.process.cmdline contains "🧑🏾‍🍳" or tgt.process.cmdline contains "👨🏾‍🍳" or tgt.process.cmdline contains "👩🏾‍🎓" or tgt.process.cmdline contains "🧑🏾‍🎓" or tgt.process.cmdline contains "👨🏾‍🎓" or tgt.process.cmdline contains "👩🏾‍🎤" or tgt.process.cmdline contains "🧑🏾‍🎤" or tgt.process.cmdline contains "👨🏾‍🎤" or tgt.process.cmdline contains "👩🏾‍🏫" or tgt.process.cmdline contains "🧑🏾‍🏫" or tgt.process.cmdline contains "👨🏾‍🏫" or tgt.process.cmdline contains "👩🏾‍🏭" or tgt.process.cmdline contains "🧑🏾‍🏭" or tgt.process.cmdline contains "👨🏾‍🏭" or tgt.process.cmdline contains "👩🏾‍💻" or tgt.process.cmdline contains "🧑🏾‍💻" or tgt.process.cmdline contains "👨🏾‍💻" or tgt.process.cmdline contains "👩🏾‍💼" or tgt.process.cmdline contains "🧑🏾‍💼" or tgt.process.cmdline contains "👨🏾‍💼" or tgt.process.cmdline contains "👩🏾‍🔧" or tgt.process.cmdline contains "🧑🏾‍🔧" or tgt.process.cmdline contains "👨🏾‍🔧" or tgt.process.cmdline contains "👩🏾‍🔬" or tgt.process.cmdline contains "🧑🏾‍🔬" or tgt.process.cmdline contains "👨🏾‍🔬" or tgt.process.cmdline contains "👩🏾‍🎨" or tgt.process.cmdline contains "🧑🏾‍🎨" or tgt.process.cmdline contains "👨🏾‍🎨" or tgt.process.cmdline contains "👩🏾‍🚒" or tgt.process.cmdline contains "🧑🏾‍🚒" or tgt.process.cmdline contains "👨🏾‍🚒" or tgt.process.cmdline contains "👩🏾‍✈️" or 
tgt.process.cmdline contains "🧑🏾‍✈️" or tgt.process.cmdline contains "👨🏾‍✈️" or tgt.process.cmdline contains "👩🏾‍🚀" or tgt.process.cmdline contains "🧑🏾‍🚀" or tgt.process.cmdline contains "👨🏾‍🚀" or tgt.process.cmdline contains "👩🏾‍⚖️" or tgt.process.cmdline contains "🧑🏾‍⚖️" or tgt.process.cmdline contains "👨🏾‍⚖️" or tgt.process.cmdline contains "👰🏾‍♀️" or tgt.process.cmdline contains "👰🏾" or tgt.process.cmdline contains "👰🏾‍♂️" or tgt.process.cmdline contains "🤵🏾‍♀️" or tgt.process.cmdline contains "🤵🏾" or tgt.process.cmdline contains "🤵🏾‍♂️" or tgt.process.cmdline contains "👸🏾" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🤴🏾" or tgt.process.cmdline contains "🥷🏾" or tgt.process.cmdline contains "🦸🏾‍♀️" or tgt.process.cmdline contains "🦸🏾" or tgt.process.cmdline contains "🦸🏾‍♂️" or tgt.process.cmdline contains "🦹🏾‍♀️" or tgt.process.cmdline contains "🦹🏾" or tgt.process.cmdline contains "🦹🏾‍♂️" or tgt.process.cmdline contains "🤶🏾" or tgt.process.cmdline contains "🧑🏾‍🎄" or tgt.process.cmdline contains "🎅🏾" or tgt.process.cmdline contains "🧙🏾‍♀️" or tgt.process.cmdline contains "🧙🏾" or tgt.process.cmdline contains "🧙🏾‍♂️" or tgt.process.cmdline contains "🧝🏾‍♀️" or tgt.process.cmdline contains "🧝🏾" or tgt.process.cmdline contains "🧝🏾‍♂️" or tgt.process.cmdline contains "🧛🏾‍♀️" or tgt.process.cmdline contains "🧛🏾" or tgt.process.cmdline contains "🧛🏾‍♂️" or tgt.process.cmdline contains "🧜🏾‍♀️" or tgt.process.cmdline contains "🧜🏾" or tgt.process.cmdline contains "🧜🏾‍♂️" or tgt.process.cmdline contains "🧚🏾‍♀️" or tgt.process.cmdline contains "🧚🏾" or tgt.process.cmdline contains "🧚🏾‍♂️" or tgt.process.cmdline contains "👼🏾" or tgt.process.cmdline contains "🤰🏾" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🤱🏾" or tgt.process.cmdline contains "👩🏾‍🍼" or tgt.process.cmdline contains "🧑🏾‍🍼" or tgt.process.cmdline contains "👨🏾‍🍼" or tgt.process.cmdline contains "🙇🏾‍♀️" or tgt.process.cmdline 
contains "🙇🏾" or tgt.process.cmdline contains "🙇🏾‍♂️" or tgt.process.cmdline contains "💁🏾‍♀️" or tgt.process.cmdline contains "💁🏾" or tgt.process.cmdline contains "💁🏾‍♂️" or tgt.process.cmdline contains "🙅🏾‍♀️" or tgt.process.cmdline contains "🙅🏾" or tgt.process.cmdline contains "🙅🏾‍♂️" or tgt.process.cmdline contains "🙆🏾‍♀️" or tgt.process.cmdline contains "🙆🏾" or tgt.process.cmdline contains "🙆🏾‍♂️" or tgt.process.cmdline contains "🙋🏾‍♀️" or tgt.process.cmdline contains "🙋🏾" or tgt.process.cmdline contains "🙋🏾‍♂️" or tgt.process.cmdline contains "🧏🏾‍♀️" or tgt.process.cmdline contains "🧏🏾" or tgt.process.cmdline contains "🧏🏾‍♂️" or tgt.process.cmdline contains "🤦🏾‍♀️" or tgt.process.cmdline contains "🤦🏾" or tgt.process.cmdline contains "🤦🏾‍♂️" or tgt.process.cmdline contains "🤷🏾‍♀️" or tgt.process.cmdline contains "🤷🏾" or tgt.process.cmdline contains "🤷🏾‍♂️" or tgt.process.cmdline contains "🙎🏾‍♀️" or tgt.process.cmdline contains "🙎🏾" or tgt.process.cmdline contains "🙎🏾‍♂️" or tgt.process.cmdline contains "🙍🏾‍♀️" or tgt.process.cmdline contains "🙍🏾" or tgt.process.cmdline contains "🙍🏾‍♂️" or tgt.process.cmdline contains "💇🏾‍♀️" or tgt.process.cmdline contains "💇🏾" or tgt.process.cmdline contains "💇🏾‍♂️" or tgt.process.cmdline contains "💆🏾‍♀️" or tgt.process.cmdline contains "💆🏾" or tgt.process.cmdline contains "💆🏾‍♂️" or tgt.process.cmdline contains "🧖🏾‍♀️" or tgt.process.cmdline contains "🧖🏾" or tgt.process.cmdline contains "🧖🏾‍♂️" or tgt.process.cmdline contains "💃🏾" or tgt.process.cmdline contains "🕺🏾" or tgt.process.cmdline contains "👩🏾‍🦽" or tgt.process.cmdline contains "🧑🏾‍🦽" or tgt.process.cmdline contains "👨🏾‍🦽" or tgt.process.cmdline contains "👩🏾‍🦼" or tgt.process.cmdline contains "🧑🏾‍🦼" or tgt.process.cmdline contains "👨🏾‍🦼" or tgt.process.cmdline contains "🚶🏾‍♀️" or tgt.process.cmdline contains "🚶🏾" or tgt.process.cmdline contains "🚶🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦯" or tgt.process.cmdline contains "🧑🏾‍🦯" or tgt.process.cmdline contains "👨🏾‍🦯" 
or tgt.process.cmdline contains "🧎🏾‍♀️" or tgt.process.cmdline contains "🧎🏾" or tgt.process.cmdline contains "🧎🏾‍♂️" or tgt.process.cmdline contains "🏃🏾‍♀️" or tgt.process.cmdline contains "🏃🏾" or tgt.process.cmdline contains "🏃🏾‍♂️" or tgt.process.cmdline contains "🧍🏾‍♀️" or tgt.process.cmdline contains "🧍🏾" or tgt.process.cmdline contains "🧍🏾‍♂️" or tgt.process.cmdline contains "👭🏾" or tgt.process.cmdline contains "🧑🏾‍🤝‍🧑🏾" or tgt.process.cmdline contains "👬🏾" or tgt.process.cmdline contains "👫🏾" or tgt.process.cmdline contains "🧗🏾‍♀️" or tgt.process.cmdline contains "🧗🏾" or tgt.process.cmdline contains "🧗🏾‍♂️" or tgt.process.cmdline contains "🏇🏾" or tgt.process.cmdline contains "🏂🏾" or tgt.process.cmdline contains "🏌🏾‍♀️" or tgt.process.cmdline contains "🏌🏾" or tgt.process.cmdline contains "🏌🏾‍♂️" or tgt.process.cmdline contains "🏄🏾‍♀️" or tgt.process.cmdline contains "🏄🏾" or tgt.process.cmdline contains "🏄🏾‍♂️" or tgt.process.cmdline contains "🚣🏾‍♀️" or tgt.process.cmdline contains "🚣🏾" or tgt.process.cmdline contains "🚣🏾‍♂️" or tgt.process.cmdline contains "🏊🏾‍♀️" or tgt.process.cmdline contains "🏊🏾" or tgt.process.cmdline contains "🏊🏾‍♂️" or tgt.process.cmdline contains "⛹🏾‍♀️" or tgt.process.cmdline contains "⛹🏾" or tgt.process.cmdline contains "⛹🏾‍♂️" or tgt.process.cmdline contains "🏋🏾‍♀️" or tgt.process.cmdline contains "🏋🏾" or tgt.process.cmdline contains "🏋🏾‍♂️" or tgt.process.cmdline contains "🚴🏾‍♀️" or tgt.process.cmdline contains "🚴🏾" or tgt.process.cmdline contains "🚴🏾‍♂️" or tgt.process.cmdline contains "🚵🏾‍♀️" or tgt.process.cmdline contains "🚵🏾" or tgt.process.cmdline contains "🚵🏾‍♂️" or tgt.process.cmdline contains "🤸🏾‍♀️" or tgt.process.cmdline contains "🤸🏾" or tgt.process.cmdline contains "🤸🏾‍♂️" or tgt.process.cmdline contains "🤽🏾‍♀️" or tgt.process.cmdline contains "🤽🏾" or tgt.process.cmdline contains "🤽🏾‍♂️" or tgt.process.cmdline contains "🤾🏾‍♀️" or tgt.process.cmdline contains "🤾🏾" or tgt.process.cmdline contains "🤾🏾‍♂️" or 
tgt.process.cmdline contains "🤹🏾‍♀️" or tgt.process.cmdline contains "🤹🏾" or tgt.process.cmdline contains "🤹🏾‍♂️" or tgt.process.cmdline contains "🧘🏾‍♀️" or tgt.process.cmdline contains "🧘🏾" or tgt.process.cmdline contains "🧘🏾‍♂️" or tgt.process.cmdline contains "🛀🏾" or tgt.process.cmdline contains "🛌🏾" or tgt.process.cmdline contains "👋🏿" or tgt.process.cmdline contains "🤚🏿" or tgt.process.cmdline contains "🖐🏿" or tgt.process.cmdline contains "✋🏿" or tgt.process.cmdline contains "🖖🏿" or tgt.process.cmdline contains "👌🏿" or tgt.process.cmdline contains "🤌🏿" or tgt.process.cmdline contains "🤏🏿" or tgt.process.cmdline contains "✌🏿" or tgt.process.cmdline contains "🤞🏿" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🤟🏿" or tgt.process.cmdline contains "🤘🏿" or tgt.process.cmdline contains "🤙🏿" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫱🏿" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "👈🏿" or tgt.process.cmdline contains "👉🏿" or tgt.process.cmdline contains "👆🏿" or tgt.process.cmdline contains "🖕🏿" or tgt.process.cmdline contains "👇🏿" or tgt.process.cmdline contains "☝🏿" or tgt.process.cmdline contains "👍🏿" or tgt.process.cmdline contains "👎🏿" or tgt.process.cmdline contains "✊🏿" or tgt.process.cmdline contains "👊🏿" or tgt.process.cmdline contains "🤛🏿" or tgt.process.cmdline contains "🤜🏿" or tgt.process.cmdline contains "👏🏿" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🙌🏿" or tgt.process.cmdline contains "👐🏿" or tgt.process.cmdline contains "🤲🏿" or tgt.process.cmdline contains "🙏🏿" or tgt.process.cmdline contains "✍🏿" or tgt.process.cmdline contains "🤳🏿" or tgt.process.cmdline contains "💪🏿" or tgt.process.cmdline contains "🦵🏿" or tgt.process.cmdline contains "🦶🏿" or tgt.process.cmdline contains "👂🏿" or tgt.process.cmdline contains "🦻🏿" or tgt.process.cmdline contains "👃🏿" or tgt.process.cmdline 
contains "👶🏿" or tgt.process.cmdline contains "👧🏿" or tgt.process.cmdline contains "🧒🏿" or tgt.process.cmdline contains "👦🏿" or tgt.process.cmdline contains "👩🏿" or tgt.process.cmdline contains "🧑🏿" or tgt.process.cmdline contains "👨🏿" or tgt.process.cmdline contains "👩🏿‍🦱" or tgt.process.cmdline contains "🧑🏿‍🦱" or tgt.process.cmdline contains "👨🏿‍🦱" or tgt.process.cmdline contains "👩🏿‍🦰" or tgt.process.cmdline contains "🧑🏿‍🦰" or tgt.process.cmdline contains "👨🏿‍🦰" or tgt.process.cmdline contains "👱🏿‍♀️" or tgt.process.cmdline contains "👱🏿" or tgt.process.cmdline contains "👱🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦳" or tgt.process.cmdline contains "🧑🏿‍🦳" or tgt.process.cmdline contains "👨🏿‍🦳" or tgt.process.cmdline contains "👩🏿‍🦲" or tgt.process.cmdline contains "🧑🏿‍🦲" or tgt.process.cmdline contains "👨🏿‍🦲" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔🏿" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "👵🏿" or tgt.process.cmdline contains "🧓🏿" or tgt.process.cmdline contains "👴🏿" or tgt.process.cmdline contains "👲🏿" or tgt.process.cmdline contains "👳🏿‍♀️" or tgt.process.cmdline contains "👳🏿" or tgt.process.cmdline contains "👳🏿‍♂️" or tgt.process.cmdline contains "🧕🏿" or tgt.process.cmdline contains "👮🏿‍♀️" or tgt.process.cmdline contains "👮🏿" or tgt.process.cmdline contains "👮🏿‍♂️" or tgt.process.cmdline contains "👷🏿‍♀️" or tgt.process.cmdline contains "👷🏿" or tgt.process.cmdline contains "👷🏿‍♂️" or tgt.process.cmdline contains "💂🏿‍♀️" or tgt.process.cmdline contains "💂🏿" or tgt.process.cmdline contains "💂🏿‍♂️" or tgt.process.cmdline contains "🕵🏿‍♀️" or tgt.process.cmdline contains "🕵🏿" or tgt.process.cmdline contains "🕵🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍⚕️" or tgt.process.cmdline contains "🧑🏿‍⚕️" or tgt.process.cmdline contains "👨🏿‍⚕️" or tgt.process.cmdline contains "👩🏿‍🌾" or tgt.process.cmdline contains "🧑🏿‍🌾" or tgt.process.cmdline contains "👨🏿‍🌾" or tgt.process.cmdline contains "👩🏿‍🍳" or 
tgt.process.cmdline contains "🧑🏿‍🍳" or tgt.process.cmdline contains "👨🏿‍🍳" or tgt.process.cmdline contains "👩🏿‍🎓" or tgt.process.cmdline contains "🧑🏿‍🎓" or tgt.process.cmdline contains "👨🏿‍🎓" or tgt.process.cmdline contains "👩🏿‍🎤" or tgt.process.cmdline contains "🧑🏿‍🎤" or tgt.process.cmdline contains "👨🏿‍🎤" or tgt.process.cmdline contains "👩🏿‍🏫" or tgt.process.cmdline contains "🧑🏿‍🏫" or tgt.process.cmdline contains "👨🏿‍🏫" or tgt.process.cmdline contains "👩🏿‍🏭" or tgt.process.cmdline contains "🧑🏿‍🏭" or tgt.process.cmdline contains "👨🏿‍🏭" or tgt.process.cmdline contains "👩🏿‍💻" or tgt.process.cmdline contains "🧑🏿‍💻" or tgt.process.cmdline contains "👨🏿‍💻" or tgt.process.cmdline contains "👩🏿‍💼" or tgt.process.cmdline contains "🧑🏿‍💼" or tgt.process.cmdline contains "👨🏿‍💼" or tgt.process.cmdline contains "👩🏿‍🔧" or tgt.process.cmdline contains "🧑🏿‍🔧" or tgt.process.cmdline contains "👨🏿‍🔧" or tgt.process.cmdline contains "👩🏿‍🔬" or tgt.process.cmdline contains "🧑🏿‍🔬" or tgt.process.cmdline contains "👨🏿‍🔬" or tgt.process.cmdline contains "👩🏿‍🎨" or tgt.process.cmdline contains "🧑🏿‍🎨" or tgt.process.cmdline contains "👨🏿‍🎨" or tgt.process.cmdline contains "👩🏿‍🚒" or tgt.process.cmdline contains "🧑🏿‍🚒" or tgt.process.cmdline contains "👨🏿‍🚒" or tgt.process.cmdline contains "👩🏿‍✈️" or tgt.process.cmdline contains "🧑🏿‍✈️" or tgt.process.cmdline contains "👨🏿‍✈️" or tgt.process.cmdline contains "👩🏿‍🚀" or tgt.process.cmdline contains "🧑🏿‍🚀" or tgt.process.cmdline contains "👨🏿‍🚀" or tgt.process.cmdline contains "👩🏿‍⚖️" or tgt.process.cmdline contains "🧑🏿‍⚖️" or tgt.process.cmdline contains "👨🏿‍⚖️" or tgt.process.cmdline contains "👰🏿‍♀️" or tgt.process.cmdline contains "👰🏿" or tgt.process.cmdline contains "👰🏿‍♂️" or tgt.process.cmdline contains "🤵🏿‍♀️" or tgt.process.cmdline contains "🤵🏿" or tgt.process.cmdline contains "🤵🏿‍♂️" or tgt.process.cmdline contains "👸🏿" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🤴🏿" or tgt.process.cmdline contains "🥷🏿" or 
tgt.process.cmdline contains "🦸🏿‍♀️" or tgt.process.cmdline contains "🦸🏿" or tgt.process.cmdline contains "🦸🏿‍♂️" or tgt.process.cmdline contains "🦹🏿‍♀️" or tgt.process.cmdline contains "🦹🏿" or tgt.process.cmdline contains "🦹🏿‍♂️" or tgt.process.cmdline contains "🤶🏿" or tgt.process.cmdline contains "🧑🏿‍🎄" or tgt.process.cmdline contains "🎅🏿" or tgt.process.cmdline contains "🧙🏿‍♀️" or tgt.process.cmdline contains "🧙🏿" or tgt.process.cmdline contains "🧙🏿‍♂️" or tgt.process.cmdline contains "🧝🏿‍♀️" or tgt.process.cmdline contains "🧝🏿" or tgt.process.cmdline contains "🧝🏿‍♂️" or tgt.process.cmdline contains "🧛🏿‍♀️" or tgt.process.cmdline contains "🧛🏿" or tgt.process.cmdline contains "🧛🏿‍♂️" or tgt.process.cmdline contains "🧜🏿‍♀️" or tgt.process.cmdline contains "🧜🏿" or tgt.process.cmdline contains "🧜🏿‍♂️" or tgt.process.cmdline contains "🧚🏿‍♀️" or tgt.process.cmdline contains "🧚🏿" or tgt.process.cmdline contains "🧚🏿‍♂️" or tgt.process.cmdline contains "👼🏿" or tgt.process.cmdline contains "🤰🏿" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🤱🏿" or tgt.process.cmdline contains "👩🏿‍🍼" or tgt.process.cmdline contains "🧑🏿‍🍼" or tgt.process.cmdline contains "👨🏿‍🍼" or tgt.process.cmdline contains "🙇🏿‍♀️" or tgt.process.cmdline contains "🙇🏿" or tgt.process.cmdline contains "🙇🏿‍♂️" or tgt.process.cmdline contains "💁🏿‍♀️" or tgt.process.cmdline contains "💁🏿" or tgt.process.cmdline contains "💁🏿‍♂️" or tgt.process.cmdline contains "🙅🏿‍♀️" or tgt.process.cmdline contains "🙅🏿" or tgt.process.cmdline contains "🙅🏿‍♂️" or tgt.process.cmdline contains "🙆🏿‍♀️" or tgt.process.cmdline contains "🙆🏿" or tgt.process.cmdline contains "🙆🏿‍♂️" or tgt.process.cmdline contains "🙋🏿‍♀️" or tgt.process.cmdline contains "🙋🏿" or tgt.process.cmdline contains "🙋🏿‍♂️" or tgt.process.cmdline contains "🧏🏿‍♀️" or tgt.process.cmdline contains "🧏🏿" or tgt.process.cmdline contains "🧏🏿‍♂️" or tgt.process.cmdline contains "🤦🏿‍♀️" or tgt.process.cmdline 
contains "🤦🏿" or tgt.process.cmdline contains "🤦🏿‍♂️" or tgt.process.cmdline contains "🤷🏿‍♀️" or tgt.process.cmdline contains "🤷🏿" or tgt.process.cmdline contains "🤷🏿‍♂️" or tgt.process.cmdline contains "🙎🏿‍♀️" or tgt.process.cmdline contains "🙎🏿" or tgt.process.cmdline contains "🙎🏿‍♂️" or tgt.process.cmdline contains "🙍🏿‍♀️" or tgt.process.cmdline contains "🙍🏿" or tgt.process.cmdline contains "🙍🏿‍♂️" or tgt.process.cmdline contains "💇🏿‍♀️" or tgt.process.cmdline contains "💇🏿" or tgt.process.cmdline contains "💇🏿‍♂️" or tgt.process.cmdline contains "💆🏿‍♀️" or tgt.process.cmdline contains "💆🏿" or tgt.process.cmdline contains "💆🏿‍♂️" or tgt.process.cmdline contains "🧖🏿‍♀️" or tgt.process.cmdline contains "🧖🏿" or tgt.process.cmdline contains "🧖🏿‍♂️" or tgt.process.cmdline contains "💃🏿" or tgt.process.cmdline contains "🕺🏿" or tgt.process.cmdline contains "🕴🏿" or tgt.process.cmdline contains "👩🏿‍🦽" or tgt.process.cmdline contains "🧑🏿‍🦽" or tgt.process.cmdline contains "👨🏿‍🦽" or tgt.process.cmdline contains "👩🏿‍🦼" or tgt.process.cmdline contains "🧑🏿‍🦼" or tgt.process.cmdline contains "👨🏿‍🦼" or tgt.process.cmdline contains "🚶🏿‍♀️" or tgt.process.cmdline contains "🚶🏿" or tgt.process.cmdline contains "🚶🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦯" or tgt.process.cmdline contains "🧑🏿‍🦯" or tgt.process.cmdline contains "👨🏿‍🦯" or tgt.process.cmdline contains "🧎🏿‍♀️" or tgt.process.cmdline contains "🧎🏿" or tgt.process.cmdline contains "🧎🏿‍♂️" or tgt.process.cmdline contains "🏃🏿‍♀️" or tgt.process.cmdline contains "🏃🏿" or tgt.process.cmdline contains "🏃🏿‍♂️" or tgt.process.cmdline contains "🧍🏿‍♀️" or tgt.process.cmdline contains "🧍🏿" or tgt.process.cmdline contains "🧍🏿‍♂️" or tgt.process.cmdline contains "👭🏿" or tgt.process.cmdline contains "🧑🏿‍🤝‍🧑🏿" or tgt.process.cmdline contains "👬🏿" or tgt.process.cmdline contains "👫🏿" or tgt.process.cmdline contains "🧗🏿‍♀️" or tgt.process.cmdline contains "🧗🏿" or tgt.process.cmdline contains "🧗🏿‍♂️" or tgt.process.cmdline contains "🏇🏿" or 
tgt.process.cmdline contains "🏂🏿" or tgt.process.cmdline contains "🏌🏿‍♀️" or tgt.process.cmdline contains "🏌🏿" or tgt.process.cmdline contains "🏌🏿‍♂️" or tgt.process.cmdline contains "🏄🏿‍♀️" or tgt.process.cmdline contains "🏄🏿" or tgt.process.cmdline contains "🏄🏿‍♂️" or tgt.process.cmdline contains "🚣🏿‍♀️" or tgt.process.cmdline contains "🚣🏿" or tgt.process.cmdline contains "🚣🏿‍♂️" or tgt.process.cmdline contains "🏊🏿‍♀️" or tgt.process.cmdline contains "🏊🏿" or tgt.process.cmdline contains "🏊🏿‍♂️" or tgt.process.cmdline contains "⛹🏿‍♀️" or tgt.process.cmdline contains "⛹🏿" or tgt.process.cmdline contains "⛹🏿‍♂️" or tgt.process.cmdline contains "🏋🏿‍♀️" or tgt.process.cmdline contains "🏋🏿" or tgt.process.cmdline contains "🏋🏿‍♂️" or tgt.process.cmdline contains "🚴🏿‍♀️" or tgt.process.cmdline contains "🚴🏿" or tgt.process.cmdline contains "🚴🏿‍♂️" or tgt.process.cmdline contains "🚵🏿‍♀️" or tgt.process.cmdline contains "🚵🏿" or tgt.process.cmdline contains "🚵🏿‍♂️" or tgt.process.cmdline contains "🤸🏿‍♀️" or tgt.process.cmdline contains "🤸🏿" or tgt.process.cmdline contains "🤸🏿‍♂️" or tgt.process.cmdline contains "🤽🏿‍♀️" or tgt.process.cmdline contains "🤽🏿" or tgt.process.cmdline contains "🤽🏿‍♂️" or tgt.process.cmdline contains "🤾🏿‍♀️" or tgt.process.cmdline contains "🤾🏿" or tgt.process.cmdline contains "🤾🏿‍♂️" or tgt.process.cmdline contains "🤹🏿‍♀️" or tgt.process.cmdline contains "🤹🏿" or tgt.process.cmdline contains "🤹🏿‍♂️" or tgt.process.cmdline contains "🧘🏿‍♀️" or tgt.process.cmdline contains "🧘🏿" or tgt.process.cmdline contains "🧘🏿‍♂️" or tgt.process.cmdline contains "🛀🏿" or tgt.process.cmdline contains "🛌🏿" or tgt.process.cmdline contains "🐶" or tgt.process.cmdline contains "🐱" or tgt.process.cmdline contains "🐭" or tgt.process.cmdline contains "🐹" or tgt.process.cmdline contains "🐰" or tgt.process.cmdline contains "🦊" or tgt.process.cmdline contains "🐻" or tgt.process.cmdline contains "🐼" or tgt.process.cmdline contains "🐻‍❄️" or tgt.process.cmdline contains "🐨" or 
tgt.process.cmdline contains "🐯" or tgt.process.cmdline contains "🦁" or tgt.process.cmdline contains "🐮" or tgt.process.cmdline contains "🐷" or tgt.process.cmdline contains "🐽" or tgt.process.cmdline contains "🐸" or tgt.process.cmdline contains "🐵" or tgt.process.cmdline contains "🙈" or tgt.process.cmdline contains "🙉" or tgt.process.cmdline contains "🙊" or tgt.process.cmdline contains "🐒" or tgt.process.cmdline contains "🐔" or tgt.process.cmdline contains "🐧" or tgt.process.cmdline contains "🐦" or tgt.process.cmdline contains "🐤" or tgt.process.cmdline contains "🐣" or tgt.process.cmdline contains "🐥"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
index c3c6a9462..8b7d51116 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🦆" or tgt.process.cmdline contains "🦅" or tgt.process.cmdline contains "🦉" or tgt.process.cmdline contains "🦇" or tgt.process.cmdline contains "🐺" or tgt.process.cmdline contains "🐗" or tgt.process.cmdline contains "🐴" or tgt.process.cmdline contains "🦄" or tgt.process.cmdline contains "🐝" or tgt.process.cmdline contains "🪱" or tgt.process.cmdline contains "🐛" or tgt.process.cmdline contains "🦋" or tgt.process.cmdline contains "🐌" or tgt.process.cmdline contains "🐞" or tgt.process.cmdline contains "🐜" or tgt.process.cmdline contains "🪰" or tgt.process.cmdline contains "🪲" or tgt.process.cmdline contains "🪳" or tgt.process.cmdline contains "🦟" or tgt.process.cmdline contains "🦗" or tgt.process.cmdline contains "🕷" or tgt.process.cmdline contains "🕸" or tgt.process.cmdline contains "🦂" or tgt.process.cmdline contains "🐢" or tgt.process.cmdline contains "🐍" or tgt.process.cmdline contains "🦎" or tgt.process.cmdline contains "🦖" or tgt.process.cmdline contains "🦕" or tgt.process.cmdline contains "🐙" or tgt.process.cmdline contains "🦑" or tgt.process.cmdline contains "🦐" or tgt.process.cmdline contains "🦞" or tgt.process.cmdline contains "🦀" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🐡" or tgt.process.cmdline contains "🐠" or tgt.process.cmdline contains "🐟" or tgt.process.cmdline contains "🐬" or tgt.process.cmdline contains "🐳" or tgt.process.cmdline contains "🐋" or tgt.process.cmdline contains "🦈" or tgt.process.cmdline contains "🐊" or tgt.process.cmdline contains "🐅" or tgt.process.cmdline contains "🐆" or tgt.process.cmdline contains "🦓" or tgt.process.cmdline contains "🦍" or tgt.process.cmdline contains "🦧" or tgt.process.cmdline contains "🦣" or tgt.process.cmdline contains "🐘" or 
tgt.process.cmdline contains "🦛" or tgt.process.cmdline contains "🦏" or tgt.process.cmdline contains "🐪" or tgt.process.cmdline contains "🐫" or tgt.process.cmdline contains "🦒" or tgt.process.cmdline contains "🦘" or tgt.process.cmdline contains "🦬" or tgt.process.cmdline contains "🐃" or tgt.process.cmdline contains "🐂" or tgt.process.cmdline contains "🐄" or tgt.process.cmdline contains "🐎" or tgt.process.cmdline contains "🐖" or tgt.process.cmdline contains "🐏" or tgt.process.cmdline contains "🐑" or tgt.process.cmdline contains "🦙" or tgt.process.cmdline contains "🐐" or tgt.process.cmdline contains "🦌" or tgt.process.cmdline contains "🐕" or tgt.process.cmdline contains "🐩" or tgt.process.cmdline contains "🦮" or tgt.process.cmdline contains "🐕‍🦺" or tgt.process.cmdline contains "🐈" or tgt.process.cmdline contains "🐈‍⬛" or tgt.process.cmdline contains "🪶" or tgt.process.cmdline contains "🐓" or tgt.process.cmdline contains "🦃" or tgt.process.cmdline contains "🦤" or tgt.process.cmdline contains "🦚" or tgt.process.cmdline contains "🦜" or tgt.process.cmdline contains "🦢" or tgt.process.cmdline contains "🦩" or tgt.process.cmdline contains "🕊" or tgt.process.cmdline contains "🐇" or tgt.process.cmdline contains "🦝" or tgt.process.cmdline contains "🦨" or tgt.process.cmdline contains "🦡" or tgt.process.cmdline contains "🦫" or tgt.process.cmdline contains "🦦" or tgt.process.cmdline contains "🦥" or tgt.process.cmdline contains "🐁" or tgt.process.cmdline contains "🐀" or tgt.process.cmdline contains "🐿" or tgt.process.cmdline contains "🦔" or tgt.process.cmdline contains "🐾" or tgt.process.cmdline contains "🐉" or tgt.process.cmdline contains "🐲" or tgt.process.cmdline contains "🌵" or tgt.process.cmdline contains "🎄" or tgt.process.cmdline contains "🌲" or tgt.process.cmdline contains "🌳" or tgt.process.cmdline contains "🌴" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🪵" or tgt.process.cmdline contains "🌱" or 
tgt.process.cmdline contains "🌿" or tgt.process.cmdline contains "☘️" or tgt.process.cmdline contains "🍀" or tgt.process.cmdline contains "🎍" or tgt.process.cmdline contains "🪴" or tgt.process.cmdline contains "🎋" or tgt.process.cmdline contains "🍃" or tgt.process.cmdline contains "🍂" or tgt.process.cmdline contains "🍁" or tgt.process.cmdline contains "🍄" or tgt.process.cmdline contains "🐚" or tgt.process.cmdline contains "🪨" or tgt.process.cmdline contains "🌾" or tgt.process.cmdline contains "💐" or tgt.process.cmdline contains "🌷" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🌹" or tgt.process.cmdline contains "🥀" or tgt.process.cmdline contains "🌺" or tgt.process.cmdline contains "🌸" or tgt.process.cmdline contains "🌼" or tgt.process.cmdline contains "🌻" or tgt.process.cmdline contains "🌞" or tgt.process.cmdline contains "🌝" or tgt.process.cmdline contains "🌛" or tgt.process.cmdline contains "🌜" or tgt.process.cmdline contains "🌚" or tgt.process.cmdline contains "🌕" or tgt.process.cmdline contains "🌖" or tgt.process.cmdline contains "🌗" or tgt.process.cmdline contains "🌘" or tgt.process.cmdline contains "🌑" or tgt.process.cmdline contains "🌒" or tgt.process.cmdline contains "🌓" or tgt.process.cmdline contains "🌔" or tgt.process.cmdline contains "🌙" or tgt.process.cmdline contains "🌎" or tgt.process.cmdline contains "🌍" or tgt.process.cmdline contains "🌏" or tgt.process.cmdline contains "🪐" or tgt.process.cmdline contains "💫" or tgt.process.cmdline contains "⭐️" or tgt.process.cmdline contains "🌟" or tgt.process.cmdline contains "✨" or tgt.process.cmdline contains "⚡️" or tgt.process.cmdline contains "☄️" or tgt.process.cmdline contains "💥" or tgt.process.cmdline contains "🔥" or tgt.process.cmdline contains "🌪" or tgt.process.cmdline contains "🌈" or tgt.process.cmdline contains "☀️" or tgt.process.cmdline contains "🌤" or tgt.process.cmdline contains "⛅️" or tgt.process.cmdline contains "🌥" or tgt.process.cmdline contains "☁️" or 
tgt.process.cmdline contains "🌦" or tgt.process.cmdline contains "🌧" or tgt.process.cmdline contains "⛈" or tgt.process.cmdline contains "🌩" or tgt.process.cmdline contains "🌨" or tgt.process.cmdline contains "❄️" or tgt.process.cmdline contains "☃️" or tgt.process.cmdline contains "⛄️" or tgt.process.cmdline contains "🌬" or tgt.process.cmdline contains "💨" or tgt.process.cmdline contains "💧" or tgt.process.cmdline contains "💦" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "☔️" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🌊" or tgt.process.cmdline contains "🌫🍏" or tgt.process.cmdline contains "🍎" or tgt.process.cmdline contains "🍐" or tgt.process.cmdline contains "🍊" or tgt.process.cmdline contains "🍋" or tgt.process.cmdline contains "🍌" or tgt.process.cmdline contains "🍉" or tgt.process.cmdline contains "🍇" or tgt.process.cmdline contains "🍓" or tgt.process.cmdline contains "🫐" or tgt.process.cmdline contains "🍈" or tgt.process.cmdline contains "🍒" or tgt.process.cmdline contains "🍑" or tgt.process.cmdline contains "🥭" or tgt.process.cmdline contains "🍍" or tgt.process.cmdline contains "🥥" or tgt.process.cmdline contains "🥝" or tgt.process.cmdline contains "🍅" or tgt.process.cmdline contains "🍆" or tgt.process.cmdline contains "🥑" or tgt.process.cmdline contains "🥦" or tgt.process.cmdline contains "🥬" or tgt.process.cmdline contains "🥒" or tgt.process.cmdline contains "🌶" or tgt.process.cmdline contains "🫑" or tgt.process.cmdline contains "🌽" or tgt.process.cmdline contains "🥕" or tgt.process.cmdline contains "🫒" or tgt.process.cmdline contains "🧄" or tgt.process.cmdline contains "🧅" or tgt.process.cmdline contains "🥔" or tgt.process.cmdline contains "🍠" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🥐" or tgt.process.cmdline contains "🥯" or tgt.process.cmdline contains "🍞" or tgt.process.cmdline contains "🥖" or tgt.process.cmdline contains "🥨" or tgt.process.cmdline contains "🧀" or 
tgt.process.cmdline contains "🥚" or tgt.process.cmdline contains "🍳" or tgt.process.cmdline contains "🧈" or tgt.process.cmdline contains "🥞" or tgt.process.cmdline contains "🧇" or tgt.process.cmdline contains "🥓" or tgt.process.cmdline contains "🥩" or tgt.process.cmdline contains "🍗" or tgt.process.cmdline contains "🍖" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "🌭" or tgt.process.cmdline contains "🍔" or tgt.process.cmdline contains "🍟" or tgt.process.cmdline contains "🍕" or tgt.process.cmdline contains "🫓" or tgt.process.cmdline contains "🥪" or tgt.process.cmdline contains "🥙" or tgt.process.cmdline contains "🧆" or tgt.process.cmdline contains "🌮" or tgt.process.cmdline contains "🌯" or tgt.process.cmdline contains "🫔" or tgt.process.cmdline contains "🥗" or tgt.process.cmdline contains "🥘" or tgt.process.cmdline contains "🫕" or tgt.process.cmdline contains "🥫" or tgt.process.cmdline contains "🍝" or tgt.process.cmdline contains "🍜" or tgt.process.cmdline contains "🍲" or tgt.process.cmdline contains "🍛" or tgt.process.cmdline contains "🍣" or tgt.process.cmdline contains "🍱" or tgt.process.cmdline contains "🥟" or tgt.process.cmdline contains "🦪" or tgt.process.cmdline contains "🍤" or tgt.process.cmdline contains "🍙" or tgt.process.cmdline contains "🍚" or tgt.process.cmdline contains "🍘" or tgt.process.cmdline contains "🍥" or tgt.process.cmdline contains "🥠" or tgt.process.cmdline contains "🥮" or tgt.process.cmdline contains "🍢" or tgt.process.cmdline contains "🍡" or tgt.process.cmdline contains "🍧" or tgt.process.cmdline contains "🍨" or tgt.process.cmdline contains "🍦" or tgt.process.cmdline contains "🥧" or tgt.process.cmdline contains "🧁" or tgt.process.cmdline contains "🍰" or tgt.process.cmdline contains "🎂" or tgt.process.cmdline contains "🍮" or tgt.process.cmdline contains "🍭" or tgt.process.cmdline contains "🍬" or tgt.process.cmdline contains "🍫" or tgt.process.cmdline contains "🍿" or tgt.process.cmdline contains "🍩" or tgt.process.cmdline 
contains "🍪" or tgt.process.cmdline contains "🌰" or tgt.process.cmdline contains "🥜" or tgt.process.cmdline contains "🍯" or tgt.process.cmdline contains "🥛" or tgt.process.cmdline contains "🍼" or tgt.process.cmdline contains "🫖" or tgt.process.cmdline contains "☕️" or tgt.process.cmdline contains "🍵" or tgt.process.cmdline contains "🧃" or tgt.process.cmdline contains "🥤" or tgt.process.cmdline contains "🧋" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🍶" or tgt.process.cmdline contains "🍺" or tgt.process.cmdline contains "🍻" or tgt.process.cmdline contains "🥂" or tgt.process.cmdline contains "🍷" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🥃" or tgt.process.cmdline contains "🍸" or tgt.process.cmdline contains "🍹" or tgt.process.cmdline contains "🧉" or tgt.process.cmdline contains "🍾" or tgt.process.cmdline contains "🧊" or tgt.process.cmdline contains "🥄" or tgt.process.cmdline contains "🍴" or tgt.process.cmdline contains "🍽" or tgt.process.cmdline contains "🥣" or tgt.process.cmdline contains "🥡" or tgt.process.cmdline contains "🥢" or tgt.process.cmdline contains "🧂" or tgt.process.cmdline contains "⚽️" or tgt.process.cmdline contains "🏀" or tgt.process.cmdline contains "🏈" or tgt.process.cmdline contains "⚾️" or tgt.process.cmdline contains "🥎" or tgt.process.cmdline contains "🎾" or tgt.process.cmdline contains "🏐" or tgt.process.cmdline contains "🏉" or tgt.process.cmdline contains "🥏" or tgt.process.cmdline contains "🎱" or tgt.process.cmdline contains "🪀" or tgt.process.cmdline contains "🏓" or tgt.process.cmdline contains "🏸" or tgt.process.cmdline contains "🏒" or tgt.process.cmdline contains "🏑" or tgt.process.cmdline contains "🥍" or tgt.process.cmdline contains "🏏" or tgt.process.cmdline contains "🪃" or tgt.process.cmdline contains "🥅" or tgt.process.cmdline contains "⛳️" or tgt.process.cmdline contains "🪁" or tgt.process.cmdline contains "🏹" or tgt.process.cmdline contains "🎣" or tgt.process.cmdline contains "🤿" or 
tgt.process.cmdline contains "🥊" or tgt.process.cmdline contains "🥋" or tgt.process.cmdline contains "🎽" or tgt.process.cmdline contains "🛹" or tgt.process.cmdline contains "🛼" or tgt.process.cmdline contains "🛷" or tgt.process.cmdline contains "⛸" or tgt.process.cmdline contains "🥌" or tgt.process.cmdline contains "🎿" or tgt.process.cmdline contains "⛷" or tgt.process.cmdline contains "🏂" or tgt.process.cmdline contains "🪂" or tgt.process.cmdline contains "🏋️‍♀️" or tgt.process.cmdline contains "🏋️" or tgt.process.cmdline contains "🏋️‍♂️" or tgt.process.cmdline contains "🤼‍♀️" or tgt.process.cmdline contains "🤼" or tgt.process.cmdline contains "🤼‍♂️" or tgt.process.cmdline contains "🤸‍♀️" or tgt.process.cmdline contains "🤸" or tgt.process.cmdline contains "🤸‍♂️" or tgt.process.cmdline contains "⛹️‍♀️" or tgt.process.cmdline contains "⛹️" or tgt.process.cmdline contains "⛹️‍♂️" or tgt.process.cmdline contains "🤺" or tgt.process.cmdline contains "🤾‍♀️" or tgt.process.cmdline contains "🤾" or tgt.process.cmdline contains "🤾‍♂️" or tgt.process.cmdline contains "🏌️‍♀️" or tgt.process.cmdline contains "🏌️" or tgt.process.cmdline contains "🏌️‍♂️" or tgt.process.cmdline contains "🏇" or tgt.process.cmdline contains "🧘‍♀️" or tgt.process.cmdline contains "🧘" or tgt.process.cmdline contains "🧘‍♂️" or tgt.process.cmdline contains "🏄‍♀️" or tgt.process.cmdline contains "🏄" or tgt.process.cmdline contains "🏄‍♂️" or tgt.process.cmdline contains "🏊‍♀️" or tgt.process.cmdline contains "🏊" or tgt.process.cmdline contains "🏊‍♂️" or tgt.process.cmdline contains "🤽‍♀️" or tgt.process.cmdline contains "🤽" or tgt.process.cmdline contains "🤽‍♂️" or tgt.process.cmdline contains "🚣‍♀️" or tgt.process.cmdline contains "🚣" or tgt.process.cmdline contains "🚣‍♂️" or tgt.process.cmdline contains "🧗‍♀️" or tgt.process.cmdline contains "🧗" or tgt.process.cmdline contains "🧗‍♂️" or tgt.process.cmdline contains "🚵‍♀️" or tgt.process.cmdline contains "🚵" or tgt.process.cmdline contains "🚵‍♂️" or 
tgt.process.cmdline contains "🚴‍♀️" or tgt.process.cmdline contains "🚴" or tgt.process.cmdline contains "🚴‍♂️" or tgt.process.cmdline contains "🏆" or tgt.process.cmdline contains "🥇" or tgt.process.cmdline contains "🥈" or tgt.process.cmdline contains "🥉" or tgt.process.cmdline contains "🏅" or tgt.process.cmdline contains "🎖" or tgt.process.cmdline contains "🏵" or tgt.process.cmdline contains "🎗" or tgt.process.cmdline contains "🎫" or tgt.process.cmdline contains "🎟" or tgt.process.cmdline contains "🎪" or tgt.process.cmdline contains "🤹" or tgt.process.cmdline contains "🤹‍♂️" or tgt.process.cmdline contains "🤹‍♀️" or tgt.process.cmdline contains "🎭" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "🎨" or tgt.process.cmdline contains "🎬" or tgt.process.cmdline contains "🎤" or tgt.process.cmdline contains "🎧" or tgt.process.cmdline contains "🎼" or tgt.process.cmdline contains "🎹" or tgt.process.cmdline contains "🥁" or tgt.process.cmdline contains "🪘" or tgt.process.cmdline contains "🎷" or tgt.process.cmdline contains "🎺" or tgt.process.cmdline contains "🪗" or tgt.process.cmdline contains "🎸" or tgt.process.cmdline contains "🪕" or tgt.process.cmdline contains "🎻" or tgt.process.cmdline contains "🎲" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "🎯" or tgt.process.cmdline contains "🎳" or tgt.process.cmdline contains "🎮" or tgt.process.cmdline contains "🎰" or tgt.process.cmdline contains "🧩" or tgt.process.cmdline contains "🚗" or tgt.process.cmdline contains "🚕" or tgt.process.cmdline contains "🚙" or tgt.process.cmdline contains "🚌" or tgt.process.cmdline contains "🚎" or tgt.process.cmdline contains "🏎" or tgt.process.cmdline contains "🚓" or tgt.process.cmdline contains "🚑" or tgt.process.cmdline contains "🚒" or tgt.process.cmdline contains "🚐" or tgt.process.cmdline contains "🛻" or tgt.process.cmdline contains "🚚" or tgt.process.cmdline contains "🚛" or tgt.process.cmdline contains "🚜" or tgt.process.cmdline contains "🦯" or 
tgt.process.cmdline contains "🦽" or tgt.process.cmdline contains "🦼" or tgt.process.cmdline contains "🛴" or tgt.process.cmdline contains "🚲" or tgt.process.cmdline contains "🛵" or tgt.process.cmdline contains "🏍" or tgt.process.cmdline contains "🛺" or tgt.process.cmdline contains "🚨" or tgt.process.cmdline contains "🚔" or tgt.process.cmdline contains "🚍" or tgt.process.cmdline contains "🚘" or tgt.process.cmdline contains "🚖" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🚡" or tgt.process.cmdline contains "🚠" or tgt.process.cmdline contains "🚟" or tgt.process.cmdline contains "🚃" or tgt.process.cmdline contains "🚋" or tgt.process.cmdline contains "🚞" or tgt.process.cmdline contains "🚝" or tgt.process.cmdline contains "🚄" or tgt.process.cmdline contains "🚅" or tgt.process.cmdline contains "🚈" or tgt.process.cmdline contains "🚂" or tgt.process.cmdline contains "🚆" or tgt.process.cmdline contains "🚇" or tgt.process.cmdline contains "🚊" or tgt.process.cmdline contains "🚉" or tgt.process.cmdline contains "✈️" or tgt.process.cmdline contains "🛫" or tgt.process.cmdline contains "🛬" or tgt.process.cmdline contains "🛩" or tgt.process.cmdline contains "💺" or tgt.process.cmdline contains "🛰" or tgt.process.cmdline contains "🚀" or tgt.process.cmdline contains "🛸" or tgt.process.cmdline contains "🚁" or tgt.process.cmdline contains "🛶" or tgt.process.cmdline contains "⛵️" or tgt.process.cmdline contains "🚤" or tgt.process.cmdline contains "🛥" or tgt.process.cmdline contains "🛳" or tgt.process.cmdline contains "⛴" or tgt.process.cmdline contains "🚢" or tgt.process.cmdline contains "⚓️" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪝" or tgt.process.cmdline contains "⛽️" or tgt.process.cmdline contains "🚧" or tgt.process.cmdline contains "🚦" or tgt.process.cmdline contains "🚥" or tgt.process.cmdline contains "🚏" or tgt.process.cmdline contains "🗺" or tgt.process.cmdline contains "🗿" or tgt.process.cmdline contains "🗽" or 
tgt.process.cmdline contains "🗼" or tgt.process.cmdline contains "🏰" or tgt.process.cmdline contains "🏯" or tgt.process.cmdline contains "🏟" or tgt.process.cmdline contains "🎡" or tgt.process.cmdline contains "🎢" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🎠" or tgt.process.cmdline contains "⛲️" or tgt.process.cmdline contains "⛱" or tgt.process.cmdline contains "🏖" or tgt.process.cmdline contains "🏝" or tgt.process.cmdline contains "🏜" or tgt.process.cmdline contains "🌋" or tgt.process.cmdline contains "⛰" or tgt.process.cmdline contains "🏔" or tgt.process.cmdline contains "🗻" or tgt.process.cmdline contains "🏕" or tgt.process.cmdline contains "⛺️" or tgt.process.cmdline contains "🛖" or tgt.process.cmdline contains "🏠" or tgt.process.cmdline contains "🏡" or tgt.process.cmdline contains "🏘" or tgt.process.cmdline contains "🏚" or tgt.process.cmdline contains "🏗" or tgt.process.cmdline contains "🏭" or tgt.process.cmdline contains "🏢" or tgt.process.cmdline contains "🏬" or tgt.process.cmdline contains "🏣" or tgt.process.cmdline contains "🏤" or tgt.process.cmdline contains "🏥" or tgt.process.cmdline contains "🏦" or tgt.process.cmdline contains "🏨" or tgt.process.cmdline contains "🏪" or tgt.process.cmdline contains "🏫" or tgt.process.cmdline contains "🏩" or tgt.process.cmdline contains "💒" or tgt.process.cmdline contains "🏛" or tgt.process.cmdline contains "⛪️" or tgt.process.cmdline contains "🕌" or tgt.process.cmdline contains "🕍" or tgt.process.cmdline contains "🛕" or tgt.process.cmdline contains "🕋" or tgt.process.cmdline contains "⛩" or tgt.process.cmdline contains "🛤" or tgt.process.cmdline contains "🛣" or tgt.process.cmdline contains "🗾" or tgt.process.cmdline contains "🎑" or tgt.process.cmdline contains "🏞" or tgt.process.cmdline contains "🌅" or tgt.process.cmdline contains "🌄" or tgt.process.cmdline contains "🌠" or tgt.process.cmdline contains "🎇" or tgt.process.cmdline contains "🎆" or tgt.process.cmdline contains "🌇" or 
tgt.process.cmdline contains "🌆" or tgt.process.cmdline contains "🏙" or tgt.process.cmdline contains "🌃" or tgt.process.cmdline contains "🌌" or tgt.process.cmdline contains "🌉" or tgt.process.cmdline contains "🌁" or tgt.process.cmdline contains "⌚️" or tgt.process.cmdline contains "📱" or tgt.process.cmdline contains "📲" or tgt.process.cmdline contains "💻" or tgt.process.cmdline contains "⌨️" or tgt.process.cmdline contains "🖥" or tgt.process.cmdline contains "🖨" or tgt.process.cmdline contains "🖱" or tgt.process.cmdline contains "🖲" or tgt.process.cmdline contains "🕹" or tgt.process.cmdline contains "🗜" or tgt.process.cmdline contains "💽" or tgt.process.cmdline contains "💾" or tgt.process.cmdline contains "💿" or tgt.process.cmdline contains "📀" or tgt.process.cmdline contains "📼" or tgt.process.cmdline contains "📷" or tgt.process.cmdline contains "📸" or tgt.process.cmdline contains "📹" or tgt.process.cmdline contains "🎥" or tgt.process.cmdline contains "📽" or tgt.process.cmdline contains "🎞" or tgt.process.cmdline contains "📞" or tgt.process.cmdline contains "☎️" or tgt.process.cmdline contains "📟" or tgt.process.cmdline contains "📠" or tgt.process.cmdline contains "📺" or tgt.process.cmdline contains "📻" or tgt.process.cmdline contains "🎙" or tgt.process.cmdline contains "🎚" or tgt.process.cmdline contains "🎛" or tgt.process.cmdline contains "🧭" or tgt.process.cmdline contains "⏱" or tgt.process.cmdline contains "⏲" or tgt.process.cmdline contains "⏰" or tgt.process.cmdline contains "🕰" or tgt.process.cmdline contains "⌛️" or tgt.process.cmdline contains "⏳" or tgt.process.cmdline contains "📡" or tgt.process.cmdline contains "🔋" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🔌" or tgt.process.cmdline contains "💡" or tgt.process.cmdline contains "🔦" or tgt.process.cmdline contains "🕯" or tgt.process.cmdline contains "🪔" or tgt.process.cmdline contains "🧯" or tgt.process.cmdline contains "🛢" or tgt.process.cmdline contains "💸" or 
tgt.process.cmdline contains "💵" or tgt.process.cmdline contains "💴" or tgt.process.cmdline contains "💶" or tgt.process.cmdline contains "💷" or tgt.process.cmdline contains "🪙" or tgt.process.cmdline contains "💰" or tgt.process.cmdline contains "💳" or tgt.process.cmdline contains "💎" or tgt.process.cmdline contains "⚖️" or tgt.process.cmdline contains "🪜" or tgt.process.cmdline contains "🧰" or tgt.process.cmdline contains "🪛" or tgt.process.cmdline contains "🔧" or tgt.process.cmdline contains "🔨" or tgt.process.cmdline contains "⚒" or tgt.process.cmdline contains "🛠" or tgt.process.cmdline contains "⛏" or tgt.process.cmdline contains "🪚" or tgt.process.cmdline contains "🔩" or tgt.process.cmdline contains "⚙️" or tgt.process.cmdline contains "🪤" or tgt.process.cmdline contains "🧱" or tgt.process.cmdline contains "⛓" or tgt.process.cmdline contains "🧲" or tgt.process.cmdline contains "🔫" or tgt.process.cmdline contains "💣" or tgt.process.cmdline contains "🧨" or tgt.process.cmdline contains "🪓" or tgt.process.cmdline contains "🔪" or tgt.process.cmdline contains "🗡" or tgt.process.cmdline contains "⚔️" or tgt.process.cmdline contains "🛡" or tgt.process.cmdline contains "🚬" or tgt.process.cmdline contains "⚰️" or tgt.process.cmdline contains "🪦" or tgt.process.cmdline contains "⚱️" or tgt.process.cmdline contains "🏺" or tgt.process.cmdline contains "🔮" or tgt.process.cmdline contains "📿" or tgt.process.cmdline contains "🧿" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "💈" or tgt.process.cmdline contains "⚗️" or tgt.process.cmdline contains "🔭" or tgt.process.cmdline contains "🔬" or tgt.process.cmdline contains "🕳" or tgt.process.cmdline contains "🩹" or tgt.process.cmdline contains "🩺" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "💊" or tgt.process.cmdline contains "💉" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "🧬" or tgt.process.cmdline contains "🦠" or 
tgt.process.cmdline contains "🧫" or tgt.process.cmdline contains "🧪" or tgt.process.cmdline contains "🌡" or tgt.process.cmdline contains "🧹" or tgt.process.cmdline contains "🪠" or tgt.process.cmdline contains "🧺" or tgt.process.cmdline contains "🧻" or tgt.process.cmdline contains "🚽" or tgt.process.cmdline contains "🚰" or tgt.process.cmdline contains "🚿" or tgt.process.cmdline contains "🛁" or tgt.process.cmdline contains "🛀" or tgt.process.cmdline contains "🧼" or tgt.process.cmdline contains "🪥" or tgt.process.cmdline contains "🪒" or tgt.process.cmdline contains "🧽" or tgt.process.cmdline contains "🪣" or tgt.process.cmdline contains "🧴" or tgt.process.cmdline contains "🛎" or tgt.process.cmdline contains "🔑" or tgt.process.cmdline contains "🗝" or tgt.process.cmdline contains "🚪" or tgt.process.cmdline contains "🪑" or tgt.process.cmdline contains "🛋" or tgt.process.cmdline contains "🛏" or tgt.process.cmdline contains "🛌" or tgt.process.cmdline contains "🧸" or tgt.process.cmdline contains "🪆" or tgt.process.cmdline contains "🖼" or tgt.process.cmdline contains "🪞" or tgt.process.cmdline contains "🪟" or tgt.process.cmdline contains "🛍" or tgt.process.cmdline contains "🛒" or tgt.process.cmdline contains "🎁" or tgt.process.cmdline contains "🎈" or tgt.process.cmdline contains "🎏" or tgt.process.cmdline contains "🎀" or tgt.process.cmdline contains "🪄" or tgt.process.cmdline contains "🪅" or tgt.process.cmdline contains "🎊" or tgt.process.cmdline contains "🎉" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🎎" or tgt.process.cmdline contains "🏮" or tgt.process.cmdline contains "🎐" or tgt.process.cmdline contains "🧧" or tgt.process.cmdline contains "✉️" or tgt.process.cmdline contains "📩" or tgt.process.cmdline contains "📨" or tgt.process.cmdline contains "📧" or tgt.process.cmdline contains "💌" or tgt.process.cmdline contains "📥" or tgt.process.cmdline contains "📤" or tgt.process.cmdline contains "📦" or tgt.process.cmdline contains "🏷" or 
tgt.process.cmdline contains "🪧" or tgt.process.cmdline contains "📪" or tgt.process.cmdline contains "📫" or tgt.process.cmdline contains "📬" or tgt.process.cmdline contains "📭" or tgt.process.cmdline contains "📮" or tgt.process.cmdline contains "📯" or tgt.process.cmdline contains "📜" or tgt.process.cmdline contains "📃" or tgt.process.cmdline contains "📄" or tgt.process.cmdline contains "📑" or tgt.process.cmdline contains "🧾" or tgt.process.cmdline contains "📊" or tgt.process.cmdline contains "📈" or tgt.process.cmdline contains "📉" or tgt.process.cmdline contains "🗒" or tgt.process.cmdline contains "🗓" or tgt.process.cmdline contains "📆" or tgt.process.cmdline contains "📅" or tgt.process.cmdline contains "🗑" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "📇" or tgt.process.cmdline contains "🗃" or tgt.process.cmdline contains "🗳" or tgt.process.cmdline contains "🗄" or tgt.process.cmdline contains "📋" or tgt.process.cmdline contains "📁" or tgt.process.cmdline contains "📂" or tgt.process.cmdline contains "🗂" or tgt.process.cmdline contains "🗞" or tgt.process.cmdline contains "📰" or tgt.process.cmdline contains "📓" or tgt.process.cmdline contains "📔" or tgt.process.cmdline contains "📒" or tgt.process.cmdline contains "📕" or tgt.process.cmdline contains "📗" or tgt.process.cmdline contains "📘" or tgt.process.cmdline contains "📙" or tgt.process.cmdline contains "📚" or tgt.process.cmdline contains "📖" or tgt.process.cmdline contains "🔖" or tgt.process.cmdline contains "🧷" or tgt.process.cmdline contains "🔗" or tgt.process.cmdline contains "📎" or tgt.process.cmdline contains "🖇" or tgt.process.cmdline contains "📐" or tgt.process.cmdline contains "📏" or tgt.process.cmdline contains "🧮" or tgt.process.cmdline contains "📌" or tgt.process.cmdline contains "📍" or tgt.process.cmdline contains "✂️" or tgt.process.cmdline contains "🖊" or tgt.process.cmdline contains "🖋" or tgt.process.cmdline contains "✒️" or tgt.process.cmdline contains "🖌" or 
tgt.process.cmdline contains "🖍" or tgt.process.cmdline contains "📝" or tgt.process.cmdline contains "✏️" or tgt.process.cmdline contains "🔍" or tgt.process.cmdline contains "🔎" or tgt.process.cmdline contains "🔏" or tgt.process.cmdline contains "🔐" or tgt.process.cmdline contains "🔒" or tgt.process.cmdline contains "🔓❤️" or tgt.process.cmdline contains "🧡" or tgt.process.cmdline contains "💛" or tgt.process.cmdline contains "💚" or tgt.process.cmdline contains "💙" or tgt.process.cmdline contains "💜" or tgt.process.cmdline contains "🖤" or tgt.process.cmdline contains "🤍" or tgt.process.cmdline contains "🤎" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "💔" or tgt.process.cmdline contains "❣️" or tgt.process.cmdline contains "💕" or tgt.process.cmdline contains "💞" or tgt.process.cmdline contains "💓" or tgt.process.cmdline contains "💗" or tgt.process.cmdline contains "💖" or tgt.process.cmdline contains "💘" or tgt.process.cmdline contains "💝" or tgt.process.cmdline contains "💟" or tgt.process.cmdline contains "☮️" or tgt.process.cmdline contains "✝️" or tgt.process.cmdline contains "☪️" or tgt.process.cmdline contains "🕉" or tgt.process.cmdline contains "☸️" or tgt.process.cmdline contains "✡️" or tgt.process.cmdline contains "🔯" or tgt.process.cmdline contains "🕎" or tgt.process.cmdline contains "☯️" or tgt.process.cmdline contains "☦️" or tgt.process.cmdline contains "🛐" or tgt.process.cmdline contains "⛎" or tgt.process.cmdline contains "♈️" or tgt.process.cmdline contains "♉️" or tgt.process.cmdline contains "♊️" or tgt.process.cmdline contains "♋️" or tgt.process.cmdline contains "♌️" or tgt.process.cmdline contains "♍️" or tgt.process.cmdline contains "♎️" or tgt.process.cmdline contains "♏️" or tgt.process.cmdline contains "♐️" or tgt.process.cmdline contains "♑️" or tgt.process.cmdline contains "♒️" or tgt.process.cmdline contains "♓️" or tgt.process.cmdline contains "🆔" or tgt.process.cmdline 
contains "⚛️" or tgt.process.cmdline contains "🉑" or tgt.process.cmdline contains "☢️" or tgt.process.cmdline contains "☣️" or tgt.process.cmdline contains "📴" or tgt.process.cmdline contains "📳" or tgt.process.cmdline contains "🈶" or tgt.process.cmdline contains "🈚️" or tgt.process.cmdline contains "🈸" or tgt.process.cmdline contains "🈺" or tgt.process.cmdline contains "🈷️" or tgt.process.cmdline contains "✴️" or tgt.process.cmdline contains "🆚" or tgt.process.cmdline contains "💮" or tgt.process.cmdline contains "🉐" or tgt.process.cmdline contains "㊙️" or tgt.process.cmdline contains "㊗️" or tgt.process.cmdline contains "🈴" or tgt.process.cmdline contains "🈵" or tgt.process.cmdline contains "🈹" or tgt.process.cmdline contains "🈲" or tgt.process.cmdline contains "🅰️" or tgt.process.cmdline contains "🅱️" or tgt.process.cmdline contains "🆎" or tgt.process.cmdline contains "🆑" or tgt.process.cmdline contains "🅾️" or tgt.process.cmdline contains "🆘" or tgt.process.cmdline contains "❌" or tgt.process.cmdline contains "⭕️" or tgt.process.cmdline contains "🛑" or tgt.process.cmdline contains "⛔️" or tgt.process.cmdline contains "📛" or tgt.process.cmdline contains "🚫" or tgt.process.cmdline contains "💯" or tgt.process.cmdline contains "💢" or tgt.process.cmdline contains "♨️" or tgt.process.cmdline contains "🚷" or tgt.process.cmdline contains "🚯" or tgt.process.cmdline contains "🚳" or tgt.process.cmdline contains "🚱" or tgt.process.cmdline contains "🔞" or tgt.process.cmdline contains "📵" or tgt.process.cmdline contains "🚭" or tgt.process.cmdline contains "❗️" or tgt.process.cmdline contains "❕" or tgt.process.cmdline contains "❓" or tgt.process.cmdline contains "❔" or tgt.process.cmdline contains "‼️" or tgt.process.cmdline contains "⁉️" or tgt.process.cmdline contains "🔅" or tgt.process.cmdline contains "🔆" or tgt.process.cmdline contains "〽️" or tgt.process.cmdline contains "⚠️" or tgt.process.cmdline contains "🚸" or tgt.process.cmdline contains "🔱" or tgt.process.cmdline 
contains "⚜️" or tgt.process.cmdline contains "🔰" or tgt.process.cmdline contains "♻️" or tgt.process.cmdline contains "✅" or tgt.process.cmdline contains "🈯️" or tgt.process.cmdline contains "💹" or tgt.process.cmdline contains "❇️" or tgt.process.cmdline contains "✳️" or tgt.process.cmdline contains "❎" or tgt.process.cmdline contains "🌐" or tgt.process.cmdline contains "💠" or tgt.process.cmdline contains "Ⓜ️" or tgt.process.cmdline contains "🌀" or tgt.process.cmdline contains "💤" or tgt.process.cmdline contains "🏧" or tgt.process.cmdline contains "🚾" or tgt.process.cmdline contains "♿️" or tgt.process.cmdline contains "🅿️" or tgt.process.cmdline contains "🛗" or tgt.process.cmdline contains "🈳" or tgt.process.cmdline contains "🈂️" or tgt.process.cmdline contains "🛂" or tgt.process.cmdline contains "🛃" or tgt.process.cmdline contains "🛄" or tgt.process.cmdline contains "🛅" or tgt.process.cmdline contains "🚹" or tgt.process.cmdline contains "🚺" or tgt.process.cmdline contains "🚼" or tgt.process.cmdline contains "⚧" or tgt.process.cmdline contains "🚻" or tgt.process.cmdline contains "🚮" or tgt.process.cmdline contains "🎦" or tgt.process.cmdline contains "📶" or tgt.process.cmdline contains "🈁" or tgt.process.cmdline contains "🔣" or tgt.process.cmdline contains "ℹ️" or tgt.process.cmdline contains "🔤" or tgt.process.cmdline contains "🔡" or tgt.process.cmdline contains "🔠" or tgt.process.cmdline contains "🆖" or tgt.process.cmdline contains "🆗" or tgt.process.cmdline contains "🆙" or tgt.process.cmdline contains "🆒" or tgt.process.cmdline contains "🆕" or tgt.process.cmdline contains "🆓" or tgt.process.cmdline contains "0️⃣" or tgt.process.cmdline contains "1️⃣" or tgt.process.cmdline contains "2️⃣" or tgt.process.cmdline contains "3️⃣" or tgt.process.cmdline contains "4️⃣" or tgt.process.cmdline contains "5️⃣" or tgt.process.cmdline contains "6️⃣" or tgt.process.cmdline contains "7️⃣" or tgt.process.cmdline contains "8️⃣" or tgt.process.cmdline contains "9️⃣" or 
tgt.process.cmdline contains "🔟" or tgt.process.cmdline contains "🔢" or tgt.process.cmdline contains "#️⃣" or tgt.process.cmdline contains "️⃣" or tgt.process.cmdline contains "⏏️" or tgt.process.cmdline contains "▶️" or tgt.process.cmdline contains "⏸" or tgt.process.cmdline contains "⏯" or tgt.process.cmdline contains "⏹" or tgt.process.cmdline contains "⏺" or tgt.process.cmdline contains "⏭" or tgt.process.cmdline contains "⏮" or tgt.process.cmdline contains "⏩" or tgt.process.cmdline contains "⏪" or tgt.process.cmdline contains "⏫" or tgt.process.cmdline contains "⏬" or tgt.process.cmdline contains "◀️" or tgt.process.cmdline contains "🔼" or tgt.process.cmdline contains "🔽" or tgt.process.cmdline contains "➡️" or tgt.process.cmdline contains "⬅️" or tgt.process.cmdline contains "⬆️" or tgt.process.cmdline contains "⬇️" or tgt.process.cmdline contains "↗️" or tgt.process.cmdline contains "↘️" or tgt.process.cmdline contains "↙️" or tgt.process.cmdline contains "↖️" or tgt.process.cmdline contains "↕️" or tgt.process.cmdline contains "↔️" or tgt.process.cmdline contains "↪️" or tgt.process.cmdline contains "↩️" or tgt.process.cmdline contains "⤴️" or tgt.process.cmdline contains "⤵️" or tgt.process.cmdline contains "🔀" or tgt.process.cmdline contains "🔁" or tgt.process.cmdline contains "🔂" or tgt.process.cmdline contains "🔄" or tgt.process.cmdline contains "🔃" or tgt.process.cmdline contains "🎵" or tgt.process.cmdline contains "🎶" or tgt.process.cmdline contains "➕" or tgt.process.cmdline contains "➖" or tgt.process.cmdline contains "➗" or tgt.process.cmdline contains "✖️" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "♾" or tgt.process.cmdline contains "💲" or tgt.process.cmdline contains "💱" or tgt.process.cmdline contains "™️" or tgt.process.cmdline contains "©️" or tgt.process.cmdline contains "®️" or tgt.process.cmdline contains "〰️" or tgt.process.cmdline contains "➰" or tgt.process.cmdline contains "➿" or tgt.process.cmdline contains 
"🔚" or tgt.process.cmdline contains "🔙" or tgt.process.cmdline contains "🔛" or tgt.process.cmdline contains "🔝" or tgt.process.cmdline contains "🔜" or tgt.process.cmdline contains "✔️" or tgt.process.cmdline contains "☑️" or tgt.process.cmdline contains "🔘" or tgt.process.cmdline contains "🔴" or tgt.process.cmdline contains "🟠" or tgt.process.cmdline contains "🟡" or tgt.process.cmdline contains "🟢" or tgt.process.cmdline contains "🔵" or tgt.process.cmdline contains "🟣" or tgt.process.cmdline contains "⚫️" or tgt.process.cmdline contains "⚪️" or tgt.process.cmdline contains "🟤" or tgt.process.cmdline contains "🔺" or tgt.process.cmdline contains "🔻"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
index 06c8be879..88b2be133 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🔸" or tgt.process.cmdline contains "🔹" or tgt.process.cmdline contains "🔶" or tgt.process.cmdline contains "🔷" or tgt.process.cmdline contains "🔳" or tgt.process.cmdline contains "🔲" or tgt.process.cmdline contains "▪️" or tgt.process.cmdline contains "▫️" or tgt.process.cmdline contains "◾️" or tgt.process.cmdline contains "◽️" or tgt.process.cmdline contains "◼️" or tgt.process.cmdline contains "◻️" or tgt.process.cmdline contains "🟥" or tgt.process.cmdline contains "🟧" or tgt.process.cmdline contains "🟨" or tgt.process.cmdline contains "🟩" or tgt.process.cmdline contains "🟦" or tgt.process.cmdline contains "🟪" or tgt.process.cmdline contains "⬛️" or tgt.process.cmdline contains "⬜️" or tgt.process.cmdline contains "🟫" or tgt.process.cmdline contains "🔈" or tgt.process.cmdline contains "🔇" or tgt.process.cmdline contains "🔉" or tgt.process.cmdline contains "🔊" or tgt.process.cmdline contains "🔔" or tgt.process.cmdline contains "🔕" or tgt.process.cmdline contains "📣" or tgt.process.cmdline contains "📢" or tgt.process.cmdline contains "👁‍🗨" or tgt.process.cmdline contains "💬" or tgt.process.cmdline contains "💭" or tgt.process.cmdline contains "🗯" or tgt.process.cmdline contains "♠️" or tgt.process.cmdline contains "♣️" or tgt.process.cmdline contains "♥️" or tgt.process.cmdline contains "♦️" or tgt.process.cmdline contains "🃏" or tgt.process.cmdline contains "🎴" or tgt.process.cmdline contains "🀄️" or tgt.process.cmdline contains "🕐" or tgt.process.cmdline contains "🕑" or tgt.process.cmdline contains "🕒" or tgt.process.cmdline contains "🕓" or tgt.process.cmdline contains "🕔" or tgt.process.cmdline contains "🕕" or tgt.process.cmdline contains "🕖" or tgt.process.cmdline contains "🕗" or tgt.process.cmdline 
contains "🕘" or tgt.process.cmdline contains "🕙" or tgt.process.cmdline contains "🕚" or tgt.process.cmdline contains "🕛" or tgt.process.cmdline contains "🕜" or tgt.process.cmdline contains "🕝" or tgt.process.cmdline contains "🕞" or tgt.process.cmdline contains "🕟" or tgt.process.cmdline contains "🕠" or tgt.process.cmdline contains "🕡" or tgt.process.cmdline contains "🕢" or tgt.process.cmdline contains "🕣" or tgt.process.cmdline contains "🕤" or tgt.process.cmdline contains "🕥" or tgt.process.cmdline contains "🕦" or tgt.process.cmdline contains "🕧✢" or tgt.process.cmdline contains "✣" or tgt.process.cmdline contains "✤" or tgt.process.cmdline contains "✥" or tgt.process.cmdline contains "✦" or tgt.process.cmdline contains "✧" or tgt.process.cmdline contains "★" or tgt.process.cmdline contains "☆" or tgt.process.cmdline contains "✯" or tgt.process.cmdline contains "✡︎" or tgt.process.cmdline contains "✩" or tgt.process.cmdline contains "✪" or tgt.process.cmdline contains "✫" or tgt.process.cmdline contains "✬" or tgt.process.cmdline contains "✭" or tgt.process.cmdline contains "✮" or tgt.process.cmdline contains "✶" or tgt.process.cmdline contains "✷" or tgt.process.cmdline contains "✵" or tgt.process.cmdline contains "✸" or tgt.process.cmdline contains "✹" or tgt.process.cmdline contains "→" or tgt.process.cmdline contains "⇒" or tgt.process.cmdline contains "⟹" or tgt.process.cmdline contains "⇨" or tgt.process.cmdline contains "⇾" or tgt.process.cmdline contains "➾" or tgt.process.cmdline contains "⇢" or tgt.process.cmdline contains "☛" or tgt.process.cmdline contains "☞" or tgt.process.cmdline contains "➔" or tgt.process.cmdline contains "➜" or tgt.process.cmdline contains "➙" or tgt.process.cmdline contains "➛" or tgt.process.cmdline contains "➝" or tgt.process.cmdline contains "➞" or tgt.process.cmdline contains "♠︎" or tgt.process.cmdline contains "♣︎" or tgt.process.cmdline contains "♥︎" or tgt.process.cmdline contains "♦︎" or tgt.process.cmdline contains "♤" 
or tgt.process.cmdline contains "♧" or tgt.process.cmdline contains "♡" or tgt.process.cmdline contains "♢" or tgt.process.cmdline contains "♚" or tgt.process.cmdline contains "♛" or tgt.process.cmdline contains "♜" or tgt.process.cmdline contains "♝" or tgt.process.cmdline contains "♞" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "♔" or tgt.process.cmdline contains "♕" or tgt.process.cmdline contains "♖" or tgt.process.cmdline contains "♗" or tgt.process.cmdline contains "♘" or tgt.process.cmdline contains "♙" or tgt.process.cmdline contains "⚀" or tgt.process.cmdline contains "⚁" or tgt.process.cmdline contains "⚂" or tgt.process.cmdline contains "⚃" or tgt.process.cmdline contains "⚄" or tgt.process.cmdline contains "⚅" or tgt.process.cmdline contains "🂠" or tgt.process.cmdline contains "⚈" or tgt.process.cmdline contains "⚉" or tgt.process.cmdline contains "⚆" or tgt.process.cmdline contains "⚇" or tgt.process.cmdline contains "𓀀" or tgt.process.cmdline contains "𓀁" or tgt.process.cmdline contains "𓀂" or tgt.process.cmdline contains "𓀃" or tgt.process.cmdline contains "𓀄" or tgt.process.cmdline contains "𓀅" or tgt.process.cmdline contains "𓀆" or tgt.process.cmdline contains "𓀇" or tgt.process.cmdline contains "𓀈" or tgt.process.cmdline contains "𓀉" or tgt.process.cmdline contains "𓀊" or tgt.process.cmdline contains "𓀋" or tgt.process.cmdline contains "𓀌" or tgt.process.cmdline contains "𓀍" or tgt.process.cmdline contains "𓀎" or tgt.process.cmdline contains "𓀏" or tgt.process.cmdline contains "𓀐" or tgt.process.cmdline contains "𓀑" or tgt.process.cmdline contains "𓀒" or tgt.process.cmdline contains "𓀓" or tgt.process.cmdline contains "𓀔" or tgt.process.cmdline contains "𓀕" or tgt.process.cmdline contains "𓀖" or tgt.process.cmdline contains "𓀗" or tgt.process.cmdline contains "𓀘" or tgt.process.cmdline contains "𓀙" or tgt.process.cmdline contains "𓀚" or tgt.process.cmdline contains "𓀛" or tgt.process.cmdline contains "𓀜" or 
tgt.process.cmdline contains "𓀝🏳️" or tgt.process.cmdline contains "🏴" or tgt.process.cmdline contains "🏁" or tgt.process.cmdline contains "🚩" or tgt.process.cmdline contains "🏳️‍🌈" or tgt.process.cmdline contains "🏳️‍⚧️" or tgt.process.cmdline contains "🏴‍☠️" or tgt.process.cmdline contains "🇦🇫" or tgt.process.cmdline contains "🇦🇽" or tgt.process.cmdline contains "🇦🇱" or tgt.process.cmdline contains "🇩🇿" or tgt.process.cmdline contains "🇦🇸" or tgt.process.cmdline contains "🇦🇩" or tgt.process.cmdline contains "🇦🇴" or tgt.process.cmdline contains "🇦🇮" or tgt.process.cmdline contains "🇦🇶" or tgt.process.cmdline contains "🇦🇬" or tgt.process.cmdline contains "🇦🇷" or tgt.process.cmdline contains "🇦🇲" or tgt.process.cmdline contains "🇦🇼" or tgt.process.cmdline contains "🇦🇺" or tgt.process.cmdline contains "🇦🇹" or tgt.process.cmdline contains "🇦🇿" or tgt.process.cmdline contains "🇧🇸" or tgt.process.cmdline contains "🇧🇭" or tgt.process.cmdline contains "🇧🇩" or tgt.process.cmdline contains "🇧🇧" or tgt.process.cmdline contains "🇧🇾" or tgt.process.cmdline contains "🇧🇪" or tgt.process.cmdline contains "🇧🇿" or tgt.process.cmdline contains "🇧🇯" or tgt.process.cmdline contains "🇧🇲" or tgt.process.cmdline contains "🇧🇹" or tgt.process.cmdline contains "🇧🇴" or tgt.process.cmdline contains "🇧🇦" or tgt.process.cmdline contains "🇧🇼" or tgt.process.cmdline contains "🇧🇷" or tgt.process.cmdline contains "🇮🇴" or tgt.process.cmdline contains "🇻🇬" or tgt.process.cmdline contains "🇧🇳" or tgt.process.cmdline contains "🇧🇬" or tgt.process.cmdline contains "🇧🇫" or tgt.process.cmdline contains "🇧🇮" or tgt.process.cmdline contains "🇰🇭" or tgt.process.cmdline contains "🇨🇲" or tgt.process.cmdline contains "🇨🇦" or tgt.process.cmdline contains "🇮🇨" or tgt.process.cmdline contains "🇨🇻" or tgt.process.cmdline contains "🇧🇶" or tgt.process.cmdline contains "🇰🇾" or tgt.process.cmdline contains "🇨🇫" or tgt.process.cmdline contains "🇹🇩" or tgt.process.cmdline contains "🇨🇱" or tgt.process.cmdline contains "🇨🇳" 
or tgt.process.cmdline contains "🇨🇽" or tgt.process.cmdline contains "🇨🇨" or tgt.process.cmdline contains "🇨🇴" or tgt.process.cmdline contains "🇰🇲" or tgt.process.cmdline contains "🇨🇬" or tgt.process.cmdline contains "🇨🇩" or tgt.process.cmdline contains "🇨🇰" or tgt.process.cmdline contains "🇨🇷" or tgt.process.cmdline contains "🇨🇮" or tgt.process.cmdline contains "🇭🇷" or tgt.process.cmdline contains "🇨🇺" or tgt.process.cmdline contains "🇨🇼" or tgt.process.cmdline contains "🇨🇾" or tgt.process.cmdline contains "🇨🇿" or tgt.process.cmdline contains "🇩🇰" or tgt.process.cmdline contains "🇩🇯" or tgt.process.cmdline contains "🇩🇲" or tgt.process.cmdline contains "🇩🇴" or tgt.process.cmdline contains "🇪🇨" or tgt.process.cmdline contains "🇪🇬" or tgt.process.cmdline contains "🇸🇻" or tgt.process.cmdline contains "🇬🇶" or tgt.process.cmdline contains "🇪🇷" or tgt.process.cmdline contains "🇪🇪" or tgt.process.cmdline contains "🇪🇹" or tgt.process.cmdline contains "🇪🇺" or tgt.process.cmdline contains "🇫🇰" or tgt.process.cmdline contains "🇫🇴" or tgt.process.cmdline contains "🇫🇯" or tgt.process.cmdline contains "🇫🇮" or tgt.process.cmdline contains "🇫🇷" or tgt.process.cmdline contains "🇬🇫" or tgt.process.cmdline contains "🇵🇫" or tgt.process.cmdline contains "🇹🇫" or tgt.process.cmdline contains "🇬🇦" or tgt.process.cmdline contains "🇬🇲" or tgt.process.cmdline contains "🇬🇪" or tgt.process.cmdline contains "🇩🇪" or tgt.process.cmdline contains "🇬🇭" or tgt.process.cmdline contains "🇬🇮" or tgt.process.cmdline contains "🇬🇷" or tgt.process.cmdline contains "🇬🇱" or tgt.process.cmdline contains "🇬🇩" or tgt.process.cmdline contains "🇬🇵" or tgt.process.cmdline contains "🇬🇺" or tgt.process.cmdline contains "🇬🇹" or tgt.process.cmdline contains "🇬🇬" or tgt.process.cmdline contains "🇬🇳" or tgt.process.cmdline contains "🇬🇼" or tgt.process.cmdline contains "🇬🇾" or tgt.process.cmdline contains "🇭🇹" or tgt.process.cmdline contains "🇭🇳" or tgt.process.cmdline contains "🇭🇰" or tgt.process.cmdline contains "🇭🇺" 
or tgt.process.cmdline contains "🇮🇸" or tgt.process.cmdline contains "🇮🇳" or tgt.process.cmdline contains "🇮🇩" or tgt.process.cmdline contains "🇮🇷" or tgt.process.cmdline contains "🇮🇶" or tgt.process.cmdline contains "🇮🇪" or tgt.process.cmdline contains "🇮🇲" or tgt.process.cmdline contains "🇮🇱" or tgt.process.cmdline contains "🇮🇹" or tgt.process.cmdline contains "🇯🇲" or tgt.process.cmdline contains "🇯🇵" or tgt.process.cmdline contains "🎌" or tgt.process.cmdline contains "🇯🇪" or tgt.process.cmdline contains "🇯🇴" or tgt.process.cmdline contains "🇰🇿" or tgt.process.cmdline contains "🇰🇪" or tgt.process.cmdline contains "🇰🇮" or tgt.process.cmdline contains "🇽🇰" or tgt.process.cmdline contains "🇰🇼" or tgt.process.cmdline contains "🇰🇬" or tgt.process.cmdline contains "🇱🇦" or tgt.process.cmdline contains "🇱🇻" or tgt.process.cmdline contains "🇱🇧" or tgt.process.cmdline contains "🇱🇸" or tgt.process.cmdline contains "🇱🇷" or tgt.process.cmdline contains "🇱🇾" or tgt.process.cmdline contains "🇱🇮" or tgt.process.cmdline contains "🇱🇹" or tgt.process.cmdline contains "🇱🇺" or tgt.process.cmdline contains "🇲🇴" or tgt.process.cmdline contains "🇲🇰" or tgt.process.cmdline contains "🇲🇬" or tgt.process.cmdline contains "🇲🇼" or tgt.process.cmdline contains "🇲🇾" or tgt.process.cmdline contains "🇲🇻" or tgt.process.cmdline contains "🇲🇱" or tgt.process.cmdline contains "🇲🇹" or tgt.process.cmdline contains "🇲🇭" or tgt.process.cmdline contains "🇲🇶" or tgt.process.cmdline contains "🇲🇷" or tgt.process.cmdline contains "🇲🇺" or tgt.process.cmdline contains "🇾🇹" or tgt.process.cmdline contains "🇲🇽" or tgt.process.cmdline contains "🇫🇲" or tgt.process.cmdline contains "🇲🇩" or tgt.process.cmdline contains "🇲🇨" or tgt.process.cmdline contains "🇲🇳" or tgt.process.cmdline contains "🇲🇪" or tgt.process.cmdline contains "🇲🇸" or tgt.process.cmdline contains "🇲🇦" or tgt.process.cmdline contains "🇲🇿" or tgt.process.cmdline contains "🇲🇲" or tgt.process.cmdline contains "🇳🇦" or tgt.process.cmdline contains "🇳🇷" or 
tgt.process.cmdline contains "🇳🇵" or tgt.process.cmdline contains "🇳🇱" or tgt.process.cmdline contains "🇳🇨" or tgt.process.cmdline contains "🇳🇿" or tgt.process.cmdline contains "🇳🇮" or tgt.process.cmdline contains "🇳🇪" or tgt.process.cmdline contains "🇳🇬" or tgt.process.cmdline contains "🇳🇺" or tgt.process.cmdline contains "🇳🇫" or tgt.process.cmdline contains "🇰🇵" or tgt.process.cmdline contains "🇲🇵" or tgt.process.cmdline contains "🇳🇴" or tgt.process.cmdline contains "🇴🇲" or tgt.process.cmdline contains "🇵🇰" or tgt.process.cmdline contains "🇵🇼" or tgt.process.cmdline contains "🇵🇸" or tgt.process.cmdline contains "🇵🇦" or tgt.process.cmdline contains "🇵🇬" or tgt.process.cmdline contains "🇵🇾" or tgt.process.cmdline contains "🇵🇪" or tgt.process.cmdline contains "🇵🇭" or tgt.process.cmdline contains "🇵🇳" or tgt.process.cmdline contains "🇵🇱" or tgt.process.cmdline contains "🇵🇹" or tgt.process.cmdline contains "🇵🇷" or tgt.process.cmdline contains "🇶🇦" or tgt.process.cmdline contains "🇷🇪" or tgt.process.cmdline contains "🇷🇴" or tgt.process.cmdline contains "🇷🇺" or tgt.process.cmdline contains "🇷🇼" or tgt.process.cmdline contains "🇼🇸" or tgt.process.cmdline contains "🇸🇲" or tgt.process.cmdline contains "🇸🇦" or tgt.process.cmdline contains "🇸🇳" or tgt.process.cmdline contains "🇷🇸" or tgt.process.cmdline contains "🇸🇨" or tgt.process.cmdline contains "🇸🇱" or tgt.process.cmdline contains "🇸🇬" or tgt.process.cmdline contains "🇸🇽" or tgt.process.cmdline contains "🇸🇰" or tgt.process.cmdline contains "🇸🇮" or tgt.process.cmdline contains "🇬🇸" or tgt.process.cmdline contains "🇸🇧" or tgt.process.cmdline contains "🇸🇴" or tgt.process.cmdline contains "🇿🇦" or tgt.process.cmdline contains "🇰🇷" or tgt.process.cmdline contains "🇸🇸" or tgt.process.cmdline contains "🇪🇸" or tgt.process.cmdline contains "🇱🇰" or tgt.process.cmdline contains "🇧🇱" or tgt.process.cmdline contains "🇸🇭" or tgt.process.cmdline contains "🇰🇳" or tgt.process.cmdline contains "🇱🇨" or tgt.process.cmdline contains "🇵🇲" or 
tgt.process.cmdline contains "🇻🇨" or tgt.process.cmdline contains "🇸🇩" or tgt.process.cmdline contains "🇸🇷" or tgt.process.cmdline contains "🇸🇿" or tgt.process.cmdline contains "🇸🇪" or tgt.process.cmdline contains "🇨🇭" or tgt.process.cmdline contains "🇸🇾" or tgt.process.cmdline contains "🇹🇼" or tgt.process.cmdline contains "🇹🇯" or tgt.process.cmdline contains "🇹🇿" or tgt.process.cmdline contains "🇹🇭" or tgt.process.cmdline contains "🇹🇱" or tgt.process.cmdline contains "🇹🇬" or tgt.process.cmdline contains "🇹🇰" or tgt.process.cmdline contains "🇹🇴" or tgt.process.cmdline contains "🇹🇹" or tgt.process.cmdline contains "🇹🇳" or tgt.process.cmdline contains "🇹🇷" or tgt.process.cmdline contains "🇹🇲" or tgt.process.cmdline contains "🇹🇨" or tgt.process.cmdline contains "🇹🇻" or tgt.process.cmdline contains "🇻🇮" or tgt.process.cmdline contains "🇺🇬" or tgt.process.cmdline contains "🇺🇦" or tgt.process.cmdline contains "🇦🇪" or tgt.process.cmdline contains "🇬🇧" or tgt.process.cmdline contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or tgt.process.cmdline contains "🇺🇳" or tgt.process.cmdline contains "🇺🇸" or tgt.process.cmdline contains "🇺🇾" or tgt.process.cmdline contains "🇺🇿" or tgt.process.cmdline contains "🇻🇺" or tgt.process.cmdline contains "🇻🇦" or tgt.process.cmdline contains "🇻🇪" or tgt.process.cmdline contains "🇻🇳" or tgt.process.cmdline contains "🇼🇫" or tgt.process.cmdline contains "🇪🇭" or tgt.process.cmdline contains "🇾🇪" or tgt.process.cmdline contains "🇿🇲" or tgt.process.cmdline contains "🇿🇼🫠" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🫤" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains 
"🫱🏿" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🤝🏻" or tgt.process.cmdline contains "🤝🏼" or tgt.process.cmdline contains "🤝🏽" or tgt.process.cmdline contains "🤝🏾" or tgt.process.cmdline contains "🤝🏿" or tgt.process.cmdline contains "🫱🏻‍🫲🏼" or tgt.process.cmdline contains "🫱🏻‍🫲🏽" or tgt.process.cmdline contains "🫱🏻‍🫲🏾" or tgt.process.cmdline contains "🫱🏻‍🫲🏿" or tgt.process.cmdline contains "🫱🏼‍🫲🏻" or tgt.process.cmdline contains "🫱🏼‍🫲🏽" or tgt.process.cmdline contains "🫱🏼‍🫲🏾" or tgt.process.cmdline contains "🫱🏼‍🫲🏿" or tgt.process.cmdline contains "🫱🏽‍🫲🏻" or tgt.process.cmdline contains "🫱🏽‍🫲🏼" or tgt.process.cmdline contains "🫱🏽‍🫲🏾" or tgt.process.cmdline contains "🫱🏽‍🫲🏿" or 
tgt.process.cmdline contains "🫱🏾‍🫲🏻" or tgt.process.cmdline contains "🫱🏾‍🫲🏼" or tgt.process.cmdline contains "🫱🏾‍🫲🏽" or tgt.process.cmdline contains "🫱🏾‍🫲🏿" or tgt.process.cmdline contains "🫱🏿‍🫲🏻" or tgt.process.cmdline contains "🫱🏿‍🫲🏼" or tgt.process.cmdline contains "🫱🏿‍🫲🏽" or tgt.process.cmdline contains "🫱🏿‍🫲🏾" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline 
contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "💑🏻" or tgt.process.cmdline contains "💑🏼" or tgt.process.cmdline contains "💑🏽" or tgt.process.cmdline contains "💑🏾" or tgt.process.cmdline contains "💑🏿" or tgt.process.cmdline contains "💏🏻" or tgt.process.cmdline contains "💏🏼" or tgt.process.cmdline contains "💏🏽" or tgt.process.cmdline contains "💏🏾" or tgt.process.cmdline contains "💏🏿" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏾" or 
tgt.process.cmdline contains "👩🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏿" or tgt.process.cmdline 
contains "🧑🏻‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains 
"👩🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏿" or 
tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏾"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md
index f7ae9c6a6..5c5d18fa0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "COMPlus_ETWEnabled" or tgt.process.cmdline contains "COMPlus_ETWFlags"))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
index 80cb97a52..8fb77f54a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cl" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "clear-log" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "sl" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "set-log" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "logman" and tgt.process.cmdline contains "update" and tgt.process.cmdline contains "trace" and tgt.process.cmdline contains "--p" and tgt.process.cmdline contains "-ets") or tgt.process.cmdline contains "Remove-EtwTraceProvider" or (tgt.process.cmdline contains "Set-EtwTraceProvider" and tgt.process.cmdline contains "0x11")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
index efa6d7dde..d786f4350 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\wevtutil.exe" and (tgt.process.cmdline contains "clear-log " or tgt.process.cmdline contains " cl " or tgt.process.cmdline contains "set-log " or tgt.process.cmdline contains " sl " or tgt.process.cmdline contains "lfn:")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Clear-EventLog " or tgt.process.cmdline contains "Remove-EventLog " or tgt.process.cmdline contains "Limit-EventLog " or tgt.process.cmdline contains "Clear-WinEvent ")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wmic.exe") and tgt.process.cmdline contains "ClearEventLog")) and (not ((src.process.image.path in ("C:\Windows\SysWOW64\msiexec.exe","C:\Windows\System32\msiexec.exe")) and tgt.process.cmdline contains " sl "))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
index 5c6342dc6..3c697d07b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains ":\Users\Public\" and ((tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md index 0ac684b7d..33aecca65 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\Perflogs\" or tgt.process.image.path contains ":\Users\All Users\" or tgt.process.image.path contains ":\Users\Default\" or tgt.process.image.path contains ":\Users\NetworkService\" or tgt.process.image.path contains ":\Windows\addins\" or tgt.process.image.path contains ":\Windows\debug\" or tgt.process.image.path contains ":\Windows\Fonts\" or tgt.process.image.path contains ":\Windows\Help\" or tgt.process.image.path contains ":\Windows\IME\" or tgt.process.image.path contains ":\Windows\Media\" or tgt.process.image.path contains ":\Windows\repair\" or tgt.process.image.path contains ":\Windows\security\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\" or tgt.process.image.path contains "$Recycle.bin" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Intel\Logs\" or tgt.process.image.path contains "\RSA\MachineKeys\") and (not (tgt.process.image.path contains "C:\Users\Public\IBM\ClientSolutions\Start_Programs\" or (tgt.process.image.path contains "C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\" and tgt.process.image.path contains "\CitrixReceiverUpdater.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md index e256d9e04..7a8358781 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "gatherNetworkInfo.vbs" and (not (tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md index a35688963..e96479b2c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::$index_allocation") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md index 96e7b6528..35f0f2241 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "type" or tgt.process.cmdline contains "file createnew" or tgt.process.cmdline contains "cacls") and tgt.process.cmdline contains "C:\Windows\Fonts\" and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh" or tgt.process.cmdline contains ".reg" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl" or tgt.process.cmdline contains ".inf" or tgt.process.cmdline contains ".cpl" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".msi" or tgt.process.cmdline contains ".vbs"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md index a0e9b9282..3a71f2f1d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "А" or tgt.process.cmdline contains "В" or tgt.process.cmdline contains "Е" or tgt.process.cmdline contains "К" or tgt.process.cmdline contains "М" or tgt.process.cmdline contains "Н" or tgt.process.cmdline contains "О" or tgt.process.cmdline contains "Р" or tgt.process.cmdline contains "С" or tgt.process.cmdline contains "Т" or tgt.process.cmdline contains "Х" or tgt.process.cmdline contains "Ѕ" or tgt.process.cmdline contains "І" or tgt.process.cmdline contains "Ј" or tgt.process.cmdline contains "Ү" or tgt.process.cmdline contains "Ӏ" or tgt.process.cmdline contains "Ԍ" or tgt.process.cmdline contains "Ԛ" or tgt.process.cmdline contains "Ԝ" or tgt.process.cmdline contains "Α" or tgt.process.cmdline contains "Β" or tgt.process.cmdline contains "Ε" or tgt.process.cmdline contains "Ζ" or tgt.process.cmdline contains "Η" or tgt.process.cmdline contains "Ι" or tgt.process.cmdline contains "Κ" or tgt.process.cmdline contains "Μ" or tgt.process.cmdline contains "Ν" or tgt.process.cmdline contains "Ο" or tgt.process.cmdline contains "Ρ" or tgt.process.cmdline contains "Τ" or tgt.process.cmdline contains "Υ" or tgt.process.cmdline contains "Χ") or (tgt.process.cmdline contains "а" or tgt.process.cmdline contains "е" or tgt.process.cmdline contains "о" or tgt.process.cmdline contains "р" or tgt.process.cmdline contains "с" or tgt.process.cmdline contains "х" or tgt.process.cmdline contains "ѕ" or tgt.process.cmdline contains "і" or tgt.process.cmdline contains "ӏ" or tgt.process.cmdline contains "ј" or tgt.process.cmdline contains "һ" or tgt.process.cmdline contains "ԁ" or tgt.process.cmdline contains "ԛ" or tgt.process.cmdline contains "ԝ" or tgt.process.cmdline contains "ο"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md index ede78b710..6833d8214 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((not tgt.process.image.path contains "\") and (not (not (tgt.process.image.path matches "\.*") or (tgt.process.image.path in ("-","")) or ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or (tgt.process.cmdline in ("Registry","MemCompression","vmmem"))))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md index f308cc934..3718c6a2c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "TVqQAAMAAAAEAAAA" or tgt.process.cmdline contains "TVpQAAIAAAAEAA8A" or tgt.process.cmdline contains "TVqAAAEAAAAEABAA" or tgt.process.cmdline contains "TVoAAAAAAAAAAAAA" or tgt.process.cmdline contains "TVpTAQEAAAAEAAAA")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md index 79d0972c1..5e3563836 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "AddSecurityPackage" or tgt.process.cmdline contains "AdjustTokenPrivileges" or tgt.process.cmdline contains "Advapi32" or tgt.process.cmdline contains "CloseHandle" or tgt.process.cmdline contains "CreateProcessWithToken" or tgt.process.cmdline contains "CreatePseudoConsole" or tgt.process.cmdline contains "CreateRemoteThread" or tgt.process.cmdline contains "CreateThread" or tgt.process.cmdline contains "CreateUserThread" or tgt.process.cmdline contains "DangerousGetHandle" or tgt.process.cmdline contains "DuplicateTokenEx" or tgt.process.cmdline contains "EnumerateSecurityPackages" or tgt.process.cmdline contains "FreeHGlobal" or tgt.process.cmdline contains "FreeLibrary" or tgt.process.cmdline contains "GetDelegateForFunctionPointer" or tgt.process.cmdline contains "GetLogonSessionData" or tgt.process.cmdline contains "GetModuleHandle" or tgt.process.cmdline contains "GetProcAddress" or tgt.process.cmdline contains "GetProcessHandle" or tgt.process.cmdline contains "GetTokenInformation" or tgt.process.cmdline contains "ImpersonateLoggedOnUser" or tgt.process.cmdline contains "kernel32" or tgt.process.cmdline contains "LoadLibrary" or tgt.process.cmdline contains "memcpy" or tgt.process.cmdline contains "MiniDumpWriteDump" or tgt.process.cmdline contains "ntdll" or tgt.process.cmdline contains "OpenDesktop" or tgt.process.cmdline contains "OpenProcess" or tgt.process.cmdline contains "OpenProcessToken" or tgt.process.cmdline contains "OpenThreadToken" or tgt.process.cmdline contains "OpenWindowStation" or tgt.process.cmdline contains "PtrToString" or tgt.process.cmdline contains "QueueUserApc" or tgt.process.cmdline contains "ReadProcessMemory" or tgt.process.cmdline contains "RevertToSelf" or 
tgt.process.cmdline contains "RtlCreateUserThread" or tgt.process.cmdline contains "secur32" or tgt.process.cmdline contains "SetThreadToken" or tgt.process.cmdline contains "VirtualAlloc" or tgt.process.cmdline contains "VirtualFree" or tgt.process.cmdline contains "VirtualProtect" or tgt.process.cmdline contains "WaitForSingleObject" or tgt.process.cmdline contains "WriteInt32" or tgt.process.cmdline contains "WriteProcessMemory" or tgt.process.cmdline contains "ZeroFreeGlobalAllocUnicode") and (not (tgt.process.image.path contains "\MpCmdRun.exe" and tgt.process.cmdline contains "GetLoadLibraryWAddress32")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md index fd904ea5d..ba311b00d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "eyJ0eXAiOi" or tgt.process.cmdline contains "eyJhbGciOi" or tgt.process.cmdline contains " eyJ0eX" or tgt.process.cmdline contains " \"eyJ0eX\"" or tgt.process.cmdline contains " 'eyJ0eX'" or tgt.process.cmdline contains " eyJhbG" or tgt.process.cmdline contains " \"eyJhbG\"" or tgt.process.cmdline contains " 'eyJhbG'")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md index 65e06b874..c27646c28 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains " /c" and tgt.process.cmdline contains "dir " and tgt.process.cmdline contains "\Users\")) and (not tgt.process.cmdline contains " rmdir ")) or (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "user") and (not (tgt.process.cmdline contains "/domain" or tgt.process.cmdline contains "/add" or tgt.process.cmdline contains "/delete" or tgt.process.cmdline contains "/active" or tgt.process.cmdline contains "/expires" or tgt.process.cmdline contains "/passwordreq" or tgt.process.cmdline contains "/scriptpath" or tgt.process.cmdline contains "/times" or tgt.process.cmdline contains "/workstations"))) or ((tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\quser.exe" or tgt.process.image.path contains "\qwinsta.exe") or (tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "useraccount" and tgt.process.cmdline contains "get")) or (tgt.process.image.path contains "\cmdkey.exe" and tgt.process.cmdline contains " /l")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md index 9b1a5924b..2236a7daf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lsass.dmp" or tgt.process.cmdline contains "lsass.zip" or tgt.process.cmdline contains "lsass.rar" or tgt.process.cmdline contains "Andrew.dmp" or tgt.process.cmdline contains "Coredump.dmp" or tgt.process.cmdline contains "NotLSASS.zip" or tgt.process.cmdline contains "lsass_2" or tgt.process.cmdline contains "lsassdump" or tgt.process.cmdline contains "lsassdmp") or (tgt.process.cmdline contains "lsass" and tgt.process.cmdline contains ".dmp") or (tgt.process.cmdline contains "SQLDmpr" and tgt.process.cmdline contains ".mdmp") or (tgt.process.cmdline contains "nanodump" and tgt.process.cmdline contains ".dmp"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md index b68a29cf0..6980f8718 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ms-appinstaller://*source=*" and tgt.process.cmdline contains "http")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md index 55fa81005..ef1907ed7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ipconfig /all" or tgt.process.cmdline contains "netsh interface show interface" or tgt.process.cmdline contains "arp -a" or tgt.process.cmdline contains "nbtstat -n" or tgt.process.cmdline contains "net config" or tgt.process.cmdline contains "route print")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md index 822ffe745..1a07ccab7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "for " or tgt.process.cmdline contains "foreach ") and (tgt.process.cmdline contains "nslookup" or tgt.process.cmdline contains "ping"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md index 11cf3ea27..652ac73b8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\tshark.exe" and tgt.process.cmdline contains "-i") or tgt.process.image.path contains "\windump.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md index af9dddf53..bfeaaffe9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\.exe") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md index 5e4724d08..c07c781de 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains ".bin" or tgt.process.image.path contains ".cgi" or tgt.process.image.path contains ".com" or tgt.process.image.path contains ".exe" or tgt.process.image.path contains ".scr" or tgt.process.image.path contains ".tmp")) and (not ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or tgt.process.image.path contains ":\Windows\Installer\MSI" or tgt.process.image.path contains ":\Windows\System32\DriverStore\FileRepository\" or (tgt.process.image.path contains ":\Config.Msi\" and (tgt.process.image.path contains ".rbf" or tgt.process.image.path contains ".rbs")) or (src.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\Temp\") or tgt.process.image.path contains ":\$Extend\$Deleted\" or (tgt.process.image.path in ("-","")) or not (tgt.process.image.path matches "\.*"))) and (not (src.process.image.path contains ":\ProgramData\Avira\" or (tgt.process.image.path contains "NVIDIA\NvBackend\" and tgt.process.image.path contains ".dat") or ((tgt.process.image.path contains ":\Program Files (x86)\WINPAKPRO\" or tgt.process.image.path contains ":\Program Files\WINPAKPRO\") and tgt.process.image.path contains ".ngn") or (tgt.process.image.path contains ":\Program Files (x86)\MyQ\Server\pcltool.dll" or tgt.process.image.path contains ":\Program Files\MyQ\Server\pcltool.dll") or (tgt.process.image.path contains "\AppData\Local\Packages\" and tgt.process.image.path contains "\LocalState\rootfs\") or tgt.process.image.path contains "\LZMA_EXE" or tgt.process.image.path contains ":\Program Files\Mozilla Firefox\" or (src.process.image.path="C:\Windows\System32\services.exe" and tgt.process.image.path contains "com.docker.service"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md index 6e5d566cf..d30599ec9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add") or (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "set-itemproperty" or tgt.process.cmdline contains " sp " or tgt.process.cmdline contains "new-itemproperty")) and (tgt.process.integrityLevel="Medium" and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "Services") and (tgt.process.cmdline contains "ImagePath" or tgt.process.cmdline contains "FailureCommand" or tgt.process.cmdline contains "ServiceDLL")))) | columns EventID,tgt.process.integrityLevel,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md index f802aeb71..ef33e31a8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\NTDSDump.exe" or tgt.process.image.path contains "\NTDSDumpEx.exe") or (tgt.process.cmdline contains "ntds.dit" and tgt.process.cmdline contains "system.hiv") or tgt.process.cmdline contains "NTDSgrab.ps1") or (tgt.process.cmdline contains "ac i ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "/c copy " and tgt.process.cmdline contains "\windows\ntds\ntds.dit") or (tgt.process.cmdline contains "activate instance ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "ntds.dit")) or (tgt.process.cmdline contains "ntds.dit" and ((src.process.image.path contains "\apache" or src.process.image.path contains "\tomcat" or src.process.image.path contains "\AppData\" or src.process.image.path contains "\Temp\" or src.process.image.path contains "\Public\" or src.process.image.path contains "\PerfLogs\") or (tgt.process.image.path contains "\apache" or tgt.process.image.path contains "\tomcat" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Temp\" or tgt.process.image.path contains "\Public\" or tgt.process.image.path contains "\PerfLogs\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md index 5565c3941..9d9e10675 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Win32_NTEventlogFile" and (tgt.process.cmdline contains ".BackupEventlog(" or tgt.process.cmdline contains ".ChangeSecurityPermissions(" or tgt.process.cmdline contains ".ChangeSecurityPermissionsEx(" or tgt.process.cmdline contains ".ClearEventLog(" or tgt.process.cmdline contains ".Delete(" or tgt.process.cmdline contains ".DeleteEx(" or tgt.process.cmdline contains ".Rename(" or tgt.process.cmdline contains ".TakeOwnerShip(" or tgt.process.cmdline contains ".TakeOwnerShipEx("))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md index 84f5663f1..bf494d0e0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1\" or tgt.process.cmdline contains "~2\") and (not ((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe","C:\Program Files\GPSoftware\Directory Opus\dopus.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or src.process.image.path contains "\veam.backup.shell.exe" or src.process.image.path contains "\winget.exe" or src.process.image.path contains "\Everything\Everything.exe") or src.process.image.path contains "\AppData\Local\Temp\WinGet\" or (tgt.process.cmdline contains "\appdata\local\webex\webex64\meetings\wbxreport.exe" or tgt.process.cmdline contains "C:\Program Files\Git\post-install.bat" or tgt.process.cmdline contains "C:\Program Files\Git\cmd\scalar.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md index 7166e2a77..5cb885ac1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1\" or tgt.process.image.path contains "~2\") and (not (((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.displayName="InstallShield (R)" or tgt.process.displayName="InstallShield (R) Setup Engine" or tgt.process.publisher="InstallShield Software Corporation") or ((tgt.process.image.path contains "\AppData\" and tgt.process.image.path contains "\Temp\") or (tgt.process.image.path contains "~1\unzip.exe" or tgt.process.image.path contains "~1\7zG.exe")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md index 91b0ad352..5c93fd300 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1.exe" or tgt.process.cmdline contains "~1.bat" or tgt.process.cmdline contains "~1.msi" or tgt.process.cmdline contains "~1.vbe" or tgt.process.cmdline contains "~1.vbs" or tgt.process.cmdline contains "~1.dll" or tgt.process.cmdline contains "~1.ps1" or tgt.process.cmdline contains "~1.js" or tgt.process.cmdline contains "~1.hta" or tgt.process.cmdline contains "~2.exe" or tgt.process.cmdline contains "~2.bat" or tgt.process.cmdline contains "~2.msi" or tgt.process.cmdline contains "~2.vbe" or tgt.process.cmdline contains "~2.vbs" or tgt.process.cmdline contains "~2.dll" or tgt.process.cmdline contains "~2.ps1" or tgt.process.cmdline contains "~2.js" or tgt.process.cmdline contains "~2.hta") and (not ((src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.cmdline contains "C:\xampp\vcredist\VCREDI~1.EXE")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md index 1b0682caf..4b4d4ce7b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1.bat" or tgt.process.image.path contains "~1.dll" or tgt.process.image.path contains "~1.exe" or tgt.process.image.path contains "~1.hta" or tgt.process.image.path contains "~1.js" or tgt.process.image.path contains "~1.msi" or tgt.process.image.path contains "~1.ps1" or tgt.process.image.path contains "~1.tmp" or tgt.process.image.path contains "~1.vbe" or tgt.process.image.path contains "~1.vbs" or tgt.process.image.path contains "~2.bat" or tgt.process.image.path contains "~2.dll" or tgt.process.image.path contains "~2.exe" or tgt.process.image.path contains "~2.hta" or tgt.process.image.path contains "~2.js" or tgt.process.image.path contains "~2.msi" or tgt.process.image.path contains "~2.ps1" or tgt.process.image.path contains "~2.tmp" or tgt.process.image.path contains "~2.vbe" or tgt.process.image.path contains "~2.vbs") and (not src.process.image.path="C:\Windows\explorer.exe") and (not (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or tgt.process.image.path="C:\PROGRA~1\WinZip\WZPREL~1.EXE" or tgt.process.image.path contains "\VCREDI~1.EXE")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md index f14fb87a3..6808302c9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "DownloadFile" or tgt.process.cmdline contains "DownloadString") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md index 570d96586..a6712a7fd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\arp.exe") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md index 33b734f7b..dca0e233c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\minesweeper.exe" or src.process.image.path contains "\winver.exe" or src.process.image.path contains "\bitsadmin.exe") or ((src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\certutil.exe" or src.process.image.path contains "\eventvwr.exe" or src.process.image.path contains "\calc.exe" or src.process.image.path contains "\notepad.exe") and (not ((tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\wermgr.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\mmc.exe" or tgt.process.image.path contains "\win32calc.exe" or tgt.process.image.path contains "\notepad.exe") or not (tgt.process.image.path matches "\.*")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md index 37079778e..df8c5adef 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -u system " or tgt.process.cmdline contains " --user system " or tgt.process.cmdline contains " -u NT" or tgt.process.cmdline contains " -u \"NT" or tgt.process.cmdline contains " -u 'NT" or tgt.process.cmdline contains " --system " or tgt.process.cmdline contains " -u administrator ") and (tgt.process.cmdline contains " -c cmd" or tgt.process.cmdline contains " -c \"cmd" or tgt.process.cmdline contains " -c powershell" or tgt.process.cmdline contains " -c \"powershell" or tgt.process.cmdline contains " --command cmd" or tgt.process.cmdline contains " --command powershell" or tgt.process.cmdline contains " -c whoami" or tgt.process.cmdline contains " -c wscript" or tgt.process.cmdline contains " -c cscript"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md index e7ba6f2e1..49fdbeff6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\lsaiso.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe") and (not (((src.process.image.path contains "\SavService.exe" or src.process.image.path contains "\ngen.exe") or (src.process.image.path contains "\System32\" or src.process.image.path contains "\SysWOW64\")) or ((src.process.image.path contains "\Windows Defender\" or src.process.image.path contains "\Microsoft Security Client\") and src.process.image.path contains "\MsMpEng.exe") or (not (src.process.image.path matches "\.*") or src.process.image.path="-"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md index e38b94e88..1bf8f7eb1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\CVE-202" or tgt.process.image.path contains "\CVE202") or (tgt.process.image.path contains "\poc.exe" or tgt.process.image.path contains "\artifact.exe" or tgt.process.image.path contains "\artifact64.exe" or tgt.process.image.path contains "\artifact_protected.exe" or tgt.process.image.path contains "\artifact32.exe" or tgt.process.image.path contains "\artifact32big.exe" or tgt.process.image.path contains "obfuscated.exe" or tgt.process.image.path contains "obfusc.exe" or tgt.process.image.path contains "\meterpreter")) or (tgt.process.cmdline contains "inject.ps1" or tgt.process.cmdline contains "Invoke-CVE" or tgt.process.cmdline contains "pupy.ps1" or tgt.process.cmdline contains "payload.ps1" or tgt.process.cmdline contains "beacon.ps1" or tgt.process.cmdline contains "PowerView.ps1" or tgt.process.cmdline contains "bypass.ps1" or tgt.process.cmdline contains "obfuscated.ps1" or tgt.process.cmdline contains "obfusc.ps1" or tgt.process.cmdline contains "obfus.ps1" or tgt.process.cmdline contains "obfs.ps1" or tgt.process.cmdline contains "evil.ps1" or tgt.process.cmdline contains "MiniDogz.ps1" or tgt.process.cmdline contains "_enc.ps1" or tgt.process.cmdline contains "\shell.ps1" or tgt.process.cmdline contains "\rshell.ps1" or tgt.process.cmdline contains "revshell.ps1" or tgt.process.cmdline contains "\av.ps1" or tgt.process.cmdline contains "\av_test.ps1" or tgt.process.cmdline contains "adrecon.ps1" or tgt.process.cmdline contains "mimikatz.ps1" or tgt.process.cmdline contains "\PowerUp_" or tgt.process.cmdline contains "powerup.ps1" or tgt.process.cmdline contains "\Temp\a.ps1" or tgt.process.cmdline contains "\Temp\p.ps1" or tgt.process.cmdline contains "\Temp\1.ps1" or tgt.process.cmdline 
contains "Hound.ps1" or tgt.process.cmdline contains "encode.ps1" or tgt.process.cmdline contains "powercat.ps1"))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md index 5d8407eef..a70e8b285 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "RECYCLERS.BIN\" or tgt.process.image.path contains "RECYCLER.BIN\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md index 9eecfb0bc..db6cde6fe 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ">" and (tgt.process.cmdline contains "\\127.0.0.1\admin$\" or tgt.process.cmdline contains "\\localhost\admin$\"))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md index 06fdfe0cf..3aef1f934 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":3389" and (tgt.process.cmdline contains " -L " or tgt.process.cmdline contains " -P " or tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " -pw " or tgt.process.cmdline contains " -ssh "))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md index a017837d7..91f1d53d2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "‮") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md index 4e4d7d226..d655175da 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains "\Windows\Temp" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\Temp" or tgt.process.cmdline contains "%TEMP%" or tgt.process.cmdline contains "%TMP%" or tgt.process.cmdline contains "%LocalAppData%\Temp")) and (not (tgt.process.cmdline contains " >" or tgt.process.cmdline contains "Out-File" or tgt.process.cmdline contains "ConvertTo-Json" or tgt.process.cmdline contains "-WindowStyle hidden -Verb runAs" or tgt.process.cmdline contains "\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md index ab7894869..bda79b1d1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" and (tgt.process.cmdline contains "\NTDS.dit" or tgt.process.cmdline contains "\SYSTEM" or tgt.process.cmdline contains "\SECURITY"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md index 8c5157b6a..4b35503d8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath=")) or (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName")) and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md index 92535da61..40c0796ca 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\$Recycle.bin" or tgt.process.image.path contains "\Users\All Users\" or tgt.process.image.path contains "\Users\Default\" or tgt.process.image.path contains "\Users\Contacts\" or tgt.process.image.path contains "\Users\Searches\" or tgt.process.image.path contains "C:\Perflogs\" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Windows\Fonts\" or tgt.process.image.path contains "\Windows\IME\" or tgt.process.image.path contains "\Windows\addins\") and (src.process.image.path contains "\services.exe" or src.process.image.path contains "\svchost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md index abfd0095b..e70240f7e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\regsvr32.exe") and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\mshta.exe")) and (not (tgt.process.image.path contains "\ccmcache\" or (src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1" or src.process.cmdline contains "\nessus_") or tgt.process.cmdline contains "\nessus_" or (src.process.image.path contains "\mshta.exe" and tgt.process.image.path contains "\mshta.exe" and (src.process.cmdline contains "C:\MEM_Configmgr_" and src.process.cmdline contains "\splash.hta" and src.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}") and (tgt.process.cmdline contains "C:\MEM_Configmgr_" and tgt.process.cmdline contains "\SMSSETUP\BIN\" and tgt.process.cmdline contains "\autorun.hta" and tgt.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}")))))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path,tgt.process.image.path,src.process.image.path ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md index aa5700ad2..f50e46d06 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":\Windows\Sysnative\" or tgt.process.image.path contains ":\Windows\Sysnative\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md index b8e0cc609..070c6dfc2 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\atbroker.exe" or tgt.process.image.path contains "\audiodg.exe" or tgt.process.image.path contains "\bcdedit.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certreq.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmstp.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\consent.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\dashost.exe" or tgt.process.image.path contains "\defrag.exe" or tgt.process.image.path contains "\dfrgui.exe" or tgt.process.image.path contains "\dism.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\dllhst3g.exe" or tgt.process.image.path contains "\dwm.exe" or tgt.process.image.path contains "\eventvwr.exe" or tgt.process.image.path contains "\logonui.exe" or tgt.process.image.path contains "\LsaIso.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\ntoskrnl.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\runonce.exe" or tgt.process.image.path contains "\RuntimeBroker.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\sihost.exe" or 
tgt.process.image.path contains "\smartscreen.exe" or tgt.process.image.path contains "\smss.exe" or tgt.process.image.path contains "\spoolsv.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\Taskmgr.exe" or tgt.process.image.path contains "\userinit.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe" or tgt.process.image.path contains "\winver.exe" or tgt.process.image.path contains "\wlanext.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wsmprovhost.exe") and (not ((tgt.process.image.path contains "C:\$WINDOWS.~BT\" or tgt.process.image.path contains "C:\$WinREAgent\" or tgt.process.image.path contains "C:\Windows\SoftwareDistribution\" or tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SystemTemp\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\uus\" or tgt.process.image.path contains "C:\Windows\WinSxS\") or (tgt.process.image.path in ("C:\Program Files\PowerShell\7\pwsh.exe","C:\Program Files\PowerShell\7-preview\pwsh.exe")) or (tgt.process.image.path contains "C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux" and tgt.process.image.path contains "\wsl.exe"))) and (not tgt.process.image.path contains "\SystemRoot\System32\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md index 64f4c8a67..0e00901be 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel="System" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " /urlcache " or tgt.process.cmdline contains " -urlcache " or tgt.process.cmdline="* -e* JAB*" or tgt.process.cmdline="* -e* SUVYI*" or tgt.process.cmdline="* -e* SQBFAFgA*" or tgt.process.cmdline="* -e* aWV4I*" or tgt.process.cmdline="* -e* IAB*" or tgt.process.cmdline="* -e* PAA*" or tgt.process.cmdline="* -e* aQBlAHgA*" or tgt.process.cmdline contains "vssadmin delete shadows" or tgt.process.cmdline contains "reg SAVE HKLM" or tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains "Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains " /ticket:" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "event::clear" or tgt.process.cmdline contains "event::drop" or tgt.process.cmdline contains "id::modify" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "misc::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "rpc::" or 
tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "sid::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "vault::cred" or tgt.process.cmdline contains "vault::list" or tgt.process.cmdline contains " p::d " or tgt.process.cmdline contains ";iex(" or tgt.process.cmdline contains "MiniDump" or tgt.process.cmdline contains "net user "))) and (not (tgt.process.cmdline contains "ping 127.0.0.1 -n" or (tgt.process.image.path contains "\PING.EXE" and src.process.cmdline contains "\DismFoDInstall.cmd") or src.process.image.path contains ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or ((src.process.image.path contains ":\Program Files (x86)\Java\" or src.process.image.path contains ":\Program Files\Java\") and src.process.image.path contains "\bin\javaws.exe" and (tgt.process.image.path contains ":\Program Files (x86)\Java\" or tgt.process.image.path contains ":\Program Files\Java\") and tgt.process.image.path contains "\bin\jp2launcher.exe" and tgt.process.cmdline contains " -ma "))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md index 1b49390f8..3cc72afd9 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SYSVOL\" and tgt.process.cmdline contains "\policies\")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md index 2f27b6eba..606088160 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo " or tgt.process.cmdline contains "copy " or tgt.process.cmdline contains "type " or tgt.process.cmdline contains "file createnew") and (tgt.process.cmdline contains " C:\Windows\System32\Tasks\" or tgt.process.cmdline contains " C:\Windows\SysWow64\Tasks\"))) | columns tgt.process.cmdline,ParentProcess ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md index 4640cb5b9..06944678a 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vsjitdebugger.exe" and (not (tgt.process.image.path="*\vsimmersiveactivatehelper*.exe" or tgt.process.image.path contains "\devenv.exe")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md index 86ae246b7..626ab6cb0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "123456789" or tgt.process.cmdline contains "123123qwE" or tgt.process.cmdline contains "Asd123.aaaa" or tgt.process.cmdline contains "Decryptme" or tgt.process.cmdline contains "P@ssw0rd!" or tgt.process.cmdline contains "Pass8080" or tgt.process.cmdline contains "password123" or tgt.process.cmdline contains "test@202")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md index c839fddf9..c514dcffc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[System.Net.WebRequest]::create" or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "Invoke-RestMethod" or tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "Net.WebClient" or tgt.process.cmdline contains "Resume-BitsTransfer" or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "WinHttp.WinHttpRequest")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md index ea2841340..67c81c0f6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains ".exe whoami") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md index e5ae174d0..1bf5d0f00 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\control.exe" and src.process.image.path contains "\WorkFolders.exe") and (not tgt.process.image.path="C:\Windows\System32\control.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md index 8cabec310..7adf5de83 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "svchost.exe" and tgt.process.image.path contains "\svchost.exe") and (not ((src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\rpcnetp.exe") or not (tgt.process.cmdline matches "\.*"))))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md index 94273cdc6..e15cd6a0e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md 
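Review bot: `tgt.process.cmdline contains "svchost.exe"` in proc_creation_win_svchost_execution_with_no_cli_flags cannot express what the rule name promises — a command line that ends at `svchost.exe` with no `-k`/`-p` arguments — because `contains` also matches every ordinary `svchost.exe -k netsvcs -p ...` launch, so together with the image-path conjunct this fires on essentially every svchost start. A trailing anchor is needed, e.g. `tgt.process.cmdline matches "svchost\.exe\"?$"` (PQ regex anchoring and quote handling should be confirmed; the optional `\"` allows for a quoted image path). The `not (tgt.process.cmdline matches "\.*")` clause appears to be the translator's rendering of a Sigma `CommandLine: null` filter; as written `\.*` matches the empty string, so it only does anything if `matches` on an absent field evaluates false, which is worth confirming as well.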
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains "\svchost.exe" and src.process.cmdline contains "termsvcs") and (not ((tgt.process.image.path contains "\rdpclip.exe" or tgt.process.image.path contains ":\Windows\System32\csrss.exe" or tgt.process.image.path contains ":\Windows\System32\wininit.exe" or tgt.process.image.path contains ":\Windows\System32\winlogon.exe") or not (tgt.process.image.path matches "\.*"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md index 1c9e25ccd..76cbe3ec8 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\svchost.exe" and (not ((src.process.image.path contains "\Mrt.exe" or src.process.image.path contains "\MsMpEng.exe" or src.process.image.path contains "\ngen.exe" or src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\TiWorker.exe") or not (src.process.image.path matches "\.*") or (src.process.image.path in ("-","")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md index 238eaf674..5cbde24a5 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -accepteula" or tgt.process.cmdline contains " /accepteula" or tgt.process.cmdline contains " –accepteula" or tgt.process.cmdline contains " —accepteula" or tgt.process.cmdline contains " ―accepteula")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md index e3b3d0032..9762d4532 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md index 2a0786396..ec73517b3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "copy procdump" or tgt.process.cmdline contains "move procdump") or ((tgt.process.cmdline contains "copy " and tgt.process.cmdline contains ".dmp ") and (tgt.process.cmdline contains "2.dmp" or tgt.process.cmdline contains "lsass" or tgt.process.cmdline contains "out.dmp")) or (tgt.process.cmdline contains "copy lsass.exe_" or tgt.process.cmdline contains "move lsass.exe_"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md index 7b61d9b7b..241ffb148 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains " /ma " or tgt.process.cmdline contains " –ma " or tgt.process.cmdline contains " —ma " or tgt.process.cmdline contains " ―ma ") and tgt.process.cmdline contains " ls")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md index 6f0a2f93e..76e1ad28f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline 
contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline 
contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or 
tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline 
contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (tgt.process.cmdline contains "psexec" or tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "accepteula"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md index 9fa938683..240040c0d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "accepteula" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " \\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md index a9a98fa04..94f220059 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\PSEXESVC.exe" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI"))) ``` 
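Review bot: The selection in proc_creation_win_sysinternals_psexec_paexec_escalate_system expands the dash variants (`-`, `/`, `–`, `—`, `―`) for `-s`, `-i` and the three shells into roughly 150 `contains` terms, which is hard to audit (a missing or duplicated combination is invisible) and is evaluated on every process-creation event. One regex states the same contract in a single term: `tgt.process.cmdline matches " [-/–—―]s( [-/–—―]i)? (cmd|pwsh|powershell)| [-/–—―]i [-/–—―]s (cmd|pwsh|powershell)"`, assuming PQ `matches` supports standard alternation and character classes — confirm before swapping. The identical expansion is repeated in proc_creation_win_sysinternals_susp_psexec_paexec_flags, so the change belongs in the translator rather than in one hand-edited rule; editing only one would desynchronise two rules that are meant to be complementary.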
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md index e01da39f7..630ce1eff 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline 
contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline 
contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or 
tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline 
contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (not (tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "PsExec" or tgt.process.cmdline contains "accepteula")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md index 76ebb53ec..1ad956af5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-c" or tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "–c" or tgt.process.cmdline contains "—c" or tgt.process.cmdline contains "―c"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md index f089f3f40..8a0f12064 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md 
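Review bot: The exclusion in proc_creation_win_sysinternals_susp_psexec_paexec_flags tests `contains "PsExec"` (mixed case) while its companion proc_creation_win_sysinternals_psexec_paexec_escalate_system selects on `contains "psexec"` (lower case); the two rules are written to partition `-s cmd`-style command lines into "known PsExec/PAExec" and "unknown tool carrying PsExec-style flags". If PQ `contains` is case-sensitive (confirm in the query-language reference; Sigma's default is case-insensitive), a lowercase `psexec.exe -s cmd` hits the escalate rule and also survives this rule's `not (...)`, producing duplicate alerts, while `PSEXEC.EXE -s cmd` is reported only here, mislabelled as an unknown tool. Proposed for this rule: `not (tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "psexec" or tgt.process.cmdline contains "PsExec" or tgt.process.cmdline contains "accepteula")`, with the same spelling set applied in the companion, or a case-insensitive operator if PQ provides one.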
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md index 09fcf2428..12d98fd32 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\accesschk.exe" or tgt.process.image.path contains "\accesschk64.exe" or tgt.process.image.path contains "\AccessEnum.exe" or tgt.process.image.path contains "\ADExplorer.exe" or tgt.process.image.path contains "\ADExplorer64.exe" or tgt.process.image.path contains "\ADInsight.exe" or tgt.process.image.path contains "\ADInsight64.exe" or tgt.process.image.path contains "\adrestore.exe" or tgt.process.image.path contains "\adrestore64.exe" or tgt.process.image.path contains "\Autologon.exe" or tgt.process.image.path contains "\Autologon64.exe" or tgt.process.image.path contains "\Autoruns.exe" or tgt.process.image.path contains "\Autoruns64.exe" or tgt.process.image.path contains "\autorunsc.exe" or tgt.process.image.path contains "\autorunsc64.exe" or tgt.process.image.path contains "\Bginfo.exe" or tgt.process.image.path contains "\Bginfo64.exe" or tgt.process.image.path contains "\Cacheset.exe" or tgt.process.image.path contains "\Cacheset64.exe" or tgt.process.image.path contains "\Clockres.exe" or tgt.process.image.path contains "\Clockres64.exe" or tgt.process.image.path contains "\Contig.exe" or tgt.process.image.path contains "\Contig64.exe" or tgt.process.image.path contains "\Coreinfo.exe" or tgt.process.image.path contains "\Coreinfo64.exe" or tgt.process.image.path contains "\CPUSTRES.EXE" or tgt.process.image.path contains "\CPUSTRES64.EXE" or tgt.process.image.path contains "\ctrl2cap.exe" or tgt.process.image.path contains "\Dbgview.exe" or tgt.process.image.path contains "\dbgview64.exe" or tgt.process.image.path contains "\Desktops.exe" or tgt.process.image.path contains "\Desktops64.exe" or tgt.process.image.path contains "\disk2vhd.exe" or tgt.process.image.path contains 
"\disk2vhd64.exe" or tgt.process.image.path contains "\diskext.exe" or tgt.process.image.path contains "\diskext64.exe" or tgt.process.image.path contains "\Diskmon.exe" or tgt.process.image.path contains "\Diskmon64.exe" or tgt.process.image.path contains "\DiskView.exe" or tgt.process.image.path contains "\DiskView64.exe" or tgt.process.image.path contains "\du.exe" or tgt.process.image.path contains "\du64.exe" or tgt.process.image.path contains "\efsdump.exe" or tgt.process.image.path contains "\FindLinks.exe" or tgt.process.image.path contains "\FindLinks64.exe" or tgt.process.image.path contains "\handle.exe" or tgt.process.image.path contains "\handle64.exe" or tgt.process.image.path contains "\hex2dec.exe" or tgt.process.image.path contains "\hex2dec64.exe" or tgt.process.image.path contains "\junction.exe" or tgt.process.image.path contains "\junction64.exe" or tgt.process.image.path contains "\ldmdump.exe" or tgt.process.image.path contains "\listdlls.exe" or tgt.process.image.path contains "\listdlls64.exe" or tgt.process.image.path contains "\livekd.exe" or tgt.process.image.path contains "\livekd64.exe" or tgt.process.image.path contains "\loadOrd.exe" or tgt.process.image.path contains "\loadOrd64.exe" or tgt.process.image.path contains "\loadOrdC.exe" or tgt.process.image.path contains "\loadOrdC64.exe" or tgt.process.image.path contains "\logonsessions.exe" or tgt.process.image.path contains "\logonsessions64.exe" or tgt.process.image.path contains "\movefile.exe" or tgt.process.image.path contains "\movefile64.exe" or tgt.process.image.path contains "\notmyfault.exe" or tgt.process.image.path contains "\notmyfault64.exe" or tgt.process.image.path contains "\notmyfaultc.exe" or tgt.process.image.path contains "\notmyfaultc64.exe" or tgt.process.image.path contains "\ntfsinfo.exe" or tgt.process.image.path contains "\ntfsinfo64.exe" or tgt.process.image.path contains "\pendmoves.exe" or tgt.process.image.path contains "\pendmoves64.exe" or 
tgt.process.image.path contains "\pipelist.exe" or tgt.process.image.path contains "\pipelist64.exe" or tgt.process.image.path contains "\portmon.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe" or tgt.process.image.path contains "\procexp.exe" or tgt.process.image.path contains "\procexp64.exe" or tgt.process.image.path contains "\Procmon.exe" or tgt.process.image.path contains "\Procmon64.exe" or tgt.process.image.path contains "\psExec.exe" or tgt.process.image.path contains "\psExec64.exe" or tgt.process.image.path contains "\psfile.exe" or tgt.process.image.path contains "\psfile64.exe" or tgt.process.image.path contains "\psGetsid.exe" or tgt.process.image.path contains "\psGetsid64.exe" or tgt.process.image.path contains "\psInfo.exe" or tgt.process.image.path contains "\psInfo64.exe" or tgt.process.image.path contains "\pskill.exe" or tgt.process.image.path contains "\pskill64.exe" or tgt.process.image.path contains "\pslist.exe" or tgt.process.image.path contains "\pslist64.exe" or tgt.process.image.path contains "\psLoggedon.exe" or tgt.process.image.path contains "\psLoggedon64.exe" or tgt.process.image.path contains "\psloglist.exe" or tgt.process.image.path contains "\psloglist64.exe" or tgt.process.image.path contains "\pspasswd.exe" or tgt.process.image.path contains "\pspasswd64.exe" or tgt.process.image.path contains "\psping.exe" or tgt.process.image.path contains "\psping64.exe" or tgt.process.image.path contains "\psService.exe" or tgt.process.image.path contains "\psService64.exe" or tgt.process.image.path contains "\psshutdown.exe" or tgt.process.image.path contains "\psshutdown64.exe" or tgt.process.image.path contains "\pssuspend.exe" or tgt.process.image.path contains "\pssuspend64.exe" or tgt.process.image.path contains "\RAMMap.exe" or tgt.process.image.path contains "\RDCMan.exe" or tgt.process.image.path contains "\RegDelNull.exe" or tgt.process.image.path contains 
"\RegDelNull64.exe" or tgt.process.image.path contains "\regjump.exe" or tgt.process.image.path contains "\ru.exe" or tgt.process.image.path contains "\ru64.exe" or tgt.process.image.path contains "\sdelete.exe" or tgt.process.image.path contains "\sdelete64.exe" or tgt.process.image.path contains "\ShareEnum.exe" or tgt.process.image.path contains "\ShareEnum64.exe" or tgt.process.image.path contains "\shellRunas.exe" or tgt.process.image.path contains "\sigcheck.exe" or tgt.process.image.path contains "\sigcheck64.exe" or tgt.process.image.path contains "\streams.exe" or tgt.process.image.path contains "\streams64.exe" or tgt.process.image.path contains "\strings.exe" or tgt.process.image.path contains "\strings64.exe" or tgt.process.image.path contains "\sync.exe" or tgt.process.image.path contains "\sync64.exe" or tgt.process.image.path contains "\Sysmon.exe" or tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\tcpvcon.exe" or tgt.process.image.path contains "\tcpvcon64.exe" or tgt.process.image.path contains "\tcpview.exe" or tgt.process.image.path contains "\tcpview64.exe" or tgt.process.image.path contains "\Testlimit.exe" or tgt.process.image.path contains "\Testlimit64.exe" or tgt.process.image.path contains "\vmmap.exe" or tgt.process.image.path contains "\vmmap64.exe" or tgt.process.image.path contains "\Volumeid.exe" or tgt.process.image.path contains "\Volumeid64.exe" or tgt.process.image.path contains "\whois.exe" or tgt.process.image.path contains "\whois64.exe" or tgt.process.image.path contains "\Winobj.exe" or tgt.process.image.path contains "\Winobj64.exe" or tgt.process.image.path contains "\ZoomIt.exe" or tgt.process.image.path contains "\ZoomIt64.exe") and (not ((tgt.process.publisher in ("Sysinternals - www.sysinternals.com","Sysinternals")) or not (tgt.process.publisher matches "\.*"))))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md index 0a6908989..feb016847 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sysprep.exe" and tgt.process.cmdline contains "\AppData\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md index 3c44ad722..c97a6647c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\takeown.exe" and (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "/r"))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md index 038fc08e5..fde9b63ee 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tapinstall.exe" and (not ((tgt.process.image.path contains ":\Program Files\Avast Software\SecureLine VPN\" or tgt.process.image.path contains ":\Program Files (x86)\Avast Software\SecureLine VPN\") or tgt.process.image.path contains ":\Program Files\OpenVPN Connect\drivers\tap\" or tgt.process.image.path contains ":\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md index b1b63ad67..45d7d1878 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "taskkill" and tgt.process.cmdline contains " /F " and tgt.process.cmdline contains " /IM " and tgt.process.cmdline contains "ccSvcHst.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md index faadee154..68dfd03f3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\taskmgr.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md index 382087291..05706aac3 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\taskmgr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\resmon.exe" or tgt.process.image.path contains ":\Windows\System32\Taskmgr.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md index 81f2cde64..43a93d94b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Teams\Cookies" or tgt.process.cmdline contains "\Microsoft\Teams\Local Storage\leveldb") and (not tgt.process.image.path contains "\Microsoft\Teams\current\Teams.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md index b29e4399a..c73b54ff0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\tscon.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md index 29d8c0e5b..e1e350fd5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " /dest:rdp-tcp#") ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md index 2e8db026a..dcc4ccf3b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\changepk.exe" and src.process.image.path contains "\slui.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md index 9a81c77f5..086a9614d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\"\system32\cleanmgr.exe /autoclean /d C:" and src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md index 21524568d..61484246d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and (src.process.cmdline contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or src.process.cmdline contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or src.process.cmdline contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or src.process.cmdline contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or src.process.cmdline contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md index fa2836b19..a2a6351b1 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel in ("High","System")) and tgt.process.image.path="C:\Windows\System32\ComputerDefaults.exe") and (not (src.process.image.path contains ":\Windows\System32" or src.process.image.path contains ":\Program Files")))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md index 686566687..fe95a2476 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\consent.exe" and tgt.process.image.path contains "\werfault.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md index 9f7eb288d..0c5b4e64e 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "C:\Users\" and src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "\DismHost.exe") and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md index de0355417..de454d017 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Event Viewer\RecentViews" or tgt.process.cmdline contains "\EventV~1\RecentViews") and tgt.process.cmdline contains ">")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md index 2d2c8f17f..0d643f394 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\fodhelper.exe") | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md index b29fc1745..44a6f6a20 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\mmc.exe" and src.process.cmdline contains "WF.msc") and (not tgt.process.image.path contains "\WerFault.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md index f5dff79cc..96022e7e7 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and src.process.cmdline contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md index 3559fa049..5edd4eb21 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\ieinstal.exe" and tgt.process.image.path contains "\AppData\Local\Temp\" and tgt.process.image.path contains "consent.exe")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md index 7350e7dbe..de0f40a60 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\AppData\Local\Temp\pkgmgr.exe" and tgt.process.cmdline="\"C:\Windows\system32\msconfig.exe\" -5")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md index 36bc8a1b7..07a564591 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\"C:\Windows\system32\wusa.exe\" /quiet C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\update.msu" and (tgt.process.integrityLevel in ("High","System"))) or (src.process.cmdline="\"C:\Windows\system32\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\Windows\system32\pe386\" /ignorecheck" and (tgt.process.integrityLevel in ("High","System")) and (tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "\dismhost.exe {") and tgt.process.image.path contains "\DismHost.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md index c94b9a260..ed82813ca 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\pkgmgr.exe" and tgt.process.image.path contains "\dism.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md index c45ddb6da..3358e86ca 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "sdclt.exe" and tgt.process.integrityLevel="High")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md index a201a5a88..5f2957dfc 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "C:\Windows \System32\") ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md index d8894cbaf..0617974f5 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\AppData\Local\Temp\system32\winsat.exe" and src.process.cmdline contains "C:\Windows \system32\winsat.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md index f2405dfa4..a0d179f74 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path="C:\Program Files\Windows Media Player\osk.exe" and (tgt.process.integrityLevel in ("High","System"))) or (tgt.process.image.path="C:\Windows\System32\cmd.exe" and src.process.cmdline="\"C:\Windows\system32\mmc.exe\" \"C:\Windows\system32\eventvwr.msc\" /s" and (tgt.process.integrityLevel in ("High","System"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md index af8d774ce..19e6fc283 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsreset.exe" and (tgt.process.integrityLevel in ("High","System")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md index 597334eba..01393c473 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "-autoreconnect " and tgt.process.cmdline contains "-connect " and tgt.process.cmdline contains "-id:")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md index 9824171dc..27dd1491b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\WindowsSensor.exe" and tgt.process.cmdline contains " /uninstall" and tgt.process.cmdline contains " /quiet")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md index f2ce7f062..3e2f4f869 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\userinit.exe" and (not tgt.process.image.path contains ":\WINDOWS\explorer.exe") and (not ((tgt.process.cmdline contains "netlogon.bat" or tgt.process.cmdline contains "UsrLogon.cmd") or tgt.process.cmdline="PowerShell.exe" or (tgt.process.image.path contains ":\Windows\System32\proquota.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\proquota.exe") or (tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\System32\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\System32\icast.exe") or not (tgt.process.image.path matches "\.*"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md index 9afe5ef5b..2ae0d3a12 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "VBoxRT.dll,RTR3Init" or tgt.process.cmdline contains "VBoxC.dll" or tgt.process.cmdline contains "VBoxDrv.sys") or (tgt.process.cmdline contains "startvm" or tgt.process.cmdline contains "controlvm"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md index 34d96997b..b0d3440cd 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VBoxDrvInst.exe" and (tgt.process.cmdline contains "driver" and tgt.process.cmdline contains "executeinf"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md index 6213f665b..4a9f00b58 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\code.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe") or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-Expressions" or tgt.process.cmdline contains "IEX" or tgt.process.cmdline contains "Invoke-Command" or tgt.process.cmdline contains "ICM" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript")) or (tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Temp\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md index 2c8db3aa2..a7d53d529 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\servers\Stable-" and src.process.image.path contains "\server\node.exe" and src.process.cmdline contains ".vscode-server") and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline contains "\terminal\browser\media\shellIntegration.ps1") or (tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\bash.exe")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md index 06fed85ba..f514eab78 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "tunnel " and tgt.process.cmdline contains "service" and tgt.process.cmdline contains "internal-run" and tgt.process.cmdline contains "tunnel-service.log")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md index a293094c0..988a27a27 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\vsls-agent.exe" and tgt.process.cmdline contains "--agentExtensionPath") and (not tgt.process.cmdline contains "Microsoft.VisualStudio.LiveShare.Agent."))) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md index c112b4029..3df1b6395 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe") and (not (tgt.process.image.path contains "C:\Windows\WinSxS\" or tgt.process.image.path contains "C:\Program Files\Windows Mail\" or tgt.process.image.path contains "C:\Program Files (x86)\Windows Mail\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md index b64df1283..5ec696e36 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe")) or (src.process.image.path contains "\wab.exe" or src.process.image.path contains "\wabmig.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md index 391dc5337..b8e875409 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\explorer.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and tgt.process.cmdline contains "\DavWWWRoot\")) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md index 09132153e..cb745bacf 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\w3wp.exe") and (tgt.process.cmdline contains "&ipconfig&echo" or tgt.process.cmdline contains "&quser&echo" or tgt.process.cmdline contains "&whoami&echo" or tgt.process.cmdline contains "&c:&echo" or tgt.process.cmdline contains "&cd&echo" or tgt.process.cmdline contains "&dir&echo" or tgt.process.cmdline contains "&echo [E]" or tgt.process.cmdline contains "&echo [S]"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md index 1d9a65b84..df4b58aca 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "catalina.jar" or tgt.process.cmdline contains "CATALINA_HOME"))) and ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "comsvcs") or (tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " a " and tgt.process.cmdline contains " -m") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " user " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " localgroup " and tgt.process.cmdline contains " administrators " and tgt.process.cmdline contains "/add") or (tgt.process.image.path contains "\ntdsutil.exe" or tgt.process.image.path contains "\ldifde.exe" or tgt.process.image.path contains "\adfind.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\Nanodump.exe" or tgt.process.image.path contains "\vssadmin.exe" or tgt.process.image.path contains "\fsutil.exe") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " 
/ticket:" or tgt.process.cmdline contains " sekurlsa" or tgt.process.cmdline contains ".dmp full" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "process call create" or tgt.process.cmdline contains "reg save " or tgt.process.cmdline contains "whoami /priv")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md index 124ddded6..8b2b7f0d6 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\php.exe" or src.process.image.path contains "\tomcat.exe" or src.process.image.path contains "\UMWorkerProcess.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_TomcatService.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.cmdline contains "CATALINA_HOME" or src.process.cmdline contains "catalina.home" or src.process.cmdline contains "catalina.jar"))) and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\at.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dsget.exe" or tgt.process.image.path contains "\hostname.exe" or tgt.process.image.path contains "\nbtstat.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netdom.exe" or tgt.process.image.path contains "\netsh.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ntdutil.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains 
"\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\qprocess.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\qwinsta.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sc.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wusa.exe") and (not ((src.process.image.path contains "\java.exe" and tgt.process.cmdline contains "Windows\system32\cmd.exe /c C:\ManageEngine\ADManager \"Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") or (src.process.image.path contains "\java.exe" and (tgt.process.cmdline contains "sc query" and tgt.process.cmdline contains "ADManager Plus")))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md index dcf63d555..2d97d77d4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "CATALINA_HOME" or tgt.process.cmdline contains "catalina.jar"))) and (tgt.process.cmdline contains "perl --help" or tgt.process.cmdline contains "perl -h" or tgt.process.cmdline contains "python --help" or tgt.process.cmdline contains "python -h" or tgt.process.cmdline contains "python3 --help" or tgt.process.cmdline contains "python3 -h" or tgt.process.cmdline contains "wget --help"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md index 4822f19f0..eeaac775b 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wermgr.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\ipconfig.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "C:\Windows\system32\WerConCpl.dll" and tgt.process.cmdline contains "LaunchErcApp ") and (tgt.process.cmdline contains "-queuereporting" or tgt.process.cmdline contains "-responsepester"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md index 053dd4f32..3ab02f123 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wermgr.exe" and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\WinSxS\")))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md index dea96f5cf..ab45fa53d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md 
@@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WindowsTerminal.exe" or src.process.image.path contains "\wt.exe") and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\csc.exe") or (tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Windows\TEMP\") or (tgt.process.cmdline contains " iex " or tgt.process.cmdline contains " icm" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Import-Module " or tgt.process.cmdline contains "ipmo " or tgt.process.cmdline contains "DownloadString(" or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " /k " or tgt.process.cmdline contains " /r "))) and (not ((tgt.process.cmdline contains "Import-Module" and tgt.process.cmdline contains "Microsoft.VisualStudio.DevShell.dll" and tgt.process.cmdline contains "Enter-VsDevShell") or (tgt.process.cmdline contains "\AppData\Local\Packages\Microsoft.WindowsTerminal_" and tgt.process.cmdline contains "\LocalState\settings.json") or (tgt.process.cmdline contains "C:\Program Files\Microsoft Visual Studio\" and tgt.process.cmdline contains "\Common7\Tools\VsDevCmd.bat"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md index d97314de9..29fdebbbe 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (tgt.process.cmdline contains ".dmp" or tgt.process.cmdline contains ".dump" or tgt.process.cmdline contains ".hdmp"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md index cba852938..4ab82b6af 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (not (tgt.process.image.path contains "\UnRAR.exe" or (tgt.process.image.path contains ":\Program Files (x86)\WinRAR\" or tgt.process.image.path contains ":\Program Files\WinRAR\"))) and (not tgt.process.image.path contains ":\Windows\Temp\"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md index 41c9a4807..4ae9b8364 100644 
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "winrm" and ((tgt.process.cmdline contains "format:pretty" or tgt.process.cmdline contains "format:\"pretty\"" or tgt.process.cmdline contains "format:\"text\"" or tgt.process.cmdline contains "format:text") and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md index ae211a166..aa975e92f 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsmprovhost.exe" or src.process.image.path contains "\wsmprovhost.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md index a6bd9740c..9005a438c 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md 
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wsmprovhost.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe"))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md index c36de7417..765a6ab7d 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "winzip.exe" or tgt.process.cmdline contains "winzip64.exe") and tgt.process.cmdline contains "-s\"" and (tgt.process.cmdline contains " -min " or tgt.process.cmdline contains " -a "))) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md index 6913e53db..239563e87 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\EdgeTransport.exe" and (not (tgt.process.image.path="C:\Windows\System32\conhost.exe" or (tgt.process.image.path contains "C:\Program Files\Microsoft\Exchange Server\" and tgt.process.image.path contains "\Bin\OleConverter.exe"))))) ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md index d445fdeb5..b7e1218a4 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="C:\WINDOWS\system32\wbem\scrcons.exe" and src.process.image.path="C:\Windows\System32\svchost.exe")) ``` 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md index 00c7d51b3..f041f1999 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md @@ -1,5 +1,5 @@ ```sql -// Translated content (automatically translated on 26-10-2024 01:17:36): +// Translated content (automatically translated on 27-10-2024 01:25:11): event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ActiveScriptEventConsumer" and tgt.process.cmdline contains " CREATE ")) | columns tgt.process.cmdline,src.process.cmdline ``` diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md index a81544db6..3fb56d5d0 100644 --- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md +++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "process " and tgt.process.cmdline contains "call " and tgt.process.cmdline contains "create ") and (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "%temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md
index 5ff78f74a..36f73f617 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "product where " and tgt.process.cmdline contains "call" and tgt.process.cmdline contains "uninstall" and tgt.process.cmdline contains "/nointeractive") or ((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "caption like ") and (tgt.process.cmdline contains "call delete" or tgt.process.cmdline contains "call terminate")) or (tgt.process.cmdline contains "process " and tgt.process.cmdline contains "where " and tgt.process.cmdline contains "delete")) and (tgt.process.cmdline contains "%carbon%" or tgt.process.cmdline contains "%cylance%" or tgt.process.cmdline contains "%endpoint%" or tgt.process.cmdline contains "%eset%" or tgt.process.cmdline contains "%malware%" or tgt.process.cmdline contains "%Sophos%" or tgt.process.cmdline contains "%symantec%" or tgt.process.cmdline contains "Antivirus" or tgt.process.cmdline contains "AVG " or tgt.process.cmdline contains "Carbon Black" or tgt.process.cmdline contains "CarbonBlack" or tgt.process.cmdline contains "Cb Defense Sensor 64-bit" or tgt.process.cmdline contains "Crowdstrike Sensor" or tgt.process.cmdline contains "Cylance " or tgt.process.cmdline contains "Dell Threat Defense" or tgt.process.cmdline contains "DLP Endpoint" or tgt.process.cmdline contains "Endpoint Detection" or tgt.process.cmdline contains "Endpoint Protection" or tgt.process.cmdline contains "Endpoint Security" or tgt.process.cmdline contains "Endpoint Sensor" or tgt.process.cmdline contains "ESET File Security" or tgt.process.cmdline contains "LogRhythm System Monitor Service" or tgt.process.cmdline contains "Malwarebytes" or tgt.process.cmdline contains "McAfee Agent" or tgt.process.cmdline contains "Microsoft Security Client" 
or tgt.process.cmdline contains "Sophos Anti-Virus" or tgt.process.cmdline contains "Sophos AutoUpdate" or tgt.process.cmdline contains "Sophos Credential Store" or tgt.process.cmdline contains "Sophos Management Console" or tgt.process.cmdline contains "Sophos Management Database" or tgt.process.cmdline contains "Sophos Management Server" or tgt.process.cmdline contains "Sophos Remote Management System" or tgt.process.cmdline contains "Sophos Update Manager" or tgt.process.cmdline contains "Threat Protection" or tgt.process.cmdline contains "VirusScan" or tgt.process.cmdline contains "Webroot SecureAnywhere" or tgt.process.cmdline contains "Windows Defender")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md
index 67decffcb..f5d5153fb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "-format" or tgt.process.cmdline contains "/format" or tgt.process.cmdline contains "–format" or tgt.process.cmdline contains "—format" or tgt.process.cmdline contains "―format")) and (not (tgt.process.cmdline contains "Format:List" or tgt.process.cmdline contains "Format:htable" or tgt.process.cmdline contains "Format:hform" or tgt.process.cmdline contains "Format:table" or tgt.process.cmdline contains "Format:mof" or tgt.process.cmdline contains "Format:value" or tgt.process.cmdline contains "Format:rawxml" or tgt.process.cmdline contains "Format:xml" or tgt.process.cmdline contains "Format:csv"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md
index 4f7e0718c..c817ee099 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wbem\WmiPrvSE.exe" and ((tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\verclsid.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript"))) and (not (tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\WmiPrvSE.exe" or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.cmdline contains "/i ")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md
index 005d5b538..498374765 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path="C:\Windows\System32\wpbbin.exe")
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md
index b36caa72a..1202e7964 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\") and (tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".jse" or tgt.process.cmdline contains ".vba" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".wsf")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md
index 08e8e0eb3..f314d65a0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\rundll32.exe" or ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and ((tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec")))) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "UpdatePerUserSystemParameters" or tgt.process.cmdline contains "PrintUIEntry" or tgt.process.cmdline contains "ClearMyTracksByProcess")))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md
index d42535f83..47549e066 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wsl.exe" or src.process.image.path contains "\wslhost.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "C:\Windows\Temp\" or tgt.process.image.path contains "C:\Temp\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\"))))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md
index 0a2a8e059..280427f4f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path matches "[a-zA-Z]:\\\\" and tgt.process.image.path contains "\\wsl.localhost"))
 ```
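Review bot: The `contains "\\wsl.localhost"` predicate in the wsl_windows_binaries_execution hunk is the only path test in this batch written with a doubled backslash; the sibling hunk on the same line writes `contains "\wsl.exe"` with a single one, and under either escaping convention one of the two forms is wrong — if PowerQuery string literals are taken verbatim this rule demands two literal backslashes before `wsl.localhost` (a UNC prefix, which may be what is meant), whereas if `\\` collapses to `\` every single-backslash rule is relying on unrecognised escapes such as `\w`. Please confirm the convention against a real `\\wsl.localhost\<distro>\...` process-creation event and have the translator emit one form consistently rather than patching this generated file. The neighbouring `matches "[a-zA-Z]:\\\\"` has the same ambiguity and is unanchored, so it is satisfied by a drive-letter sequence anywhere in the path, which is presumably looser than the source rule intends.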
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md
index 4acfa1a41..f79745674 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wusa.exe" and tgt.process.cmdline contains "/extract:") and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\Appdata\Local\Temp\")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md
index dc7e8e39a..a22952a8d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wusa.exe" and ((src.process.image.path contains ":\Perflogs\" or src.process.image.path contains ":\Users\Public\" or src.process.image.path contains ":\Windows\Temp\" or src.process.image.path contains "\Appdata\Local\Temp\" or src.process.image.path contains "\Temporary Internet") or ((src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favorites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favourites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Contacts\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Pictures\"))) and (not tgt.process.cmdline contains ".msu")))
 ```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
index 19fe7b900..450713506 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 26-10-2024 01:17:36):
+// Translated content (automatically translated on 27-10-2024 01:25:11):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="RunWizard" and tgt.process.cmdline matches "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"))
 ```
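Review bot: The xwizard query in the last hunk can never fire: `tgt.process.cmdline="RunWizard"` is an exact-equality test on the whole command line, and the same field is then also required to match a GUID regex, so no value satisfies both conjuncts and the rule is dead. A substring test is almost certainly what the source rule means, i.e. `tgt.process.cmdline contains "RunWizard" and tgt.process.cmdline matches "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"`. Because this file is translator output, the fix belongs in the converter's handling of this modifier rather than a hand edit here, and the other `cmdline=` / `image.path=` equality predicates regenerated in this commit (for example the scrcons and wpbbin rules) are worth spot-checking for the same problem, though those at least compare against a full path and may be intentional. The regeneration only bumped the timestamp and reproduced the unsatisfiable predicate unchanged.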