From bef70d3bfb65b32b05750cfce0be0109e10998f1 Mon Sep 17 00:00:00 2001
From: wikijm <wikijm@users.noreply.github.com>
Date: Mon, 2 Dec 2024 01:28:00 +0000
Subject: [PATCH] Apply automatic changes

---
 ...on_win_addinutil_uncommon_child_process.md |  2 +-
 ...ation_win_appvlp_uncommon_child_process.md |  2 +-
 ..._creation_win_aspnet_compiler_exectuion.md |  2 +-
 ..._win_aspnet_compiler_susp_child_process.md |  2 +-
 ...creation_win_aspnet_compiler_susp_paths.md |  2 +-
 ...c_creation_win_at_interactive_execution.md |  2 +-
 ...tion_win_auditpol_nt_resource_kit_usage.md |  2 +-
 ...ion_win_bginfo_suspicious_child_process.md |  2 +-
 ...ation_win_bginfo_uncommon_child_process.md |  2 +-
 ...oc_creation_win_bitlockertogo_execution.md |  2 +-
 ...in_browsers_chromium_headless_debugging.md |  2 +-
 ...ion_win_browsers_chromium_headless_exec.md |  2 +-
 ...rowsers_chromium_headless_file_download.md |  2 +-
 ...on_win_browsers_chromium_load_extension.md |  2 +-
 ...ion_win_browsers_chromium_mockbin_abuse.md |  2 +-
 ...n_browsers_chromium_susp_load_extension.md |  2 +-
 ...ation_win_browsers_inline_file_download.md |  2 +-
 ..._creation_win_browsers_remote_debugging.md |  2 +-
 ...roc_creation_win_browsers_tor_execution.md |  2 +-
 .../proc_creation_win_calc_uncommon_exec.md   |  2 +-
 .../proc_creation_win_chcp_codepage_lookup.md |  2 +-
 .../proc_creation_win_chcp_codepage_switch.md |  2 +-
 ...tion_win_cloudflared_portable_execution.md |  2 +-
 ...creation_win_cloudflared_tunnel_cleanup.md |  2 +-
 ...roc_creation_win_cloudflared_tunnel_run.md |  2 +-
 ...eation_win_cmd_curl_download_exec_combo.md |  2 +-
 .../proc_creation_win_cmd_dosfuscation.md     |  2 +-
 .../proc_creation_win_cmd_http_appdata.md     |  2 +-
 ...cmd_mklink_shadow_copies_access_symlink.md |  2 +-
 ...roc_creation_win_cmd_no_space_execution.md |  2 +-
 ...roc_creation_win_cmd_ntdllpipe_redirect.md |  2 +-
 ...ion_win_cmd_ping_del_combined_execution.md |  2 +-
 ...proc_creation_win_cmd_shadowcopy_access.md |  2 +-
 ..._cmd_sticky_key_like_backdoor_execution.md |  2 +-
 ...oc_creation_win_cmd_sticky_keys_replace.md |  2 +-
 ...on_win_cmd_type_arbitrary_file_download.md |  2 +-
 .../proc_creation_win_cmd_unusual_parent.md   |  2 +-
 ...reation_win_cmstp_execution_by_creation.md |  2 +-
 ...proc_creation_win_conhost_legacy_option.md |  9 ++-
 ...roc_creation_win_conhost_path_traversal.md |  2 +-
 ...oc_creation_win_conhost_uncommon_parent.md |  2 +-
 ...eation_win_csc_susp_dynamic_compilation.md |  2 +-
 .../proc_creation_win_curl_susp_download.md   |  2 +-
 ..._win_defaultpack_uncommon_child_process.md |  2 +-
 ..._desktopimgdownldr_remote_file_download.md |  2 +-
 ...on_win_desktopimgdownldr_susp_execution.md |  2 +-
 .../proc_creation_win_devinit_lolbin_usage.md |  2 +-
 ...on_win_dfsvc_suspicious_child_processes.md |  2 +-
 ...ation_win_diskshadow_child_process_susp.md |  2 +-
 .../proc_creation_win_dism_remove.md          |  2 +-
 ...c_creation_win_dll_sideload_vmware_xfer.md |  2 +-
 ...c_creation_win_dllhost_no_cli_execution.md |  2 +-
 ...on_win_dns_exfiltration_tools_execution.md |  2 +-
 ...roc_creation_win_dns_susp_child_process.md |  2 +-
 .../proc_creation_win_dnscmd_discovery.md     |  2 +-
 ...cmd_install_new_server_level_plugin_dll.md |  2 +-
 ...oc_creation_win_dnx_execute_csharp_code.md |  2 +-
 .../proc_creation_win_dtrace_kernel_dump.md   |  2 +-
 .../proc_creation_win_esentutl_params.md      |  2 +-
 ...reation_win_eventvwr_susp_child_process.md |  2 +-
 .../proc_creation_win_expand_cabinet_files.md |  2 +-
 ...reation_win_explorer_break_process_tree.md |  2 +-
 ...plorer_folder_shortcut_via_shell_binary.md |  2 +-
 .../proc_creation_win_explorer_nouaccheck.md  |  2 +-
 ..._creation_win_findstr_recon_pipe_output.md |  2 +-
 ...win_forfiles_child_process_masquerading.md |  2 +-
 ...ion_win_format_uncommon_filesystem_load.md |  2 +-
 ...downloadwrapper_arbitrary_file_download.md |  2 +-
 ...ion_win_googleupdate_susp_child_process.md |  2 +-
 .../proc_creation_win_gpg4win_decryption.md   |  2 +-
 .../proc_creation_win_gpg4win_encryption.md   |  2 +-
 ...proc_creation_win_gpg4win_susp_location.md |  2 +-
 .../proc_creation_win_gpresult_execution.md   |  2 +-
 ...tion_win_gup_arbitrary_binary_execution.md |  2 +-
 ...c_creation_win_gup_suspicious_execution.md |  2 +-
 ...ion_win_hh_html_help_susp_child_process.md |  2 +-
 .../proc_creation_win_hktl_adcspwn.md         |  2 +-
 ...creation_win_hktl_bloodhound_sharphound.md |  2 +-
 ...c_creation_win_hktl_c3_rundll32_pattern.md |  2 +-
 ..._win_hktl_cobaltstrike_process_patterns.md |  2 +-
 .../proc_creation_win_hktl_covenant.md        |  2 +-
 ...reation_win_hktl_crackmapexec_execution.md |  2 +-
 ...in_hktl_crackmapexec_execution_patterns.md |  2 +-
 ...creation_win_hktl_crackmapexec_patterns.md |  2 +-
 .../proc_creation_win_hktl_dinjector.md       |  2 +-
 ...ation_win_hktl_empire_powershell_launch.md |  2 +-
 ...n_win_hktl_empire_powershell_uac_bypass.md |  2 +-
 .../proc_creation_win_hktl_evil_winrm.md      |  2 +-
 ...tion_win_hktl_execution_via_pe_metadata.md |  2 +-
 .../proc_creation_win_hktl_hashcat.md         |  2 +-
 ...oc_creation_win_hktl_htran_or_natbypass.md |  2 +-
 .../proc_creation_win_hktl_hydra.md           |  2 +-
 ...tion_win_hktl_impacket_lateral_movement.md |  2 +-
 .../proc_creation_win_hktl_impacket_tools.md  |  2 +-
 ...eation_win_hktl_invoke_obfuscation_clip.md |  2 +-
 ..._obfuscation_obfuscated_iex_commandline.md |  2 +-
 ...ation_win_hktl_invoke_obfuscation_stdin.md |  2 +-
 ...reation_win_hktl_invoke_obfuscation_var.md |  2 +-
 ...in_hktl_invoke_obfuscation_via_compress.md |  2 +-
 ...n_win_hktl_invoke_obfuscation_via_stdin.md |  2 +-
 ...in_hktl_invoke_obfuscation_via_use_clip.md |  2 +-
 ...n_hktl_invoke_obfuscation_via_use_mhsta.md |  2 +-
 ...ion_win_hktl_invoke_obfuscation_via_var.md |  2 +-
 ...reation_win_hktl_jlaive_batch_execution.md |  2 +-
 .../proc_creation_win_hktl_lazagne.md         |  2 +-
 ...creation_win_hktl_meterpreter_getsystem.md |  2 +-
 ...creation_win_hktl_mimikatz_command_line.md |  2 +-
 ...ktl_powersploit_empire_default_schtasks.md |  2 +-
 .../proc_creation_win_hktl_pypykatz.md        |  2 +-
 .../proc_creation_win_hktl_quarks_pwdump.md   |  2 +-
 ...ion_win_hktl_redmimicry_winnti_playbook.md |  2 +-
 ...c_creation_win_hktl_relay_attacks_tools.md |  2 +-
 .../proc_creation_win_hktl_sharp_chisel.md    |  2 +-
 .../proc_creation_win_hktl_sharpersist.md     |  2 +-
 .../proc_creation_win_hktl_sharpevtmute.md    |  2 +-
 .../proc_creation_win_hktl_sharpup.md         |  2 +-
 ..._win_hktl_sharpwsus_wsuspendu_execution.md |  2 +-
 ..._creation_win_hktl_silenttrinity_stager.md |  2 +-
 ...on_win_hktl_sliver_c2_execution_pattern.md |  2 +-
 ...c_creation_win_hktl_soaphound_execution.md |  4 +-
 .../proc_creation_win_hktl_winpwn.md          |  2 +-
 ...ion_win_hktl_wmiexec_default_powershell.md |  2 +-
 .../proc_creation_win_hktl_xordump.md         |  2 +-
 .../proc_creation_win_hktl_zipexec.md         |  2 +-
 .../proc_creation_win_hostname_execution.md   |  2 +-
 .../proc_creation_win_hwp_exploits.md         |  2 +-
 .../proc_creation_win_hxtsr_masquerading.md   |  2 +-
 ...eation_win_iis_susp_module_registration.md |  2 +-
 ...tion_win_imagingdevices_unusual_parents.md |  2 +-
 ...n_infdefaultinstall_execute_sct_scripts.md |  2 +-
 ...reation_win_instalutil_no_log_execution.md |  2 +-
 ...ion_win_java_keytool_susp_child_process.md |  2 +-
 ...in_java_manageengine_susp_child_process.md |  2 +-
 ...proc_creation_win_java_remote_debugging.md |  2 +-
 ...oc_creation_win_java_susp_child_process.md |  4 +-
 ..._creation_win_java_susp_child_process_2.md |  2 +-
 ...in_java_sysaidserver_susp_child_process.md |  2 +-
 ...ation_win_kavremover_uncommon_execution.md |  2 +-
 ...eation_win_link_uncommon_parent_process.md |  2 +-
 ...roc_creation_win_lolbin_customshellhost.md |  2 +-
 ...win_lolbin_device_credential_deployment.md |  2 +-
 ...oc_creation_win_lolbin_devtoolslauncher.md |  2 +-
 .../proc_creation_win_lolbin_diantz_ads.md    |  2 +-
 ...c_creation_win_lolbin_diantz_remote_cab.md |  2 +-
 .../proc_creation_win_lolbin_extrac32_ads.md  |  2 +-
 ...c_creation_win_lolbin_launch_vsdevshell.md |  2 +-
 ..._win_lolbin_mavinject_process_injection.md |  2 +-
 .../proc_creation_win_lolbin_msdeploy.md      |  2 +-
 ...oc_creation_win_lolbin_msdt_answer_file.md |  2 +-
 .../proc_creation_win_lolbin_openwith.md      |  2 +-
 .../proc_creation_win_lolbin_pcalua.md        |  2 +-
 .../proc_creation_win_lolbin_pcwrun.md        |  2 +-
 ...proc_creation_win_lolbin_pcwrun_follina.md |  2 +-
 .../proc_creation_win_lolbin_pester.md        |  2 +-
 .../proc_creation_win_lolbin_pester_1.md      |  2 +-
 .../proc_creation_win_lolbin_printbrm.md      |  2 +-
 .../proc_creation_win_lolbin_pubprn.md        |  2 +-
 .../proc_creation_win_lolbin_register_app.md  |  2 +-
 .../proc_creation_win_lolbin_replace.md       |  2 +-
 .../proc_creation_win_lolbin_runexehelper.md  |  2 +-
 ...roc_creation_win_lolbin_runscripthelper.md |  2 +-
 ...roc_creation_win_lolbin_settingsynchost.md |  2 +-
 .../proc_creation_win_lolbin_sftp.md          |  2 +-
 ...lolbin_susp_driver_installed_by_pnputil.md |  2 +-
 .../proc_creation_win_lolbin_susp_grpconv.md  |  2 +-
 ...tion_win_lolbin_susp_sqldumper_activity.md |  2 +-
 ...yncappvpublishingserver_vbs_execute_psh.md |  2 +-
 .../proc_creation_win_lolbin_tracker.md       |  2 +-
 ...c_creation_win_lolbin_tttracer_mod_load.md |  2 +-
 ...oc_creation_win_lolbin_utilityfunctions.md |  2 +-
 ...eation_win_lolbin_visual_basic_compiler.md |  2 +-
 .../proc_creation_win_lsass_process_clone.md  |  2 +-
 ...proc_creation_win_mftrace_child_process.md |  2 +-
 ...creation_win_mmc_mmc20_lateral_movement.md |  2 +-
 ...roc_creation_win_mmc_susp_child_process.md |  2 +-
 ...tion_win_mpcmdrun_dll_sideload_defender.md |  2 +-
 ...proc_creation_win_mshta_inline_vbscript.md |  2 +-
 ..._creation_win_mshta_lethalhta_technique.md |  2 +-
 .../proc_creation_win_mshta_susp_execution.md |  2 +-
 .../proc_creation_win_msiexec_embedding.md    |  2 +-
 .../proc_creation_win_msiexec_execute_dll.md  |  2 +-
 .../proc_creation_win_msiexec_web_install.md  |  2 +-
 ...roc_creation_win_msra_process_injection.md |  2 +-
 ...c_creation_win_mssql_susp_child_process.md |  2 +-
 ...on_win_mssql_veaam_susp_child_processes.md |  2 +-
 ...creation_win_mstsc_rdp_hijack_shadowing.md |  2 +-
 .../proc_creation_win_msxsl_execution.md      |  2 +-
 ...roc_creation_win_msxsl_remote_execution.md |  2 +-
 .../proc_creation_win_node_abuse.md           |  2 +-
 ...ion_win_node_adobe_creative_cloud_abuse.md |  2 +-
 ..._creation_win_nslookup_domain_discovery.md |  2 +-
 .../proc_creation_win_ntdsutil_usage.md       |  2 +-
 ...ion_win_odbcconf_uncommon_child_process.md |  2 +-
 ...ffice_onenote_embedded_script_execution.md |  2 +-
 ...outlook_enable_unsafe_client_mail_rules.md |  2 +-
 ..._win_office_outlook_execution_from_temp.md |  2 +-
 ...win_office_outlook_susp_child_processes.md |  2 +-
 ...ice_outlook_susp_child_processes_remote.md |  2 +-
 ...n_office_spawn_exe_from_users_directory.md |  2 +-
 ...tion_win_pdqdeploy_runner_susp_children.md |  2 +-
 .../proc_creation_win_ping_hex_ip.md          |  2 +-
 ...proc_creation_win_plink_port_forwarding.md |  2 +-
 .../proc_creation_win_plink_susp_tunneling.md |  2 +-
 ..._win_powershell_amsi_init_failed_bypass.md |  2 +-
 ...on_win_powershell_amsi_null_bits_bypass.md |  2 +-
 ...c_creation_win_powershell_audio_capture.md |  2 +-
 ...on_win_powershell_base64_encoded_obfusc.md |  2 +-
 ..._win_powershell_base64_frombase64string.md |  2 +-
 ...proc_creation_win_powershell_base64_iex.md |  2 +-
 ...tion_win_powershell_base64_mppreference.md |  2 +-
 ...ershell_base64_reflection_assembly_load.md |  2 +-
 ..._base64_reflection_assembly_load_obfusc.md |  2 +-
 ...c_creation_win_powershell_cl_invocation.md |  2 +-
 ...creation_win_powershell_cl_loadassembly.md |  2 +-
 ...eation_win_powershell_cl_mutexverifiers.md |  2 +-
 ..._creation_win_powershell_create_service.md |  2 +-
 ...roc_creation_win_powershell_decode_gzip.md |  2 +-
 ...win_powershell_defender_disable_feature.md |  2 +-
 ...ation_win_powershell_defender_exclusion.md |  2 +-
 ...tion_win_powershell_disable_ie_features.md |  2 +-
 ...reation_win_powershell_downgrade_attack.md |  2 +-
 ...ion_win_powershell_download_com_cradles.md |  2 +-
 ...n_powershell_download_cradle_obfuscated.md |  2 +-
 ...reation_win_powershell_download_cradles.md |  2 +-
 ...oc_creation_win_powershell_download_dll.md |  2 +-
 ...oc_creation_win_powershell_download_iex.md |  2 +-
 ...tion_win_powershell_dsinternals_cmdlets.md |  2 +-
 ...roc_creation_win_powershell_email_exfil.md |  2 +-
 ...ll_enable_susp_windows_optional_feature.md |  2 +-
 .../proc_creation_win_powershell_encode.md    |  2 +-
 ..._creation_win_powershell_exec_data_file.md |  2 +-
 ...ation_win_powershell_export_certificate.md |  2 +-
 ...reation_win_powershell_frombase64string.md |  2 +-
 ...win_powershell_frombase64string_archive.md |  2 +-
 ...c_creation_win_powershell_get_clipboard.md |  2 +-
 ..._powershell_get_localgroup_member_recon.md |  2 +-
 ...reation_win_powershell_getprocess_lsass.md |  2 +-
 ...oc_creation_win_powershell_iex_patterns.md |  2 +-
 ...n_powershell_import_cert_susp_locations.md |  2 +-
 ..._win_powershell_import_module_susp_dirs.md |  2 +-
 ...tion_win_powershell_invocation_specific.md |  2 +-
 ...tion_win_powershell_mailboxexport_share.md |  2 +-
 ...eation_win_powershell_malicious_cmdlets.md |  4 +-
 ...n_powershell_msexchange_transport_agent.md |  2 +-
 ...ion_win_powershell_obfuscation_via_utf8.md |  2 +-
 ...c_creation_win_powershell_public_folder.md |  2 +-
 ...owershell_remotefxvgpudisablement_abuse.md |  2 +-
 ...tion_win_powershell_remove_mppreference.md |  2 +-
 ...tion_win_powershell_run_script_from_ads.md |  2 +-
 ...powershell_run_script_from_input_stream.md |  2 +-
 ...proc_creation_win_powershell_sam_access.md |  2 +-
 ...ion_win_powershell_script_engine_parent.md |  2 +-
 ...tion_win_powershell_shadowcopy_deletion.md |  2 +-
 ...n_win_powershell_susp_download_patterns.md |  2 +-
 ...win_powershell_susp_parameter_variation.md |  2 +-
 ...creation_win_powershell_susp_ps_appdata.md |  2 +-
 ...ion_win_powershell_susp_ps_downloadfile.md |  2 +-
 ...eation_win_powershell_token_obfuscation.md |  2 +-
 ..._creation_win_powershell_x509enrollment.md |  2 +-
 ...oc_creation_win_powershell_zip_compress.md |  2 +-
 ...eation_win_pressanykey_lolbin_execution.md |  2 +-
 ...roc_creation_win_print_remote_file_copy.md |  2 +-
 ...creation_win_provlaunch_potential_abuse.md |  2 +-
 ...ation_win_provlaunch_susp_child_process.md |  2 +-
 ...oc_creation_win_psr_capture_screenshots.md |  2 +-
 .../proc_creation_win_pua_3proxy_execution.md |  2 +-
 ...roc_creation_win_pua_adfind_enumeration.md |  2 +-
 ...proc_creation_win_pua_adfind_susp_usage.md |  2 +-
 ..._creation_win_pua_advancedrun_priv_user.md |  2 +-
 .../proc_creation_win_pua_chisel.md           |  2 +-
 .../proc_creation_win_pua_cleanwipe.md        |  2 +-
 .../proc_creation_win_pua_csexec.md           |  2 +-
 .../proc_creation_win_pua_defendercheck.md    |  2 +-
 .../proc_creation_win_pua_ditsnap.md          |  2 +-
 ...oc_creation_win_pua_mouselock_execution.md |  2 +-
 .../proc_creation_win_pua_netcat.md           |  2 +-
 .../proc_creation_win_pua_netscan.md          |  2 +-
 .../proc_creation_win_pua_ngrok.md            |  2 +-
 .../proc_creation_win_pua_nircmd_as_system.md |  2 +-
 .../proc_creation_win_pua_rcedit_execution.md |  2 +-
 .../proc_creation_win_pua_rclone_execution.md |  2 +-
 .../proc_creation_win_pua_runxcmd.md          |  2 +-
 ...roc_creation_win_pua_webbrowserpassview.md |  2 +-
 .../proc_creation_win_python_adidnsdump.md    |  2 +-
 .../proc_creation_win_python_pty_spawn.md     |  2 +-
 ..._creation_win_qemu_suspicious_execution.md |  2 +-
 .../proc_creation_win_query_session_exfil.md  |  2 +-
 .../proc_creation_win_rar_compress_data.md    |  2 +-
 ...ation_win_rar_compression_with_password.md |  2 +-
 ...reation_win_rar_susp_greedy_compression.md |  2 +-
 .../proc_creation_win_rasdial_execution.md    |  2 +-
 .../proc_creation_win_reg_add_run_key.md      |  2 +-
 .../proc_creation_win_reg_bitlocker.md        |  2 +-
 ...g_credential_access_via_password_filter.md |  2 +-
 ...roc_creation_win_reg_defender_exclusion.md |  2 +-
 ..._direct_asep_registry_keys_modification.md |  2 +-
 ...c_creation_win_reg_disable_sec_services.md |  2 +-
 ...enumeration_for_credentials_in_registry.md |  2 +-
 ...on_win_reg_lsa_disable_restricted_admin.md |  2 +-
 .../proc_creation_win_reg_machineguid.md      |  2 +-
 .../proc_creation_win_reg_nolmhash.md         |  2 +-
 .../proc_creation_win_reg_open_command.md     |  2 +-
 .../proc_creation_win_reg_screensaver.md      |  2 +-
 ...eation_win_reg_service_imagepath_change.md |  2 +-
 ...roc_creation_win_reg_software_discovery.md |  2 +-
 .../proc_creation_win_reg_volsnap_disable.md  |  2 +-
 ..._reg_write_protect_for_storage_disabled.md |  2 +-
 ...c_creation_win_regedit_trustedinstaller.md |  2 +-
 ...ation_win_registry_cimprovider_dll_load.md |  2 +-
 ...egistry_enumeration_for_credentials_cli.md |  2 +-
 ...curity_zone_protocol_defaults_downgrade.md |  2 +-
 ..._registry_install_reg_debugger_backdoor.md |  2 +-
 ...proc_creation_win_registry_logon_script.md |  2 +-
 ...ation_win_registry_new_network_provider.md |  2 +-
 ...office_disable_python_security_warnings.md |  2 +-
 ...ry_privilege_escalation_via_service_key.md | 10 ++-
 ...egistry_provlaunch_provisioning_command.md |  2 +-
 ...registry_set_unsecure_powershell_policy.md |  2 +-
 ...win_registry_special_accounts_hide_user.md |  2 +-
 ...on_win_registry_typed_paths_persistence.md |  2 +-
 ...roc_creation_win_regsvr32_flags_anomaly.md |  2 +-
 ...reation_win_regsvr32_susp_child_process.md |  2 +-
 .../proc_creation_win_regsvr32_susp_parent.md |  2 +-
 ...reation_win_remote_access_tools_anydesk.md |  2 +-
 ...ss_tools_anydesk_piped_password_via_cli.md |  2 +-
 ...ote_access_tools_anydesk_silent_install.md |  2 +-
 ...n_remote_access_tools_anydesk_susp_exec.md |  2 +-
 ...tion_win_remote_access_tools_gotoopener.md |  2 +-
 ...reation_win_remote_access_tools_logmein.md |  2 +-
 ..._win_remote_access_tools_meshagent_exec.md |  2 +-
 ...access_tools_rurat_non_default_location.md |  2 +-
 ...n_win_remote_access_tools_screenconnect.md |  2 +-
 ...ls_screenconnect_installation_cli_param.md |  2 +-
 ...ols_screenconnect_remote_execution_susp.md |  2 +-
 ...ote_access_tools_screenconnect_webshell.md |  2 +-
 ...ion_win_remote_access_tools_simple_help.md |  2 +-
 ...ss_tools_teamviewer_incoming_connection.md |  2 +-
 ...proc_creation_win_remote_time_discovery.md |  2 +-
 .../proc_creation_win_renamed_jusched.md      |  2 +-
 ..._win_renamed_rundll32_dllregisterserver.md |  2 +-
 .../proc_creation_win_renamed_rurat.md        |  2 +-
 ...creation_win_rpcping_credential_capture.md |  2 +-
 .../proc_creation_win_rundll32_inline_vbs.md  |  2 +-
 ..._win_rundll32_mshtml_runhtmlapplication.md |  2 +-
 .../proc_creation_win_rundll32_no_params.md   |  2 +-
 ...roc_creation_win_rundll32_run_locations.md |  2 +-
 ...in_rundll32_setupapi_installhinfsection.md |  2 +-
 ...oc_creation_win_rundll32_spawn_explorer.md |  2 +-
 ...roc_creation_win_rundll32_susp_activity.md |  2 +-
 ...n_win_rundll32_susp_shellexec_execution.md | 20 ++---
 ...ndll32_susp_shellexec_ordinal_execution.md | 77 +++++++++++++++++++
 ...ation_win_rundll32_susp_shimcache_flush.md |  2 +-
 .../proc_creation_win_rundll32_sys.md         |  2 +-
 ...n_rundll32_webdav_client_susp_execution.md |  2 +-
 ...reation_win_rundll32_without_parameters.md |  2 +-
 .../proc_creation_win_runonce_execution.md    |  2 +-
 ...c_change_sevice_image_path_by_non_admin.md | 10 ++-
 .../proc_creation_win_sc_create_service.md    |  2 +-
 .../proc_creation_win_sc_new_kernel_driver.md |  2 +-
 ...eation_win_sc_service_path_modification.md |  2 +-
 ...n_win_sc_service_tamper_for_persistence.md |  2 +-
 ...ation_win_schtasks_appdata_local_system.md |  2 +-
 .../proc_creation_win_schtasks_change.md      |  2 +-
 .../proc_creation_win_schtasks_creation.md    |  2 +-
 ...ation_win_schtasks_creation_temp_folder.md |  2 +-
 .../proc_creation_win_schtasks_delete.md      |  2 +-
 .../proc_creation_win_schtasks_delete_all.md  |  2 +-
 .../proc_creation_win_schtasks_disable.md     |  2 +-
 .../proc_creation_win_schtasks_env_folder.md  |  2 +-
 ...oc_creation_win_schtasks_guid_task_name.md |  2 +-
 ...ion_win_schtasks_powershell_persistence.md |  2 +-
 ...proc_creation_win_schtasks_susp_pattern.md |  2 +-
 .../proc_creation_win_schtasks_system.md      |  2 +-
 ...creation_win_scrcons_susp_child_process.md |  2 +-
 .../proc_creation_win_sdclt_child_process.md  |  2 +-
 ...proc_creation_win_sdiagnhost_susp_child.md |  2 +-
 ...c_creation_win_servu_susp_child_process.md |  2 +-
 ...ation_win_setres_uncommon_child_process.md |  2 +-
 ...eation_win_setup16_custom_lst_execution.md | 36 +++++++++
 .../proc_creation_win_shutdown_execution.md   |  2 +-
 .../proc_creation_win_shutdown_logoff.md      |  2 +-
 ...ion_win_sigverif_uncommon_child_process.md |  2 +-
 ...reation_win_sndvol_susp_child_processes.md |  2 +-
 ...reation_win_soundrecorder_audio_capture.md |  2 +-
 .../proc_creation_win_splwow64_cli_anomaly.md |  2 +-
 ...proc_creation_win_sqlcmd_veeam_db_recon.md |  2 +-
 .../proc_creation_win_sqlcmd_veeam_dump.md    |  2 +-
 ...eation_win_sqlite_chromium_profile_data.md |  2 +-
 ...n_win_sqlite_firefox_gecko_profile_data.md |  2 +-
 .../proc_creation_win_squirrel_download.md    |  2 +-
 ...c_creation_win_squirrel_proxy_execution.md |  2 +-
 .../proc_creation_win_ssh_port_forward.md     |  2 +-
 .../proc_creation_win_ssh_proxy_execution.md  |  2 +-
 .../proc_creation_win_ssh_rdp_tunneling.md    |  2 +-
 .../proc_creation_win_ssm_agent_abuse.md      |  2 +-
 ...reation_win_stordiag_susp_child_process.md |  2 +-
 ...roc_creation_win_susp_16bit_application.md |  2 +-
 ...ion_win_susp_add_user_local_admin_group.md |  2 +-
 ...tion_win_susp_add_user_privileged_group.md |  2 +-
 ..._win_susp_add_user_remote_desktop_group.md |  2 +-
 ...reation_win_susp_alternate_data_streams.md |  2 +-
 ...ways_install_elevated_windows_installer.md | 10 ++-
 .../proc_creation_win_susp_appx_execution.md  |  2 +-
 ...rary_shell_execution_via_settingcontent.md |  2 +-
 ...creation_win_susp_archiver_iso_phishing.md |  2 +-
 ...in_susp_bad_opsec_sacrificial_processes.md |  2 +-
 ...ser_launch_from_document_reader_process.md |  2 +-
 ...on_win_susp_cli_obfuscation_escape_char.md |  2 +-
 ...susp_commandline_path_traversal_evasion.md |  2 +-
 ..._creation_win_susp_crypto_mining_monero.md |  2 +-
 ...tion_win_susp_data_exfiltration_via_cli.md |  2 +-
 .../proc_creation_win_susp_disable_raccine.md |  2 +-
 ...proc_creation_win_susp_double_extension.md |  2 +-
 ...eation_win_susp_double_extension_parent.md |  2 +-
 ...reation_win_susp_download_office_domain.md |  2 +-
 ...creation_win_susp_dumpstack_log_evasion.md |  2 +-
 ...creation_win_susp_electron_app_children.md |  2 +-
 .../proc_creation_win_susp_embed_exe_lnk.md   |  2 +-
 ..._creation_win_susp_emoji_usage_in_cli_1.md |  2 +-
 ..._creation_win_susp_emoji_usage_in_cli_2.md |  2 +-
 ..._creation_win_susp_emoji_usage_in_cli_3.md |  2 +-
 ..._creation_win_susp_emoji_usage_in_cli_4.md |  2 +-
 ...ation_win_susp_etw_modification_cmdline.md |  2 +-
 ...roc_creation_win_susp_etw_trace_evasion.md |  2 +-
 .../proc_creation_win_susp_eventlog_clear.md  |  2 +-
 ..._execution_from_public_folder_as_parent.md |  2 +-
 .../proc_creation_win_susp_execution_path.md  |  2 +-
 ..._win_susp_gather_network_info_execution.md |  2 +-
 ...on_win_susp_hidden_dir_index_allocation.md |  2 +-
 ...win_susp_hiding_malware_in_fonts_folder.md |  2 +-
 ..._win_susp_homoglyph_cyrillic_lookalikes.md |  2 +-
 .../proc_creation_win_susp_image_missing.md   |  2 +-
 ...eation_win_susp_inline_base64_mz_header.md |  2 +-
 ...creation_win_susp_inline_win_api_access.md |  2 +-
 ...proc_creation_win_susp_jwt_token_search.md |  2 +-
 ...sp_local_system_owner_account_discovery.md |  2 +-
 ...reation_win_susp_lsass_dmp_cli_keywords.md |  2 +-
 ...ation_win_susp_ms_appinstaller_download.md |  2 +-
 .../proc_creation_win_susp_network_command.md |  2 +-
 ...roc_creation_win_susp_network_scan_loop.md |  2 +-
 ...proc_creation_win_susp_network_sniffing.md |  2 +-
 .../proc_creation_win_susp_no_image_name.md   |  2 +-
 .../proc_creation_win_susp_non_exe_image.md   |  2 +-
 ...oc_creation_win_susp_non_priv_reg_or_ps.md | 37 ++++-----
 .../proc_creation_win_susp_ntds.md            |  2 +-
 ..._creation_win_susp_nteventlogfile_usage.md |  2 +-
 ...n_win_susp_ntfs_short_name_path_use_cli.md |  2 +-
 ...win_susp_ntfs_short_name_path_use_image.md |  2 +-
 ...eation_win_susp_ntfs_short_name_use_cli.md |  2 +-
 ...tion_win_susp_ntfs_short_name_use_image.md |  2 +-
 ...reation_win_susp_obfuscated_ip_download.md |  2 +-
 ...creation_win_susp_obfuscated_ip_via_cli.md |  2 +-
 .../proc_creation_win_susp_parents.md         |  2 +-
 ..._susp_privilege_escalation_cli_patterns.md |  2 +-
 ...roc_creation_win_susp_proc_wrong_parent.md |  2 +-
 .../proc_creation_win_susp_progname.md        |  2 +-
 ...ion_win_susp_recycle_bin_fake_execution.md |  2 +-
 ...ion_win_susp_redirect_local_admin_share.md |  2 +-
 ...ation_win_susp_remote_desktop_tunneling.md |  2 +-
 ...reation_win_susp_right_to_left_override.md |  2 +-
 ...creation_win_susp_script_exec_from_temp.md |  2 +-
 ...n_susp_sensitive_file_access_shadowcopy.md |  2 +-
 ...proc_creation_win_susp_service_creation.md |  2 +-
 .../proc_creation_win_susp_service_dir.md     |  2 +-
 ...ation_win_susp_shell_spawn_susp_program.md |  2 +-
 .../proc_creation_win_susp_sysnative.md       |  2 +-
 ...oc_creation_win_susp_system_exe_anomaly.md |  2 +-
 ...c_creation_win_susp_system_user_anomaly.md | 10 ++-
 .../proc_creation_win_susp_sysvol_access.md   |  2 +-
 ...c_creation_win_susp_task_folder_evasion.md |  2 +-
 ...ation_win_susp_use_of_vsjitdebugger_bin.md |  2 +-
 ...ation_win_susp_weak_or_abused_passwords.md |  2 +-
 ...on_win_susp_web_request_cmd_and_cmdlets.md |  2 +-
 .../proc_creation_win_susp_whoami_as_param.md |  2 +-
 .../proc_creation_win_susp_workfolders.md     |  2 +-
 ...win_svchost_execution_with_no_cli_flags.md |  2 +-
 ...reation_win_svchost_termserv_proc_spawn.md |  2 +-
 ...ion_win_svchost_uncommon_parent_process.md |  2 +-
 ...creation_win_sysinternals_eula_accepted.md |  2 +-
 ...proc_creation_win_sysinternals_procdump.md |  2 +-
 ...ation_win_sysinternals_procdump_evasion.md |  2 +-
 ...reation_win_sysinternals_procdump_lsass.md |  2 +-
 ...internals_psexec_paexec_escalate_system.md |  2 +-
 ...in_sysinternals_psexec_remote_execution.md |  2 +-
 ...ion_win_sysinternals_psexesvc_as_system.md |  2 +-
 ...n_sysinternals_susp_psexec_paexec_flags.md |  2 +-
 ...n_win_sysinternals_sysmon_config_update.md |  2 +-
 ...ation_win_sysinternals_sysmon_uninstall.md |  2 +-
 ...ion_win_sysinternals_tools_masquerading.md |  2 +-
 .../proc_creation_win_sysprep_appdata.md      |  2 +-
 ...proc_creation_win_takeown_recursive_own.md |  2 +-
 .../proc_creation_win_tapinstall_execution.md |  2 +-
 .../proc_creation_win_taskkill_sep.md         |  2 +-
 .../proc_creation_win_taskmgr_localsystem.md  |  2 +-
 ...creation_win_taskmgr_susp_child_process.md |  2 +-
 ...ams_suspicious_command_line_cred_access.md |  2 +-
 .../proc_creation_win_tscon_localsystem.md    |  2 +-
 .../proc_creation_win_tscon_rdp_redirect.md   |  2 +-
 ...c_creation_win_uac_bypass_changepk_slui.md |  8 +-
 .../proc_creation_win_uac_bypass_cleanmgr.md  |  8 +-
 ..._win_uac_bypass_cmstp_com_object_access.md |  8 +-
 ...reation_win_uac_bypass_computerdefaults.md |  8 +-
 ...reation_win_uac_bypass_consent_comctl32.md |  8 +-
 .../proc_creation_win_uac_bypass_dismhost.md  |  8 +-
 ...ion_win_uac_bypass_eventvwr_recentviews.md |  2 +-
 .../proc_creation_win_uac_bypass_fodhelper.md |  2 +-
 ...in_uac_bypass_hijacking_firwall_snap_in.md |  2 +-
 ...tion_win_uac_bypass_idiagnostic_profile.md |  7 +-
 .../proc_creation_win_uac_bypass_ieinstal.md  |  8 +-
 ...oc_creation_win_uac_bypass_msconfig_gui.md |  8 +-
 ...ation_win_uac_bypass_ntfs_reparse_point.md |  8 +-
 ...roc_creation_win_uac_bypass_pkgmgr_dism.md |  8 +-
 .../proc_creation_win_uac_bypass_sdclt.md     | 10 ++-
 ...roc_creation_win_uac_bypass_trustedpath.md |  2 +-
 .../proc_creation_win_uac_bypass_winsat.md    |  8 +-
 .../proc_creation_win_uac_bypass_wmp.md       | 18 ++---
 ..._win_uac_bypass_wsreset_integrity_level.md |  8 +-
 ...oc_creation_win_ultravnc_susp_execution.md |  2 +-
 ...eation_win_uninstall_crowdstrike_falcon.md |  2 +-
 ...n_win_userinit_uncommon_child_processes.md |  2 +-
 .../proc_creation_win_virtualbox_execution.md |  2 +-
 ...on_win_virtualbox_vboxdrvinst_execution.md |  2 +-
 ...on_win_vscode_child_processes_anomalies.md |  2 +-
 ...reation_win_vscode_tunnel_remote_shell_.md |  2 +-
 ...ation_win_vscode_tunnel_service_install.md |  2 +-
 ...n_win_vslsagent_agentextensionpath_load.md |  2 +-
 ...wab_execution_from_non_default_location.md |  2 +-
 .../proc_creation_win_wab_unusual_parents.md  |  2 +-
 .../proc_creation_win_webdav_lnk_execution.md |  2 +-
 .../proc_creation_win_webshell_chopper.md     |  2 +-
 .../proc_creation_win_webshell_hacking.md     |  2 +-
 ...ell_susp_process_spawned_from_webserver.md |  8 +-
 .../proc_creation_win_webshell_tool_recon.md  |  2 +-
 ..._creation_win_wermgr_susp_child_process.md |  2 +-
 ..._creation_win_wermgr_susp_exec_location.md |  2 +-
 ...tion_win_windows_terminal_susp_children.md |  2 +-
 ...roc_creation_win_winrar_exfil_dmp_files.md |  2 +-
 ...on_win_winrar_uncommon_folder_execution.md |  2 +-
 .../proc_creation_win_winrm_awl_bypass.md     |  2 +-
 ...winrm_remote_powershell_session_process.md |  2 +-
 ...c_creation_win_winrm_susp_child_process.md |  2 +-
 ...reation_win_winzip_password_compression.md |  2 +-
 ...n_wmi_backdoor_exchange_transport_agent.md |  2 +-
 ...n_wmi_persistence_script_event_consumer.md |  2 +-
 ...reation_win_wmic_eventconsumer_creation.md |  2 +-
 ...creation_win_wmic_susp_process_creation.md |  2 +-
 ...on_win_wmic_uninstall_security_products.md |  2 +-
 ...creation_win_wmic_xsl_script_processing.md |  2 +-
 ...ation_win_wmiprvse_susp_child_processes.md |  2 +-
 ...eation_win_wpbbin_potential_persistence.md |  2 +-
 ...oc_creation_win_wscript_cscript_dropper.md |  4 +-
 ...in_wscript_cscript_susp_child_processes.md |  2 +-
 ...ation_win_wsl_child_processes_anomalies.md |  2 +-
 ...tion_win_wsl_windows_binaries_execution.md |  2 +-
 ...sa_cab_files_extraction_from_susp_paths.md |  2 +-
 ...creation_win_wusa_susp_parent_execution.md |  2 +-
 ...n_win_xwizard_runwizard_com_object_exec.md |  2 +-
 sigma                                         |  2 +-
 558 files changed, 792 insertions(+), 640 deletions(-)
 create mode 100644 SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.md
 create mode 100644 SentinelOne_PQ - Windows Process Creation/proc_creation_win_setup16_custom_lst_execution.md

diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md
index b31072911..460121fc9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_addinutil_uncommon_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\addinutil.exe" and (not (tgt.process.image.path contains ":\Windows\System32\conhost.exe" or tgt.process.image.path contains ":\Windows\System32\werfault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\werfault.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md
index e77587cc2..227400e95 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_appvlp_uncommon_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\appvlp.exe" and (not (tgt.process.image.path contains ":\Windows\SysWOW64\rundll32.exe" or tgt.process.image.path contains ":\Windows\System32\rundll32.exe")) and (not ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\msoasb.exe") or ((tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\SkypeSrv\") and tgt.process.image.path contains "\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\Program Files\Microsoft Office" and tgt.process.image.path contains "\MSOUC.EXE")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md
index 4e641a40e..121267eab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_exectuion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md
index e7a869e9f..803e48550 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\aspnet_compiler.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\notepad.exe") or (tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\AppData\Local\Roaming\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md
index 7f9199381..4b4f025f2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_aspnet_compiler_susp_paths.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework\" or tgt.process.image.path contains "C:\Windows\Microsoft.NET\Framework64\") and tgt.process.image.path contains "\aspnet_compiler.exe" and (tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Local\Roaming\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains ":\Windows\System32\Tasks\" or tgt.process.cmdline contains ":\Windows\Tasks\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md
index 01b972ca1..867c28a04 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_at_interactive_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\at.exe" and tgt.process.cmdline contains "interactive"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md
index a0ea79a41..4c3115500 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_auditpol_nt_resource_kit_usage.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md
index 5d5737a5d..796fdae8c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_suspicious_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\" or tgt.process.image.path contains "\AppData\Roaming\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\PerfLogs\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md
index 0ae62614f..5eb68a8af 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bginfo_uncommon_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\bginfo.exe" or src.process.image.path contains "\bginfo64.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md
index e24d49553..2aaf4b46a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_bitlockertogo_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\BitLockerToGo.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md
index 197f1d4e4..216ae0dff 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_debugging.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--remote-debugging-" and tgt.process.cmdline contains "--user-data-dir" and tgt.process.cmdline contains "--headless"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md
index 92dbd8ba1..05becdec6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_exec.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md
index fee4753b7..342d43caa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_headless_file_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and (tgt.process.cmdline contains "--headless" and tgt.process.cmdline contains "dump-dom" and tgt.process.cmdline contains "http")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md
index 24ba0931a..c8c7fed99 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_load_extension.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension="))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md
index feea28857..ccb50cb36 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_mockbin_abuse.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--headless" and (tgt.process.cmdline contains "://run.mocky" or tgt.process.cmdline contains "://mockbin")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md
index 6c75e4a46..db4be64ec 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_chromium_susp_load_extension.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\wscript.exe") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "--load-extension="))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md
index 4b06c99d4..d15e229aa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_inline_file_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http" and (tgt.process.cmdline contains ".7z" or tgt.process.cmdline contains ".dat" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".ps1" or tgt.process.cmdline contains ".psm1" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".zip")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md
index f5b910fb7..09c6d54a6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_remote_debugging.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --remote-debugging-" or (tgt.process.image.path contains "\firefox.exe" and tgt.process.cmdline contains " -start-debugger-server")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md
index 2a1236125..0d197d501 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_browsers_tor_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tor.exe" or tgt.process.image.path contains "\Tor Browser\Browser\firefox.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md
index a5424e305..35b00f7d6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_calc_uncommon_exec.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\calc.exe " or (tgt.process.image.path contains "\calc.exe" and (not (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\" or tgt.process.image.path contains ":\Windows\WinSxS\")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md
index 9a8591ec5..de49bd792 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_lookup.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\cmd.exe" and (src.process.cmdline contains " -c " or src.process.cmdline contains " /c " or src.process.cmdline contains " –c " or src.process.cmdline contains " —c " or src.process.cmdline contains " ―c " or src.process.cmdline contains " -r " or src.process.cmdline contains " /r " or src.process.cmdline contains " –r " or src.process.cmdline contains " —r " or src.process.cmdline contains " ―r " or src.process.cmdline contains " -k " or src.process.cmdline contains " /k " or src.process.cmdline contains " –k " or src.process.cmdline contains " —k " or src.process.cmdline contains " ―k ") and tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains "chcp" or tgt.process.cmdline contains "chcp " or tgt.process.cmdline contains "chcp  ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md
index fea608d51..6a6757651 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_chcp_codepage_switch.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chcp.com" and (tgt.process.cmdline contains " 936" or tgt.process.cmdline contains " 1258"))) | columns src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md
index 3cfa6050d..65afc7473 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_portable_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cloudflared.exe" and (not (tgt.process.image.path contains ":\Program Files (x86)\cloudflared\" or tgt.process.image.path contains ":\Program Files\cloudflared\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md
index 24c5139e1..71ddff64e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_cleanup.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains "cleanup ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-connector-id ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md
index 94ad8a1b8..15fe5e5cb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cloudflared_tunnel_run.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tunnel " and tgt.process.cmdline contains " run ") and (tgt.process.cmdline contains "-config " or tgt.process.cmdline contains "-credentials-contents " or tgt.process.cmdline contains "-credentials-file " or tgt.process.cmdline contains "-token ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md
index c6439931c..873d77d1a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_curl_download_exec_combo.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " –c " or tgt.process.cmdline contains " —c " or tgt.process.cmdline contains " ―c ") and (tgt.process.cmdline contains "curl " and tgt.process.cmdline contains "http" and tgt.process.cmdline contains "-o" and tgt.process.cmdline contains "&")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md
index 9dfd2a2d8..4a717ecee 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_dosfuscation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "^^" or tgt.process.cmdline contains "^|^" or tgt.process.cmdline contains ",;," or tgt.process.cmdline contains ";;;;" or tgt.process.cmdline contains ";; ;;" or tgt.process.cmdline contains "(,(," or tgt.process.cmdline contains "%COMSPEC:~" or tgt.process.cmdline contains " c^m^d" or tgt.process.cmdline contains "^c^m^d" or tgt.process.cmdline contains " c^md" or tgt.process.cmdline contains " cm^d" or tgt.process.cmdline contains "^cm^d" or tgt.process.cmdline contains " s^et " or tgt.process.cmdline contains " s^e^t " or tgt.process.cmdline contains " se^t "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md
index 5b6c26e45..647411aef 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_http_appdata.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "://" and tgt.process.cmdline contains "%AppData%"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md
index aa5217877..22bb6ecd8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "mklink" and tgt.process.cmdline contains "HarddiskVolumeShadowCopy"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md
index c19ac0a57..7e5de21e8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_no_space_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "cmd.exe/c" or tgt.process.cmdline contains "\cmd/c" or tgt.process.cmdline contains "\"cmd/c" or tgt.process.cmdline contains "cmd.exe/k" or tgt.process.cmdline contains "\cmd/k" or tgt.process.cmdline contains "\"cmd/k" or tgt.process.cmdline contains "cmd.exe/r" or tgt.process.cmdline contains "\cmd/r" or tgt.process.cmdline contains "\"cmd/r") or (tgt.process.cmdline contains "/cwhoami" or tgt.process.cmdline contains "/cpowershell" or tgt.process.cmdline contains "/cschtasks" or tgt.process.cmdline contains "/cbitsadmin" or tgt.process.cmdline contains "/ccertutil" or tgt.process.cmdline contains "/kwhoami" or tgt.process.cmdline contains "/kpowershell" or tgt.process.cmdline contains "/kschtasks" or tgt.process.cmdline contains "/kbitsadmin" or tgt.process.cmdline contains "/kcertutil") or (tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /r")) and (not ((tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /r ") or (tgt.process.cmdline contains "AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules" or tgt.process.cmdline contains "cmd.exe/c ." or tgt.process.cmdline="cmd.exe /c")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md
index fdb5224a8..34ae34066 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ntdllpipe_redirect.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "type %windir%\system32\ntdll.dll" or tgt.process.cmdline contains "type %systemroot%\system32\ntdll.dll" or tgt.process.cmdline contains "type c:\windows\system32\ntdll.dll" or tgt.process.cmdline contains "\ntdll.dll > \\.\pipe\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md
index f1e909ef2..5d69f09d7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_ping_del_combined_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ") and tgt.process.cmdline contains "Nul" and (tgt.process.cmdline contains " -f " or tgt.process.cmdline contains " /f " or tgt.process.cmdline contains " –f " or tgt.process.cmdline contains " —f " or tgt.process.cmdline contains " ―f " or tgt.process.cmdline contains " -q " or tgt.process.cmdline contains " /q " or tgt.process.cmdline contains " –q " or tgt.process.cmdline contains " —q " or tgt.process.cmdline contains " ―q ") and (tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "del ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md
index 78eeed04d..c97528f2e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_shadowcopy_access.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md
index a6d9c14b8..d20860b82 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\winlogon.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "Magnify.exe" or tgt.process.cmdline contains "Narrator.exe" or tgt.process.cmdline contains "DisplaySwitch.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md
index 59a902a82..812c6417f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_sticky_keys_replace.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "copy " and tgt.process.cmdline contains "/y " and tgt.process.cmdline contains "C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md
index 660344eef..10c1dc504 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_type_arbitrary_file_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > \\") or (tgt.process.cmdline contains "type \\" and tgt.process.cmdline contains " > ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md
index d4ff51814..2d6c0cf48 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmd_unusual_parent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\cmd.exe" and (src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\ctfmon.exe" or src.process.image.path contains "\dllhost.exe" or src.process.image.path contains "\epad.exe" or src.process.image.path contains "\FlashPlayerUpdateService.exe" or src.process.image.path contains "\GoogleUpdate.exe" or src.process.image.path contains "\jucheck.exe" or src.process.image.path contains "\jusched.exe" or src.process.image.path contains "\LogonUI.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\SearchIndexer.exe" or src.process.image.path contains "\SearchProtocolHost.exe" or src.process.image.path contains "\SIHClient.exe" or src.process.image.path contains "\sihost.exe" or src.process.image.path contains "\slui.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\sppsvc.exe" or src.process.image.path contains "\taskhostw.exe" or src.process.image.path contains "\unsecapp.exe" or src.process.image.path contains "\WerFault.exe" or src.process.image.path contains "\wermgr.exe" or src.process.image.path contains "\wlanext.exe" or src.process.image.path contains "\WUDFHost.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md
index f4bbc8ef2..4d3adc439 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_cmstp_execution_by_creation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\cmstp.exe") | columns tgt.process.cmdline,src.process.cmdline,Details
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md
index 990f62ec5..5e66252d0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_legacy_option.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.integrityLevel="High" and (tgt.process.cmdline contains "conhost.exe" and tgt.process.cmdline contains "0xffffffff" and tgt.process.cmdline contains "-ForceV1")))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","S-1-16-12288")) and (tgt.process.cmdline contains "conhost.exe" and tgt.process.cmdline contains "0xffffffff" and tgt.process.cmdline contains "-ForceV1")))
 ```
 
 
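Review bot: The new `tgt.process.integrityLevel in ("High","S-1-16-12288")` on line 996 is an exact-match list, so the added SID literal only fires if the SentinelOne field can actually carry the raw `S-1-16-12288` form rather than a normalised name; whether the agent ever emits the SID (or a variant such as `HIGH`) is not shown here, so confirm against real process-creation events before counting on it. If the field is always the resolved name the extra value is dead but harmless; if it is ever lower-cased or combined (e.g. `High (S-1-16-12288)`) neither alternative matches and the rule silently stops firing. I would pin this in the translated query with a comment such as `// "S-1-16-12288" is the SID form of the High integrity level; kept for sources that do not resolve the name` so the next regeneration does not drop it as noise.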
@@ -16,6 +16,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
 author: frack113
 date: 2022-12-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.t1202
@@ -24,7 +25,9 @@ logsource:
     category: process_creation
 detection:
     selection:
-        IntegrityLevel: 'High'
+        IntegrityLevel:
+            - 'High'
+            - 'S-1-16-12288'
         CommandLine|contains|all:
             - 'conhost.exe'
             - '0xffffffff'
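Review bot: The `IntegrityLevel` selection now lists `'High'` and `'S-1-16-12288'` without saying why both are needed, and a reader of the rule cannot tell that the second is not a separate level. Presumably it is the SID rendering of High that some log pipelines emit instead of the name, but that is an inference from the values, not something the rule states. A one-line comment on the list, e.g. `# S-1-16-12288: SID form of the High integrity level, for sources that do not resolve the name`, would make the intent explicit and stop a future cleanup from treating the SID as a copy-paste error.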
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md
index 2a9342a01..7b152493f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_path_traversal.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.cmdline contains "conhost" and tgt.process.cmdline contains "/../../"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md
index 6e3c7a2bd..961b0821e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_conhost_uncommon_parent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\conhost.exe" and (src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\lsass.exe" or src.process.image.path contains "\regsvr32.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\smss.exe" or src.process.image.path contains "\spoolsv.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\userinit.exe" or src.process.image.path contains "\wininit.exe" or src.process.image.path contains "\winlogon.exe")) and (not (src.process.cmdline contains "-k apphost -s AppHostSvc" or src.process.cmdline contains "-k imgsvc" or src.process.cmdline contains "-k localService -p -s RemoteRegistry" or src.process.cmdline contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or src.process.cmdline contains "-k NetSvcs -p -s NcaSvc" or src.process.cmdline contains "-k netsvcs -p -s NetSetupSvc" or src.process.cmdline contains "-k netsvcs -p -s wlidsvc" or src.process.cmdline contains "-k NetworkService -p -s DoSvc" or src.process.cmdline contains "-k wsappx -p -s AppXSvc" or src.process.cmdline contains "-k wsappx -p -s ClipSVC")) and (not (src.process.cmdline contains "C:\Program Files (x86)\Dropbox\Client\" or src.process.cmdline contains "C:\Program Files\Dropbox\Client\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md
index c755247c1..4b978e57e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_csc_susp_dynamic_compilation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csc.exe" and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\Windows\Temp\") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Pictures\")) or tgt.process.cmdline matches "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not ((src.process.image.path contains "C:\Program Files (x86)\" or src.process.image.path contains "C:\Program Files\") or src.process.image.path="C:\Windows\System32\sdiagnhost.exe" or src.process.image.path="C:\Windows\System32\inetsrv\w3wp.exe")) and (not ((src.process.image.path in ("C:\ProgramData\chocolatey\choco.exe","C:\ProgramData\chocolatey\tools\shimgen.exe")) or src.process.cmdline contains "\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" or (src.process.cmdline contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or src.process.cmdline contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or src.process.cmdline contains 
"nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md
index d0145c118..cb9b803c5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_curl_susp_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\curl.exe" or tgt.process.displayName="The curl executable") and ((tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "C:\PerfLogs\" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Windows\Temp\") or (tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".gif" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".temp" or tgt.process.cmdline contains ".tmp" or tgt.process.cmdline contains ".txt" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs")) and (not (src.process.image.path="C:\Program Files\Git\usr\bin\sh.exe" and tgt.process.image.path="C:\Program Files\Git\mingw64\bin\curl.exe" and (tgt.process.cmdline contains "--silent --show-error --output " and tgt.process.cmdline contains "gfw-httpget-" and tgt.process.cmdline contains "AppData")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md
index fae88adb0..7e6208fe1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_defaultpack_uncommon_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\DefaultPack.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md
index bd271883a..f3bc37173 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_remote_file_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\desktopimgdownldr.exe" and src.process.image.path contains "\desktopimgdownldr.exe" and tgt.process.cmdline contains "/lockscreenurl:http"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md
index a275f0644..dea90faed 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_desktopimgdownldr_susp_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /lockscreenurl:" and (not (tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".jpeg" or tgt.process.cmdline contains ".png"))) or (tgt.process.cmdline contains "reg delete" and tgt.process.cmdline contains "\PersonalizationCSP"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md
index 1b3f2908a..aeb593638 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_devinit_lolbin_usage.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -t msi-install " and tgt.process.cmdline contains " -i http"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md
index b34061045..044c154d8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dfsvc_suspicious_child_processes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\AppData\Local\Apps\2.0\" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md
index b0fb7bf1f..7dd3169b8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_diskshadow_child_process_susp.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\diskshadow.exe" and (tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md
index e51250756..4a75d97d4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dism_remove.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\DismHost.exe" and (src.process.cmdline contains "/Online" and src.process.cmdline contains "/Disable-Feature")) or (tgt.process.image.path contains "\Dism.exe" and (tgt.process.cmdline contains "/Online" and tgt.process.cmdline contains "/Disable-Feature"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md
index 319b9c4cc..37be295fb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dll_sideload_vmware_xfer.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VMwareXferlogs.exe" and (not tgt.process.image.path contains "C:\Program Files\VMware\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md
index d72163bca..1d525135f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dllhost_no_cli_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dllhost.exe" and (tgt.process.cmdline in ("dllhost.exe","dllhost"))) and (not not (tgt.process.cmdline matches "\.*"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md
index 0aaad838b..3fb75f7aa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_exfiltration_tools_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\iodine.exe" or tgt.process.image.path contains "\dnscat2"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md
index 931844d76..56787f051 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dns_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\dns.exe" and (not tgt.process.image.path contains "\conhost.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md
index 4fa11fa19..2f376c5a2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_discovery.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/enumrecords" or tgt.process.cmdline contains "/enumzones" or tgt.process.cmdline contains "/ZonePrint" or tgt.process.cmdline contains "/info")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md
index a3c3bfbb9..5d86f23cb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\dnscmd.exe" and (tgt.process.cmdline contains "/config" and tgt.process.cmdline contains "/serverlevelplugindll")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md
index 3abbe8c0d..8403781ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dnx_execute_csharp_code.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\dnx.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md
index 14d6673fd..578d0403f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_dtrace_kernel_dump.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\dtrace.exe" and tgt.process.cmdline contains "lkd(0)") or (tgt.process.cmdline contains "syscall:::return" and tgt.process.cmdline contains "lkd(")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md
index c87d7751d..16099c88f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_esentutl_params.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "esentutl" and tgt.process.cmdline contains " /p")) | columns tgt.process.user,tgt.process.cmdline,src.process.cmdline,tgt.process.image.path
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md
index 95769008a..e45cab5e3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_eventvwr_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\eventvwr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\WerFault.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\WerFault.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md
index 0f41f7154..ea7761078 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_expand_cabinet_files.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\expand.exe" and (tgt.process.cmdline contains "-F:" or tgt.process.cmdline contains "/F:" or tgt.process.cmdline contains "–F:" or tgt.process.cmdline contains "—F:" or tgt.process.cmdline contains "―F:")) and ((tgt.process.cmdline contains ":\Perflogs\" or tgt.process.cmdline contains ":\ProgramData" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\Admin$\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\C$\" or tgt.process.cmdline contains "\Temporary Internet") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favorites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Favourites\") or (tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\Contacts\"))) and (not (src.process.image.path="C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe" and tgt.process.cmdline contains "C:\ProgramData\Dell\UpdateService\Temp\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md
index f9211914d..a5cc1f9d4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_break_process_tree.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or ((tgt.process.cmdline contains "explorer.exe") and (tgt.process.cmdline contains " -root," or tgt.process.cmdline contains " /root," or tgt.process.cmdline contains " –root," or tgt.process.cmdline contains " —root," or tgt.process.cmdline contains " ―root,"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md
index d5fe72b1e..c3267f695 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "shell:mycomputerfolder"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md
index f9fbf673f..b87f4939c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_explorer_nouaccheck.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "/NOUACCHECK") and (not (src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" or src.process.image.path="C:\Windows\System32\svchost.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md
index 0a71a5279..fd32a15d9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_findstr_recon_pipe_output.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ipconfig*|*find*" or tgt.process.cmdline="*net*|*find*" or tgt.process.cmdline="*netstat*|*find*" or tgt.process.cmdline="*ping*|*find*" or tgt.process.cmdline="*systeminfo*|*find*" or tgt.process.cmdline="*tasklist*|*find*" or tgt.process.cmdline="*whoami*|*find*"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md
index 9c6467c49..eeff96ae9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_forfiles_child_process_masquerading.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.cmdline contains ".exe" or src.process.cmdline contains ".exe\"") and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "/c echo \"") and (not ((src.process.image.path contains ":\Windows\System32\" or src.process.image.path contains ":\Windows\SysWOW64\") and src.process.image.path contains "\forfiles.exe" and (tgt.process.image.path contains ":\Windows\System32\" or tgt.process.image.path contains ":\Windows\SysWOW64\") and tgt.process.image.path contains "\cmd.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md
index 43f870880..54bc7b796 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_format_uncommon_filesystem_load.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\format.com" and tgt.process.cmdline contains "/fs:") and (not (tgt.process.cmdline contains "/fs:exFAT" or tgt.process.cmdline contains "/fs:FAT" or tgt.process.cmdline contains "/fs:NTFS" or tgt.process.cmdline contains "/fs:ReFS" or tgt.process.cmdline contains "/fs:UDF"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md
index ffa5eca8a..d513b54a2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\GfxDownloadWrapper.exe" and (tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://")) and (not tgt.process.cmdline contains "https://gameplayapi.intel.com/")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md
index 700cb5638..36ed6c27b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_googleupdate_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\GoogleUpdate.exe" and (not ((tgt.process.image.path contains "\Google" or (tgt.process.image.path contains "\setup.exe" or tgt.process.image.path contains "chrome_updater.exe" or tgt.process.image.path contains "chrome_installer.exe")) or not (tgt.process.image.path matches "\.*")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md
index 16c5235e0..a3a22e63c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_decryption.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -d " and tgt.process.cmdline contains "passphrase")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md
index 0fe0a9954..d239f385a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_encryption.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GnuPG’s OpenPGP tool") and (tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "passphrase")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md
index 2988b60b3..e805cdbb5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpg4win_susp_location.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\gpg.exe" or tgt.process.image.path contains "\gpg2.exe") or tgt.process.displayName="GNU Privacy Guard (GnuPG)" or tgt.process.displayName="GnuPG’s OpenPGP tool") and tgt.process.cmdline contains "-passphrase" and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\AppData\Roaming\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md
index 5e974a847..9d2e5a866 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gpresult_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\gpresult.exe" and (tgt.process.cmdline contains "/z" or tgt.process.cmdline contains "/v")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md
index 6acfcb5b2..7565e5cf1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_arbitrary_binary_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\gup.exe" and tgt.process.image.path contains "\explorer.exe") and (not ((tgt.process.image.path contains "\explorer.exe" and tgt.process.cmdline contains "\Notepad++\notepad++.exe") or src.process.image.path contains "\Notepad++\updater\" or not (tgt.process.cmdline matches "\.*")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md
index 161700c20..2b67ad042 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_gup_suspicious_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\GUP.exe" and (not ((tgt.process.image.path contains "\Program Files\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\Program Files (x86)\Notepad++\updater\GUP.exe") or (tgt.process.image.path contains "\Users\" and (tgt.process.image.path contains "\AppData\Local\Notepad++\updater\GUP.exe" or tgt.process.image.path contains "\AppData\Roaming\Notepad++\updater\GUP.exe"))))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md
index 5cd302a21..78944c07e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hh_html_help_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\hh.exe" and (tgt.process.image.path contains "\CertReq.exe" or tgt.process.image.path contains "\CertUtil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\installutil.exe" or tgt.process.image.path contains "\MSbuild.exe" or tgt.process.image.path contains "\MSHTA.EXE" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md
index e849ac382..b3b292cac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_adcspwn.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " --adcs " and tgt.process.cmdline contains " --port "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md
index 5faf0da49..acb1f6397 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_bloodhound_sharphound.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName contains "SharpHound" or tgt.process.displayName contains "SharpHound" or (tgt.process.publisher contains "SpecterOps" or tgt.process.publisher contains "evil corp") or (tgt.process.image.path contains "\Bloodhound.exe" or tgt.process.image.path contains "\SharpHound.exe")) or (tgt.process.cmdline contains " -CollectionMethod All " or tgt.process.cmdline contains " --CollectionMethods Session " or tgt.process.cmdline contains " --Loop --Loopduration " or tgt.process.cmdline contains " --PortScanTimeout " or tgt.process.cmdline contains ".exe -c All -d " or tgt.process.cmdline contains "Invoke-Bloodhound" or tgt.process.cmdline contains "Get-BloodHoundData") or (tgt.process.cmdline contains " -JsonFolder " and tgt.process.cmdline contains " -ZipFileName ") or (tgt.process.cmdline contains " DCOnly " and tgt.process.cmdline contains " --NoSaveCache ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md
index eb039444f..2d4569870 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_c3_rundll32_pattern.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains ".dll" and tgt.process.cmdline contains "StartNodeRelay"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md
index 370a8586a..455bb8d70 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_cobaltstrike_process_patterns.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd.exe /C whoami" and src.process.image.path contains "C:\Temp\") or ((src.process.image.path contains "\runonce.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.cmdline contains "cmd.exe /c echo" and tgt.process.cmdline contains "> \\.\pipe")) or ((src.process.cmdline contains "cmd.exe /C echo" and src.process.cmdline contains " > \\.\pipe") and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1") or (src.process.cmdline contains "/C whoami" and tgt.process.cmdline contains "conhost.exe 0xffffffff -ForceV1")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md
index 9504fccab..ee715595f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_covenant.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-Sta" and tgt.process.cmdline contains "-Nop" and tgt.process.cmdline contains "-Window" and tgt.process.cmdline contains "Hidden") and (tgt.process.cmdline contains "-Command" or tgt.process.cmdline contains "-EncodedCommand")) or (tgt.process.cmdline contains "sv o (New-Object IO.MemorySteam);sv d " or tgt.process.cmdline contains "mshta file.hta" or tgt.process.cmdline contains "GruntHTTP" or tgt.process.cmdline contains "-EncodedCommand cwB2ACAAbwAgA")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md
index e588f000d..cc7cc611f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\crackmapexec.exe" or tgt.process.cmdline contains " -M pe_inject " or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -x ") or (tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -H 'NTHASH'") or (tgt.process.cmdline contains " mssql " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -d ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -H " and tgt.process.cmdline contains " -M " and tgt.process.cmdline contains " -o ") or (tgt.process.cmdline contains " smb " and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " --local-auth")) or ((tgt.process.cmdline contains " --local-auth" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p ") and (tgt.process.cmdline contains " 10." and tgt.process.cmdline contains " 192.168." and tgt.process.cmdline contains "/24 ")))) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md
index 560acd777..201ef3cdd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_execution_patterns.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*cmd.exe /Q /c * 1> \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > \\*\*\* 2>&1*" or tgt.process.cmdline="*cmd.exe /C * > *\Temp\* 2>&1*" or tgt.process.cmdline contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or tgt.process.cmdline contains "powershell.exe -noni -nop -w 1 -enc "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md
index fee7d70aa..706aa85c5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_crackmapexec_patterns.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "tasklist /fi " and tgt.process.cmdline contains "Imagename eq lsass.exe") and (tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd /k ") and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) or (tgt.process.cmdline contains "do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump" and tgt.process.cmdline contains "\Windows\Temp\" and tgt.process.cmdline contains " full" and tgt.process.cmdline contains "%%B") or (tgt.process.cmdline contains "tasklist /v /fo csv" and tgt.process.cmdline contains "findstr /i \"lsass\"")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md
index 9b8bff2db..32ffaaa2e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_dinjector.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /am51" and tgt.process.cmdline contains " /password"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md
index ecc664d86..5fd79eea7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_launch.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -sta -NonI -W Hidden -Enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc " or tgt.process.cmdline contains " -NoP -NonI -W Hidden -enc " or tgt.process.cmdline contains " -noP -sta -w 1 -enc" or tgt.process.cmdline contains " -enc  SQB" or tgt.process.cmdline contains " -nop -exec bypass -EncodedCommand "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md
index 25bedd4b5..d84f28830 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_empire_powershell_uac_bypass.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)" or tgt.process.cmdline contains " -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);")) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md
index df33399e4..ec67cc04c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_evil_winrm.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ruby.exe" and (tgt.process.cmdline contains "-i " and tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md
index 1c37478e1..b46c9d191 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_execution_via_pe_metadata.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.publisher="Cube0x0")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md
index 1c0523a9c..6e8ca06cc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hashcat.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hashcat.exe" or (tgt.process.cmdline contains "-a " and tgt.process.cmdline contains "-m 1000 " and tgt.process.cmdline contains "-r ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md
index 35d8adbed..ba78d0dad 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_htran_or_natbypass.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\htran.exe" or tgt.process.image.path contains "\lcx.exe") or (tgt.process.cmdline contains ".exe -tran " or tgt.process.cmdline contains ".exe -slave ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md
index 93ecf5afa..aa89b4c36 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_hydra.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-u " and tgt.process.cmdline contains "-p ") and (tgt.process.cmdline contains "^USER^" or tgt.process.cmdline contains "^PASS^")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md
index 019a36fef..39e690877 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_lateral_movement.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\mmc.exe" or src.process.image.path contains "\explorer.exe" or src.process.image.path contains "\services.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/Q" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "\\127.0.0.1\" and tgt.process.cmdline contains "&1")) or ((src.process.cmdline contains "svchost.exe -k netsvcs" or src.process.cmdline contains "taskeng.exe") and (tgt.process.cmdline contains "cmd.exe" and tgt.process.cmdline contains "/C" and tgt.process.cmdline contains "Windows\Temp\" and tgt.process.cmdline contains "&1")))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md
index 12f267382..718cb2a43 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_impacket_tools.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\goldenPac" or tgt.process.image.path contains "\karmaSMB" or tgt.process.image.path contains "\kintercept" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\rpcdump" or tgt.process.image.path contains "\samrdump" or tgt.process.image.path contains "\secretsdump" or tgt.process.image.path contains "\smbexec" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\wmiexec" or tgt.process.image.path contains "\wmipersist") or (tgt.process.image.path contains "\atexec_windows.exe" or tgt.process.image.path contains "\dcomexec_windows.exe" or tgt.process.image.path contains "\dpapi_windows.exe" or tgt.process.image.path contains "\findDelegation_windows.exe" or tgt.process.image.path contains "\GetADUsers_windows.exe" or tgt.process.image.path contains "\GetNPUsers_windows.exe" or tgt.process.image.path contains "\getPac_windows.exe" or tgt.process.image.path contains "\getST_windows.exe" or tgt.process.image.path contains "\getTGT_windows.exe" or tgt.process.image.path contains "\GetUserSPNs_windows.exe" or tgt.process.image.path contains "\ifmap_windows.exe" or tgt.process.image.path contains "\mimikatz_windows.exe" or tgt.process.image.path contains "\netview_windows.exe" or tgt.process.image.path contains "\nmapAnswerMachine_windows.exe" or tgt.process.image.path contains "\opdump_windows.exe" or tgt.process.image.path contains "\psexec_windows.exe" or tgt.process.image.path contains "\rdp_check_windows.exe" or tgt.process.image.path contains "\sambaPipe_windows.exe" or tgt.process.image.path contains "\smbclient_windows.exe" or tgt.process.image.path contains "\smbserver_windows.exe" or tgt.process.image.path contains "\sniff_windows.exe" or tgt.process.image.path contains "\sniffer_windows.exe" or tgt.process.image.path contains "\split_windows.exe" or tgt.process.image.path contains 
"\ticketer_windows.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md
index 5491f29e2..7c52e666d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_clip.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "clipboard]::" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "/r")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md
index facf3f296..51145b930 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline matches "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or tgt.process.cmdline matches "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or tgt.process.cmdline matches "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or tgt.process.cmdline matches "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or tgt.process.cmdline matches "\\*mdr\\*\\W\\s*\\)\\.Name" or tgt.process.cmdline matches "\\$VerbosePreference\\.ToString\\(" or tgt.process.cmdline matches "\\[String\\]\\s*\\$VerbosePreference"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md
index d4c3932ad..c3b3ff70a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_stdin.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\"")
 ```
 
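Review bot: The regex on the query line ends in `\\""`, which under backslash-escaped string literals is a literal backslash followed by the closing quote, leaving a stray `"` before `)` — the query would either fail to parse or lose the trailing quote anchor the pattern relies on. The source pattern presumably ended in an escaped double quote, so the tail should read `.+\"")` (or `.+\\\"")` if a literal backslash-quote was intended); please confirm against the PQ string grammar. Only the translation timestamp changes in this hunk, so this looks like a pre-existing translator escaping defect rather than something introduced here; the same `"")` tail appears in the obfuscation_var and via_stdin hunks of this commit.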
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md
index 34cf7298f..558898c46 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_var.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\"")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md
index f5ab2f74f..7e197a6ac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "text.encoding]::ascii") and (tgt.process.cmdline contains "system.io.compression.deflatestream" or tgt.process.cmdline contains "system.io.streamreader" or tgt.process.cmdline contains "readtoend(")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md
index b21dd4a13..b9ad7accf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*"")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md
index 6daa4f6dd..47efdce2c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline matches "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md
index fe7460160..67dd8c73c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "set" and tgt.process.cmdline contains "&&" and tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "vbscript:createobject" and tgt.process.cmdline contains ".run" and tgt.process.cmdline contains "(window.close)"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md
index 87a5342c9..f4985d863 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_invoke_obfuscation_via_var.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "&&set" and tgt.process.cmdline contains "cmd" and tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "-f") and (tgt.process.cmdline contains "{0}" or tgt.process.cmdline contains "{1}" or tgt.process.cmdline contains "{2}" or tgt.process.cmdline contains "{3}" or tgt.process.cmdline contains "{4}" or tgt.process.cmdline contains "{5}")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md
index 40c9366fc..23a9c8ca3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_jlaive_batch_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\cmd.exe" and src.process.cmdline contains ".bat") and ((tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "powershell.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\xcopy.exe" and (tgt.process.cmdline contains "pwsh.exe" and tgt.process.cmdline contains ".bat.exe")) or (tgt.process.image.path contains "\attrib.exe" and (tgt.process.cmdline contains "+s" and tgt.process.cmdline contains "+h" and tgt.process.cmdline contains ".bat.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md
index f2a8a1d1e..52fdfe5d7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_lazagne.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\lazagne.exe" or ((tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Tmp\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Users\Public\") and (tgt.process.cmdline contains ".exe all" or tgt.process.cmdline contains ".exe browsers" or tgt.process.cmdline contains ".exe chats" or tgt.process.cmdline contains ".exe databases" or tgt.process.cmdline contains ".exe games" or tgt.process.cmdline contains ".exe git" or tgt.process.cmdline contains ".exe mails" or tgt.process.cmdline contains ".exe maven" or tgt.process.cmdline contains ".exe memory" or tgt.process.cmdline contains ".exe multimedia" or tgt.process.cmdline contains ".exe sysadmin" or tgt.process.cmdline contains ".exe unused" or tgt.process.cmdline contains ".exe wifi" or tgt.process.cmdline contains ".exe windows")) or ((tgt.process.cmdline contains "all " or tgt.process.cmdline contains "browsers " or tgt.process.cmdline contains "chats " or tgt.process.cmdline contains "databases " or tgt.process.cmdline contains "games " or tgt.process.cmdline contains "git " or tgt.process.cmdline contains "mails " or tgt.process.cmdline contains "maven " or tgt.process.cmdline contains "memory " or tgt.process.cmdline contains "multimedia " or tgt.process.cmdline contains "php " or tgt.process.cmdline contains "svn " or tgt.process.cmdline contains "sysadmin " or tgt.process.cmdline contains "unused " or tgt.process.cmdline contains "wifi " or tgt.process.cmdline contains "windows ") and (tgt.process.cmdline contains "-oA" or tgt.process.cmdline contains "-oJ" or tgt.process.cmdline contains "-oN" or tgt.process.cmdline contains "-output" or 
tgt.process.cmdline contains "-password" or tgt.process.cmdline contains "-1Password" or tgt.process.cmdline contains "-apachedirectorystudio" or tgt.process.cmdline contains "-autologon" or tgt.process.cmdline contains "-ChromiumBased" or tgt.process.cmdline contains "-composer" or tgt.process.cmdline contains "-coreftp" or tgt.process.cmdline contains "-credfiles" or tgt.process.cmdline contains "-credman" or tgt.process.cmdline contains "-cyberduck" or tgt.process.cmdline contains "-dbvis" or tgt.process.cmdline contains "-EyeCon" or tgt.process.cmdline contains "-filezilla" or tgt.process.cmdline contains "-filezillaserver" or tgt.process.cmdline contains "-ftpnavigator" or tgt.process.cmdline contains "-galconfusion" or tgt.process.cmdline contains "-gitforwindows" or tgt.process.cmdline contains "-hashdump" or tgt.process.cmdline contains "-iisapppool" or tgt.process.cmdline contains "-IISCentralCertP" or tgt.process.cmdline contains "-kalypsomedia" or tgt.process.cmdline contains "-keepass" or tgt.process.cmdline contains "-keepassconfig" or tgt.process.cmdline contains "-lsa_secrets" or tgt.process.cmdline contains "-mavenrepositories" or tgt.process.cmdline contains "-memory_dump" or tgt.process.cmdline contains "-Mozilla" or tgt.process.cmdline contains "-mRemoteNG" or tgt.process.cmdline contains "-mscache" or tgt.process.cmdline contains "-opensshforwindows" or tgt.process.cmdline contains "-openvpn" or tgt.process.cmdline contains "-outlook" or tgt.process.cmdline contains "-pidgin" or tgt.process.cmdline contains "-postgresql" or tgt.process.cmdline contains "-psi-im" or tgt.process.cmdline contains "-puttycm" or tgt.process.cmdline contains "-pypykatz" or tgt.process.cmdline contains "-Rclone" or tgt.process.cmdline contains "-rdpmanager" or tgt.process.cmdline contains "-robomongo" or tgt.process.cmdline contains "-roguestale" or tgt.process.cmdline contains "-skype" or tgt.process.cmdline contains "-SQLDeveloper" or tgt.process.cmdline contains 
"-squirrel" or tgt.process.cmdline contains "-tortoise" or tgt.process.cmdline contains "-turba" or tgt.process.cmdline contains "-UCBrowser" or tgt.process.cmdline contains "-unattended" or tgt.process.cmdline contains "-vault" or tgt.process.cmdline contains "-vaultfiles" or tgt.process.cmdline contains "-vnc" or tgt.process.cmdline contains "-windows" or tgt.process.cmdline contains "-winscp" or tgt.process.cmdline contains "-wsl"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md
index 8dc85a811..161f731b4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_meterpreter_getsystem.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\services.exe" and (((tgt.process.cmdline contains "/c" and tgt.process.cmdline contains "echo" and tgt.process.cmdline contains "\pipe\") and (tgt.process.cmdline contains "cmd" or tgt.process.cmdline contains "%COMSPEC%")) or (tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains ".dll,a" and tgt.process.cmdline contains "/p:")) and (not tgt.process.cmdline contains "MpCmdRun"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
 
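Review bot: The projection `| columns ComputerName,tgt.process.user,tgt.process.cmdline` carries an untranslated Windows/Sigma field name — `ComputerName` is not a `tgt.*`/`src.*`/`endpoint.*` field like every other column referenced in this commit, so the column will likely error or come back empty. Suggest `| columns endpoint.name,tgt.process.user,tgt.process.cmdline`, verifying the exact hostname field in the PQ schema. The detection logic itself (services.exe parent with the named-pipe echo or rundll32 `.dll,a /p:` patterns, excluding MpCmdRun) is unaffected, but an analyst pivoting on host will lose the one field that identifies it.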
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md
index f584fcb69..e24751001 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_mimikatz_command_line.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "DumpCreds" or tgt.process.cmdline contains "mimikatz") or (tgt.process.cmdline contains "::aadcookie" or tgt.process.cmdline contains "::detours" or tgt.process.cmdline contains "::memssp" or tgt.process.cmdline contains "::mflt" or tgt.process.cmdline contains "::ncroutemon" or tgt.process.cmdline contains "::ngcsign" or tgt.process.cmdline contains "::printnightmare" or tgt.process.cmdline contains "::skeleton" or tgt.process.cmdline contains "::preshutdown" or tgt.process.cmdline contains "::mstsc" or tgt.process.cmdline contains "::multirdp") or (tgt.process.cmdline contains "rpc::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "crypto::" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "process::" or tgt.process.cmdline contains "vault::")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md
index b90ef7865..f26766e2c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "powershell.exe -NonI" and tgt.process.cmdline contains "/TN Updater /TR") and (tgt.process.cmdline contains "/SC ONLOGON" or tgt.process.cmdline contains "/SC DAILY /ST" or tgt.process.cmdline contains "/SC ONIDLE" or tgt.process.cmdline contains "/SC HOURLY")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md
index 207de9e9b..df5f463e9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_pypykatz.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\pypykatz.exe" or tgt.process.image.path contains "\python.exe") and (tgt.process.cmdline contains "live" and tgt.process.cmdline contains "registry")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md
index 955e4e881..bc8f8975b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_quarks_pwdump.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\QuarksPwDump.exe" or (tgt.process.cmdline in (" -dhl"," --dump-hash-local"," -dhdc"," --dump-hash-domain-cached"," --dump-bitlocker"," -dhd "," --dump-hash-domain ","--ntds-file"))))
 ```
 
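Review bot: `tgt.process.cmdline in (" -dhl"," --dump-hash-local",...)` compares the entire command line for equality against bare flag strings; a real command line starts with the executable, so if `in` is exact-match (as `=` is elsewhere in this commit) this branch can never fire and the rule collapses to the `\QuarksPwDump.exe` image-name check, which a renamed binary trivially bypasses. The source rule almost certainly used substring matching, so each value should become `tgt.process.cmdline contains " -dhl" or tgt.process.cmdline contains " --dump-hash-local" or ...`. Also note `"--ntds-file"` lacks the leading space the other entries carry, which looks like an inconsistency worth fixing at the same time. The hunk itself only bumps the translation timestamp.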
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md
index fff970160..18fa5363d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_redmimicry_winnti_playbook.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "gthread-3.6.dll" or tgt.process.cmdline contains "\Windows\Temp\tmp.bat" or tgt.process.cmdline contains "sigcmm-2.4.dll")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md
index 16526fc18..d20be1028 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_relay_attacks_tools.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "PetitPotam" or tgt.process.image.path contains "RottenPotato" or tgt.process.image.path contains "HotPotato" or tgt.process.image.path contains "JuicyPotato" or tgt.process.image.path contains "\just_dce_" or tgt.process.image.path contains "Juicy Potato" or tgt.process.image.path contains "\temp\rot.exe" or tgt.process.image.path contains "\Potato.exe" or tgt.process.image.path contains "\SpoolSample.exe" or tgt.process.image.path contains "\Responder.exe" or tgt.process.image.path contains "\smbrelayx" or tgt.process.image.path contains "\ntlmrelayx" or tgt.process.image.path contains "\LocalPotato") or (tgt.process.cmdline contains "Invoke-Tater" or tgt.process.cmdline contains " smbrelay" or tgt.process.cmdline contains " ntlmrelay" or tgt.process.cmdline contains "cme smb " or tgt.process.cmdline contains " /ntlm:NTLMhash " or tgt.process.cmdline contains "Invoke-PetitPotam" or tgt.process.cmdline="*.exe -t * -p *") or (tgt.process.cmdline contains ".exe -c \"{" and tgt.process.cmdline contains "}\" -z")) and (not (tgt.process.image.path contains "HotPotatoes6" or tgt.process.image.path contains "HotPotatoes7" or tgt.process.image.path contains "HotPotatoes "))))
 ```
 
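Review bot: The term `tgt.process.cmdline="*.exe -t * -p *"` tests for equality with a string containing literal asterisks — these look like untranslated glob wildcards from the source rule, so unless PQ `=` performs glob matching (please confirm) this term is dead and the `-t … -p` relay-tool invocation pattern is never detected. If `=` is exact-match, express it as a regex, e.g. `tgt.process.cmdline matches "\\.exe -t .* -p "`. The other terms in this hunk use `contains` and are unaffected, as is the HotPotatoes exclusion.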
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md
index 1f9504ecd..f485db1c1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharp_chisel.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpChisel.exe" or tgt.process.displayName="SharpChisel"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md
index 98799b4c7..57ea43d9a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpersist.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\SharPersist.exe" or tgt.process.displayName="SharPersist") or (tgt.process.cmdline contains " -t schtask -c " or tgt.process.cmdline contains " -t startupfolder -c ") or (tgt.process.cmdline contains " -t reg -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t service -c " and tgt.process.cmdline contains " -m add") or (tgt.process.cmdline contains " -t schtask -c " and tgt.process.cmdline contains " -m add")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md
index 719fb05d0..f16b9a76f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpevtmute.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpEvtMute.exe" or tgt.process.displayName="SharpEvtMute" or (tgt.process.cmdline contains "--Filter \"rule " or tgt.process.cmdline contains "--Encoded --Filter \\"")))
 ```
 
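Review bot: The last term, `tgt.process.cmdline contains "--Encoded --Filter \\""`, ends in `\\"`, i.e. a literal backslash followed by the closing quote, which leaves a stray `"` before `)` and should be a parse error if PQ strings are backslash-escaped. The first term on the same line, `"--Filter \"rule "`, shows the translator does emit `\"` for an embedded quote, so the intended value is probably `"--Encoded --Filter \""` (or `"--Encoded --Filter \\\""` if the source pattern really contained a backslash before the quote) — please check the source rule. Only the timestamp comment changes in this hunk, so this is a pre-existing translation defect worth reporting upstream rather than something this commit introduces.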
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md
index ca00852ad..b688a6858 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpup.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SharpUp.exe" or tgt.process.displayName="SharpUp" or (tgt.process.cmdline contains "HijackablePaths" or tgt.process.cmdline contains "UnquotedServicePath" or tgt.process.cmdline contains "ProcessDLLHijack" or tgt.process.cmdline contains "ModifiableServiceBinaries" or tgt.process.cmdline contains "ModifiableScheduledTask" or tgt.process.cmdline contains "DomainGPPPassword" or tgt.process.cmdline contains "CachedGPPPassword")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md
index 87ec37b87..534d99d22 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -Inject " and (tgt.process.cmdline contains " -PayloadArgs " or tgt.process.cmdline contains " -PayloadFile ")) or ((tgt.process.cmdline contains " approve " or tgt.process.cmdline contains " create " or tgt.process.cmdline contains " check " or tgt.process.cmdline contains " delete ") and (tgt.process.cmdline contains " /payload:" or tgt.process.cmdline contains " /payload=" or tgt.process.cmdline contains " /updateid:" or tgt.process.cmdline contains " /updateid="))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md
index 0727faa3b..49afa4807 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_silenttrinity_stager.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.displayName contains "st2stager")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md
index d57a202c3..7bbd0920f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_sliver_c2_execution_pattern.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md
index cdc45dc24..2a415aa27 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_soaphound_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --buildcache " or tgt.process.cmdline contains " --bhdump " or tgt.process.cmdline contains " --certdump " or tgt.process.cmdline contains " --dnsdump ") and (tgt.process.cmdline contains " -c " or tgt.process.cmdline contains " --cachefilename " or tgt.process.cmdline contains " -o " or tgt.process.cmdline contains " --outputdirectory")))
 ```
 
@@ -8,7 +8,7 @@ event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdli
 ```yaml
 title: HackTool - SOAPHound Execution
 id: e92a4287-e072-4a40-9739-370c106bb750
-status: experimental
+status: test
 description: |
     Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
 references:
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md
index ad0891e9f..1c3ea3233 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_winpwn.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Offline_Winpwn" or tgt.process.cmdline contains "WinPwn " or tgt.process.cmdline contains "WinPwn.exe" or tgt.process.cmdline contains "WinPwn.ps1"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md
index d42db5139..a44780262 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_wmiexec_default_powershell.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md
index fb0d20980..9fc1bf731 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_xordump.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\xordump.exe" or (tgt.process.cmdline contains " -process lsass.exe " or tgt.process.cmdline contains " -m comsvcs " or tgt.process.cmdline contains " -m dbghelp " or tgt.process.cmdline contains " -m dbgcore ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md
index 0f892bc59..6b0dcc7b3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hktl_zipexec.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip" and tgt.process.cmdline contains "/pass:" and tgt.process.cmdline contains "/user:") or (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "Microsoft_Windows_Shell_ZipFolder:filename=" and tgt.process.cmdline contains ".zip")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md
index 4d598d863..df9f156b7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hostname_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\HOSTNAME.EXE")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md
index 9ed7746af..d71fb1b8b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hwp_exploits.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Hwp.exe" and tgt.process.image.path contains "\gbb.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md
index 90a518f00..e63953282 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_hxtsr_masquerading.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\hxtsr.exe" and (not (tgt.process.image.path contains ":\program files\windowsapps\microsoft.windowscommunicationsapps_" and tgt.process.image.path contains "\hxtsr.exe"))))
 ```
 
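Review bot: The exclusion `not (tgt.process.image.path contains ":\program files\windowsapps\microsoft.windowscommunicationsapps_" and ...)` is written entirely in lowercase, as is the selection term `"\hxtsr.exe"` on the same line, whereas the on-disk path is mixed case (`Program Files\WindowsApps\...\HxTsr.exe`); the rule therefore only works if `contains` is case-insensitive in PowerQuery. Sigma matching is case-insensitive by default and the upstream rule relies on that, so if the PQ operator is case-sensitive the selection never fires on the real binary and the exclusion never suppresses anything. Confirm the operator's case semantics (or lowercase the field / use a case-insensitive comparison) before deploying; the uppercase `"\HOSTNAME.EXE"` literal in the hostname hunk above raises the same question in the opposite direction.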
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md
index 910ff3730..67fbd15bc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_iis_susp_module_registration.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\w3wp.exe" and (tgt.process.cmdline contains "appcmd.exe add module" or (tgt.process.cmdline contains " system.enterpriseservices.internal.publish" and tgt.process.image.path contains "\powershell.exe") or (tgt.process.cmdline contains "gacutil" and tgt.process.cmdline contains " /I"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md
index 0487d4534..d1d2a6159 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_imagingdevices_unusual_parents.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and tgt.process.image.path contains "\ImagingDevices.exe") or src.process.image.path contains "\ImagingDevices.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md
index f8afacb79..2c0618c5a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "InfDefaultInstall.exe " and tgt.process.cmdline contains ".inf")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
 
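Review bot: The projection `| columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline` carries `ComputerName` through untranslated — it is the Sigma/Sysmon field name, not a SentinelOne PQ field, while the other three names were mapped onto the `tgt.process.*`/`src.process.*` schema. On PQ this will most likely yield an unknown-field error or an empty column; the hostname field in this schema is probably `endpoint.name` (confirm against the tenant's field list), so the line should read `| columns endpoint.name,tgt.process.user,tgt.process.cmdline,src.process.cmdline`. The msdeploy hunk further down has the same unmapped `ComputerName` in its `columns` clause and should be fixed in the translator's field mapping rather than by hand.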
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md
index 9f002ea70..0d09ff12a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_instalutil_no_log_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\InstallUtil.exe" and tgt.process.image.path contains "Microsoft.NET\Framework" and (tgt.process.cmdline contains "/logfile= " and tgt.process.cmdline contains "/LogToConsole=false")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md
index 104cce4e8..008e9bbcf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_keytool_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\keytool.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\query.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md
index baa5115e4..818981d44 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_manageengine_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\ManageEngine\ServiceDesk\" and src.process.image.path contains "\java.exe") and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")) and (not ((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains " stop"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md
index fa07535f1..63d433ec6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_remote_debugging.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "transport=dt_socket,address=" and (tgt.process.cmdline contains "jre1." or tgt.process.cmdline contains "jdk1.")) and (not (tgt.process.cmdline contains "address=127.0.0.1" or tgt.process.cmdline contains "address=localhost")))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md
index 80ed7d7de..350beb028 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\query.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe")))
 ```
 
@@ -11,7 +11,7 @@ id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
 related:
     - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
       type: similar
-status: experimental
+status: test
 description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
 references:
     - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md
index d18c0b3b0..8e18aaafe 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_susp_child_process_2.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not (src.process.image.path contains "build" and tgt.process.cmdline contains "build"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md
index a98533e04..8185855f2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_java_sysaidserver_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and src.process.cmdline contains "SysAidServer"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md
index 3088896a6..6f4d002ef 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_kavremover_uncommon_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " run run-cmd " and (not (src.process.image.path contains "\cleanapi.exe" or src.process.image.path contains "\kavremover.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md
index c152ebdc7..279c6e805 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_link_uncommon_parent_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\link.exe" and tgt.process.cmdline contains "LINK /") and (not ((src.process.image.path contains "C:\Program Files\Microsoft Visual Studio\" or src.process.image.path contains "C:\Program Files (x86)\Microsoft Visual Studio\") and (src.process.image.path contains "\VC\bin\" or src.process.image.path contains "\VC\Tools\")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md
index 44ae65aa2..d0f3bf5e8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_customshellhost.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\CustomShellHost.exe" and (not tgt.process.image.path="C:\Windows\explorer.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md
index 203e6fa07..cbfa4fdad 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_device_credential_deployment.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\DeviceCredentialDeployment.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md
index 03847528f..f2ccd6bcc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_devtoolslauncher.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\devtoolslauncher.exe" and tgt.process.cmdline contains "LaunchForDeploy"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md
index f370cf25c..d6474f428 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_ads.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md
index edc1a30e4..8342bde55 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_diantz_remote_cab.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "diantz.exe" and tgt.process.cmdline contains " \\" and tgt.process.cmdline contains ".cab"))
 ```
 
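Review bot: The UNC indicator `tgt.process.cmdline contains " \\"` is intended to match a space followed by two backslashes (`\\server\share\file.cab`), but if the PowerQuery lexer treats `\` as an escape character the literal collapses to a single backslash and the clause matches any command line with a space before a path separator, making the rule far noisier than intended. The neighbouring rules write path literals with a single unescaped `\` (e.g. `"\xordump.exe"`), and both conventions cannot be correct under the same escaping rule. Confirm the lexer's handling; if backslash is an escape, this literal needs to be `" \\\\"`.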
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md
index 97ce4e01b..7fdfa8ea1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_extrac32_ads.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "extrac32.exe" and tgt.process.cmdline contains ".cab") and tgt.process.cmdline matches ":[^\\\\]"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md
index 38d40504d..13661ae90 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_launch_vsdevshell.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Launch-VsDevShell.ps1" and (tgt.process.cmdline contains "VsWherePath " or tgt.process.cmdline contains "VsInstallationPath ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md
index 0c8cedb51..ee4eb8854 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_mavinject_process_injection.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " /INJECTRUNNING " and (not src.process.image.path="C:\Windows\System32\AppVClient.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md
index 43dfe0558..22e351738 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdeploy.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "verb:sync" and tgt.process.cmdline contains "-source:RunCommand" and tgt.process.cmdline contains "-dest:runCommand") and tgt.process.image.path contains "\msdeploy.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md
index 8b122a8c8..967d6fe80 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_msdt_answer_file.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\msdt.exe" and tgt.process.cmdline contains "\WINDOWS\diagnostics\index\PCWDiagnostic.xml") and (tgt.process.cmdline contains " -af " or tgt.process.cmdline contains " /af ")) and (not src.process.image.path contains "\pcwrun.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md
index 78e9d16d4..74074c44b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_openwith.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\OpenWith.exe" and tgt.process.cmdline contains "/c"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md
index b73afc1f3..edb715a92 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcalua.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcalua.exe" and tgt.process.cmdline contains " -a"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md
index e2da38b37..50d2d4bce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\pcwrun.exe") | columns ComputerName,tgt.process.user,src.process.cmdline,tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md
index b858f484c..f4f975157 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pcwrun_follina.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\pcwrun.exe" and tgt.process.cmdline contains "../"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md
index 2e7c437f0..165eaac53 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and src.process.cmdline contains "\WindowsPowerShell\Modules\Pester\") and (src.process.cmdline contains "{ Invoke-Pester -EnableExit ;" or src.process.cmdline contains "{ Get-Help \"")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md
index b05d5797e..8f57597cf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pester_1.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Pester" and tgt.process.cmdline contains "Get-Help")) or ((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "pester" and tgt.process.cmdline contains ";")) and (tgt.process.cmdline contains "help" or tgt.process.cmdline contains "?"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md
index d903bf838..ff0227712 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_printbrm.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\PrintBrm.exe" and (tgt.process.cmdline contains " -f" and tgt.process.cmdline contains ".zip")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md
index a94dc4ad3..597065ebf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_pubprn.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\pubprn.vbs" and tgt.process.cmdline contains "script:"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md
index a2a18bf42..d94aec2e7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_register_app.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\register_app.vbs" and tgt.process.cmdline contains "-register"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md
index c05dc00e9..905bfc993 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_replace.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\replace.exe" and (tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/a" or tgt.process.cmdline contains "–a" or tgt.process.cmdline contains "—a" or tgt.process.cmdline contains "―a")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md
index 05f6d97f6..f09e5acad 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runexehelper.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\runexehelper.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md
index f4c4665d7..6631d4ba0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_runscripthelper.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Runscripthelper.exe" and tgt.process.cmdline contains "surfacecheck")) | columns tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md
index a0a4dcbf4..748475aec 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_settingsynchost.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\")) and (src.process.cmdline contains "cmd.exe /c" and src.process.cmdline contains "RoamDiag.cmd" and src.process.cmdline contains "-outputpath"))) | columns TargetFilename,tgt.process.image.path
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md
index ea3d84187..2ad701998 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_sftp.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sftp.exe" and (tgt.process.cmdline contains " -D .." or tgt.process.cmdline contains " -D C:\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md
index aacc28942..7e5d035de 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "-i" or tgt.process.cmdline contains "/install" or tgt.process.cmdline contains "-a" or tgt.process.cmdline contains "/add-driver" or tgt.process.cmdline contains ".inf") and tgt.process.image.path contains "\pnputil.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md
index 1c62a4aec..696f9beca 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_grpconv.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "grpconv.exe -o" or tgt.process.cmdline contains "grpconv -o"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md
index 9ddc2b668..dcaea4dde 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_susp_sqldumper_activity.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqldumper.exe" and (tgt.process.cmdline contains "0x0110" or tgt.process.cmdline contains "0x01100:40")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md
index f4e6156c2..8a1823e45 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SyncAppvPublishingServer.vbs" and tgt.process.cmdline contains ";")) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md
index 3d52a1d0f..7d3474648 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tracker.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\tracker.exe" or tgt.process.displayName="Tracker") and (tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " /c ")) and (not (tgt.process.cmdline contains " /ERRORREPORT:PROMPT " or (src.process.image.path contains "\Msbuild\Current\Bin\MSBuild.exe" or src.process.image.path contains "\Msbuild\Current\Bin\amd64\MSBuild.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md
index 97c2af45d..f528ca350 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_tttracer_mod_load.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\tttracer.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md
index fbcb15012..18810416f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_utilityfunctions.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "UtilityFunctions.ps1" or tgt.process.cmdline contains "RegSnapin "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md
index 62189ba71..20f7fbe99 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lolbin_visual_basic_compiler.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vbc.exe" and tgt.process.image.path contains "\cvtres.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md
index 835847d90..9b0fed967 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_lsass_process_clone.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Windows\System32\lsass.exe" and tgt.process.image.path contains "\Windows\System32\lsass.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md
index f1051e707..b4bed0aac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mftrace_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\mftrace.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md
index 01d1ab673..7e8515c2c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_mmc20_lateral_movement.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mmc.exe" and tgt.process.cmdline contains "-Embedding"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md
index d39404eea..b65f77379 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mmc_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\mmc.exe" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\regsvr32.exe") or tgt.process.image.path contains "\BITSADMIN"))) | columns tgt.process.cmdline,tgt.process.image.path,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md
index bffdf3981..566f8ceea 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mpcmdrun_dll_sideload_defender.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\MpCmdRun.exe" or tgt.process.image.path contains "\NisSrv.exe") and (not (tgt.process.image.path contains "C:\Program Files (x86)\Windows Defender\" or tgt.process.image.path contains "C:\Program Files\Microsoft Security Client\" or tgt.process.image.path contains "C:\Program Files\Windows Defender\" or tgt.process.image.path contains "C:\ProgramData\Microsoft\Windows Defender\Platform\" or tgt.process.image.path contains "C:\Windows\WinSxS\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md
index 45381db0e..4fb823f7a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_inline_vbscript.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Wscript." and tgt.process.cmdline contains ".Shell" and tgt.process.cmdline contains ".Run"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md
index c82eeb7b6..b42029286 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_lethalhta_technique.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\svchost.exe" and tgt.process.image.path contains "\mshta.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md
index 728e7ce4e..4a778dbaa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mshta_susp_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\mshta.exe" and (tgt.process.cmdline contains "vbscript" or tgt.process.cmdline contains ".jpg" or tgt.process.cmdline contains ".png" or tgt.process.cmdline contains ".lnk" or tgt.process.cmdline contains ".xls" or tgt.process.cmdline contains ".doc" or tgt.process.cmdline contains ".zip" or tgt.process.cmdline contains ".dll")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md
index 02142fdd2..541e2d740 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_embedding.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (src.process.cmdline contains "MsiExec.exe" and src.process.cmdline contains "-Embedding ")) and (not ((tgt.process.image.path contains ":\Windows\System32\cmd.exe" and tgt.process.cmdline contains "C:\Program Files\SplunkUniversalForwarder\bin\") or (tgt.process.cmdline contains "\DismFoDInstall.cmd" or (src.process.cmdline contains "\MsiExec.exe -Embedding " and src.process.cmdline contains "Global\MSI0000"))))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md
index eec10d463..1f1c04070 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_execute_dll.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\msiexec.exe" and (tgt.process.cmdline contains " -y" or tgt.process.cmdline contains " /y" or tgt.process.cmdline contains " –y" or tgt.process.cmdline contains " —y" or tgt.process.cmdline contains " ―y")) and (not (tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" /Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" /Y C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Bonjour\mdnsNSP.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll" or tgt.process.cmdline contains "\MsiExec.exe\" -Y \"C:\Windows\CCM\" or tgt.process.cmdline contains "\MsiExec.exe\" -Y C:\Windows\CCM\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md
index f1c8bcd21..23b538e27 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msiexec_web_install.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " msiexec" and tgt.process.cmdline contains "://"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md
index e265e7179..fcd1050b0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msra_process_injection.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\msra.exe" and src.process.cmdline contains "msra.exe" and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\route.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\whoami.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md
index 2098a72ce..d44a00d44 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\wsl.exe")) and (not (src.process.image.path contains "C:\Program Files\Microsoft SQL Server\" and src.process.image.path contains "DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\cmd.exe\" "))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md
index b0073e378..286804eaa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mssql_veaam_susp_child_processes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sqlservr.exe" and src.process.cmdline contains "VEEAMSQL") and (((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wt.exe") and (tgt.process.cmdline contains "-ex " or tgt.process.cmdline contains "bypass" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "http://" or tgt.process.cmdline contains "https://" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "copy ")) or (tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\tasklist.exe" or tgt.process.image.path contains "\whoami.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md
index ddb7d4945..4d4d49fa3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_mstsc_rdp_hijack_shadowing.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "noconsentprompt" and tgt.process.cmdline contains "shadow:"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md
index 7db67dd8a..1bff4b009 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\msxsl.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md
index d03ffb088..71abe4163 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_msxsl_remote_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\msxsl.exe" and tgt.process.cmdline contains "http"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md
index 45ccdcbca..ac76c4d73 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_abuse.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\node.exe" and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " --eval ")) and (tgt.process.cmdline contains ".exec(" and tgt.process.cmdline contains "net.socket" and tgt.process.cmdline contains ".connect" and tgt.process.cmdline contains "child_process")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md
index 46b489b6b..5e74be52c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_node_adobe_creative_cloud_abuse.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Adobe Creative Cloud Experience\libs\node.exe" and (not tgt.process.cmdline contains "Adobe Creative Cloud Experience\js"))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md
index e01a3c57c..38a496a7b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_nslookup_domain_discovery.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "nslookup" and tgt.process.cmdline contains "_ldap._tcp.dc._msdcs."))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md
index 9ecdd3415..18e00d0af 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ntdsutil_usage.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\ntdsutil.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md
index 5003905c8..6935ae0db 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_odbcconf_uncommon_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\odbcconf.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md
index cf42bff59..44c86cdcb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_onenote_embedded_script_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\onenote.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and (tgt.process.cmdline contains "\exported\" or tgt.process.cmdline contains "\onenoteofflinecache_files\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md
index dbc2deef3..bbd10b1ef 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Outlook\Security\EnableUnsafeClientMailRules")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md
index 51e5ef582..769664123 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_execution_from_temp.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\Temporary Internet Files\Content.Outlook\")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md
index 6f37f560c..fd4fa3a4a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\OUTLOOK.EXE" and (tgt.process.image.path contains "\AppVLP.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mftrace.exe" or tgt.process.image.path contains "\msbuild.exe" or tgt.process.image.path contains "\msdt.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\scrcons.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md
index 208c07054..9f9ce67ee 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_outlook_susp_child_processes_remote.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\outlook.exe" and tgt.process.image.path contains "\\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md
index 151473331..874fc7816 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_office_spawn_exe_from_users_directory.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WINWORD.EXE" or src.process.image.path contains "\EXCEL.EXE" or src.process.image.path contains "\POWERPNT.exe" or src.process.image.path contains "\MSPUB.exe" or src.process.image.path contains "\VISIO.exe" or src.process.image.path contains "\MSACCESS.exe" or src.process.image.path contains "\EQNEDT32.exe") and tgt.process.image.path contains "C:\users\" and tgt.process.image.path contains ".exe") and (not tgt.process.image.path contains "\Teams.exe"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md
index 003d4c55c..e4a9494f0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pdqdeploy_runner_susp_children.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\PDQDeployRunner-" and ((tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\scriptrunner.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\TEMP\" or tgt.process.image.path contains "\AppData\Local\Temp") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -encodedcommand " or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "http" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md
index 247ff1368..196282973 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ping_hex_ip.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ping.exe" and tgt.process.cmdline contains "0x")) | columns src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md
index 42edf6ea3..846baeeb5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_port_forwarding.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Command-line SSH, Telnet, and Rlogin client" and tgt.process.cmdline contains " -R "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md
index 3f1f0f86c..3d671aa59 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_plink_susp_tunneling.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":127.0.0.1:3389") or ((tgt.process.image.path contains "\plink.exe" and tgt.process.cmdline contains ":3389") and (tgt.process.cmdline contains " -P 443" or tgt.process.cmdline contains " -P 22"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md
index 53d893f3a..f93bd113c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_init_failed_bypass.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "System.Management.Automation.AmsiUtils" and tgt.process.cmdline contains "amsiInitFailed") or (tgt.process.cmdline contains "[Ref].Assembly.GetType" and tgt.process.cmdline contains "SetValue($null,$true)" and tgt.process.cmdline contains "NonPublic,Static")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md
index 83f43005b..367e0dfd9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_amsi_null_bits_bypass.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "if(0){{{0}}}' -f $(0 -as [char]) +" or tgt.process.cmdline contains "#<NULL>"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md
index 2122fa641..0c8adf0b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_audio_capture.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WindowsAudioDevice-Powershell-Cmdlet" or tgt.process.cmdline contains "Toggle-AudioDevice" or tgt.process.cmdline contains "Get-AudioDevice " or tgt.process.cmdline contains "Set-AudioDevice " or tgt.process.cmdline contains "Write-AudioDevice "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md
index 3c132f689..dd0083117 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_encoded_obfusc.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IAAtAGIAeABvAHIAIAAwAHgA" or tgt.process.cmdline contains "AALQBiAHgAbwByACAAMAB4A" or tgt.process.cmdline contains "gAC0AYgB4AG8AcgAgADAAeA" or tgt.process.cmdline contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or tgt.process.cmdline contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or tgt.process.cmdline contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or tgt.process.cmdline contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or tgt.process.cmdline contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or tgt.process.cmdline contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md
index ad6ba23b9..420f2b251 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_frombase64string.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OjpGcm9tQmFzZTY0U3RyaW5n" or tgt.process.cmdline contains "o6RnJvbUJhc2U2NFN0cmluZ" or tgt.process.cmdline contains "6OkZyb21CYXNlNjRTdHJpbm" or (tgt.process.cmdline contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or tgt.process.cmdline contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or tgt.process.cmdline contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md
index 03289a538..1c27e1c24 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_iex.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "SUVYIChb" or tgt.process.cmdline contains "lFWCAoW" or tgt.process.cmdline contains "JRVggKF" or tgt.process.cmdline contains "aWV4IChb" or tgt.process.cmdline contains "lleCAoW" or tgt.process.cmdline contains "pZXggKF" or tgt.process.cmdline contains "aWV4IChOZX" or tgt.process.cmdline contains "lleCAoTmV3" or tgt.process.cmdline contains "pZXggKE5ld" or tgt.process.cmdline contains "SUVYIChOZX" or tgt.process.cmdline contains "lFWCAoTmV3" or tgt.process.cmdline contains "JRVggKE5ld" or tgt.process.cmdline contains "SUVYKF" or tgt.process.cmdline contains "lFWChb" or tgt.process.cmdline contains "JRVgoW" or tgt.process.cmdline contains "aWV4KF" or tgt.process.cmdline contains "lleChb" or tgt.process.cmdline contains "pZXgoW" or tgt.process.cmdline contains "aWV4KE5ld" or tgt.process.cmdline contains "lleChOZX" or tgt.process.cmdline contains "pZXgoTmV3" or tgt.process.cmdline contains "SUVYKE5ld" or tgt.process.cmdline contains "lFWChOZX" or tgt.process.cmdline contains "JRVgoTmV3" or tgt.process.cmdline contains "SUVYKCgn" or tgt.process.cmdline contains "lFWCgoJ" or tgt.process.cmdline contains "JRVgoKC" or tgt.process.cmdline contains "aWV4KCgn" or tgt.process.cmdline contains "lleCgoJ" or tgt.process.cmdline contains "pZXgoKC") or (tgt.process.cmdline contains "SQBFAFgAIAAoAFsA" or tgt.process.cmdline contains "kARQBYACAAKABbA" or tgt.process.cmdline contains "JAEUAWAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAFsA" or tgt.process.cmdline contains "kAZQB4ACAAKABbA" or tgt.process.cmdline contains "pAGUAeAAgACgAWw" or tgt.process.cmdline contains "aQBlAHgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kAZQB4ACAAKABOAGUAdw" or tgt.process.cmdline contains "pAGUAeAAgACgATgBlAHcA" or tgt.process.cmdline contains "SQBFAFgAIAAoAE4AZQB3A" or tgt.process.cmdline contains "kARQBYACAAKABOAGUAdw" or tgt.process.cmdline contains "JAEUAWAAgACgATgBlAHcA")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md
index dcf7c396d..d8b888e5b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_mppreference.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "QWRkLU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "BZGQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "U2V0LU1wUHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1NcFByZWZlcmVuY2Ug" or tgt.process.cmdline contains "TZXQtTXBQcmVmZXJlbmNlI" or tgt.process.cmdline contains "YWRkLW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "FkZC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "hZGQtbXBwcmVmZXJlbmNlI" or tgt.process.cmdline contains "c2V0LW1wcHJlZmVyZW5jZS" or tgt.process.cmdline contains "NldC1tcHByZWZlcmVuY2Ug" or tgt.process.cmdline contains "zZXQtbXBwcmVmZXJlbmNlI") or (tgt.process.cmdline contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or tgt.process.cmdline contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or tgt.process.cmdline contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or tgt.process.cmdline contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md
index 6dbade140..0c95f57e4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or tgt.process.cmdline contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or tgt.process.cmdline contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or tgt.process.cmdline contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or tgt.process.cmdline contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or tgt.process.cmdline contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or tgt.process.cmdline contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or tgt.process.cmdline contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or tgt.process.cmdline contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or tgt.process.cmdline contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA")) | columns tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md
index e1220162a..eca616d79 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or tgt.process.cmdline contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or tgt.process.cmdline contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or tgt.process.cmdline contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or tgt.process.cmdline contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or tgt.process.cmdline contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or tgt.process.cmdline contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA")) | columns tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md
index 2ccf6ad98..8e89ec1e5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_invocation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SyncInvoke ")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md
index 3daa67e54..53ff3fb9f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_loadassembly.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "LoadAssemblyFromPath " or tgt.process.cmdline contains "LoadAssemblyFromNS "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md
index f46c1f58c..c04540468 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_cl_mutexverifiers.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and tgt.process.image.path contains "\powershell.exe" and tgt.process.cmdline contains " -nologo -windowstyle minimized -file ") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains "\Windows\Temp\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md
index abc9f6b2f..ba9066e0e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_create_service.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md
index 82e66b97a..60fe8c13e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_decode_gzip.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "GZipStream" and tgt.process.cmdline contains "::Decompress"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md
index c3616678c..58ec8794a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_disable_feature.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains "DisableArchiveScanning " or tgt.process.cmdline contains "DisableRealtimeMonitoring " or tgt.process.cmdline contains "DisableIOAVProtection " or tgt.process.cmdline contains "DisableBehaviorMonitoring " or tgt.process.cmdline contains "DisableBlockAtFirstSeen " or tgt.process.cmdline contains "DisableCatchupFullScan " or tgt.process.cmdline contains "DisableCatchupQuickScan ") and (tgt.process.cmdline contains "$true" or tgt.process.cmdline contains " 1 ")) or ((tgt.process.cmdline contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or tgt.process.cmdline contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or tgt.process.cmdline contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or tgt.process.cmdline contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or tgt.process.cmdline contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or tgt.process.cmdline contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or tgt.process.cmdline contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or tgt.process.cmdline contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or tgt.process.cmdline contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" 
or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or tgt.process.cmdline contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or tgt.process.cmdline contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or tgt.process.cmdline contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or tgt.process.cmdline contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or tgt.process.cmdline contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or tgt.process.cmdline contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or tgt.process.cmdline contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or tgt.process.cmdline contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or tgt.process.cmdline contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or tgt.process.cmdline contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or tgt.process.cmdline contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or tgt.process.cmdline contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or tgt.process.cmdline contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or tgt.process.cmdline contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or tgt.process.cmdline contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI") or (tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains 
"EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or tgt.process.cmdline contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or tgt.process.cmdline contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or tgt.process.cmdline contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or tgt.process.cmdline contains "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or tgt.process.cmdline contains 
"RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or tgt.process.cmdline contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md
index 635c61a6f..55efe0813 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_defender_exclusion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Add-MpPreference " or tgt.process.cmdline contains "Set-MpPreference ") and (tgt.process.cmdline contains " -ExclusionPath " or tgt.process.cmdline contains " -ExclusionExtension " or tgt.process.cmdline contains " -ExclusionProcess " or tgt.process.cmdline contains " -ExclusionIpAddress ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md
index 963bc71de..b01f9f25d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_disable_ie_features.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -name IEHarden " and tgt.process.cmdline contains " -value 0 ") or (tgt.process.cmdline contains " -name DEPOff " and tgt.process.cmdline contains " -value 1 ") or (tgt.process.cmdline contains " -name DisableFirstRunCustomize " and tgt.process.cmdline contains " -value 2 ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md
index 3f0d102cc..becc1e581 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_downgrade_attack.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains " -version 2 " or tgt.process.cmdline contains " -versio 2 " or tgt.process.cmdline contains " -versi 2 " or tgt.process.cmdline contains " -vers 2 " or tgt.process.cmdline contains " -ver 2 " or tgt.process.cmdline contains " -ve 2 " or tgt.process.cmdline contains " -v 2 ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md
index 3ad054a7a..599602b63 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_com_cradles.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[Type]::GetTypeFromCLSID(" and (tgt.process.cmdline contains "0002DF01-0000-0000-C000-000000000046" or tgt.process.cmdline contains "F6D90F16-9C73-11D3-B32E-00C04F990BB4" or tgt.process.cmdline contains "F5078F35-C551-11D3-89B9-0000F81FE221" or tgt.process.cmdline contains "88d96a0a-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "AFBA6B42-5692-48EA-8141-DC517DCF0EF1" or tgt.process.cmdline contains "AFB40FFD-B609-40A3-9828-F88BBE11E4E3" or tgt.process.cmdline contains "88d96a0b-f192-11d4-a65f-0040963251e5" or tgt.process.cmdline contains "2087c2f4-2cef-4953-a8ab-66779b670495" or tgt.process.cmdline contains "000209FF-0000-0000-C000-000000000046" or tgt.process.cmdline contains "00024500-0000-0000-C000-000000000046")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md
index 02e1e3b28..0b0c356cb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradle_obfuscated.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "http://127.0.0.1" and tgt.process.cmdline contains "%{(IRM $_)}" and tgt.process.cmdline contains ".SubString.ToString()[67,72,64]-Join" and tgt.process.cmdline contains "Import-Module")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md
index c7fe5f620..f4c0ecf08 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_cradles.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md
index 1dccf6e9b..359a4296a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_dll.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "IWR ") and (tgt.process.cmdline contains "http" and tgt.process.cmdline contains "OutFile" and tgt.process.cmdline contains ".dll")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md
index 711ba1cbd..7d699c7a8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_download_iex.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains ".DownloadString(" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains "Invoke-WebRequest " or tgt.process.cmdline contains "iwr ") and (tgt.process.cmdline contains ";iex $" or tgt.process.cmdline contains "| IEX" or tgt.process.cmdline contains "|IEX " or tgt.process.cmdline contains "I`E`X" or tgt.process.cmdline contains "I`EX" or tgt.process.cmdline contains "IE`X" or tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "IEX (" or tgt.process.cmdline contains "IEX(" or tgt.process.cmdline contains "Invoke-Expression")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md
index 068a32cb8..d3cbff5a9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_dsinternals_cmdlets.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-ADDBSidHistory" or tgt.process.cmdline contains "Add-ADNgcKey" or tgt.process.cmdline contains "Add-ADReplNgcKey" or tgt.process.cmdline contains "ConvertFrom-ADManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-GPPrefPassword" or tgt.process.cmdline contains "ConvertFrom-ManagedPasswordBlob" or tgt.process.cmdline contains "ConvertFrom-UnattendXmlPassword" or tgt.process.cmdline contains "ConvertFrom-UnicodePassword" or tgt.process.cmdline contains "ConvertTo-AADHash" or tgt.process.cmdline contains "ConvertTo-GPPrefPassword" or tgt.process.cmdline contains "ConvertTo-KerberosKey" or tgt.process.cmdline contains "ConvertTo-LMHash" or tgt.process.cmdline contains "ConvertTo-MsoPasswordHash" or tgt.process.cmdline contains "ConvertTo-NTHash" or tgt.process.cmdline contains "ConvertTo-OrgIdHash" or tgt.process.cmdline contains "ConvertTo-UnicodePassword" or tgt.process.cmdline contains "Disable-ADDBAccount" or tgt.process.cmdline contains "Enable-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBAccount" or tgt.process.cmdline contains "Get-ADDBBackupKey" or tgt.process.cmdline contains "Get-ADDBDomainController" or tgt.process.cmdline contains "Get-ADDBGroupManagedServiceAccount" or tgt.process.cmdline contains "Get-ADDBKdsRootKey" or tgt.process.cmdline contains "Get-ADDBSchemaAttribute" or tgt.process.cmdline contains "Get-ADDBServiceAccount" or tgt.process.cmdline contains "Get-ADDefaultPasswordPolicy" or tgt.process.cmdline contains "Get-ADKeyCredential" or tgt.process.cmdline contains "Get-ADPasswordPolicy" or tgt.process.cmdline contains "Get-ADReplAccount" or tgt.process.cmdline contains "Get-ADReplBackupKey" or tgt.process.cmdline contains "Get-ADReplicationAccount" or tgt.process.cmdline contains "Get-ADSIAccount" or tgt.process.cmdline contains "Get-AzureADUserEx" or tgt.process.cmdline contains "Get-BootKey" or tgt.process.cmdline contains 
"Get-KeyCredential" or tgt.process.cmdline contains "Get-LsaBackupKey" or tgt.process.cmdline contains "Get-LsaPolicy" or tgt.process.cmdline contains "Get-SamPasswordPolicy" or tgt.process.cmdline contains "Get-SysKey" or tgt.process.cmdline contains "Get-SystemKey" or tgt.process.cmdline contains "New-ADDBRestoreFromMediaScript" or tgt.process.cmdline contains "New-ADKeyCredential" or tgt.process.cmdline contains "New-ADNgcKey" or tgt.process.cmdline contains "New-NTHashSet" or tgt.process.cmdline contains "Remove-ADDBObject" or tgt.process.cmdline contains "Save-DPAPIBlob" or tgt.process.cmdline contains "Set-ADAccountPasswordHash" or tgt.process.cmdline contains "Set-ADDBAccountPassword" or tgt.process.cmdline contains "Set-ADDBBootKey" or tgt.process.cmdline contains "Set-ADDBDomainController" or tgt.process.cmdline contains "Set-ADDBPrimaryGroup" or tgt.process.cmdline contains "Set-ADDBSysKey" or tgt.process.cmdline contains "Set-AzureADUserEx" or tgt.process.cmdline contains "Set-LsaPolicy" or tgt.process.cmdline contains "Set-SamAccountPasswordHash" or tgt.process.cmdline contains "Set-WinUserPasswordHash" or tgt.process.cmdline contains "Test-ADDBPasswordQuality" or tgt.process.cmdline contains "Test-ADPasswordQuality" or tgt.process.cmdline contains "Test-ADReplPasswordQuality" or tgt.process.cmdline contains "Test-PasswordQuality" or tgt.process.cmdline contains "Unlock-ADDBAccount" or tgt.process.cmdline contains "Write-ADNgcKey" or tgt.process.cmdline contains "Write-ADReplNgcKey"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md
index 3df1e1c67..d64d48fa8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_email_exfil.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Add-PSSnapin" and tgt.process.cmdline contains "Get-Recipient" and tgt.process.cmdline contains "-ExpandProperty" and tgt.process.cmdline contains "EmailAddresses" and tgt.process.cmdline contains "SmtpAddress" and tgt.process.cmdline contains "-hidetableheaders")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md
index bd74acbe5..7def4004f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Enable-WindowsOptionalFeature" and tgt.process.cmdline contains "-Online" and tgt.process.cmdline contains "-FeatureName") and (tgt.process.cmdline contains "TelnetServer" or tgt.process.cmdline contains "Internet-Explorer-Optional-amd64" or tgt.process.cmdline contains "TFTP" or tgt.process.cmdline contains "SMB1Protocol" or tgt.process.cmdline contains "Client-ProjFS" or tgt.process.cmdline contains "Microsoft-Windows-Subsystem-Linux")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md
index bbec3b30e..2e1126ef1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_encode.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -e " or tgt.process.cmdline contains " -en " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -enco" or tgt.process.cmdline contains " -ec ")) and (not (tgt.process.cmdline contains " -Encoding " or (src.process.image.path contains "C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or src.process.image.path contains "\gc_worker.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md
index 6445375a5..40d1f497f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_exec_data_file.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "iex " or tgt.process.cmdline contains "Invoke-Expression " or tgt.process.cmdline contains "Invoke-Command " or tgt.process.cmdline contains "icm ") and (tgt.process.cmdline contains "cat " or tgt.process.cmdline contains "get-content " or tgt.process.cmdline contains "type ") and tgt.process.cmdline contains " -raw"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md
index 2ab90ad0f..34a8d5f59 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_export_certificate.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Export-PfxCertificate " or tgt.process.cmdline contains "Export-Certificate "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md
index 4372ad6e3..44268a5b5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::FromBase64String(")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md
index f0b129c0e..ceb0c342c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_frombase64string_archive.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "FromBase64String" and tgt.process.cmdline contains "MemoryStream" and tgt.process.cmdline contains "H4sI"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md
index 8e4d72a7c..c353bb927 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_clipboard.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Get-Clipboard")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md
index d29e36725..2b8ceb131 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_get_localgroup_member_recon.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-LocalGroupMember " and (tgt.process.cmdline contains "domain admins" or tgt.process.cmdline contains " administrator" or tgt.process.cmdline contains " administrateur" or tgt.process.cmdline contains "enterprise admins" or tgt.process.cmdline contains "Exchange Trusted Subsystem" or tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md
index 9613ecac5..aad0e1a27 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_getprocess_lsass.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Get-Process lsas" or tgt.process.cmdline contains "ps lsas" or tgt.process.cmdline contains "gps lsas"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md
index df8a877bf..021d993e4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_iex_patterns.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " | iex;" or tgt.process.cmdline contains " | iex " or tgt.process.cmdline contains " | iex}" or tgt.process.cmdline contains " | IEX ;" or tgt.process.cmdline contains " | IEX -Error" or tgt.process.cmdline contains " | IEX (new" or tgt.process.cmdline contains ");IEX ")) and (tgt.process.cmdline contains "::FromBase64String" or tgt.process.cmdline contains ".GetString([System.Convert]::")) or (tgt.process.cmdline contains ")|iex;$" or tgt.process.cmdline contains ");iex($" or tgt.process.cmdline contains ");iex $" or tgt.process.cmdline contains " | IEX | " or tgt.process.cmdline contains " | iex\\"")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md
index 463197b9b..884553d50 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_cert_susp_locations.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Import-Certificate" and tgt.process.cmdline contains " -FilePath " and tgt.process.cmdline contains "Cert:\LocalMachine\Root") and (tgt.process.cmdline contains "\AppData\Local\Temp\" or tgt.process.cmdline contains ":\Windows\TEMP\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Perflogs\" or tgt.process.cmdline contains ":\Users\Public\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md
index 1ddf2aecd..b6da5bad2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_import_module_susp_dirs.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Import-Module \"$Env:Temp\" or tgt.process.cmdline contains "Import-Module '$Env:Temp\" or tgt.process.cmdline contains "Import-Module $Env:Temp\" or tgt.process.cmdline contains "Import-Module \"$Env:Appdata\" or tgt.process.cmdline contains "Import-Module '$Env:Appdata\" or tgt.process.cmdline contains "Import-Module $Env:Appdata\" or tgt.process.cmdline contains "Import-Module C:\Users\Public\" or tgt.process.cmdline contains "ipmo \"$Env:Temp\" or tgt.process.cmdline contains "ipmo '$Env:Temp\" or tgt.process.cmdline contains "ipmo $Env:Temp\" or tgt.process.cmdline contains "ipmo \"$Env:Appdata\" or tgt.process.cmdline contains "ipmo '$Env:Appdata\" or tgt.process.cmdline contains "ipmo $Env:Appdata\" or tgt.process.cmdline contains "ipmo C:\Users\Public\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md
index c30e7859d..4266455e0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_invocation_specific.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "[Convert]::FromBase64String") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-noni" and tgt.process.cmdline contains "-nop" and tgt.process.cmdline contains " -c " and tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object") or (tgt.process.cmdline contains " -w " and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "-ep" and tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-Enc") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "\software\") or (tgt.process.cmdline contains "bypass" and tgt.process.cmdline contains "-noprofile" and tgt.process.cmdline contains "-windowstyle" and tgt.process.cmdline contains "hidden" and tgt.process.cmdline contains "new-object" and tgt.process.cmdline contains "system.net.webclient" and tgt.process.cmdline contains ".download") or (tgt.process.cmdline contains "iex" and tgt.process.cmdline contains "New-Object" and tgt.process.cmdline contains "Net.WebClient" and tgt.process.cmdline contains ".Download")) and (not (tgt.process.cmdline contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or tgt.process.cmdline contains "Write-ChocolateyWarning"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md
index b311e2a64..3816aa1bf 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_mailboxexport_share.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "New-MailboxExportRequest" and tgt.process.cmdline contains " -Mailbox " and tgt.process.cmdline contains " -FilePath \\")) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md
index 5c1f119ef..1b5164b6a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_malicious_cmdlets.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Add-Exfiltration" or tgt.process.cmdline contains "Add-Persistence" or tgt.process.cmdline contains "Add-RegBackdoor" or tgt.process.cmdline contains "Add-RemoteRegBackdoor" or tgt.process.cmdline contains "Add-ScrnSaveBackdoor" or tgt.process.cmdline contains "Check-VM" or tgt.process.cmdline contains "ConvertTo-Rc4ByteStream" or tgt.process.cmdline contains "Decrypt-Hash" or tgt.process.cmdline contains "Disable-ADIDNSNode" or tgt.process.cmdline contains "Disable-MachineAccount" or tgt.process.cmdline contains "Do-Exfiltration" or tgt.process.cmdline contains "Enable-ADIDNSNode" or tgt.process.cmdline contains "Enable-MachineAccount" or tgt.process.cmdline contains "Enabled-DuplicateToken" or tgt.process.cmdline contains "Exploit-Jboss" or tgt.process.cmdline contains "Export-ADR" or tgt.process.cmdline contains "Export-ADRCSV" or tgt.process.cmdline contains "Export-ADRExcel" or tgt.process.cmdline contains "Export-ADRHTML" or tgt.process.cmdline contains "Export-ADRJSON" or tgt.process.cmdline contains "Export-ADRXML" or tgt.process.cmdline contains "Find-Fruit" or tgt.process.cmdline contains "Find-GPOLocation" or tgt.process.cmdline contains "Find-TrustedDocuments" or tgt.process.cmdline contains "Get-ADIDNS" or tgt.process.cmdline contains "Get-ApplicationHost" or tgt.process.cmdline contains "Get-ChromeDump" or tgt.process.cmdline contains "Get-ClipboardContents" or tgt.process.cmdline contains "Get-FoxDump" or tgt.process.cmdline contains "Get-GPPPassword" or tgt.process.cmdline contains "Get-IndexedItem" or tgt.process.cmdline contains "Get-KerberosAESKey" or tgt.process.cmdline contains "Get-Keystrokes" or tgt.process.cmdline contains "Get-LSASecret" or tgt.process.cmdline contains "Get-MachineAccountAttribute" or tgt.process.cmdline contains "Get-MachineAccountCreator" or tgt.process.cmdline contains "Get-PassHashes" or tgt.process.cmdline contains 
"Get-RegAlwaysInstallElevated" or tgt.process.cmdline contains "Get-RegAutoLogon" or tgt.process.cmdline contains "Get-RemoteBootKey" or tgt.process.cmdline contains "Get-RemoteCachedCredential" or tgt.process.cmdline contains "Get-RemoteLocalAccountHash" or tgt.process.cmdline contains "Get-RemoteLSAKey" or tgt.process.cmdline contains "Get-RemoteMachineAccountHash" or tgt.process.cmdline contains "Get-RemoteNLKMKey" or tgt.process.cmdline contains "Get-RickAstley" or tgt.process.cmdline contains "Get-Screenshot" or tgt.process.cmdline contains "Get-SecurityPackages" or tgt.process.cmdline contains "Get-ServiceFilePermission" or tgt.process.cmdline contains "Get-ServicePermission" or tgt.process.cmdline contains "Get-ServiceUnquoted" or tgt.process.cmdline contains "Get-SiteListPassword" or tgt.process.cmdline contains "Get-System" or tgt.process.cmdline contains "Get-TimedScreenshot" or tgt.process.cmdline contains "Get-UnattendedInstallFile" or tgt.process.cmdline contains "Get-Unconstrained" or tgt.process.cmdline contains "Get-USBKeystrokes" or tgt.process.cmdline contains "Get-VaultCredential" or tgt.process.cmdline contains "Get-VulnAutoRun" or tgt.process.cmdline contains "Get-VulnSchTask" or tgt.process.cmdline contains "Grant-ADIDNSPermission" or tgt.process.cmdline contains "Gupt-Backdoor" or tgt.process.cmdline contains "HTTP-Login" or tgt.process.cmdline contains "Install-ServiceBinary" or tgt.process.cmdline contains "Install-SSP" or tgt.process.cmdline contains "Invoke-ACLScanner" or tgt.process.cmdline contains "Invoke-ADRecon" or tgt.process.cmdline contains "Invoke-ADSBackdoor" or tgt.process.cmdline contains "Invoke-AgentSmith" or tgt.process.cmdline contains "Invoke-AllChecks" or tgt.process.cmdline contains "Invoke-ARPScan" or tgt.process.cmdline contains "Invoke-AzureHound" or tgt.process.cmdline contains "Invoke-BackdoorLNK" or tgt.process.cmdline contains "Invoke-BadPotato" or tgt.process.cmdline contains "Invoke-BetterSafetyKatz" or 
tgt.process.cmdline contains "Invoke-BypassUAC" or tgt.process.cmdline contains "Invoke-Carbuncle" or tgt.process.cmdline contains "Invoke-Certify" or tgt.process.cmdline contains "Invoke-ConPtyShell" or tgt.process.cmdline contains "Invoke-CredentialInjection" or tgt.process.cmdline contains "Invoke-DAFT" or tgt.process.cmdline contains "Invoke-DCSync" or tgt.process.cmdline contains "Invoke-DinvokeKatz" or tgt.process.cmdline contains "Invoke-DllInjection" or tgt.process.cmdline contains "Invoke-DNSUpdate" or tgt.process.cmdline contains "Invoke-DomainPasswordSpray" or tgt.process.cmdline contains "Invoke-DowngradeAccount" or tgt.process.cmdline contains "Invoke-EgressCheck" or tgt.process.cmdline contains "Invoke-Eyewitness" or tgt.process.cmdline contains "Invoke-FakeLogonScreen" or tgt.process.cmdline contains "Invoke-Farmer" or tgt.process.cmdline contains "Invoke-Get-RBCD-Threaded" or tgt.process.cmdline contains "Invoke-Gopher" or tgt.process.cmdline contains "Invoke-Grouper" or tgt.process.cmdline contains "Invoke-HandleKatz" or tgt.process.cmdline contains "Invoke-ImpersonatedProcess" or tgt.process.cmdline contains "Invoke-ImpersonateSystem" or tgt.process.cmdline contains "Invoke-InteractiveSystemPowerShell" or tgt.process.cmdline contains "Invoke-Internalmonologue" or tgt.process.cmdline contains "Invoke-Inveigh" or tgt.process.cmdline contains "Invoke-InveighRelay" or tgt.process.cmdline contains "Invoke-KrbRelay" or tgt.process.cmdline contains "Invoke-LdapSignCheck" or tgt.process.cmdline contains "Invoke-Lockless" or tgt.process.cmdline contains "Invoke-MalSCCM" or tgt.process.cmdline contains "Invoke-Mimikatz" or tgt.process.cmdline contains "Invoke-Mimikittenz" or tgt.process.cmdline contains "Invoke-MITM6" or tgt.process.cmdline contains "Invoke-NanoDump" or tgt.process.cmdline contains "Invoke-NetRipper" or tgt.process.cmdline contains "Invoke-Nightmare" or tgt.process.cmdline contains "Invoke-NinjaCopy" or tgt.process.cmdline contains 
"Invoke-OfficeScrape" or tgt.process.cmdline contains "Invoke-OxidResolver" or tgt.process.cmdline contains "Invoke-P0wnedshell" or tgt.process.cmdline contains "Invoke-Paranoia" or tgt.process.cmdline contains "Invoke-PortScan" or tgt.process.cmdline contains "Invoke-PoshRatHttp" or tgt.process.cmdline contains "Invoke-PostExfil" or tgt.process.cmdline contains "Invoke-PowerDump" or tgt.process.cmdline contains "Invoke-PowerShellTCP" or tgt.process.cmdline contains "Invoke-PowerShellWMI" or tgt.process.cmdline contains "Invoke-PPLDump" or tgt.process.cmdline contains "Invoke-PsExec" or tgt.process.cmdline contains "Invoke-PSInject" or tgt.process.cmdline contains "Invoke-PsUaCme" or tgt.process.cmdline contains "Invoke-ReflectivePEInjection" or tgt.process.cmdline contains "Invoke-ReverseDNSLookup" or tgt.process.cmdline contains "Invoke-Rubeus" or tgt.process.cmdline contains "Invoke-RunAs" or tgt.process.cmdline contains "Invoke-SafetyKatz" or tgt.process.cmdline contains "Invoke-SauronEye" or tgt.process.cmdline contains "Invoke-SCShell" or tgt.process.cmdline contains "Invoke-Seatbelt" or tgt.process.cmdline contains "Invoke-ServiceAbuse" or tgt.process.cmdline contains "Invoke-ShadowSpray" or tgt.process.cmdline contains "Invoke-Sharp" or tgt.process.cmdline contains "Invoke-Shellcode" or tgt.process.cmdline contains "Invoke-SMBScanner" or tgt.process.cmdline contains "Invoke-Snaffler" or tgt.process.cmdline contains "Invoke-Spoolsample" or tgt.process.cmdline contains "Invoke-SpraySinglePassword" or tgt.process.cmdline contains "Invoke-SSHCommand" or tgt.process.cmdline contains "Invoke-StandIn" or tgt.process.cmdline contains "Invoke-StickyNotesExtract" or tgt.process.cmdline contains "Invoke-SystemCommand" or tgt.process.cmdline contains "Invoke-Tasksbackdoor" or tgt.process.cmdline contains "Invoke-Tater" or tgt.process.cmdline contains "Invoke-Thunderfox" or tgt.process.cmdline contains "Invoke-ThunderStruck" or tgt.process.cmdline contains 
"Invoke-TokenManipulation" or tgt.process.cmdline contains "Invoke-Tokenvator" or tgt.process.cmdline contains "Invoke-TotalExec" or tgt.process.cmdline contains "Invoke-UrbanBishop" or tgt.process.cmdline contains "Invoke-UserHunter" or tgt.process.cmdline contains "Invoke-VoiceTroll" or tgt.process.cmdline contains "Invoke-Whisker" or tgt.process.cmdline contains "Invoke-WinEnum" or tgt.process.cmdline contains "Invoke-winPEAS" or tgt.process.cmdline contains "Invoke-WireTap" or tgt.process.cmdline contains "Invoke-WmiCommand" or tgt.process.cmdline contains "Invoke-WMIExec" or tgt.process.cmdline contains "Invoke-WScriptBypassUAC" or tgt.process.cmdline contains "Invoke-Zerologon" or tgt.process.cmdline contains "MailRaider" or tgt.process.cmdline contains "New-ADIDNSNode" or tgt.process.cmdline contains "New-DNSRecordArray" or tgt.process.cmdline contains "New-HoneyHash" or tgt.process.cmdline contains "New-InMemoryModule" or tgt.process.cmdline contains "New-MachineAccount" or tgt.process.cmdline contains "New-SOASerialNumberArray" or tgt.process.cmdline contains "Out-Minidump" or tgt.process.cmdline contains "Port-Scan" or tgt.process.cmdline contains "PowerBreach" or tgt.process.cmdline contains "powercat " or tgt.process.cmdline contains "PowerUp" or tgt.process.cmdline contains "PowerView" or tgt.process.cmdline contains "Remove-ADIDNSNode" or tgt.process.cmdline contains "Remove-MachineAccount" or tgt.process.cmdline contains "Remove-Update" or tgt.process.cmdline contains "Rename-ADIDNSNode" or tgt.process.cmdline contains "Revoke-ADIDNSPermission" or tgt.process.cmdline contains "Set-ADIDNSNode" or tgt.process.cmdline contains "Set-MacAttribute" or tgt.process.cmdline contains "Set-MachineAccountAttribute" or tgt.process.cmdline contains "Set-Wallpaper" or tgt.process.cmdline contains "Show-TargetScreen" or tgt.process.cmdline contains "Start-CaptureServer" or tgt.process.cmdline contains "Start-Dnscat2" or tgt.process.cmdline contains 
"Start-WebcamRecorder" or tgt.process.cmdline contains "VolumeShadowCopyTools"))
 ```
 
@@ -13,7 +13,7 @@ related:
       type: derived
     - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
       type: similar
-status: experimental
+status: test
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
 references:
     - https://adsecurity.org/?p=2921
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md
index 319970f09..0df6c3f9a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_msexchange_transport_agent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "Install-TransportAgent") | columns AssemblyPath
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md
index 9def9e227..ddba09e3e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_obfuscation_via_utf8.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "(WCHAR)0x")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md
index 3cac07543..33ad747ba 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_public_folder.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "-f C:\Users\Public" or tgt.process.cmdline contains "-f \"C:\Users\Public" or tgt.process.cmdline contains "-f %Public%" or tgt.process.cmdline contains "-fi C:\Users\Public" or tgt.process.cmdline contains "-fi \"C:\Users\Public" or tgt.process.cmdline contains "-fi %Public%" or tgt.process.cmdline contains "-fil C:\Users\Public" or tgt.process.cmdline contains "-fil \"C:\Users\Public" or tgt.process.cmdline contains "-fil %Public%" or tgt.process.cmdline contains "-file C:\Users\Public" or tgt.process.cmdline contains "-file \"C:\Users\Public" or tgt.process.cmdline contains "-file %Public%"))) | columns tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md
index f8a2038c8..d713d7e3f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or tgt.process.cmdline contains "Invoke-ATHRemoteFXvGPUDisableme"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md
index dfe45cd90..83b1072d8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_remove_mppreference.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Remove-MpPreference" and (tgt.process.cmdline contains "-ControlledFolderAccessProtectedFolders " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Ids " or tgt.process.cmdline contains "-AttackSurfaceReductionRules_Actions " or tgt.process.cmdline contains "-CheckForSignaturesBeforeRunningScan ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md
index 1c200293d..1aee23afc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_ads.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Get-Content" and tgt.process.cmdline contains "-Stream")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md
index f472f8ab5..94ac7eced 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_run_script_from_input_stream.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline matches "\\s-\\s*<"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md
index 5c510e154..ff759434c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_sam_access.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\HarddiskVolumeShadowCopy" and tgt.process.cmdline contains "System32\config\sam") and (tgt.process.cmdline contains "Copy-Item" or tgt.process.cmdline contains "cp $_." or tgt.process.cmdline contains "cpi $_." or tgt.process.cmdline contains "copy $_." or tgt.process.cmdline contains ".File]::Copy(")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md
index e7803661b..236382c1b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_script_engine_parent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")) and (not tgt.process.image.path contains "\Health Service State\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md
index 8b627df38..73d23aad9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_shadowcopy_deletion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Get-WmiObject" or tgt.process.cmdline contains "gwmi" or tgt.process.cmdline contains "Get-CimInstance" or tgt.process.cmdline contains "gcim") and tgt.process.cmdline contains "Win32_ShadowCopy" and (tgt.process.cmdline contains ".Delete()" or tgt.process.cmdline contains "Remove-WmiObject" or tgt.process.cmdline contains "rwmi" or tgt.process.cmdline contains "Remove-CimInstance" or tgt.process.cmdline contains "rcim")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md
index bfeb52c41..2a08b030c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_download_patterns.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "IEX ((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX (New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX((New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains "IEX(New-Object Net.WebClient).DownloadString" or tgt.process.cmdline contains " -command (New-Object System.Net.WebClient).DownloadFile(" or tgt.process.cmdline contains " -c (New-Object System.Net.WebClient).DownloadFile("))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md
index 824376b46..199a8f4fe 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_parameter_variation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains " -windowstyle h " or tgt.process.cmdline contains " -windowstyl h" or tgt.process.cmdline contains " -windowsty h" or tgt.process.cmdline contains " -windowst h" or tgt.process.cmdline contains " -windows h" or tgt.process.cmdline contains " -windo h" or tgt.process.cmdline contains " -wind h" or tgt.process.cmdline contains " -win h" or tgt.process.cmdline contains " -wi h" or tgt.process.cmdline contains " -win h " or tgt.process.cmdline contains " -win hi " or tgt.process.cmdline contains " -win hid " or tgt.process.cmdline contains " -win hidd " or tgt.process.cmdline contains " -win hidde " or tgt.process.cmdline contains " -NoPr " or tgt.process.cmdline contains " -NoPro " or tgt.process.cmdline contains " -NoProf " or tgt.process.cmdline contains " -NoProfi " or tgt.process.cmdline contains " -NoProfil " or tgt.process.cmdline contains " -nonin " or tgt.process.cmdline contains " -nonint " or tgt.process.cmdline contains " -noninte " or tgt.process.cmdline contains " -noninter " or tgt.process.cmdline contains " -nonintera " or tgt.process.cmdline contains " -noninterac " or tgt.process.cmdline contains " -noninteract " or tgt.process.cmdline contains " -noninteracti " or tgt.process.cmdline contains " -noninteractiv " or tgt.process.cmdline contains " -ec " or tgt.process.cmdline contains " -encodedComman " or tgt.process.cmdline contains " -encodedComma " or tgt.process.cmdline contains " -encodedComm " or tgt.process.cmdline contains " -encodedCom " or tgt.process.cmdline contains " -encodedCo " or tgt.process.cmdline contains " -encodedC " or tgt.process.cmdline contains " -encoded " or tgt.process.cmdline contains " -encode " or tgt.process.cmdline contains " -encod " or tgt.process.cmdline contains " -enco " or tgt.process.cmdline contains " -en " or 
tgt.process.cmdline contains " -executionpolic " or tgt.process.cmdline contains " -executionpoli " or tgt.process.cmdline contains " -executionpol " or tgt.process.cmdline contains " -executionpo " or tgt.process.cmdline contains " -executionp " or tgt.process.cmdline contains " -execution bypass" or tgt.process.cmdline contains " -executio bypass" or tgt.process.cmdline contains " -executi bypass" or tgt.process.cmdline contains " -execut bypass" or tgt.process.cmdline contains " -execu bypass" or tgt.process.cmdline contains " -exec bypass" or tgt.process.cmdline contains " -exe bypass" or tgt.process.cmdline contains " -ex bypass" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " /windowstyle h " or tgt.process.cmdline contains " /windowstyl h" or tgt.process.cmdline contains " /windowsty h" or tgt.process.cmdline contains " /windowst h" or tgt.process.cmdline contains " /windows h" or tgt.process.cmdline contains " /windo h" or tgt.process.cmdline contains " /wind h" or tgt.process.cmdline contains " /win h" or tgt.process.cmdline contains " /wi h" or tgt.process.cmdline contains " /win h " or tgt.process.cmdline contains " /win hi " or tgt.process.cmdline contains " /win hid " or tgt.process.cmdline contains " /win hidd " or tgt.process.cmdline contains " /win hidde " or tgt.process.cmdline contains " /NoPr " or tgt.process.cmdline contains " /NoPro " or tgt.process.cmdline contains " /NoProf " or tgt.process.cmdline contains " /NoProfi " or tgt.process.cmdline contains " /NoProfil " or tgt.process.cmdline contains " /nonin " or tgt.process.cmdline contains " /nonint " or tgt.process.cmdline contains " /noninte " or tgt.process.cmdline contains " /noninter " or tgt.process.cmdline contains " /nonintera " or tgt.process.cmdline contains " /noninterac " or tgt.process.cmdline contains " /noninteract " or tgt.process.cmdline contains " /noninteracti " or tgt.process.cmdline contains " /noninteractiv " or tgt.process.cmdline contains 
" /ec " or tgt.process.cmdline contains " /encodedComman " or tgt.process.cmdline contains " /encodedComma " or tgt.process.cmdline contains " /encodedComm " or tgt.process.cmdline contains " /encodedCom " or tgt.process.cmdline contains " /encodedCo " or tgt.process.cmdline contains " /encodedC " or tgt.process.cmdline contains " /encoded " or tgt.process.cmdline contains " /encode " or tgt.process.cmdline contains " /encod " or tgt.process.cmdline contains " /enco " or tgt.process.cmdline contains " /en " or tgt.process.cmdline contains " /executionpolic " or tgt.process.cmdline contains " /executionpoli " or tgt.process.cmdline contains " /executionpol " or tgt.process.cmdline contains " /executionpo " or tgt.process.cmdline contains " /executionp " or tgt.process.cmdline contains " /execution bypass" or tgt.process.cmdline contains " /executio bypass" or tgt.process.cmdline contains " /executi bypass" or tgt.process.cmdline contains " /execut bypass" or tgt.process.cmdline contains " /execu bypass" or tgt.process.cmdline contains " /exec bypass" or tgt.process.cmdline contains " /exe bypass" or tgt.process.cmdline contains " /ex bypass" or tgt.process.cmdline contains " /ep bypass")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md
index f6d522f6b..4d1d784da 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_appdata.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "powershell.exe" or tgt.process.cmdline contains "\powershell" or tgt.process.cmdline contains "\pwsh" or tgt.process.cmdline contains "pwsh.exe") and ((tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "\AppData\") and (tgt.process.cmdline contains "Local\" or tgt.process.cmdline contains "Roaming\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md
index 0aa9a28cf..2772e18d8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_susp_ps_downloadfile.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".DownloadFile" and tgt.process.cmdline contains "System.Net.WebClient"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md
index 66d9de504..fe4378eca 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_token_obfuscation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline matches "\\w+`(\\w+|-|.)`[\\w+|\\s]" or tgt.process.cmdline matches ""(\\{\\d\\})+"\\s*-f" or tgt.process.cmdline matches "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not tgt.process.cmdline contains "${env:path}")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md
index 915823b18..0135b09bc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_x509enrollment.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "X509Enrollment.CBinaryConverter" or tgt.process.cmdline contains "884e2002-217d-11da-b2a4-000e7bbb2b09"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md
index a17c1e3b2..dae4ce258 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_powershell_zip_compress.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath $env:TEMP*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\*" or tgt.process.cmdline="*Compress-Archive -Path*-DestinationPath*:\Windows\Temp\*"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md
index af84ef393..69db0828e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pressanykey_lolbin_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\Microsoft.NodejsTools.PressAnyKey.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md
index 7e253548a..2f36cb4fa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_print_remote_file_copy.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\print.exe" and tgt.process.cmdline contains "print" and (tgt.process.cmdline contains "/D" and tgt.process.cmdline contains ".exe")) and (not tgt.process.cmdline contains "print.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md
index 9fe4636b5..7a433388d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_potential_abuse.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and (not ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md
index 275978106..231ab9477 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_provlaunch_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\provlaunch.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\PerfLogs\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains "\AppData\Temp\" or tgt.process.image.path contains "\Windows\System32\Tasks\" or tgt.process.image.path contains "\Windows\Tasks\" or tgt.process.image.path contains "\Windows\Temp\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md
index 230d05293..fda4bcaec 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_psr_capture_screenshots.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\Psr.exe" and (tgt.process.cmdline contains "/start" or tgt.process.cmdline contains "-start")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md
index 4a36c2d23..190dd7d89 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_3proxy_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\3proxy.exe" or tgt.process.displayName="3proxy - tiny proxy server" or tgt.process.cmdline contains ".exe -i127.0.0.1 -p"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md
index 83ec34d79..235eedf36 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_enumeration.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lockoutduration" or tgt.process.cmdline contains "lockoutthreshold" or tgt.process.cmdline contains "lockoutobservationwindow" or tgt.process.cmdline contains "maxpwdage" or tgt.process.cmdline contains "minpwdage" or tgt.process.cmdline contains "minpwdlength" or tgt.process.cmdline contains "pwdhistorylength" or tgt.process.cmdline contains "pwdproperties") or tgt.process.cmdline contains "-sc admincountdmp" or tgt.process.cmdline contains "-sc exchaddresses"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md
index ba0f88c68..c2cc15dec 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_adfind_susp_usage.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "domainlist" or tgt.process.cmdline contains "trustdmp" or tgt.process.cmdline contains "dcmodes" or tgt.process.cmdline contains "adinfo" or tgt.process.cmdline contains " dclist " or tgt.process.cmdline contains "computer_pwdnotreqd" or tgt.process.cmdline contains "objectcategory=" or tgt.process.cmdline contains "-subnets -f" or tgt.process.cmdline contains "name=\"Domain Admins\"" or tgt.process.cmdline contains "-sc u:" or tgt.process.cmdline contains "domainncs" or tgt.process.cmdline contains "dompol" or tgt.process.cmdline contains " oudmp " or tgt.process.cmdline contains "subnetdmp" or tgt.process.cmdline contains "gpodmp" or tgt.process.cmdline contains "fspdmp" or tgt.process.cmdline contains "users_noexpire" or tgt.process.cmdline contains "computers_active" or tgt.process.cmdline contains "computers_pwdnotreqd"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md
index 945e77e76..173c1cf9b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_advancedrun_priv_user.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "/EXEFilename" or tgt.process.cmdline contains "/CommandLine") and ((tgt.process.cmdline contains " /RunAs 8 " or tgt.process.cmdline contains " /RunAs 4 " or tgt.process.cmdline contains " /RunAs 10 " or tgt.process.cmdline contains " /RunAs 11 ") or (tgt.process.cmdline contains "/RunAs 8" or tgt.process.cmdline contains "/RunAs 4" or tgt.process.cmdline contains "/RunAs 10" or tgt.process.cmdline contains "/RunAs 11"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md
index f545662d9..69ff51a4b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_chisel.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\chisel.exe" or ((tgt.process.cmdline contains "exe client " or tgt.process.cmdline contains "exe server ") and (tgt.process.cmdline contains "-socks5" or tgt.process.cmdline contains "-reverse" or tgt.process.cmdline contains " r:" or tgt.process.cmdline contains ":127.0.0.1:" or tgt.process.cmdline contains "-tls-skip-verify " or tgt.process.cmdline contains ":socks"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md
index 6b32ee4a5..31d3a279b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_cleanwipe.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SepRemovalToolNative_x64.exe" or (tgt.process.image.path contains "\CATClean.exe" and tgt.process.cmdline contains "--uninstall") or (tgt.process.image.path contains "\NetInstaller.exe" and tgt.process.cmdline contains "-r") or (tgt.process.image.path contains "\WFPUnins.exe" and (tgt.process.cmdline contains "/uninstall" and tgt.process.cmdline contains "/enterprise"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md
index 363f93062..84891adb9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_csexec.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\csexec.exe" or tgt.process.displayName="csexec"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md
index 09d7ab4d3..edbe24cc9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_defendercheck.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DefenderCheck.exe" or tgt.process.displayName="DefenderCheck"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md
index c0d6c95b1..57f768d5d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ditsnap.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ditsnap.exe" or tgt.process.cmdline contains "ditsnap.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md
index ed8213949..c6a64c8f1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_mouselock_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName contains "Mouse Lock" or tgt.process.publisher contains "Misc314" or tgt.process.cmdline contains "Mouse Lock_")) | columns tgt.process.displayName,tgt.process.publisher,tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md
index 6cfc90bd4..e6e6986f4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netcat.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\nc.exe" or tgt.process.image.path contains "\ncat.exe" or tgt.process.image.path contains "\netcat.exe") or (tgt.process.cmdline contains " -lvp " or tgt.process.cmdline contains " -lvnp" or tgt.process.cmdline contains " -l -v -p " or tgt.process.cmdline contains " -lv -p " or tgt.process.cmdline contains " -l --proxy-type http " or tgt.process.cmdline contains " -vnl --exec " or tgt.process.cmdline contains " -vnl -e " or tgt.process.cmdline contains " --lua-exec " or tgt.process.cmdline contains " --sh-exec ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md
index 36a9061cc..c5c23b169 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_netscan.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\netscan.exe" or tgt.process.displayName="Network Scanner" or tgt.process.displayName="Application for scanning networks"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md
index dbb6c8104..6d11fd4c4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_ngrok.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " tcp 139" or tgt.process.cmdline contains " tcp 445" or tgt.process.cmdline contains " tcp 3389" or tgt.process.cmdline contains " tcp 5985" or tgt.process.cmdline contains " tcp 5986") or (tgt.process.cmdline contains " start " and tgt.process.cmdline contains "--all" and tgt.process.cmdline contains "--config" and tgt.process.cmdline contains ".yml") or (tgt.process.image.path contains "ngrok.exe" and (tgt.process.cmdline contains " tcp " or tgt.process.cmdline contains " http " or tgt.process.cmdline contains " authtoken ")) or (tgt.process.cmdline contains ".exe authtoken " or tgt.process.cmdline contains ".exe start --all")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md
index d0fdc10a1..ca8820c70 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_nircmd_as_system.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " runassystem ") | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md
index cc42ca53d..94f86dbad 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rcedit_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rcedit-x64.exe" or tgt.process.image.path contains "\rcedit-x86.exe") or tgt.process.displayName="Edit resources of exe" or tgt.process.displayName="rcedit") and tgt.process.cmdline contains "--set-" and (tgt.process.cmdline contains "OriginalFileName" or tgt.process.cmdline contains "CompanyName" or tgt.process.cmdline contains "FileDescription" or tgt.process.cmdline contains "ProductName" or tgt.process.cmdline contains "ProductVersion" or tgt.process.cmdline contains "LegalCopyright")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md
index bce00c0df..b8bb9d46e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_rclone_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "--config " and tgt.process.cmdline contains "--no-check-certificate " and tgt.process.cmdline contains " copy ") or ((tgt.process.image.path contains "\rclone.exe" or tgt.process.displayName="Rsync for cloud storage") and (tgt.process.cmdline contains "pass" or tgt.process.cmdline contains "user" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "sync" or tgt.process.cmdline contains "config" or tgt.process.cmdline contains "lsd" or tgt.process.cmdline contains "remote" or tgt.process.cmdline contains "ls" or tgt.process.cmdline contains "mega" or tgt.process.cmdline contains "pcloud" or tgt.process.cmdline contains "ftp" or tgt.process.cmdline contains "ignore-existing" or tgt.process.cmdline contains "auto-confirm" or tgt.process.cmdline contains "transfers" or tgt.process.cmdline contains "multi-thread-streams" or tgt.process.cmdline contains "no-check-certificate ")))) | columns tgt.process.cmdline,src.process.cmdline,Details
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md
index 219e31b83..12ece6ec9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_runxcmd.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " /account=system " or tgt.process.cmdline contains " /account=ti ") and tgt.process.cmdline contains "/exec=")) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md
index 5826736d0..9b9109803 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_pua_webbrowserpassview.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Web Browser Password Viewer" or tgt.process.image.path contains "\WebBrowserPassView.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md
index 3a44b0570..373b475fb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_adidnsdump.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\python.exe" and tgt.process.cmdline contains "adidnsdump"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md
index 1a22ccb91..609767721 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_python_pty_spawn.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "python.exe" or tgt.process.image.path contains "python3.exe" or tgt.process.image.path contains "python2.exe") and ((tgt.process.cmdline contains "import pty" and tgt.process.cmdline contains ".spawn(") or tgt.process.cmdline contains "from pty import spawn")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md
index 63540b22a..c6944f151 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_qemu_suspicious_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "-m 1M" or tgt.process.cmdline contains "-m 2M" or tgt.process.cmdline contains "-m 3M") and (tgt.process.cmdline contains "restrict=off" and tgt.process.cmdline contains "-netdev " and tgt.process.cmdline contains "connect=" and tgt.process.cmdline contains "-nographic")) and (not (tgt.process.cmdline contains " -cdrom " or tgt.process.cmdline contains " type=virt " or tgt.process.cmdline contains " -blockdev "))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md
index 8349b1c2e..45c0acc75 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_query_session_exfil.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains ":\Windows\System32\query.exe" and (tgt.process.cmdline contains "session >" or tgt.process.cmdline contains "process >")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md
index 7e4bbdf30..a4d63c337 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compress_data.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rar.exe" and tgt.process.cmdline contains " a "))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md
index c89e4f31c..f6e260655 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_compression_with_password.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -hp" and (tgt.process.cmdline contains " -m" or tgt.process.cmdline contains " a ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md
index 316895eff..ebe652004 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rar_susp_greedy_compression.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.displayName="Command line RAR") or (tgt.process.cmdline contains ".exe a " or tgt.process.cmdline contains " a -m")) and ((tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " -r ") and (tgt.process.cmdline="* *:\\*.*" or tgt.process.cmdline="* *:\\\*.*" or tgt.process.cmdline="* *:\$Recycle.bin\*" or tgt.process.cmdline="* *:\PerfLogs\*" or tgt.process.cmdline="* *:\Temp*" or tgt.process.cmdline="* *:\Users\Public\*" or tgt.process.cmdline="* *:\Windows\*" or tgt.process.cmdline contains " %public%"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md
index 4a4c63adc..0ba6132e2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rasdial_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "rasdial.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md
index 6cbf3c722..a9299afc5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_add_run_key.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains " ADD " and tgt.process.cmdline contains "Software\Microsoft\Windows\CurrentVersion\Run"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md
index 8d87ba99e..3dd453edb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_bitlocker.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "REG" and tgt.process.cmdline contains "ADD" and tgt.process.cmdline contains "\SOFTWARE\Policies\Microsoft\FVE" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/f") and (tgt.process.cmdline contains "EnableBDEWithNoTPM" or tgt.process.cmdline contains "UseAdvancedStartup" or tgt.process.cmdline contains "UseTPM" or tgt.process.cmdline contains "UseTPMKey" or tgt.process.cmdline contains "UseTPMKeyPIN" or tgt.process.cmdline contains "RecoveryKeyMessageSource" or tgt.process.cmdline contains "UseTPMPIN" or tgt.process.cmdline contains "RecoveryKeyMessage")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md
index bc7072627..cfc38f498 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_credential_access_via_password_filter.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "scecli\0" and tgt.process.cmdline contains "reg add"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md
index 44749de2e..773699c95 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_defender_exclusion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" or tgt.process.cmdline contains "SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths") and (tgt.process.cmdline contains "ADD " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_DWORD " and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "0")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md
index 2b8d2dad1..7b6eacff2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_direct_asep_registry_keys_modification.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and tgt.process.cmdline contains "add") and (tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" or tgt.process.cmdline contains "\software\Microsoft\Windows NT\CurrentVersion\Windows" or tgt.process.cmdline contains "\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" or tgt.process.cmdline contains "\system\CurrentControlSet\Control\SafeBoot\AlternateShell"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md
index 06239b8b7..cbdad2f6c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_disable_sec_services.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add") and ((tgt.process.cmdline contains "d 4" and tgt.process.cmdline contains "v Start") and (tgt.process.cmdline contains "\AppIDSvc" or tgt.process.cmdline contains "\MsMpSvc" or tgt.process.cmdline contains "\NisSrv" or tgt.process.cmdline contains "\SecurityHealthService" or tgt.process.cmdline contains "\Sense" or tgt.process.cmdline contains "\UsoSvc" or tgt.process.cmdline contains "\WdBoot" or tgt.process.cmdline contains "\WdFilter" or tgt.process.cmdline contains "\WdNisDrv" or tgt.process.cmdline contains "\WdNisSvc" or tgt.process.cmdline contains "\WinDefend" or tgt.process.cmdline contains "\wscsvc" or tgt.process.cmdline contains "\wuauserv"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md
index eb5f9e11c..6c2413f43 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains " query " and tgt.process.cmdline contains "/t " and tgt.process.cmdline contains "REG_SZ" and tgt.process.cmdline contains "/s")) and ((tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKLM") or (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "HKCU") or tgt.process.cmdline contains "HKCU\Software\SimonTatham\PuTTY\Sessions")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md
index f65424963..c3b25ccdd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_lsa_disable_restricted_admin.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa\" and tgt.process.cmdline contains "DisableRestrictedAdmin"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md
index c05c58249..422de651c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_machineguid.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "SOFTWARE\Microsoft\Cryptography" and tgt.process.cmdline contains "/v " and tgt.process.cmdline contains "MachineGuid")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md
index acbd9680e..0469bf7ed 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_nolmhash.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control\Lsa" and tgt.process.cmdline contains "NoLMHash" and tgt.process.cmdline contains " 0"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md
index 0f939b353..8f589a874 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_open_command.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/ve " and tgt.process.cmdline contains "/d") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings\shell\open\command" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "DelegateExecute") or (tgt.process.cmdline contains "reg" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "hkcu\software\classes\ms-settings")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md
index 2969b2f0f..1f3d93228 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_screensaver.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "HKEY_CURRENT_USER\Control Panel\Desktop" or tgt.process.cmdline contains "HKCU\Control Panel\Desktop")) and ((tgt.process.cmdline contains "/v ScreenSaveActive" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 1" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaveTimeout" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v ScreenSaverIsSecure" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d 0" and tgt.process.cmdline contains "/f") or (tgt.process.cmdline contains "/v SCRNSAVE.EXE" and tgt.process.cmdline contains "/t REG_SZ" and tgt.process.cmdline contains "/d " and tgt.process.cmdline contains ".scr" and tgt.process.cmdline contains "/f"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md
index f781e35f9..279a8b5c8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_service_imagepath_change.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "add " and tgt.process.cmdline contains "SYSTEM\CurrentControlSet\Services\" and tgt.process.cmdline contains " ImagePath ")) and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " /d " or tgt.process.cmdline contains " –d " or tgt.process.cmdline contains " —d " or tgt.process.cmdline contains " ―d ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md
index 0b24baef4..3ddcf7dd5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_software_discovery.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "query" and tgt.process.cmdline contains "\software\" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "svcversion")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md
index 908a1e1ec..1a9f37ca2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_volsnap_disable.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Services\VSS\Diag" and tgt.process.cmdline contains "/d Disabled"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md
index 215f96633..0095ba960 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_reg_write_protect_for_storage_disabled.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Control" and tgt.process.cmdline contains "Write Protection" and tgt.process.cmdline contains "0" and tgt.process.cmdline contains "storage"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md
index a9a2b9de4..51d3be9b8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regedit_trustedinstaller.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\regedit.exe" and (src.process.image.path contains "\TrustedInstaller.exe" or src.process.image.path contains "\ProcessHacker.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md
index 1026bb045..b612514e1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_cimprovider_dll_load.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\register-cimprovider.exe" and (tgt.process.cmdline contains "-path" and tgt.process.cmdline contains "dll"))) | columns tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md
index 4d2ce31ea..d26030420 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_enumeration_for_credentials_cli.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\Sessions" or tgt.process.cmdline contains "\Software\SimonTatham\PuTTY\SshHostKeys\" or tgt.process.cmdline contains "\Software\Mobatek\MobaXterm\" or tgt.process.cmdline contains "\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin" or tgt.process.cmdline contains "\Software\Aerofox\FoxmailPreview" or tgt.process.cmdline contains "\Software\Aerofox\Foxmail\V3.1" or tgt.process.cmdline contains "\Software\IncrediMail\Identities" or tgt.process.cmdline contains "\Software\Qualcomm\Eudora\CommandLine" or tgt.process.cmdline contains "\Software\RimArts\B2\Settings" or tgt.process.cmdline contains "\Software\OpenVPN-GUI\configs" or tgt.process.cmdline contains "\Software\Martin Prikryl\WinSCP 2\Sessions" or tgt.process.cmdline contains "\Software\FTPWare\COREFTP\Sites" or tgt.process.cmdline contains "\Software\DownloadManager\Passwords" or tgt.process.cmdline contains "\Software\OpenSSH\Agent\Keys" or tgt.process.cmdline contains "\Software\TightVNC\Server" or tgt.process.cmdline contains "\Software\ORL\WinVNC3\Password" or tgt.process.cmdline contains "\Software\RealVNC\WinVNC4"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md
index 714e4cc13..313945c32 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" and tgt.process.cmdline contains "http" and tgt.process.cmdline contains " 0"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md
index 99064eeb6..0f19f0ad2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_install_reg_debugger_backdoor.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\CurrentVersion\Image File Execution Options\" and (tgt.process.cmdline contains "sethc.exe" or tgt.process.cmdline contains "utilman.exe" or tgt.process.cmdline contains "osk.exe" or tgt.process.cmdline contains "magnify.exe" or tgt.process.cmdline contains "narrator.exe" or tgt.process.cmdline contains "displayswitch.exe" or tgt.process.cmdline contains "atbroker.exe" or tgt.process.cmdline contains "HelpPane.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md
index 49881d6d4..5ff28c894 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_logon_script.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "UserInitMprLogonScript")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md
index df2f13de0..1078105bb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_new_network_provider.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\System\CurrentControlSet\Services\" and tgt.process.cmdline contains "\NetworkProvider"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md
index 220b8b1bc..4a34fadfa 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_office_disable_python_security_warnings.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Office\" and tgt.process.cmdline contains "\Excel\Security" and tgt.process.cmdline contains "PythonFunctionWarnings") and tgt.process.cmdline contains " 0"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md
index 02ba73373..651e84e20 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_privilege_escalation_via_service_key.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.integrityLevel="Medium" and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "services") and (tgt.process.cmdline contains "\ImagePath" or tgt.process.cmdline contains "\FailureCommand" or tgt.process.cmdline contains "\ServiceDll")))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("Medium","S-1-16-8192")) and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "services") and (tgt.process.cmdline contains "\ImagePath" or tgt.process.cmdline contains "\FailureCommand" or tgt.process.cmdline contains "\ServiceDll")))
 ```
 
 
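Review bot: The new query on the `event.type=` line accepts two spellings of the same integrity level, `in ("Medium","S-1-16-8192")`, but neither the query nor the surrounding markdown says why, so the next reader may take the SID for a second, different level. A one-line comment after the translation banner would settle it, e.g. `// "S-1-16-8192" is the SID form of the Medium mandatory level; both forms are kept because log sources differ in how they report it`. Whether `tgt.process.integrityLevel` in this data source ever carries the SID form, or only the textual one, is not visible here and is worth confirming against a sample event before relying on the second value.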
@@ -15,7 +15,7 @@ references:
     - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
 author: Teymur Kheirkhabarov
 date: 2019-10-26
-modified: 2023-01-30
+modified: 2024-12-01
 tags:
     - attack.privilege-escalation
     - attack.t1574.011
@@ -24,7 +24,9 @@ logsource:
     category: process_creation
 detection:
     selection:
-        IntegrityLevel: 'Medium'
+        IntegrityLevel:
+            - 'Medium'
+            - 'S-1-16-8192'
         CommandLine|contains|all:
             - 'ControlSet'
             - 'services'
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md
index 2e508486b..1a47d7fd1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_provlaunch_provisioning_command.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "SOFTWARE\Microsoft\Provisioning\Commands\")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md
index 9cf7caee7..8e957b34f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_set_unsecure_powershell_policy.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\ShellIds\Microsoft.PowerShell\ExecutionPolicy" or tgt.process.cmdline contains "\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy") and (tgt.process.cmdline contains "Bypass" or tgt.process.cmdline contains "RemoteSigned" or tgt.process.cmdline contains "Unrestricted")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md
index 133c80784..9f8308252 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_special_accounts_hide_user.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\reg.exe" and (tgt.process.cmdline contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" and tgt.process.cmdline contains "add" and tgt.process.cmdline contains "/v" and tgt.process.cmdline contains "/d 0")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md
index 34dab2ca9..c10b0cd39 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_registry_typed_paths_persistence.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md
index 481d64187..190f0b242 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_flags_anomaly.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\regsvr32.exe" and (tgt.process.cmdline contains " -i:" or tgt.process.cmdline contains " /i:" or tgt.process.cmdline contains " –i:" or tgt.process.cmdline contains " —i:" or tgt.process.cmdline contains " ―i:")) and (not tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n ")))
 ```
 
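Review bot: The exclusion in the `event.type=` line is mis-parenthesised: `not` binds only to the first `contains " -n "` term, so the expression reads `(not A) or B or C or D or E` and a regsvr32 command line containing ` /n ` (or any of the dash variants) is matched rather than filtered out, while the only case actually excluded is the literal ` -n ` spelling. The other translations in this batch wrap multi-term exclusions as `(not (... or ...))`, so this one looks like a translator edge case rather than intent. The fix is to close the group: `(not (tgt.process.cmdline contains " -n " or tgt.process.cmdline contains " /n " or tgt.process.cmdline contains " –n " or tgt.process.cmdline contains " —n " or tgt.process.cmdline contains " ―n "))`. Since the file is generated, the change belongs in the translator so it is not overwritten on the next run.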
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md
index 4882e8038..2c18cc296 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\regsvr32.exe" and (tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\explorer.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\notepad.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\werfault.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\werfault.exe" and tgt.process.cmdline contains " -u -p "))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md
index 3cc627dce..d43dbb623 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_regsvr32_susp_parent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\cmd.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell_ise.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\wscript.exe") and tgt.process.image.path contains "\regsvr32.exe") and (not (src.process.image.path="C:\Windows\System32\cmd.exe" and tgt.process.cmdline contains " /s C:\Windows\System32\RpcProxy\RpcProxy.dll"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md
index 9a252e097..1085f504e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md
index 5bf2cac9a..9593a8ab8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/c " and tgt.process.cmdline contains "echo " and tgt.process.cmdline contains ".exe --set-password"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md
index 563aa8e7e..427eaa909 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_silent_install.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "--install" and tgt.process.cmdline contains "--start-with-win" and tgt.process.cmdline contains "--silent")) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md
index ea9d7bf02..1842d4708 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\AnyDesk.exe" or tgt.process.displayName="AnyDesk" or tgt.process.displayName="AnyDesk" or tgt.process.publisher="AnyDesk Software GmbH") and (not (tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "Program Files (x86)\AnyDesk" or tgt.process.image.path contains "Program Files\AnyDesk"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md
index b7c541d23..b403b4982 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_gotoopener.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="GoTo Opener" or tgt.process.displayName="GoTo Opener" or tgt.process.publisher="LogMeIn, Inc."))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md
index 62c9b88b5..286044fb0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_logmein.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="LMIGuardianSvc" or tgt.process.displayName="LMIGuardianSvc" or tgt.process.publisher="LogMeIn, Inc."))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md
index 8456b9657..1fe193203 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_meshagent_exec.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\meshagent.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md
index c0c3c2ef4..6415e1fef 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_rurat_non_default_location.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe") or tgt.process.displayName="Remote Utilities") and (not (tgt.process.image.path contains "C:\Program Files\Remote Utilities" or tgt.process.image.path contains "C:\Program Files (x86)\Remote Utilities"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md
index 33b2a014d..8589926fc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="ScreenConnect Service" or tgt.process.displayName="ScreenConnect" or tgt.process.publisher="ScreenConnect Software"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md
index 894cb5e98..b4c5a5cea 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "e=Access&" and tgt.process.cmdline contains "y=Guest&" and tgt.process.cmdline contains "&p=" and tgt.process.cmdline contains "&c=" and tgt.process.cmdline contains "&k="))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md
index 315490f7e..42abe3294 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains ":\Windows\TEMP\ScreenConnect\" and src.process.cmdline contains "run.cmd") and (tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wevtutil.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md
index bdba6e2e1..600c01352 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_screenconnect_webshell.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\ScreenConnect.Service.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\csc.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md
index de68df67d..35d7fb585 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_simple_help.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\JWrapper-Remote Access\" or tgt.process.image.path contains "\JWrapper-Remote Support\") and tgt.process.image.path contains "\SimpleService.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md
index 088b2265c..51e111098 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="TeamViewer_Desktop.exe" and src.process.image.path="TeamViewer_Service.exe" and tgt.process.cmdline contains "TeamViewer_Desktop.exe --IPCport 5939 --Module 1"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md
index 331bb72df..ce5d819b6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_remote_time_discovery.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "time") or (tgt.process.image.path contains "\w32tm.exe" and tgt.process.cmdline contains "tz")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md
index fccb85b70..32ea0ac9a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_jusched.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName in ("Java Update Scheduler","Java(TM) Update Scheduler")) and (not tgt.process.image.path contains "\jusched.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md
index ca6df8456..db0a309ac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rundll32_dllregisterserver.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "DllRegisterServer" and (not tgt.process.image.path contains "\rundll32.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md
index 6135320b6..578f59706 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_renamed_rurat.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.displayName="Remote Utilities" and (not (tgt.process.image.path contains "\rutserv.exe" or tgt.process.image.path contains "\rfusclient.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md
index 682151b22..5ccab562f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rpcping_credential_capture.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\rpcping.exe" and (tgt.process.cmdline contains "-s" or tgt.process.cmdline contains "/s" or tgt.process.cmdline contains "–s" or tgt.process.cmdline contains "—s" or tgt.process.cmdline contains "―s") and (((tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u") and (tgt.process.cmdline contains "NTLM")) or ((tgt.process.cmdline contains "-t" or tgt.process.cmdline contains "/t" or tgt.process.cmdline contains "–t" or tgt.process.cmdline contains "—t" or tgt.process.cmdline contains "―t") and (tgt.process.cmdline contains "ncacn_np")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md
index 5340951f7..35a9f285d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_inline_vbs.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and tgt.process.cmdline contains "Execute" and tgt.process.cmdline contains "RegRead" and tgt.process.cmdline contains "window.close"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md
index eb3753578..b8ececb15 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\..\" and tgt.process.cmdline contains "mshtml") and (tgt.process.cmdline contains "#135" or tgt.process.cmdline contains "RunHTMLApplication")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md
index 24dfa7029..51277c215 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_no_params.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\rundll32.exe" or tgt.process.cmdline contains "\rundll32.exe\"" or tgt.process.cmdline contains "\rundll32") and (not (src.process.image.path contains "\AppData\Local\" or src.process.image.path contains "\Microsoft\Edge\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md
index 164230024..8d80e92a3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_run_locations.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\RECYCLER\" or tgt.process.image.path contains ":\SystemVolumeInformation\") or (tgt.process.image.path contains "C:\Windows\Tasks\" or tgt.process.image.path contains "C:\Windows\debug\" or tgt.process.image.path contains "C:\Windows\fonts\" or tgt.process.image.path contains "C:\Windows\help\" or tgt.process.image.path contains "C:\Windows\drivers\" or tgt.process.image.path contains "C:\Windows\addins\" or tgt.process.image.path contains "C:\Windows\cursors\" or tgt.process.image.path contains "C:\Windows\system32\tasks\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md
index 6536b3ad8..90933da95 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_setupapi_installhinfsection.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\runonce.exe" and src.process.image.path contains "\rundll32.exe" and (src.process.cmdline contains "setupapi.dll" and src.process.cmdline contains "InstallHinfSection"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md
index f2cabaad8..1c9981854 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_spawn_explorer.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\rundll32.exe" and tgt.process.image.path contains "\explorer.exe") and (not src.process.cmdline contains "\shell32.dll,Control_RunDLL")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md
index eb3a1ead8..2f06620e0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_activity.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "javascript:" and tgt.process.cmdline contains ".RegisterXLL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "OpenURLA") or (tgt.process.cmdline contains "url.dll" and tgt.process.cmdline contains "FileProtocolHandler") or (tgt.process.cmdline contains "zipfldr.dll" and tgt.process.cmdline contains "RouteTheCall") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "Control_RunDLL") or (tgt.process.cmdline contains "shell32.dll" and tgt.process.cmdline contains "ShellExec_RunDLL") or (tgt.process.cmdline contains "mshtml.dll" and tgt.process.cmdline contains "PrintHTML") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "advpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "LaunchINFSection") or (tgt.process.cmdline contains "ieadvpack.dll" and tgt.process.cmdline contains "RegisterOCX") or (tgt.process.cmdline contains "ieframe.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "shdocvw.dll" and tgt.process.cmdline contains "OpenURL") or (tgt.process.cmdline contains "syssetup.dll" and tgt.process.cmdline contains "SetupInfObjectInstallAction") or (tgt.process.cmdline contains "setupapi.dll" and tgt.process.cmdline contains "InstallHinfSection") or (tgt.process.cmdline contains "pcwutl.dll" and tgt.process.cmdline contains "LaunchApplication") or (tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbApplication") or (tgt.process.cmdline contains "dfshim.dll" and tgt.process.cmdline contains "ShOpenVerbShortcut") or (tgt.process.cmdline contains "scrobj.dll" and tgt.process.cmdline contains 
"GenerateTypeLib" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "shimgvw.dll" and tgt.process.cmdline contains "ImageView_Fullscreen" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "comsvcs.dll" and tgt.process.cmdline contains "MiniDump")) and (not (tgt.process.cmdline contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (src.process.image.path="C:\Windows\System32\control.exe" and src.process.cmdline contains ".cpl" and (tgt.process.cmdline contains "Shell32.dll" and tgt.process.cmdline contains "Control_RunDLL" and tgt.process.cmdline contains ".cpl")) or (src.process.image.path="C:\Windows\System32\control.exe" and tgt.process.cmdline contains "\"C:\Windows\system32\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\Windows\System32\" and tgt.process.cmdline contains ".cpl\",")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md
index bea854d65..0b87b8369 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_execution.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ShellExec_RunDLL" and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "odbcconf" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "iex" or tgt.process.cmdline contains "comspec")))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ShellExec_RunDLL" and (tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "comspec" or tgt.process.cmdline contains "iex" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "msiexec" or tgt.process.cmdline contains "odbcconf" or tgt.process.cmdline contains "regsvr32")))
 ```
 
 
@@ -11,6 +11,8 @@ id: d87bd452-6da1-456e-8155-7dc988157b7d
 related:
     - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
       type: obsolete
+    - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
+      type: similar
 status: test
 description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
 references:
@@ -30,16 +32,16 @@ detection:
         CommandLine|contains: 'ShellExec_RunDLL'
     selection_suspcli:
         CommandLine|contains:
-            # Add more LOLBINs and Susp Paths
-            - 'regsvr32'
-            - 'msiexec'
-            - '\Users\Public\'
-            - 'odbcconf'
+            # Note: The ordinal number may differ depending on the DLL version
             - '\Desktop\'
             - '\Temp\'
-            - 'Invoke-'
-            - 'iex'
+            - '\Users\Public\'
             - 'comspec'
+            - 'iex'
+            - 'Invoke-'
+            - 'msiexec'
+            - 'odbcconf'
+            - 'regsvr32'
     condition: all of selection_*
 falsepositives:
     - Unknown
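Review bot: The replacement comment at the top of selection_suspcli, `# Note: The ordinal number may differ depending on the DLL version`, does not fit this rule: the list it annotates holds suspicious command-line substrings and paths, and the rule matches `ShellExec_RunDLL` by name, not by ordinal. It reads as if copied from the ordinal variant (id 8823e85d-31d8-473e-b7f4-92da070f0fc6, which this commit links as `similar`), where the remark is meaningful. The comment it replaced described the list's purpose, so I would restore a coverage note such as `# Note: Add additional binaries and suspicious paths to increase coverage` and keep the ordinal remark in the ordinal rule only. The translated query at the top of this file is unaffected, since comments are not emitted into it.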
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.md
new file mode 100644
index 000000000..89b462090
--- /dev/null
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.md	
@@ -0,0 +1,77 @@
+```sql
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains "SHELL32.DLL" and (src.process.cmdline contains "#568" or src.process.cmdline contains "#570" or src.process.cmdline contains "#572" or src.process.cmdline contains "#576")) and (((src.process.cmdline contains "comspec" or src.process.cmdline contains "iex" or src.process.cmdline contains "Invoke-" or src.process.cmdline contains "msiexec" or src.process.cmdline contains "odbcconf" or src.process.cmdline contains "regsvr32") or (src.process.cmdline contains "\Desktop\" or src.process.cmdline contains "\ProgramData\" or src.process.cmdline contains "\Temp\" or src.process.cmdline contains "\Users\Public\")) or (tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\msxsl.exe" or tgt.process.image.path contains "\odbcconf.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe"))))
+```
+
+
+# Original Sigma Rule:
+```yaml
+title: Suspicious ShellExec_RunDLL Call Via Ordinal
+id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
+related:
+    - id: d87bd452-6da1-456e-8155-7dc988157b7d
+      type: derived
+status: experimental
+description: |
+    Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
+    Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
+references:
+    - https://redcanary.com/blog/raspberry-robin/
+    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
+    - https://github.com/SigmaHQ/sigma/issues/1009
+    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
+author: Swachchhanda Shrawan Poudel
+date: 2024-12-01
+tags:
+    - attack.defense-evasion
+    - attack.t1218.011
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent_img:
+        ParentCommandLine|contains: 'SHELL32.DLL'
+    selection_parent_ordinal:
+        ParentCommandLine|contains:
+            # Note: The ordinal number may differ depending on the DLL version
+            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
+            - '#568'
+            - '#570'
+            - '#572'
+            - '#576'
+    selection_susp_cli_parent:
+        # Note: Add additional binaries and suspicious paths to increase coverage
+        - ParentCommandLine|contains:
+              - 'comspec'
+              - 'iex'
+              - 'Invoke-'
+              - 'msiexec'
+              - 'odbcconf'
+              - 'regsvr32'
+        - ParentCommandLine|contains:
+              - '\Desktop\'
+              - '\ProgramData\'
+              - '\Temp\'
+              - '\Users\Public\'
+    selection_susp_child_img:
+        Image|endswith:
+            - '\bash.exe'
+            - '\bitsadmin.exe'
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\curl.exe'
+            - '\mshta.exe'
+            - '\msiexec.exe'
+            - '\msxsl.exe'
+            - '\odbcconf.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\schtasks.exe'
+            - '\wmic.exe'
+            - '\wscript.exe'
+    condition: all of selection_parent_* and 1 of selection_susp_*
+falsepositives:
+    - Unknown
+level: high
+```
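Review bot: The translated query on the new side renders `Image|endswith` as `tgt.process.image.path contains "\cmd.exe"` (and likewise for the other fourteen child images), which is broader than the Sigma rule: a substring match also fires when that name appears mid-path rather than as the executable's file name. The ordinal list has a similar widening, since `src.process.cmdline contains "#568"` also matches longer ordinals such as `#5681`, though that one is inherent to the Sigma rule rather than to the translation. If the target query language offers a suffix-match operator, the child-image clause should use it; otherwise a comment above the query stating that `endswith` was downgraded to `contains` would save triage time when the rule fires on an unexpected path. The condition `all of selection_parent_* and 1 of selection_susp_*` otherwise appears faithfully translated as `(parent_img and parent_ordinal) and ((cli_binaries or cli_paths) or child_img)`.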
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md
index c1277c6c2..716682b8d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_susp_shimcache_flush.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "apphelp.dll") and (tgt.process.cmdline contains "ShimFlushCache" or tgt.process.cmdline contains "#250")) or ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "kernel32.dll") and (tgt.process.cmdline contains "BaseFlushAppcompatCache" or tgt.process.cmdline contains "#46")))) | columns tgt.process.image.path,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md
index 5afebf3be..ba690844f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_sys.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "rundll32.exe" and (tgt.process.cmdline contains ".sys," or tgt.process.cmdline contains ".sys ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md
index 2af7aef03..9807e3c1e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_webdav_client_susp_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\svchost.exe" and src.process.cmdline contains "-s WebClient" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "C:\windows\system32\davclnt.dll,DavSetCookie" and tgt.process.cmdline matches "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}") and (not (tgt.process.cmdline contains "://10." or tgt.process.cmdline contains "://192.168." or tgt.process.cmdline contains "://172.16." or tgt.process.cmdline contains "://172.17." or tgt.process.cmdline contains "://172.18." or tgt.process.cmdline contains "://172.19." or tgt.process.cmdline contains "://172.20." or tgt.process.cmdline contains "://172.21." or tgt.process.cmdline contains "://172.22." or tgt.process.cmdline contains "://172.23." or tgt.process.cmdline contains "://172.24." or tgt.process.cmdline contains "://172.25." or tgt.process.cmdline contains "://172.26." or tgt.process.cmdline contains "://172.27." or tgt.process.cmdline contains "://172.28." or tgt.process.cmdline contains "://172.29." or tgt.process.cmdline contains "://172.30." or tgt.process.cmdline contains "://172.31." or tgt.process.cmdline contains "://127." or tgt.process.cmdline contains "://169.254."))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md
index 7b00351f8..af56b8a9a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_rundll32_without_parameters.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline in ("rundll32.exe","rundll32"))) | columns ComputerName,SubjectUserName,tgt.process.cmdline,tgt.process.image.path,src.process.image.path
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md
index 6f30a658c..5a9ed916c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_runonce_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\runonce.exe" or tgt.process.displayName="Run Once Wrapper") and (tgt.process.cmdline contains "/AlternateShellStartup" or tgt.process.cmdline contains "/r")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md
index d7af4b7cd..569d48d5c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sc.exe" and tgt.process.integrityLevel="Medium") and ((tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") or (tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sc.exe" and (tgt.process.integrityLevel in ("Medium","S-1-16-8192"))) and ((tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") or (tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command"))))
 ```
 
 
@@ -15,7 +15,7 @@ references:
     - https://pentestlab.blog/2017/03/30/weak-service-permissions/
 author: Teymur Kheirkhabarov
 date: 2019-10-26
-modified: 2022-07-14
+modified: 2024-12-01
 tags:
     - attack.persistence
     - attack.defense-evasion
@@ -27,7 +27,9 @@ logsource:
 detection:
     scbynonadmin:
         Image|endswith: '\sc.exe'
-        IntegrityLevel: 'Medium'
+        IntegrityLevel:
+            - 'Medium'
+            - 'S-1-16-8192'
     selection_binpath:
         CommandLine|contains|all:
             - 'config'
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md
index c0109f87a..825a283f0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_create_service.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md
index 6ab58ac34..07235e791 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_new_kernel_driver.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" or tgt.process.cmdline contains "config") and (tgt.process.cmdline contains "binPath" and tgt.process.cmdline contains "type" and tgt.process.cmdline contains "kernel")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md
index 7d224ac7d..1bcf82c52 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_path_modification.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "config" and tgt.process.cmdline contains "binPath") and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md
index 416abd3c4..64bbda79c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sc_service_tamper_for_persistence.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "config " and tgt.process.cmdline contains "binpath=") or (tgt.process.cmdline contains "sc " and tgt.process.cmdline contains "failure" and tgt.process.cmdline contains "command=")) or (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "FailureCommand") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add " and tgt.process.cmdline contains "ImagePath")) and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin$" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh$" or tgt.process.cmdline contains ".reg$" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md
index cbcc1d048..fa9a21aa8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_appdata_local_system.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Create" and tgt.process.cmdline contains "/RU" and tgt.process.cmdline contains "/TR" and tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\") and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "TeamViewer_.exe") and tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/TN TVInstallRestore"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md
index d52d84f67..8cc62db2e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_change.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /Change " and tgt.process.cmdline contains " /TN ")) and (tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\WINDOWS\Temp\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "C:\ProgramData\" or tgt.process.cmdline contains "C:\Perflogs\" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%") and (tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "bash.exe" or tgt.process.cmdline contains "bash " or tgt.process.cmdline contains "scrcons" or tgt.process.cmdline contains "wmic " or tgt.process.cmdline contains "wmic.exe" or tgt.process.cmdline contains "forfiles" or tgt.process.cmdline contains "scriptrunner" or tgt.process.cmdline contains "hh.exe" or tgt.process.cmdline contains "hh ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md
index 49d4b07d5..f3503fdc6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (not (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md
index 194ee5f51..7c62d706b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_creation_temp_folder.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /create " and tgt.process.cmdline contains " /sc once " and tgt.process.cmdline contains "\Temp\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md
index ab5e8dda3..b021971d0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/delete" and tgt.process.cmdline contains "/tn") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md
index 66b2624b5..e199ad160 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_delete_all.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /delete " and tgt.process.cmdline contains "/tn \*" and tgt.process.cmdline contains " /f")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md
index 3f07f2371..e8ce7e759 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_disable.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/Change" and tgt.process.cmdline contains "/TN" and tgt.process.cmdline contains "/disable") and (tgt.process.cmdline contains "\Windows\BitLocker" or tgt.process.cmdline contains "\Windows\ExploitGuard" or tgt.process.cmdline contains "\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" or tgt.process.cmdline contains "\Windows\SystemRestore\SR" or tgt.process.cmdline contains "\Windows\UpdateOrchestrator\" or tgt.process.cmdline contains "\Windows\Windows Defender\" or tgt.process.cmdline contains "\Windows\WindowsBackup\" or tgt.process.cmdline contains "\Windows\WindowsUpdate\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md
index 6174edb9d..6926a59c8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_env_folder.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains " /create ") and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Users\All Users\" or tgt.process.cmdline contains ":\Users\Default\" or tgt.process.cmdline contains ":\Users\Public" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "\AppData\Roaming\" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Public%")) or (src.process.cmdline contains "\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.cmdline contains ":\Perflogs" or tgt.process.cmdline contains ":\Windows\Temp" or tgt.process.cmdline contains "\Users\Public" or tgt.process.cmdline contains "%Public%"))) and (not ((src.process.cmdline contains "unattended.ini" or tgt.process.cmdline contains "update_task.xml") or tgt.process.cmdline contains "/Create /TN TVInstallRestore /TR" or (tgt.process.cmdline contains "/Create /Xml \"C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\.CR." and tgt.process.cmdline contains "Avira_Security_Installation.xml") or ((tgt.process.cmdline contains "/Create /F /TN" and tgt.process.cmdline contains "/Xml " and tgt.process.cmdline contains "\AppData\Local\Temp\is-" and tgt.process.cmdline contains "Avira_") and (tgt.process.cmdline contains ".tmp\UpdateFallbackTask.xml" or tgt.process.cmdline contains ".tmp\WatchdogServiceControlManagerTimeout.xml" or tgt.process.cmdline contains ".tmp\SystrayAutostart.xml" or tgt.process.cmdline contains ".tmp\MaintenanceTask.xml")) or (tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "/Create /TN \"klcp_update\" /XML " and tgt.process.cmdline contains "\klcp_update_task.xml")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md
index 301f3713e..29a2c00c2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_guid_task_name.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (tgt.process.cmdline contains "/TN \"{" or tgt.process.cmdline contains "/TN '{" or tgt.process.cmdline contains "/TN {") and (tgt.process.cmdline contains "}\"" or tgt.process.cmdline contains "}'" or tgt.process.cmdline contains "} ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md
index 059676bc8..2030e5479 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_powershell_persistence.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\WINDOWS\System32\svchost.exe" and (src.process.cmdline contains "-k netsvcs" and src.process.cmdline contains "-s Schedule") and (tgt.process.cmdline contains " -windowstyle hidden" or tgt.process.cmdline contains " -w hidden" or tgt.process.cmdline contains " -ep bypass" or tgt.process.cmdline contains " -noni")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md
index f36aa99ac..a20a7dc13 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_susp_pattern.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\schtasks.exe" and tgt.process.cmdline contains "/Create ") and (((tgt.process.cmdline contains "/sc minute " or tgt.process.cmdline contains "/ru system ") and (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "cmd /k" or tgt.process.cmdline contains "cmd /r" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r ")) or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -enc " or tgt.process.cmdline contains " -w hidden " or tgt.process.cmdline contains " bypass " or tgt.process.cmdline contains " IEX" or tgt.process.cmdline contains ".DownloadData" or tgt.process.cmdline contains ".DownloadFile" or tgt.process.cmdline contains ".DownloadString" or tgt.process.cmdline contains "/c start /min " or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "mshta http" or tgt.process.cmdline contains "mshta.exe http") or ((tgt.process.cmdline contains ":\ProgramData\" or tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\" or tgt.process.cmdline contains "%AppData%" or tgt.process.cmdline contains "%Temp%" or tgt.process.cmdline contains "%tmp%") and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "curl" or tgt.process.cmdline contains "wscript")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md
index b8bdaecc6..012cf7b2f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_schtasks_system.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains " /change " or tgt.process.cmdline contains " /create ")) and tgt.process.cmdline contains "/ru " and (tgt.process.cmdline contains "NT AUT" or tgt.process.cmdline contains " SYSTEM ")) and (not ((tgt.process.image.path contains "\schtasks.exe" and (tgt.process.cmdline contains "/TN TVInstallRestore" and tgt.process.cmdline contains "\TeamViewer_.exe")) or (tgt.process.cmdline contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or tgt.process.cmdline contains ":\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe" or tgt.process.cmdline contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md
index d70984424..8b450fd36 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_scrcons_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\scrcons.exe" and (tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\msbuild.exe"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md
index 0050fd2ba..31f5e7ad8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdclt_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\sdclt.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md
index 1553fce17..66727ea16 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sdiagnhost_susp_child.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\sdiagnhost.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\taskkill.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\calc.exe")) and (not ((tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "bits") or (tgt.process.image.path contains "\powershell.exe" and (tgt.process.cmdline contains "-noprofile -" or tgt.process.cmdline contains "-noprofile"))))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md
index 16904210f..5fa1c29a7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_servu_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\Serv-U.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\scriptrunner.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md
index 46d6275c7..ec8310fc6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setres_uncommon_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\setres.exe" and tgt.process.image.path contains "\choice") and (not (tgt.process.image.path contains "C:\Windows\System32\choice.exe" or tgt.process.image.path contains "C:\Windows\SysWOW64\choice.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setup16_custom_lst_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setup16_custom_lst_execution.md
new file mode 100644
index 000000000..08c90e9f4
--- /dev/null
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_setup16_custom_lst_execution.md	
@@ -0,0 +1,36 @@
+```sql
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path="C:\Windows\SysWOW64\setup16.exe" and src.process.cmdline contains " -m ") and (not tgt.process.image.path contains "C:\~MSSETUP.T\")))
+```
+
+
+# Original Sigma Rule:
+```yaml
+title: Setup16.EXE Execution With Custom .Lst File
+id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
+status: experimental
+description: |
+    Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
+    These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
+    Attackers and adversaries might leverage this as a living of the land utility.
+references:
+    - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
+author: frack113
+date: 2024-12-01
+tags:
+    - attack.defense-evasion
+    - attack.t1574.005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
+        ParentCommandLine|contains: ' -m '
+    filter_optional_valid_path:
+        Image|startswith: 'C:\~MSSETUP.T\'
+    condition: selection and not 1 of filter_optional_*
+falsepositives:
+    - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
+level: medium
+```
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md
index d70dad0fa..50f5af57c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and (tgt.process.cmdline contains "/r " or tgt.process.cmdline contains "/s ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md
index a8244aa60..077277123 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_shutdown_logoff.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\shutdown.exe" and tgt.process.cmdline contains "/l"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md
index 4aacb9a2a..f76f6ba55 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sigverif_uncommon_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\sigverif.exe" and (not (tgt.process.image.path in ("C:\Windows\System32\WerFault.exe","C:\Windows\SysWOW64\WerFault.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md
index 3bd768eb7..e6dbed341 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sndvol_susp_child_processes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\SndVol.exe" and (not (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains " shell32.dll,Control_RunDLL "))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md
index eb0714ceb..247ed65d5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_soundrecorder_audio_capture.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\SoundRecorder.exe" and tgt.process.cmdline contains "/FILE"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md
index ebda86de5..8bdb3f349 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_splwow64_cli_anomaly.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\splwow64.exe" and tgt.process.cmdline contains "splwow64.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md
index 3dd2c0426..a58ef3df4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_db_recon.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "VeeamBackup" and tgt.process.cmdline contains "From ")) and (tgt.process.cmdline contains "BackupRepositories" or tgt.process.cmdline contains "Backups" or tgt.process.cmdline contains "Credentials" or tgt.process.cmdline contains "HostCreds" or tgt.process.cmdline contains "SmbFileShares" or tgt.process.cmdline contains "Ssh_creds" or tgt.process.cmdline contains "VSphereInfo")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md
index 7ac1e4553..06e071805 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlcmd_veeam_dump.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sqlcmd.exe" and (tgt.process.cmdline contains "SELECT" and tgt.process.cmdline contains "TOP" and tgt.process.cmdline contains "[VeeamBackup].[dbo].[Credentials]")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md
index 7231f2cf4..1a0ed38b2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_chromium_profile_data.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "\User Data\" or tgt.process.cmdline contains "\Opera Software\" or tgt.process.cmdline contains "\ChromiumViewer\") and (tgt.process.cmdline contains "Login Data" or tgt.process.cmdline contains "Cookies" or tgt.process.cmdline contains "Web Data" or tgt.process.cmdline contains "History" or tgt.process.cmdline contains "Bookmarks")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md
index 84fbe4a39..1f40fae7e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sqlite_firefox_gecko_profile_data.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.displayName="SQLite" or (tgt.process.image.path contains "\sqlite.exe" or tgt.process.image.path contains "\sqlite3.exe")) and (tgt.process.cmdline contains "cookies.sqlite" or tgt.process.cmdline contains "places.sqlite")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md
index d491609ff..657646191 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains " --download " or tgt.process.cmdline contains " --update " or tgt.process.cmdline contains " --updateRollback=") and tgt.process.cmdline contains "http"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md
index 5854fb807..b4f9501c0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_squirrel_proxy_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\squirrel.exe" or tgt.process.image.path contains "\update.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--processStartAndWait" or tgt.process.cmdline contains "--createShortcut")) and (not ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Discord\Update.exe" and tgt.process.cmdline contains " --processStart" and tgt.process.cmdline contains "Discord.exe") or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\GitHubDesktop\Update.exe" and tgt.process.cmdline contains "GitHubDesktop.exe") and (tgt.process.cmdline contains "--createShortcut" or tgt.process.cmdline contains "--processStartAndWait")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\Microsoft\Teams\Update.exe" and tgt.process.cmdline contains "Teams.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut")) or ((tgt.process.cmdline contains ":\Users\" and tgt.process.cmdline contains "\AppData\Local\yammerdesktop\Update.exe" and tgt.process.cmdline contains "Yammer.exe") and (tgt.process.cmdline contains "--processStart" or tgt.process.cmdline contains "--createShortcut"))))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md
index 1445a6c08..0ca0df2af 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_port_forward.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " /R " or tgt.process.cmdline contains " –R " or tgt.process.cmdline contains " —R " or tgt.process.cmdline contains " ―R ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md
index 3f6552331..7d6e5783d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_proxy_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\System32\OpenSSH\sshd.exe" or (tgt.process.image.path contains "\ssh.exe" and (tgt.process.cmdline contains "ProxyCommand=" or (tgt.process.cmdline contains "PermitLocalCommand" and tgt.process.cmdline contains "LocalCommand")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md
index 5d765841b..093d7c831 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssh_rdp_tunneling.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ssh.exe" and tgt.process.cmdline contains ":3389"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md
index 252ffa533..f80706700 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ssm_agent_abuse.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\amazon-ssm-agent.exe" and (tgt.process.cmdline contains "-register " and tgt.process.cmdline contains "-code " and tgt.process.cmdline contains "-id " and tgt.process.cmdline contains "-region ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md
index 8865f8dbe..d0608fbe7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_stordiag_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\stordiag.exe" and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\fltmc.exe")) and (not (src.process.image.path contains "c:\windows\system32\" or src.process.image.path contains "c:\windows\syswow64\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md
index c01dc7090..4ed5d625b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_16bit_application.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\ntvdm.exe" or tgt.process.image.path contains "\csrstub.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md
index 6fd03edb7..fa09074c8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_local_admin_group.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains " administrators " or tgt.process.cmdline contains " administrateur")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md
index f8ab087fe..b08e119fe 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_privileged_group.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Group Policy Creator Owners" or tgt.process.cmdline contains "Schema Admins")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md
index d77c36d5f..1a0b10da7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_add_user_remote_desktop_group.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "localgroup " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "Add-LocalGroupMember " and tgt.process.cmdline contains " -Group ")) and (tgt.process.cmdline contains "Remote Desktop Users" or tgt.process.cmdline contains "Utilisateurs du Bureau à distance" or tgt.process.cmdline contains "Usuarios de escritorio remoto")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md
index 68f42e72c..98979d4e2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_alternate_data_streams.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "txt:" and ((tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > ") or (tgt.process.cmdline contains "makecab " and tgt.process.cmdline contains ".cab") or (tgt.process.cmdline contains "reg " and tgt.process.cmdline contains " export ") or (tgt.process.cmdline contains "regedit " and tgt.process.cmdline contains " /E ") or (tgt.process.cmdline contains "esentutl " and tgt.process.cmdline contains " /y " and tgt.process.cmdline contains " /d " and tgt.process.cmdline contains " /o "))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md
index de19b5e34..5178f3825 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_always_install_elevated_windows_installer.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\Windows\Installer\" and tgt.process.image.path contains "msi") and tgt.process.image.path contains "tmp") or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.integrityLevel="System")) and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and (not (src.process.image.path="C:\Windows\System32\services.exe" or (tgt.process.cmdline contains "\system32\msiexec.exe /V" or src.process.cmdline contains "\system32\msiexec.exe /V") or src.process.image.path contains "C:\ProgramData\Sophos\" or src.process.image.path contains "C:\ProgramData\Avira\" or (src.process.image.path contains "C:\Program Files\Avast Software\" or src.process.image.path contains "C:\Program Files (x86)\Avast Software\") or (src.process.image.path contains "C:\Program Files\Google\Update\" or src.process.image.path contains "C:\Program Files (x86)\Google\Update\")))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\Windows\Installer\" and tgt.process.image.path contains "msi") and tgt.process.image.path contains "tmp") or (tgt.process.image.path contains "\msiexec.exe" and (tgt.process.integrityLevel in ("System","S-1-16-16384")))) and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and (not (src.process.image.path="C:\Windows\System32\services.exe" or (tgt.process.cmdline contains "\system32\msiexec.exe /V" or src.process.cmdline contains "\system32\msiexec.exe /V") or src.process.image.path contains "C:\ProgramData\Sophos\" or src.process.image.path contains "C:\ProgramData\Avira\" or (src.process.image.path contains "C:\Program Files\Avast Software\" or src.process.image.path contains "C:\Program Files (x86)\Avast Software\") or (src.process.image.path contains "C:\Program Files\Google\Update\" or src.process.image.path contains "C:\Program Files (x86)\Google\Update\")))))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
-modified: 2023-03-23
+modified: 2024-12-01
 tags:
     - attack.privilege-escalation
     - attack.t1548.002
@@ -33,7 +33,9 @@ detection:
         Image|endswith: 'tmp'
     selection_image_2:
         Image|endswith: '\msiexec.exe'
-        IntegrityLevel: 'System'
+        IntegrityLevel:
+            - 'System'
+            - 'S-1-16-16384'
     filter_installer:
         ParentImage: 'C:\Windows\System32\services.exe'
     filter_repair:
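Review bot: The new `IntegrityLevel` list (`'System'`, `'S-1-16-16384'`) is only useful if the backend field can actually carry the SID form of the mandatory level; in the translated query in the first hunk of this file, `tgt.process.integrityLevel in ("System","S-1-16-16384")`, one of the two values is dead unless SentinelOne emits both representations, and which one survives cannot be told from this diff. Worth confirming against a real SYSTEM-level `msiexec.exe` event before trusting the rule, because the parent-image exclusions that follow are the only thing separating legitimate installer activity from an AlwaysInstallElevated abuse. Since the query block is auto-generated from this Sigma source, any correction belongs here rather than in the translated line; a short comment above the list, `# SID form covers telemetry that reports the mandatory label rather than the name`, would document why both are kept. The `detection` block starts and ends outside this hunk.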
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md
index 2dce1ba0b..839f41399 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_appx_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "C:\Program Files\WindowsApps\" and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "cmd /c" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Base64")) and (not (src.process.image.path contains ":\Program Files\WindowsApps\Microsoft.WindowsTerminal" and src.process.image.path contains "\WindowsTerminal.exe" and (tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\pwsh.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md
index 34a9eb43a..546e14f8c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ".SettingContent-ms" and (not tgt.process.cmdline contains "immersivecontrolpanel"))) | columns ParentProcess,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md
index 018ea109a..8c2e474f2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_archiver_iso_phishing.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\Winrar.exe" or src.process.image.path contains "\7zFM.exe" or src.process.image.path contains "\peazip.exe") and (tgt.process.image.path contains "\isoburn.exe" or tgt.process.image.path contains "\PowerISO.exe" or tgt.process.image.path contains "\ImgBurn.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md
index 6e2154bc7..3a58a9643 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\WerFault.exe" and tgt.process.cmdline contains "WerFault.exe") or (tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or (tgt.process.image.path contains "\regsvcs.exe" and tgt.process.cmdline contains "regsvcs.exe") or (tgt.process.image.path contains "\regasm.exe" and tgt.process.cmdline contains "regasm.exe") or (tgt.process.image.path contains "\regsvr32.exe" and tgt.process.cmdline contains "regsvr32.exe")) and (not ((src.process.image.path contains "\AppData\Local\Microsoft\EdgeUpdate\Install\{" and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe") or ((src.process.image.path contains "\AppData\Local\BraveSoftware\Brave-Browser\Application\" or src.process.image.path contains "\AppData\Local\Google\Chrome\Application\") and src.process.image.path contains "\Installer\setup.exe" and src.process.cmdline contains "--uninstall " and tgt.process.image.path contains "\rundll32.exe" and tgt.process.cmdline contains "rundll32.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md
index d8c701c71..ac535faf5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_browser_launch_from_document_reader_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "Acrobat Reader" or src.process.image.path contains "Microsoft Office" or src.process.image.path contains "PDF Reader") and (tgt.process.image.path contains "\brave.exe" or tgt.process.image.path contains "\chrome.exe" or tgt.process.image.path contains "\firefox.exe" or tgt.process.image.path contains "\msedge.exe" or tgt.process.image.path contains "\opera.exe" or tgt.process.image.path contains "\maxthon.exe" or tgt.process.image.path contains "\seamonkey.exe" or tgt.process.image.path contains "\vivaldi.exe" or tgt.process.image.path contains "") and tgt.process.cmdline contains "http"))
 ```
 
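Review bot: The browser image list on the query line ends with `tgt.process.image.path contains ""`, which matches every path and so makes the whole `or` chain of browser names irrelevant; the rule effectively fires on any child of Acrobat Reader, Microsoft Office or a PDF reader whose command line contains `http`. That is far broader than the rule name suggests and is a likely false-positive source (updaters, help links, license checks), while the commit only touches the timestamp comment. The empty string presumably comes from an empty entry in the Sigma `Image|endswith` list, so the fix belongs in the source rule; the translated line should read `... or tgt.process.image.path contains "\vivaldi.exe") and tgt.process.cmdline contains "http"))` with the empty alternative dropped.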
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md
index 13255b67f..6fed50323 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_cli_obfuscation_escape_char.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "h^t^t^p" or tgt.process.cmdline contains "h\"t\"t\"p"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md
index b60f379f7..00032115c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_commandline_path_traversal_evasion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Windows\" and (tgt.process.cmdline contains "\..\Windows\" or tgt.process.cmdline contains "\..\System32\" or tgt.process.cmdline contains "\..\..\")) or tgt.process.cmdline contains ".exe\..\") and (not (tgt.process.cmdline contains "\Google\Drive\googledrivesync.exe\..\" or tgt.process.cmdline contains "\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md
index 1a4c5310d..d009af08a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_crypto_mining_monero.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " --cpu-priority=" or tgt.process.cmdline contains "--donate-level=0" or tgt.process.cmdline contains " -o pool." or tgt.process.cmdline contains " --nicehash" or tgt.process.cmdline contains " --algo=rx/0 " or tgt.process.cmdline contains "stratum+tcp://" or tgt.process.cmdline contains "stratum+udp://" or tgt.process.cmdline contains "LS1kb25hdGUtbGV2ZWw9" or tgt.process.cmdline contains "0tZG9uYXRlLWxldmVsP" or tgt.process.cmdline contains "tLWRvbmF0ZS1sZXZlbD" or tgt.process.cmdline contains "c3RyYXR1bSt0Y3A6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdGNwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3RjcDovL" or tgt.process.cmdline contains "c3RyYXR1bSt1ZHA6Ly" or tgt.process.cmdline contains "N0cmF0dW0rdWRwOi8v" or tgt.process.cmdline contains "zdHJhdHVtK3VkcDovL") and (not (tgt.process.cmdline contains " pool.c " or tgt.process.cmdline contains " pool.o " or tgt.process.cmdline contains "gcc -"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md
index 3c223b8c2..e52713258 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_data_exfiltration_via_cli.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl ") and (tgt.process.cmdline contains " -ur" and tgt.process.cmdline contains " -me" and tgt.process.cmdline contains " -b" and tgt.process.cmdline contains " POST ")) or ((tgt.process.image.path contains "\curl.exe" and tgt.process.cmdline contains "--ur") and (tgt.process.cmdline contains " -d " or tgt.process.cmdline contains " --data ")) or (tgt.process.image.path contains "\wget.exe" and (tgt.process.cmdline contains "--post-data" or tgt.process.cmdline contains "--post-file"))) and ((tgt.process.cmdline contains "Get-Content" or tgt.process.cmdline contains "GetBytes" or tgt.process.cmdline contains "hostname" or tgt.process.cmdline contains "ifconfig" or tgt.process.cmdline contains "ipconfig" or tgt.process.cmdline contains "net view" or tgt.process.cmdline contains "netstat" or tgt.process.cmdline contains "nltest" or tgt.process.cmdline contains "qprocess" or tgt.process.cmdline contains "sc query" or tgt.process.cmdline contains "systeminfo" or tgt.process.cmdline contains "tasklist" or tgt.process.cmdline contains "ToBase64String" or tgt.process.cmdline contains "whoami") or (tgt.process.cmdline contains "type " and tgt.process.cmdline contains " > " and tgt.process.cmdline contains " C:\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md
index 0e1d6816e..c83dff307 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_disable_raccine.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "taskkill " and tgt.process.cmdline contains "RaccineSettings.exe") or (tgt.process.cmdline contains "reg.exe" and tgt.process.cmdline contains "delete" and tgt.process.cmdline contains "Raccine Tray") or (tgt.process.cmdline contains "schtasks" and tgt.process.cmdline contains "/DELETE" and tgt.process.cmdline contains "Raccine Rules Updater")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md
index bc163509b..46728e45e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ".doc.exe" or tgt.process.image.path contains ".docx.exe" or tgt.process.image.path contains ".xls.exe" or tgt.process.image.path contains ".xlsx.exe" or tgt.process.image.path contains ".ppt.exe" or tgt.process.image.path contains ".pptx.exe" or tgt.process.image.path contains ".rtf.exe" or tgt.process.image.path contains ".pdf.exe" or tgt.process.image.path contains ".txt.exe" or tgt.process.image.path contains "      .exe" or tgt.process.image.path contains "______.exe" or tgt.process.image.path contains ".doc.js" or tgt.process.image.path contains ".docx.js" or tgt.process.image.path contains ".xls.js" or tgt.process.image.path contains ".xlsx.js" or tgt.process.image.path contains ".ppt.js" or tgt.process.image.path contains ".pptx.js" or tgt.process.image.path contains ".rtf.js" or tgt.process.image.path contains ".pdf.js" or tgt.process.image.path contains ".txt.js") and (tgt.process.cmdline contains ".doc.exe" or tgt.process.cmdline contains ".docx.exe" or tgt.process.cmdline contains ".xls.exe" or tgt.process.cmdline contains ".xlsx.exe" or tgt.process.cmdline contains ".ppt.exe" or tgt.process.cmdline contains ".pptx.exe" or tgt.process.cmdline contains ".rtf.exe" or tgt.process.cmdline contains ".pdf.exe" or tgt.process.cmdline contains ".txt.exe" or tgt.process.cmdline contains "      .exe" or tgt.process.cmdline contains "______.exe" or tgt.process.cmdline contains ".doc.js" or tgt.process.cmdline contains ".docx.js" or tgt.process.cmdline contains ".xls.js" or tgt.process.cmdline contains ".xlsx.js" or tgt.process.cmdline contains ".ppt.js" or tgt.process.cmdline contains ".pptx.js" or tgt.process.cmdline contains ".rtf.js" or tgt.process.cmdline contains ".pdf.js" or tgt.process.cmdline contains ".txt.js")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md
index c664ada2c..d0276ff35 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_double_extension_parent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains ".doc.lnk" or src.process.image.path contains ".docx.lnk" or src.process.image.path contains ".xls.lnk" or src.process.image.path contains ".xlsx.lnk" or src.process.image.path contains ".ppt.lnk" or src.process.image.path contains ".pptx.lnk" or src.process.image.path contains ".rtf.lnk" or src.process.image.path contains ".pdf.lnk" or src.process.image.path contains ".txt.lnk" or src.process.image.path contains ".doc.js" or src.process.image.path contains ".docx.js" or src.process.image.path contains ".xls.js" or src.process.image.path contains ".xlsx.js" or src.process.image.path contains ".ppt.js" or src.process.image.path contains ".pptx.js" or src.process.image.path contains ".rtf.js" or src.process.image.path contains ".pdf.js" or src.process.image.path contains ".txt.js") or (src.process.cmdline contains ".doc.lnk" or src.process.cmdline contains ".docx.lnk" or src.process.cmdline contains ".xls.lnk" or src.process.cmdline contains ".xlsx.lnk" or src.process.cmdline contains ".ppt.lnk" or src.process.cmdline contains ".pptx.lnk" or src.process.cmdline contains ".rtf.lnk" or src.process.cmdline contains ".pdf.lnk" or src.process.cmdline contains ".txt.lnk" or src.process.cmdline contains ".doc.js" or src.process.cmdline contains ".docx.js" or src.process.cmdline contains ".xls.js" or src.process.cmdline contains ".xlsx.js" or src.process.cmdline contains ".ppt.js" or src.process.cmdline contains ".pptx.js" or src.process.cmdline contains ".rtf.js" or src.process.cmdline contains ".pdf.js" or src.process.cmdline contains ".txt.js")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md
index b162835d3..bcc630c50 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_download_office_domain.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\curl.exe" or tgt.process.image.path contains "\wget.exe") or (tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains ".DownloadFile(" or tgt.process.cmdline contains ".DownloadString(")) and (tgt.process.cmdline contains "https://attachment.outlook.live.net/owa/" or tgt.process.cmdline contains "https://onenoteonlinesync.onenote.com/onenoteonlinesync/")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md
index 474c7d399..a2a7578cb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_dumpstack_log_evasion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\DumpStack.log" or tgt.process.cmdline contains " -o DumpStack.log"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md
index 9afafa507..02fd42bf8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_electron_app_children.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\chrome.exe" or src.process.image.path contains "\discord.exe" or src.process.image.path contains "\GitHubDesktop.exe" or src.process.image.path contains "\keybase.exe" or src.process.image.path contains "\msedge.exe" or src.process.image.path contains "\msedgewebview2.exe" or src.process.image.path contains "\msteams.exe" or src.process.image.path contains "\slack.exe" or src.process.image.path contains "\teams.exe") and ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains ":\ProgramData\" or tgt.process.image.path contains ":\Temp\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\Windows\Temp\")) and (not (src.process.image.path contains "\Discord.exe" and tgt.process.image.path contains "\cmd.exe" and tgt.process.cmdline contains "\NVSMI\nvidia-smi.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md
index f569e894f..8d70a48a3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_embed_exe_lnk.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\explorer.exe" and tgt.process.image.path="C:\Windows\System32\cmd.exe" and (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains ".lnk")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md
index a042da2f6..e4efa54e8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_1.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "😀" or tgt.process.cmdline contains "😃" or tgt.process.cmdline contains "😄" or tgt.process.cmdline contains "😁" or tgt.process.cmdline contains "😆" or tgt.process.cmdline contains "😅" or tgt.process.cmdline contains "😂" or tgt.process.cmdline contains "🤣" or tgt.process.cmdline contains "🥲" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "☺️" or tgt.process.cmdline contains "😊" or tgt.process.cmdline contains "😇" or tgt.process.cmdline contains "🙂" or tgt.process.cmdline contains "🙃" or tgt.process.cmdline contains "😉" or tgt.process.cmdline contains "😌" or tgt.process.cmdline contains "😍" or tgt.process.cmdline contains "🥰" or tgt.process.cmdline contains "😘" or tgt.process.cmdline contains "😗" or tgt.process.cmdline contains "😙" or tgt.process.cmdline contains "😚" or tgt.process.cmdline contains "😋" or tgt.process.cmdline contains "😛" or tgt.process.cmdline contains "😝" or tgt.process.cmdline contains "😜" or tgt.process.cmdline contains "🤪" or tgt.process.cmdline contains "🤨" or tgt.process.cmdline contains "🧐" or tgt.process.cmdline contains "🤓" or tgt.process.cmdline contains "😎" or tgt.process.cmdline contains "🥸" or tgt.process.cmdline contains "🤩" or tgt.process.cmdline contains "🥳" or tgt.process.cmdline contains "😏" or tgt.process.cmdline contains "😒" or tgt.process.cmdline contains "😞" or tgt.process.cmdline contains "😔" or tgt.process.cmdline contains "😟" or tgt.process.cmdline contains "😕" or tgt.process.cmdline contains "🙁" or tgt.process.cmdline contains "☹️" or tgt.process.cmdline contains "😣" or tgt.process.cmdline contains "😖" or tgt.process.cmdline contains "😫" or tgt.process.cmdline contains "😩" or tgt.process.cmdline contains "🥺" or tgt.process.cmdline contains "😢" or tgt.process.cmdline contains "😭" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😤" or tgt.process.cmdline contains "😠" or tgt.process.cmdline 
contains "😡" or tgt.process.cmdline contains "🤬" or tgt.process.cmdline contains "🤯" or tgt.process.cmdline contains "😳" or tgt.process.cmdline contains "🥵" or tgt.process.cmdline contains "🥶" or tgt.process.cmdline contains "😱" or tgt.process.cmdline contains "😨" or tgt.process.cmdline contains "😰" or tgt.process.cmdline contains "😥" or tgt.process.cmdline contains "😓" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🤗" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🤔" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🤭" or tgt.process.cmdline contains "🤫" or tgt.process.cmdline contains "🤥" or tgt.process.cmdline contains "😶" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "😐" or tgt.process.cmdline contains "😑" or tgt.process.cmdline contains "😬" or tgt.process.cmdline contains "🫠" or tgt.process.cmdline contains "🙄" or tgt.process.cmdline contains "😯" or tgt.process.cmdline contains "😦" or tgt.process.cmdline contains "😧" or tgt.process.cmdline contains "😮" or tgt.process.cmdline contains "😲" or tgt.process.cmdline contains "🥱" or tgt.process.cmdline contains "😴" or tgt.process.cmdline contains "🤤" or tgt.process.cmdline contains "😪" or tgt.process.cmdline contains "😵" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🤐" or tgt.process.cmdline contains "🥴" or tgt.process.cmdline contains "🤢" or tgt.process.cmdline contains "🤮" or tgt.process.cmdline contains "🤧" or tgt.process.cmdline contains "😷" or tgt.process.cmdline contains "🤒" or tgt.process.cmdline contains "🤕" or tgt.process.cmdline contains "🤑" or tgt.process.cmdline contains "🤠" or tgt.process.cmdline contains "😈" or tgt.process.cmdline contains "👿" or tgt.process.cmdline contains "👹" or tgt.process.cmdline contains "👺" or tgt.process.cmdline contains "🤡" or tgt.process.cmdline contains "💩" or tgt.process.cmdline contains "👻" or tgt.process.cmdline contains "💀" 
or tgt.process.cmdline contains "☠️" or tgt.process.cmdline contains "👽" or tgt.process.cmdline contains "👾" or tgt.process.cmdline contains "🤖" or tgt.process.cmdline contains "🎃" or tgt.process.cmdline contains "😺" or tgt.process.cmdline contains "😸" or tgt.process.cmdline contains "😹" or tgt.process.cmdline contains "😻" or tgt.process.cmdline contains "😼" or tgt.process.cmdline contains "😽" or tgt.process.cmdline contains "🙀" or tgt.process.cmdline contains "😿" or tgt.process.cmdline contains "😾" or tgt.process.cmdline contains "👋" or tgt.process.cmdline contains "🤚" or tgt.process.cmdline contains "🖐" or tgt.process.cmdline contains "✋" or tgt.process.cmdline contains "🖖" or tgt.process.cmdline contains "👌" or tgt.process.cmdline contains "🤌" or tgt.process.cmdline contains "🤏" or tgt.process.cmdline contains "✌️" or tgt.process.cmdline contains "🤞" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🤟" or tgt.process.cmdline contains "🤘" or tgt.process.cmdline contains "🤙" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "👈" or tgt.process.cmdline contains "👉" or tgt.process.cmdline contains "👆" or tgt.process.cmdline contains "🖕" or tgt.process.cmdline contains "👇" or tgt.process.cmdline contains "☝️" or tgt.process.cmdline contains "👍" or tgt.process.cmdline contains "👎" or tgt.process.cmdline contains "✊" or tgt.process.cmdline contains "👊" or tgt.process.cmdline contains "🤛" or tgt.process.cmdline contains "🤜" or tgt.process.cmdline contains "👏" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🙌" or tgt.process.cmdline contains "👐" or tgt.process.cmdline contains "🤲" or tgt.process.cmdline contains "🤝" or tgt.process.cmdline contains "🙏" or tgt.process.cmdline contains "✍️" or tgt.process.cmdline contains "💪" or tgt.process.cmdline contains "🦾" or 
tgt.process.cmdline contains "🦵" or tgt.process.cmdline contains "🦿" or tgt.process.cmdline contains "🦶" or tgt.process.cmdline contains "👣" or tgt.process.cmdline contains "👂" or tgt.process.cmdline contains "🦻" or tgt.process.cmdline contains "👃" or tgt.process.cmdline contains "🫀" or tgt.process.cmdline contains "🫁" or tgt.process.cmdline contains "🧠" or tgt.process.cmdline contains "🦷" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "👀" or tgt.process.cmdline contains "👁" or tgt.process.cmdline contains "👅" or tgt.process.cmdline contains "👄" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "💋" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "👶" or tgt.process.cmdline contains "👧" or tgt.process.cmdline contains "🧒" or tgt.process.cmdline contains "👦" or tgt.process.cmdline contains "👩" or tgt.process.cmdline contains "🧑" or tgt.process.cmdline contains "👨" or tgt.process.cmdline contains "👩‍🦱" or tgt.process.cmdline contains "🧑‍🦱" or tgt.process.cmdline contains "👨‍🦱" or tgt.process.cmdline contains "👩‍🦰" or tgt.process.cmdline contains "🧑‍🦰" or tgt.process.cmdline contains "👨‍🦰" or tgt.process.cmdline contains "👱‍♀️" or tgt.process.cmdline contains "👱" or tgt.process.cmdline contains "👱‍♂️" or tgt.process.cmdline contains "👩‍🦳" or tgt.process.cmdline contains "🧑‍🦳" or tgt.process.cmdline contains "👨‍🦳" or tgt.process.cmdline contains "👩‍🦲" or tgt.process.cmdline contains "🧑‍🦲" or tgt.process.cmdline contains "👨‍🦲" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "👵" or tgt.process.cmdline contains "🧓" or tgt.process.cmdline contains "👴" or tgt.process.cmdline contains "👲" or tgt.process.cmdline contains "👳‍♀️" or tgt.process.cmdline contains "👳" or tgt.process.cmdline contains "👳‍♂️" or tgt.process.cmdline contains "🧕" or tgt.process.cmdline contains "👮‍♀️" or tgt.process.cmdline contains "👮" or 
tgt.process.cmdline contains "👮‍♂️" or tgt.process.cmdline contains "👷‍♀️" or tgt.process.cmdline contains "👷" or tgt.process.cmdline contains "👷‍♂️" or tgt.process.cmdline contains "💂‍♀️" or tgt.process.cmdline contains "💂" or tgt.process.cmdline contains "💂‍♂️" or tgt.process.cmdline contains "🕵️‍♀️" or tgt.process.cmdline contains "🕵️" or tgt.process.cmdline contains "🕵️‍♂️" or tgt.process.cmdline contains "👩‍⚕️" or tgt.process.cmdline contains "🧑‍⚕️" or tgt.process.cmdline contains "👨‍⚕️" or tgt.process.cmdline contains "👩‍🌾" or tgt.process.cmdline contains "🧑‍🌾" or tgt.process.cmdline contains "👨‍🌾" or tgt.process.cmdline contains "👩‍🍳" or tgt.process.cmdline contains "🧑‍🍳" or tgt.process.cmdline contains "👨‍🍳" or tgt.process.cmdline contains "👩‍🎓" or tgt.process.cmdline contains "🧑‍🎓" or tgt.process.cmdline contains "👨‍🎓" or tgt.process.cmdline contains "👩‍🎤" or tgt.process.cmdline contains "🧑‍🎤" or tgt.process.cmdline contains "👨‍🎤" or tgt.process.cmdline contains "👩‍🏫" or tgt.process.cmdline contains "🧑‍🏫" or tgt.process.cmdline contains "👨‍🏫" or tgt.process.cmdline contains "👩‍🏭" or tgt.process.cmdline contains "🧑‍🏭" or tgt.process.cmdline contains "👨‍🏭" or tgt.process.cmdline contains "👩‍💻" or tgt.process.cmdline contains "🧑‍💻" or tgt.process.cmdline contains "👨‍💻" or tgt.process.cmdline contains "👩‍💼" or tgt.process.cmdline contains "🧑‍💼" or tgt.process.cmdline contains "👨‍💼" or tgt.process.cmdline contains "👩‍🔧" or tgt.process.cmdline contains "🧑‍🔧" or tgt.process.cmdline contains "👨‍🔧" or tgt.process.cmdline contains "👩‍🔬" or tgt.process.cmdline contains "🧑‍🔬" or tgt.process.cmdline contains "👨‍🔬" or tgt.process.cmdline contains "👩‍🎨" or tgt.process.cmdline contains "🧑‍🎨" or tgt.process.cmdline contains "👨‍🎨" or tgt.process.cmdline contains "👩‍🚒" or tgt.process.cmdline contains "🧑‍🚒" or tgt.process.cmdline contains "👨‍🚒" or tgt.process.cmdline contains "👩‍✈️" or tgt.process.cmdline contains "🧑‍✈️" or tgt.process.cmdline contains "👨‍✈️" or 
tgt.process.cmdline contains "👩‍🚀" or tgt.process.cmdline contains "🧑‍🚀" or tgt.process.cmdline contains "👨‍🚀" or tgt.process.cmdline contains "👩‍⚖️" or tgt.process.cmdline contains "🧑‍⚖️" or tgt.process.cmdline contains "👨‍⚖️" or tgt.process.cmdline contains "👰‍♀️" or tgt.process.cmdline contains "👰" or tgt.process.cmdline contains "👰‍♂️" or tgt.process.cmdline contains "🤵‍♀️" or tgt.process.cmdline contains "🤵" or tgt.process.cmdline contains "🤵‍♂️" or tgt.process.cmdline contains "👸" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🤴" or tgt.process.cmdline contains "🥷" or tgt.process.cmdline contains "🦸‍♀️" or tgt.process.cmdline contains "🦸" or tgt.process.cmdline contains "🦸‍♂️" or tgt.process.cmdline contains "🦹‍♀️" or tgt.process.cmdline contains "🦹" or tgt.process.cmdline contains "🦹‍♂️" or tgt.process.cmdline contains "🤶" or tgt.process.cmdline contains "🧑‍🎄" or tgt.process.cmdline contains "🎅" or tgt.process.cmdline contains "🧙‍♀️" or tgt.process.cmdline contains "🧙" or tgt.process.cmdline contains "🧙‍♂️" or tgt.process.cmdline contains "🧝‍♀️" or tgt.process.cmdline contains "🧝" or tgt.process.cmdline contains "🧝‍♂️" or tgt.process.cmdline contains "🧛‍♀️" or tgt.process.cmdline contains "🧛" or tgt.process.cmdline contains "🧛‍♂️" or tgt.process.cmdline contains "🧟‍♀️" or tgt.process.cmdline contains "🧟" or tgt.process.cmdline contains "🧟‍♂️" or tgt.process.cmdline contains "🧞‍♀️" or tgt.process.cmdline contains "🧞" or tgt.process.cmdline contains "🧞‍♂️" or tgt.process.cmdline contains "🧜‍♀️" or tgt.process.cmdline contains "🧜" or tgt.process.cmdline contains "🧜‍♂️" or tgt.process.cmdline contains "🧚‍♀️" or tgt.process.cmdline contains "🧚" or tgt.process.cmdline contains "🧚‍♂️" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "👼" or tgt.process.cmdline contains "🤰" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🤱" or tgt.process.cmdline contains "👩‍🍼" or 
tgt.process.cmdline contains "🧑‍🍼" or tgt.process.cmdline contains "👨‍🍼" or tgt.process.cmdline contains "🙇‍♀️" or tgt.process.cmdline contains "🙇" or tgt.process.cmdline contains "🙇‍♂️" or tgt.process.cmdline contains "💁‍♀️" or tgt.process.cmdline contains "💁" or tgt.process.cmdline contains "💁‍♂️" or tgt.process.cmdline contains "🙅‍♀️" or tgt.process.cmdline contains "🙅" or tgt.process.cmdline contains "🙅‍♂️" or tgt.process.cmdline contains "🙆‍♀️" or tgt.process.cmdline contains "🙆" or tgt.process.cmdline contains "🙆‍♂️" or tgt.process.cmdline contains "🙋‍♀️" or tgt.process.cmdline contains "🙋" or tgt.process.cmdline contains "🙋‍♂️" or tgt.process.cmdline contains "🧏‍♀️" or tgt.process.cmdline contains "🧏" or tgt.process.cmdline contains "🧏‍♂️" or tgt.process.cmdline contains "🤦‍♀️" or tgt.process.cmdline contains "🤦" or tgt.process.cmdline contains "🤦‍♂️" or tgt.process.cmdline contains "🤷‍♀️" or tgt.process.cmdline contains "🤷" or tgt.process.cmdline contains "🤷‍♂️" or tgt.process.cmdline contains "🙎‍♀️" or tgt.process.cmdline contains "🙎" or tgt.process.cmdline contains "🙎‍♂️" or tgt.process.cmdline contains "🙍‍♀️" or tgt.process.cmdline contains "🙍" or tgt.process.cmdline contains "🙍‍♂️" or tgt.process.cmdline contains "💇‍♀️" or tgt.process.cmdline contains "💇" or tgt.process.cmdline contains "💇‍♂️" or tgt.process.cmdline contains "💆‍♀️" or tgt.process.cmdline contains "💆" or tgt.process.cmdline contains "💆‍♂️" or tgt.process.cmdline contains "🧖‍♀️" or tgt.process.cmdline contains "🧖" or tgt.process.cmdline contains "🧖‍♂️" or tgt.process.cmdline contains "💅" or tgt.process.cmdline contains "💃" or tgt.process.cmdline contains "🕺" or tgt.process.cmdline contains "👯‍♀️" or tgt.process.cmdline contains "👯" or tgt.process.cmdline contains "👯‍♂️" or tgt.process.cmdline contains "🕴" or tgt.process.cmdline contains "👩‍🦽" or tgt.process.cmdline contains "🧑‍🦽" or tgt.process.cmdline contains "👨‍🦽" or tgt.process.cmdline contains "👩‍🦼" or tgt.process.cmdline contains 
"🧑‍🦼" or tgt.process.cmdline contains "👨‍🦼" or tgt.process.cmdline contains "🚶‍♀️" or tgt.process.cmdline contains "🚶" or tgt.process.cmdline contains "🚶‍♂️" or tgt.process.cmdline contains "👩‍🦯" or tgt.process.cmdline contains "🧑‍🦯" or tgt.process.cmdline contains "👨‍🦯" or tgt.process.cmdline contains "🧎‍♀️" or tgt.process.cmdline contains "🧎" or tgt.process.cmdline contains "🧎‍♂️" or tgt.process.cmdline contains "🏃‍♀️" or tgt.process.cmdline contains "🏃" or tgt.process.cmdline contains "🏃‍♂️" or tgt.process.cmdline contains "🧍‍♀️" or tgt.process.cmdline contains "🧍" or tgt.process.cmdline contains "🧍‍♂️" or tgt.process.cmdline contains "👭" or tgt.process.cmdline contains "🧑‍🤝‍🧑" or tgt.process.cmdline contains "👬" or tgt.process.cmdline contains "👫" or tgt.process.cmdline contains "👩‍❤️‍👩" or tgt.process.cmdline contains "💑" or tgt.process.cmdline contains "👨‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👩" or tgt.process.cmdline contains "💏" or tgt.process.cmdline contains "👨‍❤️‍💋‍👨" or tgt.process.cmdline contains "👩‍❤️‍💋‍👨" or tgt.process.cmdline contains "👪" or tgt.process.cmdline contains "👨‍👩‍👦" or tgt.process.cmdline contains "👨‍👩‍👧" or tgt.process.cmdline contains "👨‍👩‍👧‍👦" or tgt.process.cmdline contains "👨‍👩‍👦‍👦" or tgt.process.cmdline contains "👨‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👨‍👦" or tgt.process.cmdline contains "👨‍👨‍👧" or tgt.process.cmdline contains "👨‍👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👨‍👦‍👦" or tgt.process.cmdline contains "👨‍👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👩‍👦" or tgt.process.cmdline contains "👩‍👩‍👧" or tgt.process.cmdline contains "👩‍👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👩‍👧‍👧" or tgt.process.cmdline contains "👨‍👦" or tgt.process.cmdline contains "👨‍👦‍👦" or tgt.process.cmdline contains "👨‍👧" or tgt.process.cmdline contains "👨‍👧‍👦" or tgt.process.cmdline contains "👨‍👧‍👧" or tgt.process.cmdline contains "👩‍👦" or tgt.process.cmdline 
contains "👩‍👦‍👦" or tgt.process.cmdline contains "👩‍👧" or tgt.process.cmdline contains "👩‍👧‍👦" or tgt.process.cmdline contains "👩‍👧‍👧" or tgt.process.cmdline contains "🗣" or tgt.process.cmdline contains "👤" or tgt.process.cmdline contains "👥" or tgt.process.cmdline contains "🫂" or tgt.process.cmdline contains "🧳" or tgt.process.cmdline contains "🌂" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🧵" or tgt.process.cmdline contains "🪡" or tgt.process.cmdline contains "🪢" or tgt.process.cmdline contains "🧶" or tgt.process.cmdline contains "👓" or tgt.process.cmdline contains "🕶" or tgt.process.cmdline contains "🥽" or tgt.process.cmdline contains "🥼" or tgt.process.cmdline contains "🦺" or tgt.process.cmdline contains "👔" or tgt.process.cmdline contains "👕" or tgt.process.cmdline contains "👖" or tgt.process.cmdline contains "🧣" or tgt.process.cmdline contains "🧤" or tgt.process.cmdline contains "🧥" or tgt.process.cmdline contains "🧦" or tgt.process.cmdline contains "👗" or tgt.process.cmdline contains "👘" or tgt.process.cmdline contains "🥻" or tgt.process.cmdline contains "🩴" or tgt.process.cmdline contains "🩱" or tgt.process.cmdline contains "🩲" or tgt.process.cmdline contains "🩳" or tgt.process.cmdline contains "👙" or tgt.process.cmdline contains "👚" or tgt.process.cmdline contains "👛" or tgt.process.cmdline contains "👜" or tgt.process.cmdline contains "👝" or tgt.process.cmdline contains "🎒" or tgt.process.cmdline contains "👞" or tgt.process.cmdline contains "👟" or tgt.process.cmdline contains "🥾" or tgt.process.cmdline contains "🥿" or tgt.process.cmdline contains "👠" or tgt.process.cmdline contains "👡" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "👢" or tgt.process.cmdline contains "👑" or tgt.process.cmdline contains "👒" or tgt.process.cmdline contains "🎩" or tgt.process.cmdline contains "🎓" or tgt.process.cmdline contains "🧢" or tgt.process.cmdline contains "⛑" or tgt.process.cmdline contains "🪖" or tgt.process.cmdline 
contains "💄" or tgt.process.cmdline contains "💍" or tgt.process.cmdline contains "💼" or tgt.process.cmdline contains "👋🏻" or tgt.process.cmdline contains "🤚🏻" or tgt.process.cmdline contains "🖐🏻" or tgt.process.cmdline contains "✋🏻" or tgt.process.cmdline contains "🖖🏻" or tgt.process.cmdline contains "👌🏻" or tgt.process.cmdline contains "🤌🏻" or tgt.process.cmdline contains "🤏🏻" or tgt.process.cmdline contains "✌🏻" or tgt.process.cmdline contains "🤞🏻" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🤟🏻" or tgt.process.cmdline contains "🤘🏻" or tgt.process.cmdline contains "🤙🏻" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "👈🏻" or tgt.process.cmdline contains "👉🏻" or tgt.process.cmdline contains "👆🏻" or tgt.process.cmdline contains "🖕🏻" or tgt.process.cmdline contains "👇🏻" or tgt.process.cmdline contains "☝🏻" or tgt.process.cmdline contains "👍🏻" or tgt.process.cmdline contains "👎🏻" or tgt.process.cmdline contains "✊🏻" or tgt.process.cmdline contains "👊🏻" or tgt.process.cmdline contains "🤛🏻" or tgt.process.cmdline contains "🤜🏻" or tgt.process.cmdline contains "👏🏻" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🙌🏻" or tgt.process.cmdline contains "👐🏻" or tgt.process.cmdline contains "🤲🏻" or tgt.process.cmdline contains "🙏🏻" or tgt.process.cmdline contains "✍🏻" or tgt.process.cmdline contains "💪🏻" or tgt.process.cmdline contains "🦵🏻" or tgt.process.cmdline contains "🦶🏻" or tgt.process.cmdline contains "👂🏻" or tgt.process.cmdline contains "🦻🏻" or tgt.process.cmdline contains "👃🏻" or tgt.process.cmdline contains "👶🏻" or tgt.process.cmdline contains "👧🏻" or tgt.process.cmdline contains "🧒🏻" or tgt.process.cmdline contains "👦🏻" or tgt.process.cmdline contains "👩🏻" or tgt.process.cmdline contains "🧑🏻" or tgt.process.cmdline contains "👨🏻" or tgt.process.cmdline 
contains "👩🏻‍🦱" or tgt.process.cmdline contains "🧑🏻‍🦱" or tgt.process.cmdline contains "👨🏻‍🦱" or tgt.process.cmdline contains "👩🏻‍🦰" or tgt.process.cmdline contains "🧑🏻‍🦰" or tgt.process.cmdline contains "👨🏻‍🦰" or tgt.process.cmdline contains "👱🏻‍♀️" or tgt.process.cmdline contains "👱🏻" or tgt.process.cmdline contains "👱🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦳" or tgt.process.cmdline contains "🧑🏻‍🦳" or tgt.process.cmdline contains "👨🏻‍🦳" or tgt.process.cmdline contains "👩🏻‍🦲" or tgt.process.cmdline contains "🧑🏻‍🦲" or tgt.process.cmdline contains "👨🏻‍🦲" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline contains "🧔🏻" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "👵🏻" or tgt.process.cmdline contains "🧓🏻" or tgt.process.cmdline contains "👴🏻" or tgt.process.cmdline contains "👲🏻" or tgt.process.cmdline contains "👳🏻‍♀️" or tgt.process.cmdline contains "👳🏻" or tgt.process.cmdline contains "👳🏻‍♂️" or tgt.process.cmdline contains "🧕🏻" or tgt.process.cmdline contains "👮🏻‍♀️" or tgt.process.cmdline contains "👮🏻" or tgt.process.cmdline contains "👮🏻‍♂️" or tgt.process.cmdline contains "👷🏻‍♀️" or tgt.process.cmdline contains "👷🏻" or tgt.process.cmdline contains "👷🏻‍♂️" or tgt.process.cmdline contains "💂🏻‍♀️" or tgt.process.cmdline contains "💂🏻" or tgt.process.cmdline contains "💂🏻‍♂️" or tgt.process.cmdline contains "🕵🏻‍♀️" or tgt.process.cmdline contains "🕵🏻" or tgt.process.cmdline contains "🕵🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍⚕️" or tgt.process.cmdline contains "🧑🏻‍⚕️" or tgt.process.cmdline contains "👨🏻‍⚕️" or tgt.process.cmdline contains "👩🏻‍🌾" or tgt.process.cmdline contains "🧑🏻‍🌾" or tgt.process.cmdline contains "👨🏻‍🌾" or tgt.process.cmdline contains "👩🏻‍🍳" or tgt.process.cmdline contains "🧑🏻‍🍳" or tgt.process.cmdline contains "👨🏻‍🍳" or tgt.process.cmdline contains "👩🏻‍🎓" or tgt.process.cmdline contains "🧑🏻‍🎓" or tgt.process.cmdline contains "👨🏻‍🎓" or tgt.process.cmdline contains "👩🏻‍🎤" or tgt.process.cmdline contains "🧑🏻‍🎤" 
or tgt.process.cmdline contains "👨🏻‍🎤" or tgt.process.cmdline contains "👩🏻‍🏫" or tgt.process.cmdline contains "🧑🏻‍🏫" or tgt.process.cmdline contains "👨🏻‍🏫" or tgt.process.cmdline contains "👩🏻‍🏭" or tgt.process.cmdline contains "🧑🏻‍🏭" or tgt.process.cmdline contains "👨🏻‍🏭" or tgt.process.cmdline contains "👩🏻‍💻" or tgt.process.cmdline contains "🧑🏻‍💻" or tgt.process.cmdline contains "👨🏻‍💻" or tgt.process.cmdline contains "👩🏻‍💼" or tgt.process.cmdline contains "🧑🏻‍💼" or tgt.process.cmdline contains "👨🏻‍💼" or tgt.process.cmdline contains "👩🏻‍🔧" or tgt.process.cmdline contains "🧑🏻‍🔧" or tgt.process.cmdline contains "👨🏻‍🔧" or tgt.process.cmdline contains "👩🏻‍🔬" or tgt.process.cmdline contains "🧑🏻‍🔬" or tgt.process.cmdline contains "👨🏻‍🔬" or tgt.process.cmdline contains "👩🏻‍🎨" or tgt.process.cmdline contains "🧑🏻‍🎨" or tgt.process.cmdline contains "👨🏻‍🎨" or tgt.process.cmdline contains "👩🏻‍🚒" or tgt.process.cmdline contains "🧑🏻‍🚒" or tgt.process.cmdline contains "👨🏻‍🚒" or tgt.process.cmdline contains "👩🏻‍✈️" or tgt.process.cmdline contains "🧑🏻‍✈️" or tgt.process.cmdline contains "👨🏻‍✈️" or tgt.process.cmdline contains "👩🏻‍🚀" or tgt.process.cmdline contains "🧑🏻‍🚀" or tgt.process.cmdline contains "👨🏻‍🚀" or tgt.process.cmdline contains "👩🏻‍⚖️" or tgt.process.cmdline contains "🧑🏻‍⚖️" or tgt.process.cmdline contains "👨🏻‍⚖️" or tgt.process.cmdline contains "👰🏻‍♀️" or tgt.process.cmdline contains "👰🏻" or tgt.process.cmdline contains "👰🏻‍♂️" or tgt.process.cmdline contains "🤵🏻‍♀️" or tgt.process.cmdline contains "🤵🏻" or tgt.process.cmdline contains "🤵🏻‍♂️" or tgt.process.cmdline contains "👸🏻" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🤴🏻" or tgt.process.cmdline contains "🥷🏻" or tgt.process.cmdline contains "🦸🏻‍♀️" or tgt.process.cmdline contains "🦸🏻" or tgt.process.cmdline contains "🦸🏻‍♂️" or tgt.process.cmdline contains "🦹🏻‍♀️" or tgt.process.cmdline contains "🦹🏻" or tgt.process.cmdline contains "🦹🏻‍♂️" or tgt.process.cmdline contains "🤶🏻" or 
tgt.process.cmdline contains "🧑🏻‍🎄" or tgt.process.cmdline contains "🎅🏻" or tgt.process.cmdline contains "🧙🏻‍♀️" or tgt.process.cmdline contains "🧙🏻" or tgt.process.cmdline contains "🧙🏻‍♂️" or tgt.process.cmdline contains "🧝🏻‍♀️" or tgt.process.cmdline contains "🧝🏻" or tgt.process.cmdline contains "🧝🏻‍♂️" or tgt.process.cmdline contains "🧛🏻‍♀️" or tgt.process.cmdline contains "🧛🏻" or tgt.process.cmdline contains "🧛🏻‍♂️" or tgt.process.cmdline contains "🧜🏻‍♀️" or tgt.process.cmdline contains "🧜🏻" or tgt.process.cmdline contains "🧜🏻‍♂️" or tgt.process.cmdline contains "🧚🏻‍♀️" or tgt.process.cmdline contains "🧚🏻" or tgt.process.cmdline contains "🧚🏻‍♂️" or tgt.process.cmdline contains "👼🏻" or tgt.process.cmdline contains "🤰🏻" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🤱🏻" or tgt.process.cmdline contains "👩🏻‍🍼" or tgt.process.cmdline contains "🧑🏻‍🍼" or tgt.process.cmdline contains "👨🏻‍🍼" or tgt.process.cmdline contains "🙇🏻‍♀️" or tgt.process.cmdline contains "🙇🏻" or tgt.process.cmdline contains "🙇🏻‍♂️" or tgt.process.cmdline contains "💁🏻‍♀️" or tgt.process.cmdline contains "💁🏻" or tgt.process.cmdline contains "💁🏻‍♂️" or tgt.process.cmdline contains "🙅🏻‍♀️" or tgt.process.cmdline contains "🙅🏻" or tgt.process.cmdline contains "🙅🏻‍♂️" or tgt.process.cmdline contains "🙆🏻‍♀️" or tgt.process.cmdline contains "🙆🏻" or tgt.process.cmdline contains "🙆🏻‍♂️" or tgt.process.cmdline contains "🙋🏻‍♀️" or tgt.process.cmdline contains "🙋🏻" or tgt.process.cmdline contains "🙋🏻‍♂️" or tgt.process.cmdline contains "🧏🏻‍♀️" or tgt.process.cmdline contains "🧏🏻" or tgt.process.cmdline contains "🧏🏻‍♂️" or tgt.process.cmdline contains "🤦🏻‍♀️" or tgt.process.cmdline contains "🤦🏻" or tgt.process.cmdline contains "🤦🏻‍♂️" or tgt.process.cmdline contains "🤷🏻‍♀️" or tgt.process.cmdline contains "🤷🏻" or tgt.process.cmdline contains "🤷🏻‍♂️" or tgt.process.cmdline contains "🙎🏻‍♀️" or tgt.process.cmdline contains "🙎🏻" or tgt.process.cmdline 
contains "🙎🏻‍♂️" or tgt.process.cmdline contains "🙍🏻‍♀️" or tgt.process.cmdline contains "🙍🏻" or tgt.process.cmdline contains "🙍🏻‍♂️" or tgt.process.cmdline contains "💇🏻‍♀️" or tgt.process.cmdline contains "💇🏻" or tgt.process.cmdline contains "💇🏻‍♂️" or tgt.process.cmdline contains "💆🏻‍♀️" or tgt.process.cmdline contains "💆🏻" or tgt.process.cmdline contains "💆🏻‍♂️" or tgt.process.cmdline contains "🧖🏻‍♀️" or tgt.process.cmdline contains "🧖🏻" or tgt.process.cmdline contains "🧖🏻‍♂️" or tgt.process.cmdline contains "💃🏻" or tgt.process.cmdline contains "🕺🏻" or tgt.process.cmdline contains "🕴🏻" or tgt.process.cmdline contains "👩🏻‍🦽" or tgt.process.cmdline contains "🧑🏻‍🦽" or tgt.process.cmdline contains "👨🏻‍🦽" or tgt.process.cmdline contains "👩🏻‍🦼" or tgt.process.cmdline contains "🧑🏻‍🦼" or tgt.process.cmdline contains "👨🏻‍🦼" or tgt.process.cmdline contains "🚶🏻‍♀️" or tgt.process.cmdline contains "🚶🏻" or tgt.process.cmdline contains "🚶🏻‍♂️" or tgt.process.cmdline contains "👩🏻‍🦯" or tgt.process.cmdline contains "🧑🏻‍🦯" or tgt.process.cmdline contains "👨🏻‍🦯" or tgt.process.cmdline contains "🧎🏻‍♀️" or tgt.process.cmdline contains "🧎🏻" or tgt.process.cmdline contains "🧎🏻‍♂️" or tgt.process.cmdline contains "🏃🏻‍♀️" or tgt.process.cmdline contains "🏃🏻" or tgt.process.cmdline contains "🏃🏻‍♂️" or tgt.process.cmdline contains "🧍🏻‍♀️" or tgt.process.cmdline contains "🧍🏻" or tgt.process.cmdline contains "🧍🏻‍♂️" or tgt.process.cmdline contains "👭🏻" or tgt.process.cmdline contains "🧑🏻‍🤝‍🧑🏻" or tgt.process.cmdline contains "👬🏻" or tgt.process.cmdline contains "👫🏻" or tgt.process.cmdline contains "🧗🏻‍♀️" or tgt.process.cmdline contains "🧗🏻" or tgt.process.cmdline contains "🧗🏻‍♂️" or tgt.process.cmdline contains "🏇🏻" or tgt.process.cmdline contains "🏂🏻" or tgt.process.cmdline contains "🏌🏻‍♀️" or tgt.process.cmdline contains "🏌🏻" or tgt.process.cmdline contains "🏌🏻‍♂️" or tgt.process.cmdline contains "🏄🏻‍♀️" or tgt.process.cmdline contains "🏄🏻" or tgt.process.cmdline contains "🏄🏻‍♂️" or 
tgt.process.cmdline contains "🚣🏻‍♀️" or tgt.process.cmdline contains "🚣🏻" or tgt.process.cmdline contains "🚣🏻‍♂️" or tgt.process.cmdline contains "🏊🏻‍♀️" or tgt.process.cmdline contains "🏊🏻" or tgt.process.cmdline contains "🏊🏻‍♂️" or tgt.process.cmdline contains "⛹🏻‍♀️" or tgt.process.cmdline contains "⛹🏻" or tgt.process.cmdline contains "⛹🏻‍♂️" or tgt.process.cmdline contains "🏋🏻‍♀️" or tgt.process.cmdline contains "🏋🏻" or tgt.process.cmdline contains "🏋🏻‍♂️" or tgt.process.cmdline contains "🚴🏻‍♀️" or tgt.process.cmdline contains "🚴🏻" or tgt.process.cmdline contains "🚴🏻‍♂️" or tgt.process.cmdline contains "🚵🏻‍♀️" or tgt.process.cmdline contains "🚵🏻" or tgt.process.cmdline contains "🚵🏻‍♂️" or tgt.process.cmdline contains "🤸🏻‍♀️" or tgt.process.cmdline contains "🤸🏻" or tgt.process.cmdline contains "🤸🏻‍♂️" or tgt.process.cmdline contains "🤽🏻‍♀️" or tgt.process.cmdline contains "🤽🏻" or tgt.process.cmdline contains "🤽🏻‍♂️" or tgt.process.cmdline contains "🤾🏻‍♀️" or tgt.process.cmdline contains "🤾🏻" or tgt.process.cmdline contains "🤾🏻‍♂️" or tgt.process.cmdline contains "🤹🏻‍♀️" or tgt.process.cmdline contains "🤹🏻" or tgt.process.cmdline contains "🤹🏻‍♂️" or tgt.process.cmdline contains "🧘🏻‍♀️" or tgt.process.cmdline contains "🧘🏻" or tgt.process.cmdline contains "🧘🏻‍♂️" or tgt.process.cmdline contains "🛀🏻" or tgt.process.cmdline contains "🛌🏻" or tgt.process.cmdline contains "👋🏼" or tgt.process.cmdline contains "🤚🏼" or tgt.process.cmdline contains "🖐🏼" or tgt.process.cmdline contains "✋🏼" or tgt.process.cmdline contains "🖖🏼" or tgt.process.cmdline contains "👌🏼" or tgt.process.cmdline contains "🤌🏼" or tgt.process.cmdline contains "🤏🏼" or tgt.process.cmdline contains "✌🏼" or tgt.process.cmdline contains "🤞🏼" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🤟🏼" or tgt.process.cmdline contains "🤘🏼" or tgt.process.cmdline contains "🤙🏼" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫲🏼" or 
tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "👈🏼" or tgt.process.cmdline contains "👉🏼" or tgt.process.cmdline contains "👆🏼" or tgt.process.cmdline contains "🖕🏼" or tgt.process.cmdline contains "👇🏼" or tgt.process.cmdline contains "☝🏼" or tgt.process.cmdline contains "👍🏼" or tgt.process.cmdline contains "👎🏼" or tgt.process.cmdline contains "✊🏼" or tgt.process.cmdline contains "👊🏼" or tgt.process.cmdline contains "🤛🏼" or tgt.process.cmdline contains "🤜🏼" or tgt.process.cmdline contains "👏🏼" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🙌🏼" or tgt.process.cmdline contains "👐🏼" or tgt.process.cmdline contains "🤲🏼" or tgt.process.cmdline contains "🙏🏼" or tgt.process.cmdline contains "✍🏼" or tgt.process.cmdline contains "💪🏼" or tgt.process.cmdline contains "🦵🏼" or tgt.process.cmdline contains "🦶🏼" or tgt.process.cmdline contains "👂🏼" or tgt.process.cmdline contains "🦻🏼" or tgt.process.cmdline contains "👃🏼" or tgt.process.cmdline contains "👶🏼" or tgt.process.cmdline contains "👧🏼" or tgt.process.cmdline contains "🧒🏼" or tgt.process.cmdline contains "👦🏼" or tgt.process.cmdline contains "👩🏼" or tgt.process.cmdline contains "🧑🏼" or tgt.process.cmdline contains "👨🏼" or tgt.process.cmdline contains "👩🏼‍🦱" or tgt.process.cmdline contains "🧑🏼‍🦱" or tgt.process.cmdline contains "👨🏼‍🦱" or tgt.process.cmdline contains "👩🏼‍🦰" or tgt.process.cmdline contains "🧑🏼‍🦰" or tgt.process.cmdline contains "👨🏼‍🦰" or tgt.process.cmdline contains "👱🏼‍♀️" or tgt.process.cmdline contains "👱🏼" or tgt.process.cmdline contains "👱🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦳" or tgt.process.cmdline contains "🧑🏼‍🦳" or tgt.process.cmdline contains "👨🏼‍🦳" or tgt.process.cmdline contains "👩🏼‍🦲" or tgt.process.cmdline contains "🧑🏼‍🦲" or tgt.process.cmdline contains "👨🏼‍🦲" or tgt.process.cmdline contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏼" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "👵🏼" or 
tgt.process.cmdline contains "🧓🏼" or tgt.process.cmdline contains "👴🏼" or tgt.process.cmdline contains "👲🏼" or tgt.process.cmdline contains "👳🏼‍♀️" or tgt.process.cmdline contains "👳🏼" or tgt.process.cmdline contains "👳🏼‍♂️" or tgt.process.cmdline contains "🧕🏼" or tgt.process.cmdline contains "👮🏼‍♀️" or tgt.process.cmdline contains "👮🏼" or tgt.process.cmdline contains "👮🏼‍♂️" or tgt.process.cmdline contains "👷🏼‍♀️" or tgt.process.cmdline contains "👷🏼" or tgt.process.cmdline contains "👷🏼‍♂️" or tgt.process.cmdline contains "💂🏼‍♀️" or tgt.process.cmdline contains "💂🏼" or tgt.process.cmdline contains "💂🏼‍♂️" or tgt.process.cmdline contains "🕵🏼‍♀️" or tgt.process.cmdline contains "🕵🏼" or tgt.process.cmdline contains "🕵🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍⚕️" or tgt.process.cmdline contains "🧑🏼‍⚕️" or tgt.process.cmdline contains "👨🏼‍⚕️" or tgt.process.cmdline contains "👩🏼‍🌾" or tgt.process.cmdline contains "🧑🏼‍🌾" or tgt.process.cmdline contains "👨🏼‍🌾" or tgt.process.cmdline contains "👩🏼‍🍳" or tgt.process.cmdline contains "🧑🏼‍🍳" or tgt.process.cmdline contains "👨🏼‍🍳" or tgt.process.cmdline contains "👩🏼‍🎓" or tgt.process.cmdline contains "🧑🏼‍🎓" or tgt.process.cmdline contains "👨🏼‍🎓" or tgt.process.cmdline contains "👩🏼‍🎤" or tgt.process.cmdline contains "🧑🏼‍🎤" or tgt.process.cmdline contains "👨🏼‍🎤" or tgt.process.cmdline contains "👩🏼‍🏫" or tgt.process.cmdline contains "🧑🏼‍🏫" or tgt.process.cmdline contains "👨🏼‍🏫" or tgt.process.cmdline contains "👩🏼‍🏭" or tgt.process.cmdline contains "🧑🏼‍🏭" or tgt.process.cmdline contains "👨🏼‍🏭" or tgt.process.cmdline contains "👩🏼‍💻" or tgt.process.cmdline contains "🧑🏼‍💻" or tgt.process.cmdline contains "👨🏼‍💻" or tgt.process.cmdline contains "👩🏼‍💼" or tgt.process.cmdline contains "🧑🏼‍💼" or tgt.process.cmdline contains "👨🏼‍💼" or tgt.process.cmdline contains "👩🏼‍🔧" or tgt.process.cmdline contains "🧑🏼‍🔧" or tgt.process.cmdline contains "👨🏼‍🔧" or tgt.process.cmdline contains "👩🏼‍🔬" or tgt.process.cmdline contains "🧑🏼‍🔬" or 
tgt.process.cmdline contains "👨🏼‍🔬" or tgt.process.cmdline contains "👩🏼‍🎨" or tgt.process.cmdline contains "🧑🏼‍🎨" or tgt.process.cmdline contains "👨🏼‍🎨" or tgt.process.cmdline contains "👩🏼‍🚒" or tgt.process.cmdline contains "🧑🏼‍🚒" or tgt.process.cmdline contains "👨🏼‍🚒" or tgt.process.cmdline contains "👩🏼‍✈️" or tgt.process.cmdline contains "🧑🏼‍✈️" or tgt.process.cmdline contains "👨🏼‍✈️" or tgt.process.cmdline contains "👩🏼‍🚀" or tgt.process.cmdline contains "🧑🏼‍🚀" or tgt.process.cmdline contains "👨🏼‍🚀" or tgt.process.cmdline contains "👩🏼‍⚖️" or tgt.process.cmdline contains "🧑🏼‍⚖️" or tgt.process.cmdline contains "👨🏼‍⚖️" or tgt.process.cmdline contains "👰🏼‍♀️" or tgt.process.cmdline contains "👰🏼" or tgt.process.cmdline contains "👰🏼‍♂️" or tgt.process.cmdline contains "🤵🏼‍♀️" or tgt.process.cmdline contains "🤵🏼" or tgt.process.cmdline contains "🤵🏼‍♂️" or tgt.process.cmdline contains "👸🏼" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🤴🏼" or tgt.process.cmdline contains "🥷🏼" or tgt.process.cmdline contains "🦸🏼‍♀️" or tgt.process.cmdline contains "🦸🏼" or tgt.process.cmdline contains "🦸🏼‍♂️" or tgt.process.cmdline contains "🦹🏼‍♀️" or tgt.process.cmdline contains "🦹🏼" or tgt.process.cmdline contains "🦹🏼‍♂️" or tgt.process.cmdline contains "🤶🏼" or tgt.process.cmdline contains "🧑🏼‍🎄" or tgt.process.cmdline contains "🎅🏼" or tgt.process.cmdline contains "🧙🏼‍♀️" or tgt.process.cmdline contains "🧙🏼" or tgt.process.cmdline contains "🧙🏼‍♂️" or tgt.process.cmdline contains "🧝🏼‍♀️" or tgt.process.cmdline contains "🧝🏼" or tgt.process.cmdline contains "🧝🏼‍♂️" or tgt.process.cmdline contains "🧛🏼‍♀️" or tgt.process.cmdline contains "🧛🏼" or tgt.process.cmdline contains "🧛🏼‍♂️" or tgt.process.cmdline contains "🧜🏼‍♀️" or tgt.process.cmdline contains "🧜🏼" or tgt.process.cmdline contains "🧜🏼‍♂️" or tgt.process.cmdline contains "🧚🏼‍♀️" or tgt.process.cmdline contains "🧚🏼" or tgt.process.cmdline contains "🧚🏼‍♂️" or tgt.process.cmdline contains "👼🏼" or 
tgt.process.cmdline contains "🤰🏼" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🤱🏼" or tgt.process.cmdline contains "👩🏼‍🍼" or tgt.process.cmdline contains "🧑🏼‍🍼" or tgt.process.cmdline contains "👨🏼‍🍼" or tgt.process.cmdline contains "🙇🏼‍♀️" or tgt.process.cmdline contains "🙇🏼" or tgt.process.cmdline contains "🙇🏼‍♂️" or tgt.process.cmdline contains "💁🏼‍♀️" or tgt.process.cmdline contains "💁🏼" or tgt.process.cmdline contains "💁🏼‍♂️" or tgt.process.cmdline contains "🙅🏼‍♀️" or tgt.process.cmdline contains "🙅🏼" or tgt.process.cmdline contains "🙅🏼‍♂️" or tgt.process.cmdline contains "🙆🏼‍♀️" or tgt.process.cmdline contains "🙆🏼" or tgt.process.cmdline contains "🙆🏼‍♂️" or tgt.process.cmdline contains "🙋🏼‍♀️" or tgt.process.cmdline contains "🙋🏼" or tgt.process.cmdline contains "🙋🏼‍♂️" or tgt.process.cmdline contains "🧏🏼‍♀️" or tgt.process.cmdline contains "🧏🏼" or tgt.process.cmdline contains "🧏🏼‍♂️" or tgt.process.cmdline contains "🤦🏼‍♀️" or tgt.process.cmdline contains "🤦🏼" or tgt.process.cmdline contains "🤦🏼‍♂️" or tgt.process.cmdline contains "🤷🏼‍♀️"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md
index 6659b11c8..24b4ba041 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_2.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🤷🏼" or tgt.process.cmdline contains "🤷🏼‍♂️" or tgt.process.cmdline contains "🙎🏼‍♀️" or tgt.process.cmdline contains "🙎🏼" or tgt.process.cmdline contains "🙎🏼‍♂️" or tgt.process.cmdline contains "🙍🏼‍♀️" or tgt.process.cmdline contains "🙍🏼" or tgt.process.cmdline contains "🙍🏼‍♂️" or tgt.process.cmdline contains "💇🏼‍♀️" or tgt.process.cmdline contains "💇🏼" or tgt.process.cmdline contains "💇🏼‍♂️" or tgt.process.cmdline contains "💆🏼‍♀️" or tgt.process.cmdline contains "💆🏼" or tgt.process.cmdline contains "💆🏼‍♂️" or tgt.process.cmdline contains "🧖🏼‍♀️" or tgt.process.cmdline contains "🧖🏼" or tgt.process.cmdline contains "🧖🏼‍♂️" or tgt.process.cmdline contains "💃🏼" or tgt.process.cmdline contains "🕺🏼" or tgt.process.cmdline contains "🕴🏼" or tgt.process.cmdline contains "👩🏼‍🦽" or tgt.process.cmdline contains "🧑🏼‍🦽" or tgt.process.cmdline contains "👨🏼‍🦽" or tgt.process.cmdline contains "👩🏼‍🦼" or tgt.process.cmdline contains "🧑🏼‍🦼" or tgt.process.cmdline contains "👨🏼‍🦼" or tgt.process.cmdline contains "🚶🏼‍♀️" or tgt.process.cmdline contains "🚶🏼" or tgt.process.cmdline contains "🚶🏼‍♂️" or tgt.process.cmdline contains "👩🏼‍🦯" or tgt.process.cmdline contains "🧑🏼‍🦯" or tgt.process.cmdline contains "👨🏼‍🦯" or tgt.process.cmdline contains "🧎🏼‍♀️" or tgt.process.cmdline contains "🧎🏼" or tgt.process.cmdline contains "🧎🏼‍♂️" or tgt.process.cmdline contains "🏃🏼‍♀️" or tgt.process.cmdline contains "🏃🏼" or tgt.process.cmdline contains "🏃🏼‍♂️" or tgt.process.cmdline contains "🧍🏼‍♀️" or tgt.process.cmdline contains "🧍🏼" or tgt.process.cmdline contains "🧍🏼‍♂️" or tgt.process.cmdline contains "👭🏼" or tgt.process.cmdline contains "🧑🏼‍🤝‍🧑🏼" or tgt.process.cmdline contains "👬🏼" or tgt.process.cmdline contains "👫🏼" or tgt.process.cmdline contains "🧗🏼‍♀️" or tgt.process.cmdline contains "🧗🏼" or tgt.process.cmdline contains "🧗🏼‍♂️" or tgt.process.cmdline contains "🏇🏼" or tgt.process.cmdline contains "🏂🏼" or 
tgt.process.cmdline contains "🏌🏼‍♀️" or tgt.process.cmdline contains "🏌🏼" or tgt.process.cmdline contains "🏌🏼‍♂️" or tgt.process.cmdline contains "🏄🏼‍♀️" or tgt.process.cmdline contains "🏄🏼" or tgt.process.cmdline contains "🏄🏼‍♂️" or tgt.process.cmdline contains "🚣🏼‍♀️" or tgt.process.cmdline contains "🚣🏼" or tgt.process.cmdline contains "🚣🏼‍♂️" or tgt.process.cmdline contains "🏊🏼‍♀️" or tgt.process.cmdline contains "🏊🏼" or tgt.process.cmdline contains "🏊🏼‍♂️" or tgt.process.cmdline contains "⛹🏼‍♀️" or tgt.process.cmdline contains "⛹🏼" or tgt.process.cmdline contains "⛹🏼‍♂️" or tgt.process.cmdline contains "🏋🏼‍♀️" or tgt.process.cmdline contains "🏋🏼" or tgt.process.cmdline contains "🏋🏼‍♂️" or tgt.process.cmdline contains "🚴🏼‍♀️" or tgt.process.cmdline contains "🚴🏼" or tgt.process.cmdline contains "🚴🏼‍♂️" or tgt.process.cmdline contains "🚵🏼‍♀️" or tgt.process.cmdline contains "🚵🏼" or tgt.process.cmdline contains "🚵🏼‍♂️" or tgt.process.cmdline contains "🤸🏼‍♀️" or tgt.process.cmdline contains "🤸🏼" or tgt.process.cmdline contains "🤸🏼‍♂️" or tgt.process.cmdline contains "🤽🏼‍♀️" or tgt.process.cmdline contains "🤽🏼" or tgt.process.cmdline contains "🤽🏼‍♂️" or tgt.process.cmdline contains "🤾🏼‍♀️" or tgt.process.cmdline contains "🤾🏼" or tgt.process.cmdline contains "🤾🏼‍♂️" or tgt.process.cmdline contains "🤹🏼‍♀️" or tgt.process.cmdline contains "🤹🏼" or tgt.process.cmdline contains "🤹🏼‍♂️" or tgt.process.cmdline contains "🧘🏼‍♀️" or tgt.process.cmdline contains "🧘🏼" or tgt.process.cmdline contains "🧘🏼‍♂️" or tgt.process.cmdline contains "🛀🏼" or tgt.process.cmdline contains "🛌🏼" or tgt.process.cmdline contains "👋🏽" or tgt.process.cmdline contains "🤚🏽" or tgt.process.cmdline contains "🖐🏽" or tgt.process.cmdline contains "✋🏽" or tgt.process.cmdline contains "🖖🏽" or tgt.process.cmdline contains "👌🏽" or tgt.process.cmdline contains "🤌🏽" or tgt.process.cmdline contains "🤏🏽" or tgt.process.cmdline contains "✌🏽" or tgt.process.cmdline contains "🤞🏽" or tgt.process.cmdline contains "🫰🏽" 
or tgt.process.cmdline contains "🤟🏽" or tgt.process.cmdline contains "🤘🏽" or tgt.process.cmdline contains "🤙🏽" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫲🏽" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "👈🏽" or tgt.process.cmdline contains "👉🏽" or tgt.process.cmdline contains "👆🏽" or tgt.process.cmdline contains "🖕🏽" or tgt.process.cmdline contains "👇🏽" or tgt.process.cmdline contains "☝🏽" or tgt.process.cmdline contains "👍🏽" or tgt.process.cmdline contains "👎🏽" or tgt.process.cmdline contains "✊🏽" or tgt.process.cmdline contains "👊🏽" or tgt.process.cmdline contains "🤛🏽" or tgt.process.cmdline contains "🤜🏽" or tgt.process.cmdline contains "👏🏽" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🙌🏽" or tgt.process.cmdline contains "👐🏽" or tgt.process.cmdline contains "🤲🏽" or tgt.process.cmdline contains "🙏🏽" or tgt.process.cmdline contains "✍🏽" or tgt.process.cmdline contains "💪🏽" or tgt.process.cmdline contains "🦵🏽" or tgt.process.cmdline contains "🦶🏽" or tgt.process.cmdline contains "👂🏽" or tgt.process.cmdline contains "🦻🏽" or tgt.process.cmdline contains "👃🏽" or tgt.process.cmdline contains "👶🏽" or tgt.process.cmdline contains "👧🏽" or tgt.process.cmdline contains "🧒🏽" or tgt.process.cmdline contains "👦🏽" or tgt.process.cmdline contains "👩🏽" or tgt.process.cmdline contains "🧑🏽" or tgt.process.cmdline contains "👨🏽" or tgt.process.cmdline contains "👩🏽‍🦱" or tgt.process.cmdline contains "🧑🏽‍🦱" or tgt.process.cmdline contains "👨🏽‍🦱" or tgt.process.cmdline contains "👩🏽‍🦰" or tgt.process.cmdline contains "🧑🏽‍🦰" or tgt.process.cmdline contains "👨🏽‍🦰" or tgt.process.cmdline contains "👱🏽‍♀️" or tgt.process.cmdline contains "👱🏽" or tgt.process.cmdline contains "👱🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦳" or tgt.process.cmdline contains "🧑🏽‍🦳" or tgt.process.cmdline contains "👨🏽‍🦳" or tgt.process.cmdline contains "👩🏽‍🦲" or 
tgt.process.cmdline contains "🧑🏽‍🦲" or tgt.process.cmdline contains "👨🏽‍🦲" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏽" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "👵🏽" or tgt.process.cmdline contains "🧓🏽" or tgt.process.cmdline contains "👴🏽" or tgt.process.cmdline contains "👲🏽" or tgt.process.cmdline contains "👳🏽‍♀️" or tgt.process.cmdline contains "👳🏽" or tgt.process.cmdline contains "👳🏽‍♂️" or tgt.process.cmdline contains "🧕🏽" or tgt.process.cmdline contains "👮🏽‍♀️" or tgt.process.cmdline contains "👮🏽" or tgt.process.cmdline contains "👮🏽‍♂️" or tgt.process.cmdline contains "👷🏽‍♀️" or tgt.process.cmdline contains "👷🏽" or tgt.process.cmdline contains "👷🏽‍♂️" or tgt.process.cmdline contains "💂🏽‍♀️" or tgt.process.cmdline contains "💂🏽" or tgt.process.cmdline contains "💂🏽‍♂️" or tgt.process.cmdline contains "🕵🏽‍♀️" or tgt.process.cmdline contains "🕵🏽" or tgt.process.cmdline contains "🕵🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍⚕️" or tgt.process.cmdline contains "🧑🏽‍⚕️" or tgt.process.cmdline contains "👨🏽‍⚕️" or tgt.process.cmdline contains "👩🏽‍🌾" or tgt.process.cmdline contains "🧑🏽‍🌾" or tgt.process.cmdline contains "👨🏽‍🌾" or tgt.process.cmdline contains "👩🏽‍🍳" or tgt.process.cmdline contains "🧑🏽‍🍳" or tgt.process.cmdline contains "👨🏽‍🍳" or tgt.process.cmdline contains "👩🏽‍🎓" or tgt.process.cmdline contains "🧑🏽‍🎓" or tgt.process.cmdline contains "👨🏽‍🎓" or tgt.process.cmdline contains "👩🏽‍🎤" or tgt.process.cmdline contains "🧑🏽‍🎤" or tgt.process.cmdline contains "👨🏽‍🎤" or tgt.process.cmdline contains "👩🏽‍🏫" or tgt.process.cmdline contains "🧑🏽‍🏫" or tgt.process.cmdline contains "👨🏽‍🏫" or tgt.process.cmdline contains "👩🏽‍🏭" or tgt.process.cmdline contains "🧑🏽‍🏭" or tgt.process.cmdline contains "👨🏽‍🏭" or tgt.process.cmdline contains "👩🏽‍💻" or tgt.process.cmdline contains "🧑🏽‍💻" or tgt.process.cmdline contains "👨🏽‍💻" or tgt.process.cmdline contains "👩🏽‍💼" or tgt.process.cmdline contains "🧑🏽‍💼" or 
tgt.process.cmdline contains "👨🏽‍💼" or tgt.process.cmdline contains "👩🏽‍🔧" or tgt.process.cmdline contains "🧑🏽‍🔧" or tgt.process.cmdline contains "👨🏽‍🔧" or tgt.process.cmdline contains "👩🏽‍🔬" or tgt.process.cmdline contains "🧑🏽‍🔬" or tgt.process.cmdline contains "👨🏽‍🔬" or tgt.process.cmdline contains "👩🏽‍🎨" or tgt.process.cmdline contains "🧑🏽‍🎨" or tgt.process.cmdline contains "👨🏽‍🎨" or tgt.process.cmdline contains "👩🏽‍🚒" or tgt.process.cmdline contains "🧑🏽‍🚒" or tgt.process.cmdline contains "👨🏽‍🚒" or tgt.process.cmdline contains "👩🏽‍✈️" or tgt.process.cmdline contains "🧑🏽‍✈️" or tgt.process.cmdline contains "👨🏽‍✈️" or tgt.process.cmdline contains "👩🏽‍🚀" or tgt.process.cmdline contains "🧑🏽‍🚀" or tgt.process.cmdline contains "👨🏽‍🚀" or tgt.process.cmdline contains "👩🏽‍⚖️" or tgt.process.cmdline contains "🧑🏽‍⚖️" or tgt.process.cmdline contains "👨🏽‍⚖️" or tgt.process.cmdline contains "👰🏽‍♀️" or tgt.process.cmdline contains "👰🏽" or tgt.process.cmdline contains "👰🏽‍♂️" or tgt.process.cmdline contains "🤵🏽‍♀️" or tgt.process.cmdline contains "🤵🏽" or tgt.process.cmdline contains "🤵🏽‍♂️" or tgt.process.cmdline contains "👸🏽" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🤴🏽" or tgt.process.cmdline contains "🥷🏽" or tgt.process.cmdline contains "🦸🏽‍♀️" or tgt.process.cmdline contains "🦸🏽" or tgt.process.cmdline contains "🦸🏽‍♂️" or tgt.process.cmdline contains "🦹🏽‍♀️" or tgt.process.cmdline contains "🦹🏽" or tgt.process.cmdline contains "🦹🏽‍♂️" or tgt.process.cmdline contains "🤶🏽" or tgt.process.cmdline contains "🧑🏽‍🎄" or tgt.process.cmdline contains "🎅🏽" or tgt.process.cmdline contains "🧙🏽‍♀️" or tgt.process.cmdline contains "🧙🏽" or tgt.process.cmdline contains "🧙🏽‍♂️" or tgt.process.cmdline contains "🧝🏽‍♀️" or tgt.process.cmdline contains "🧝🏽" or tgt.process.cmdline contains "🧝🏽‍♂️" or tgt.process.cmdline contains "🧛🏽‍♀️" or tgt.process.cmdline contains "🧛🏽" or tgt.process.cmdline contains "🧛🏽‍♂️" or tgt.process.cmdline contains "🧜🏽‍♀️" or 
tgt.process.cmdline contains "🧜🏽" or tgt.process.cmdline contains "🧜🏽‍♂️" or tgt.process.cmdline contains "🧚🏽‍♀️" or tgt.process.cmdline contains "🧚🏽" or tgt.process.cmdline contains "🧚🏽‍♂️" or tgt.process.cmdline contains "👼🏽" or tgt.process.cmdline contains "🤰🏽" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🤱🏽" or tgt.process.cmdline contains "👩🏽‍🍼" or tgt.process.cmdline contains "🧑🏽‍🍼" or tgt.process.cmdline contains "👨🏽‍🍼" or tgt.process.cmdline contains "🙇🏽‍♀️" or tgt.process.cmdline contains "🙇🏽" or tgt.process.cmdline contains "🙇🏽‍♂️" or tgt.process.cmdline contains "💁🏽‍♀️" or tgt.process.cmdline contains "💁🏽" or tgt.process.cmdline contains "💁🏽‍♂️" or tgt.process.cmdline contains "🙅🏽‍♀️" or tgt.process.cmdline contains "🙅🏽" or tgt.process.cmdline contains "🙅🏽‍♂️" or tgt.process.cmdline contains "🙆🏽‍♀️" or tgt.process.cmdline contains "🙆🏽" or tgt.process.cmdline contains "🙆🏽‍♂️" or tgt.process.cmdline contains "🙋🏽‍♀️" or tgt.process.cmdline contains "🙋🏽" or tgt.process.cmdline contains "🙋🏽‍♂️" or tgt.process.cmdline contains "🧏🏽‍♀️" or tgt.process.cmdline contains "🧏🏽" or tgt.process.cmdline contains "🧏🏽‍♂️" or tgt.process.cmdline contains "🤦🏽‍♀️" or tgt.process.cmdline contains "🤦🏽" or tgt.process.cmdline contains "🤦🏽‍♂️" or tgt.process.cmdline contains "🤷🏽‍♀️" or tgt.process.cmdline contains "🤷🏽" or tgt.process.cmdline contains "🤷🏽‍♂️" or tgt.process.cmdline contains "🙎🏽‍♀️" or tgt.process.cmdline contains "🙎🏽" or tgt.process.cmdline contains "🙎🏽‍♂️" or tgt.process.cmdline contains "🙍🏽‍♀️" or tgt.process.cmdline contains "🙍🏽" or tgt.process.cmdline contains "🙍🏽‍♂️" or tgt.process.cmdline contains "💇🏽‍♀️" or tgt.process.cmdline contains "💇🏽" or tgt.process.cmdline contains "💇🏽‍♂️" or tgt.process.cmdline contains "💆🏽‍♀️" or tgt.process.cmdline contains "💆🏽" or tgt.process.cmdline contains "💆🏽‍♂️" or tgt.process.cmdline contains "🧖🏽‍♀️" or tgt.process.cmdline contains "🧖🏽" or tgt.process.cmdline 
contains "🧖🏽‍♂️" or tgt.process.cmdline contains "💃🏽" or tgt.process.cmdline contains "🕺🏽" or tgt.process.cmdline contains "🕴🏽" or tgt.process.cmdline contains "👩🏽‍🦽" or tgt.process.cmdline contains "🧑🏽‍🦽" or tgt.process.cmdline contains "👨🏽‍🦽" or tgt.process.cmdline contains "👩🏽‍🦼" or tgt.process.cmdline contains "🧑🏽‍🦼" or tgt.process.cmdline contains "👨🏽‍🦼" or tgt.process.cmdline contains "🚶🏽‍♀️" or tgt.process.cmdline contains "🚶🏽" or tgt.process.cmdline contains "🚶🏽‍♂️" or tgt.process.cmdline contains "👩🏽‍🦯" or tgt.process.cmdline contains "🧑🏽‍🦯" or tgt.process.cmdline contains "👨🏽‍🦯" or tgt.process.cmdline contains "🧎🏽‍♀️" or tgt.process.cmdline contains "🧎🏽" or tgt.process.cmdline contains "🧎🏽‍♂️" or tgt.process.cmdline contains "🏃🏽‍♀️" or tgt.process.cmdline contains "🏃🏽" or tgt.process.cmdline contains "🏃🏽‍♂️" or tgt.process.cmdline contains "🧍🏽‍♀️" or tgt.process.cmdline contains "🧍🏽" or tgt.process.cmdline contains "🧍🏽‍♂️" or tgt.process.cmdline contains "👭🏽" or tgt.process.cmdline contains "🧑🏽‍🤝‍🧑🏽" or tgt.process.cmdline contains "👬🏽" or tgt.process.cmdline contains "👫🏽" or tgt.process.cmdline contains "🧗🏽‍♀️" or tgt.process.cmdline contains "🧗🏽" or tgt.process.cmdline contains "🧗🏽‍♂️" or tgt.process.cmdline contains "🏇🏽" or tgt.process.cmdline contains "🏂🏽" or tgt.process.cmdline contains "🏌🏽‍♀️" or tgt.process.cmdline contains "🏌🏽" or tgt.process.cmdline contains "🏌🏽‍♂️" or tgt.process.cmdline contains "🏄🏽‍♀️" or tgt.process.cmdline contains "🏄🏽" or tgt.process.cmdline contains "🏄🏽‍♂️" or tgt.process.cmdline contains "🚣🏽‍♀️" or tgt.process.cmdline contains "🚣🏽" or tgt.process.cmdline contains "🚣🏽‍♂️" or tgt.process.cmdline contains "🏊🏽‍♀️" or tgt.process.cmdline contains "🏊🏽" or tgt.process.cmdline contains "🏊🏽‍♂️" or tgt.process.cmdline contains "⛹🏽‍♀️" or tgt.process.cmdline contains "⛹🏽" or tgt.process.cmdline contains "⛹🏽‍♂️" or tgt.process.cmdline contains "🏋🏽‍♀️" or tgt.process.cmdline contains "🏋🏽" or tgt.process.cmdline contains "🏋🏽‍♂️" or 
tgt.process.cmdline contains "🚴🏽‍♀️" or tgt.process.cmdline contains "🚴🏽" or tgt.process.cmdline contains "🚴🏽‍♂️" or tgt.process.cmdline contains "🚵🏽‍♀️" or tgt.process.cmdline contains "🚵🏽" or tgt.process.cmdline contains "🚵🏽‍♂️" or tgt.process.cmdline contains "🤸🏽‍♀️" or tgt.process.cmdline contains "🤸🏽" or tgt.process.cmdline contains "🤸🏽‍♂️" or tgt.process.cmdline contains "🤽🏽‍♀️" or tgt.process.cmdline contains "🤽🏽" or tgt.process.cmdline contains "🤽🏽‍♂️" or tgt.process.cmdline contains "🤾🏽‍♀️" or tgt.process.cmdline contains "🤾🏽" or tgt.process.cmdline contains "🤾🏽‍♂️" or tgt.process.cmdline contains "🤹🏽‍♀️" or tgt.process.cmdline contains "🤹🏽" or tgt.process.cmdline contains "🤹🏽‍♂️" or tgt.process.cmdline contains "🧘🏽‍♀️" or tgt.process.cmdline contains "🧘🏽" or tgt.process.cmdline contains "🧘🏽‍♂️" or tgt.process.cmdline contains "🛀🏽" or tgt.process.cmdline contains "🛌🏽" or tgt.process.cmdline contains "👋🏾" or tgt.process.cmdline contains "🤚🏾" or tgt.process.cmdline contains "🖐🏾" or tgt.process.cmdline contains "✋🏾" or tgt.process.cmdline contains "🖖🏾" or tgt.process.cmdline contains "👌🏾" or tgt.process.cmdline contains "🤌🏾" or tgt.process.cmdline contains "🤏🏾" or tgt.process.cmdline contains "✌🏾" or tgt.process.cmdline contains "🤞🏾" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🤟🏾" or tgt.process.cmdline contains "🤘🏾" or tgt.process.cmdline contains "🤙🏾" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "👈🏾" or tgt.process.cmdline contains "👉🏾" or tgt.process.cmdline contains "👆🏾" or tgt.process.cmdline contains "🖕🏾" or tgt.process.cmdline contains "👇🏾" or tgt.process.cmdline contains "☝🏾" or tgt.process.cmdline contains "👍🏾" or tgt.process.cmdline contains "👎🏾" or tgt.process.cmdline contains "✊🏾" or tgt.process.cmdline contains "👊🏾" or tgt.process.cmdline contains "🤛🏾" 
or tgt.process.cmdline contains "🤜🏾" or tgt.process.cmdline contains "👏🏾" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🙌🏾" or tgt.process.cmdline contains "👐🏾" or tgt.process.cmdline contains "🤲🏾" or tgt.process.cmdline contains "🙏🏾" or tgt.process.cmdline contains "✍🏾" or tgt.process.cmdline contains "💪🏾" or tgt.process.cmdline contains "🦵🏾" or tgt.process.cmdline contains "🦶🏾" or tgt.process.cmdline contains "👂🏾" or tgt.process.cmdline contains "🦻🏾" or tgt.process.cmdline contains "👃🏾" or tgt.process.cmdline contains "👶🏾" or tgt.process.cmdline contains "👧🏾" or tgt.process.cmdline contains "🧒🏾" or tgt.process.cmdline contains "👦🏾" or tgt.process.cmdline contains "👩🏾" or tgt.process.cmdline contains "🧑🏾" or tgt.process.cmdline contains "👨🏾" or tgt.process.cmdline contains "👩🏾‍🦱" or tgt.process.cmdline contains "🧑🏾‍🦱" or tgt.process.cmdline contains "👨🏾‍🦱" or tgt.process.cmdline contains "👩🏾‍🦰" or tgt.process.cmdline contains "🧑🏾‍🦰" or tgt.process.cmdline contains "👨🏾‍🦰" or tgt.process.cmdline contains "👱🏾‍♀️" or tgt.process.cmdline contains "👱🏾" or tgt.process.cmdline contains "👱🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦳" or tgt.process.cmdline contains "🧑🏾‍🦳" or tgt.process.cmdline contains "👨🏾‍🦳" or tgt.process.cmdline contains "👩🏾‍🦲" or tgt.process.cmdline contains "🧑🏾‍🦲" or tgt.process.cmdline contains "👨🏾‍🦲" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline contains "🧔🏾" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "👵🏾" or tgt.process.cmdline contains "🧓🏾" or tgt.process.cmdline contains "👴🏾" or tgt.process.cmdline contains "👲🏾" or tgt.process.cmdline contains "👳🏾‍♀️" or tgt.process.cmdline contains "👳🏾" or tgt.process.cmdline contains "👳🏾‍♂️" or tgt.process.cmdline contains "🧕🏾" or tgt.process.cmdline contains "👮🏾‍♀️" or tgt.process.cmdline contains "👮🏾" or tgt.process.cmdline contains "👮🏾‍♂️" or tgt.process.cmdline contains "👷🏾‍♀️" or tgt.process.cmdline contains "👷🏾" or tgt.process.cmdline 
contains "👷🏾‍♂️" or tgt.process.cmdline contains "💂🏾‍♀️" or tgt.process.cmdline contains "💂🏾" or tgt.process.cmdline contains "💂🏾‍♂️" or tgt.process.cmdline contains "🕵🏾‍♀️" or tgt.process.cmdline contains "🕵🏾" or tgt.process.cmdline contains "🕵🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍⚕️" or tgt.process.cmdline contains "🧑🏾‍⚕️" or tgt.process.cmdline contains "👨🏾‍⚕️" or tgt.process.cmdline contains "👩🏾‍🌾" or tgt.process.cmdline contains "🧑🏾‍🌾" or tgt.process.cmdline contains "👨🏾‍🌾" or tgt.process.cmdline contains "👩🏾‍🍳" or tgt.process.cmdline contains "🧑🏾‍🍳" or tgt.process.cmdline contains "👨🏾‍🍳" or tgt.process.cmdline contains "👩🏾‍🎓" or tgt.process.cmdline contains "🧑🏾‍🎓" or tgt.process.cmdline contains "👨🏾‍🎓" or tgt.process.cmdline contains "👩🏾‍🎤" or tgt.process.cmdline contains "🧑🏾‍🎤" or tgt.process.cmdline contains "👨🏾‍🎤" or tgt.process.cmdline contains "👩🏾‍🏫" or tgt.process.cmdline contains "🧑🏾‍🏫" or tgt.process.cmdline contains "👨🏾‍🏫" or tgt.process.cmdline contains "👩🏾‍🏭" or tgt.process.cmdline contains "🧑🏾‍🏭" or tgt.process.cmdline contains "👨🏾‍🏭" or tgt.process.cmdline contains "👩🏾‍💻" or tgt.process.cmdline contains "🧑🏾‍💻" or tgt.process.cmdline contains "👨🏾‍💻" or tgt.process.cmdline contains "👩🏾‍💼" or tgt.process.cmdline contains "🧑🏾‍💼" or tgt.process.cmdline contains "👨🏾‍💼" or tgt.process.cmdline contains "👩🏾‍🔧" or tgt.process.cmdline contains "🧑🏾‍🔧" or tgt.process.cmdline contains "👨🏾‍🔧" or tgt.process.cmdline contains "👩🏾‍🔬" or tgt.process.cmdline contains "🧑🏾‍🔬" or tgt.process.cmdline contains "👨🏾‍🔬" or tgt.process.cmdline contains "👩🏾‍🎨" or tgt.process.cmdline contains "🧑🏾‍🎨" or tgt.process.cmdline contains "👨🏾‍🎨" or tgt.process.cmdline contains "👩🏾‍🚒" or tgt.process.cmdline contains "🧑🏾‍🚒" or tgt.process.cmdline contains "👨🏾‍🚒" or tgt.process.cmdline contains "👩🏾‍✈️" or tgt.process.cmdline contains "🧑🏾‍✈️" or tgt.process.cmdline contains "👨🏾‍✈️" or tgt.process.cmdline contains "👩🏾‍🚀" or tgt.process.cmdline contains "🧑🏾‍🚀" or tgt.process.cmdline 
contains "👨🏾‍🚀" or tgt.process.cmdline contains "👩🏾‍⚖️" or tgt.process.cmdline contains "🧑🏾‍⚖️" or tgt.process.cmdline contains "👨🏾‍⚖️" or tgt.process.cmdline contains "👰🏾‍♀️" or tgt.process.cmdline contains "👰🏾" or tgt.process.cmdline contains "👰🏾‍♂️" or tgt.process.cmdline contains "🤵🏾‍♀️" or tgt.process.cmdline contains "🤵🏾" or tgt.process.cmdline contains "🤵🏾‍♂️" or tgt.process.cmdline contains "👸🏾" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🤴🏾" or tgt.process.cmdline contains "🥷🏾" or tgt.process.cmdline contains "🦸🏾‍♀️" or tgt.process.cmdline contains "🦸🏾" or tgt.process.cmdline contains "🦸🏾‍♂️" or tgt.process.cmdline contains "🦹🏾‍♀️" or tgt.process.cmdline contains "🦹🏾" or tgt.process.cmdline contains "🦹🏾‍♂️" or tgt.process.cmdline contains "🤶🏾" or tgt.process.cmdline contains "🧑🏾‍🎄" or tgt.process.cmdline contains "🎅🏾" or tgt.process.cmdline contains "🧙🏾‍♀️" or tgt.process.cmdline contains "🧙🏾" or tgt.process.cmdline contains "🧙🏾‍♂️" or tgt.process.cmdline contains "🧝🏾‍♀️" or tgt.process.cmdline contains "🧝🏾" or tgt.process.cmdline contains "🧝🏾‍♂️" or tgt.process.cmdline contains "🧛🏾‍♀️" or tgt.process.cmdline contains "🧛🏾" or tgt.process.cmdline contains "🧛🏾‍♂️" or tgt.process.cmdline contains "🧜🏾‍♀️" or tgt.process.cmdline contains "🧜🏾" or tgt.process.cmdline contains "🧜🏾‍♂️" or tgt.process.cmdline contains "🧚🏾‍♀️" or tgt.process.cmdline contains "🧚🏾" or tgt.process.cmdline contains "🧚🏾‍♂️" or tgt.process.cmdline contains "👼🏾" or tgt.process.cmdline contains "🤰🏾" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🤱🏾" or tgt.process.cmdline contains "👩🏾‍🍼" or tgt.process.cmdline contains "🧑🏾‍🍼" or tgt.process.cmdline contains "👨🏾‍🍼" or tgt.process.cmdline contains "🙇🏾‍♀️" or tgt.process.cmdline contains "🙇🏾" or tgt.process.cmdline contains "🙇🏾‍♂️" or tgt.process.cmdline contains "💁🏾‍♀️" or tgt.process.cmdline contains "💁🏾" or tgt.process.cmdline contains "💁🏾‍♂️" or 
tgt.process.cmdline contains "🙅🏾‍♀️" or tgt.process.cmdline contains "🙅🏾" or tgt.process.cmdline contains "🙅🏾‍♂️" or tgt.process.cmdline contains "🙆🏾‍♀️" or tgt.process.cmdline contains "🙆🏾" or tgt.process.cmdline contains "🙆🏾‍♂️" or tgt.process.cmdline contains "🙋🏾‍♀️" or tgt.process.cmdline contains "🙋🏾" or tgt.process.cmdline contains "🙋🏾‍♂️" or tgt.process.cmdline contains "🧏🏾‍♀️" or tgt.process.cmdline contains "🧏🏾" or tgt.process.cmdline contains "🧏🏾‍♂️" or tgt.process.cmdline contains "🤦🏾‍♀️" or tgt.process.cmdline contains "🤦🏾" or tgt.process.cmdline contains "🤦🏾‍♂️" or tgt.process.cmdline contains "🤷🏾‍♀️" or tgt.process.cmdline contains "🤷🏾" or tgt.process.cmdline contains "🤷🏾‍♂️" or tgt.process.cmdline contains "🙎🏾‍♀️" or tgt.process.cmdline contains "🙎🏾" or tgt.process.cmdline contains "🙎🏾‍♂️" or tgt.process.cmdline contains "🙍🏾‍♀️" or tgt.process.cmdline contains "🙍🏾" or tgt.process.cmdline contains "🙍🏾‍♂️" or tgt.process.cmdline contains "💇🏾‍♀️" or tgt.process.cmdline contains "💇🏾" or tgt.process.cmdline contains "💇🏾‍♂️" or tgt.process.cmdline contains "💆🏾‍♀️" or tgt.process.cmdline contains "💆🏾" or tgt.process.cmdline contains "💆🏾‍♂️" or tgt.process.cmdline contains "🧖🏾‍♀️" or tgt.process.cmdline contains "🧖🏾" or tgt.process.cmdline contains "🧖🏾‍♂️" or tgt.process.cmdline contains "💃🏾" or tgt.process.cmdline contains "🕺🏾" or tgt.process.cmdline contains "👩🏾‍🦽" or tgt.process.cmdline contains "🧑🏾‍🦽" or tgt.process.cmdline contains "👨🏾‍🦽" or tgt.process.cmdline contains "👩🏾‍🦼" or tgt.process.cmdline contains "🧑🏾‍🦼" or tgt.process.cmdline contains "👨🏾‍🦼" or tgt.process.cmdline contains "🚶🏾‍♀️" or tgt.process.cmdline contains "🚶🏾" or tgt.process.cmdline contains "🚶🏾‍♂️" or tgt.process.cmdline contains "👩🏾‍🦯" or tgt.process.cmdline contains "🧑🏾‍🦯" or tgt.process.cmdline contains "👨🏾‍🦯" or tgt.process.cmdline contains "🧎🏾‍♀️" or tgt.process.cmdline contains "🧎🏾" or tgt.process.cmdline contains "🧎🏾‍♂️" or tgt.process.cmdline contains "🏃🏾‍♀️" or 
tgt.process.cmdline contains "🏃🏾" or tgt.process.cmdline contains "🏃🏾‍♂️" or tgt.process.cmdline contains "🧍🏾‍♀️" or tgt.process.cmdline contains "🧍🏾" or tgt.process.cmdline contains "🧍🏾‍♂️" or tgt.process.cmdline contains "👭🏾" or tgt.process.cmdline contains "🧑🏾‍🤝‍🧑🏾" or tgt.process.cmdline contains "👬🏾" or tgt.process.cmdline contains "👫🏾" or tgt.process.cmdline contains "🧗🏾‍♀️" or tgt.process.cmdline contains "🧗🏾" or tgt.process.cmdline contains "🧗🏾‍♂️" or tgt.process.cmdline contains "🏇🏾" or tgt.process.cmdline contains "🏂🏾" or tgt.process.cmdline contains "🏌🏾‍♀️" or tgt.process.cmdline contains "🏌🏾" or tgt.process.cmdline contains "🏌🏾‍♂️" or tgt.process.cmdline contains "🏄🏾‍♀️" or tgt.process.cmdline contains "🏄🏾" or tgt.process.cmdline contains "🏄🏾‍♂️" or tgt.process.cmdline contains "🚣🏾‍♀️" or tgt.process.cmdline contains "🚣🏾" or tgt.process.cmdline contains "🚣🏾‍♂️" or tgt.process.cmdline contains "🏊🏾‍♀️" or tgt.process.cmdline contains "🏊🏾" or tgt.process.cmdline contains "🏊🏾‍♂️" or tgt.process.cmdline contains "⛹🏾‍♀️" or tgt.process.cmdline contains "⛹🏾" or tgt.process.cmdline contains "⛹🏾‍♂️" or tgt.process.cmdline contains "🏋🏾‍♀️" or tgt.process.cmdline contains "🏋🏾" or tgt.process.cmdline contains "🏋🏾‍♂️" or tgt.process.cmdline contains "🚴🏾‍♀️" or tgt.process.cmdline contains "🚴🏾" or tgt.process.cmdline contains "🚴🏾‍♂️" or tgt.process.cmdline contains "🚵🏾‍♀️" or tgt.process.cmdline contains "🚵🏾" or tgt.process.cmdline contains "🚵🏾‍♂️" or tgt.process.cmdline contains "🤸🏾‍♀️" or tgt.process.cmdline contains "🤸🏾" or tgt.process.cmdline contains "🤸🏾‍♂️" or tgt.process.cmdline contains "🤽🏾‍♀️" or tgt.process.cmdline contains "🤽🏾" or tgt.process.cmdline contains "🤽🏾‍♂️" or tgt.process.cmdline contains "🤾🏾‍♀️" or tgt.process.cmdline contains "🤾🏾" or tgt.process.cmdline contains "🤾🏾‍♂️" or tgt.process.cmdline contains "🤹🏾‍♀️" or tgt.process.cmdline contains "🤹🏾" or tgt.process.cmdline contains "🤹🏾‍♂️" or tgt.process.cmdline contains "🧘🏾‍♀️" or 
tgt.process.cmdline contains "🧘🏾" or tgt.process.cmdline contains "🧘🏾‍♂️" or tgt.process.cmdline contains "🛀🏾" or tgt.process.cmdline contains "🛌🏾" or tgt.process.cmdline contains "👋🏿" or tgt.process.cmdline contains "🤚🏿" or tgt.process.cmdline contains "🖐🏿" or tgt.process.cmdline contains "✋🏿" or tgt.process.cmdline contains "🖖🏿" or tgt.process.cmdline contains "👌🏿" or tgt.process.cmdline contains "🤌🏿" or tgt.process.cmdline contains "🤏🏿" or tgt.process.cmdline contains "✌🏿" or tgt.process.cmdline contains "🤞🏿" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🤟🏿" or tgt.process.cmdline contains "🤘🏿" or tgt.process.cmdline contains "🤙🏿" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫱🏿" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "👈🏿" or tgt.process.cmdline contains "👉🏿" or tgt.process.cmdline contains "👆🏿" or tgt.process.cmdline contains "🖕🏿" or tgt.process.cmdline contains "👇🏿" or tgt.process.cmdline contains "☝🏿" or tgt.process.cmdline contains "👍🏿" or tgt.process.cmdline contains "👎🏿" or tgt.process.cmdline contains "✊🏿" or tgt.process.cmdline contains "👊🏿" or tgt.process.cmdline contains "🤛🏿" or tgt.process.cmdline contains "🤜🏿" or tgt.process.cmdline contains "👏🏿" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🙌🏿" or tgt.process.cmdline contains "👐🏿" or tgt.process.cmdline contains "🤲🏿" or tgt.process.cmdline contains "🙏🏿" or tgt.process.cmdline contains "✍🏿" or tgt.process.cmdline contains "🤳🏿" or tgt.process.cmdline contains "💪🏿" or tgt.process.cmdline contains "🦵🏿" or tgt.process.cmdline contains "🦶🏿" or tgt.process.cmdline contains "👂🏿" or tgt.process.cmdline contains "🦻🏿" or tgt.process.cmdline contains "👃🏿" or tgt.process.cmdline contains "👶🏿" or tgt.process.cmdline contains "👧🏿" or tgt.process.cmdline contains "🧒🏿" or tgt.process.cmdline contains "👦🏿" or tgt.process.cmdline contains "👩🏿" 
or tgt.process.cmdline contains "🧑🏿" or tgt.process.cmdline contains "👨🏿" or tgt.process.cmdline contains "👩🏿‍🦱" or tgt.process.cmdline contains "🧑🏿‍🦱" or tgt.process.cmdline contains "👨🏿‍🦱" or tgt.process.cmdline contains "👩🏿‍🦰" or tgt.process.cmdline contains "🧑🏿‍🦰" or tgt.process.cmdline contains "👨🏿‍🦰" or tgt.process.cmdline contains "👱🏿‍♀️" or tgt.process.cmdline contains "👱🏿" or tgt.process.cmdline contains "👱🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦳" or tgt.process.cmdline contains "🧑🏿‍🦳" or tgt.process.cmdline contains "👨🏿‍🦳" or tgt.process.cmdline contains "👩🏿‍🦲" or tgt.process.cmdline contains "🧑🏿‍🦲" or tgt.process.cmdline contains "👨🏿‍🦲" or tgt.process.cmdline contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔🏿" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "👵🏿" or tgt.process.cmdline contains "🧓🏿" or tgt.process.cmdline contains "👴🏿" or tgt.process.cmdline contains "👲🏿" or tgt.process.cmdline contains "👳🏿‍♀️" or tgt.process.cmdline contains "👳🏿" or tgt.process.cmdline contains "👳🏿‍♂️" or tgt.process.cmdline contains "🧕🏿" or tgt.process.cmdline contains "👮🏿‍♀️" or tgt.process.cmdline contains "👮🏿" or tgt.process.cmdline contains "👮🏿‍♂️" or tgt.process.cmdline contains "👷🏿‍♀️" or tgt.process.cmdline contains "👷🏿" or tgt.process.cmdline contains "👷🏿‍♂️" or tgt.process.cmdline contains "💂🏿‍♀️" or tgt.process.cmdline contains "💂🏿" or tgt.process.cmdline contains "💂🏿‍♂️" or tgt.process.cmdline contains "🕵🏿‍♀️" or tgt.process.cmdline contains "🕵🏿" or tgt.process.cmdline contains "🕵🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍⚕️" or tgt.process.cmdline contains "🧑🏿‍⚕️" or tgt.process.cmdline contains "👨🏿‍⚕️" or tgt.process.cmdline contains "👩🏿‍🌾" or tgt.process.cmdline contains "🧑🏿‍🌾" or tgt.process.cmdline contains "👨🏿‍🌾" or tgt.process.cmdline contains "👩🏿‍🍳" or tgt.process.cmdline contains "🧑🏿‍🍳" or tgt.process.cmdline contains "👨🏿‍🍳" or tgt.process.cmdline contains "👩🏿‍🎓" or tgt.process.cmdline contains "🧑🏿‍🎓" or 
tgt.process.cmdline contains "👨🏿‍🎓" or tgt.process.cmdline contains "👩🏿‍🎤" or tgt.process.cmdline contains "🧑🏿‍🎤" or tgt.process.cmdline contains "👨🏿‍🎤" or tgt.process.cmdline contains "👩🏿‍🏫" or tgt.process.cmdline contains "🧑🏿‍🏫" or tgt.process.cmdline contains "👨🏿‍🏫" or tgt.process.cmdline contains "👩🏿‍🏭" or tgt.process.cmdline contains "🧑🏿‍🏭" or tgt.process.cmdline contains "👨🏿‍🏭" or tgt.process.cmdline contains "👩🏿‍💻" or tgt.process.cmdline contains "🧑🏿‍💻" or tgt.process.cmdline contains "👨🏿‍💻" or tgt.process.cmdline contains "👩🏿‍💼" or tgt.process.cmdline contains "🧑🏿‍💼" or tgt.process.cmdline contains "👨🏿‍💼" or tgt.process.cmdline contains "👩🏿‍🔧" or tgt.process.cmdline contains "🧑🏿‍🔧" or tgt.process.cmdline contains "👨🏿‍🔧" or tgt.process.cmdline contains "👩🏿‍🔬" or tgt.process.cmdline contains "🧑🏿‍🔬" or tgt.process.cmdline contains "👨🏿‍🔬" or tgt.process.cmdline contains "👩🏿‍🎨" or tgt.process.cmdline contains "🧑🏿‍🎨" or tgt.process.cmdline contains "👨🏿‍🎨" or tgt.process.cmdline contains "👩🏿‍🚒" or tgt.process.cmdline contains "🧑🏿‍🚒" or tgt.process.cmdline contains "👨🏿‍🚒" or tgt.process.cmdline contains "👩🏿‍✈️" or tgt.process.cmdline contains "🧑🏿‍✈️" or tgt.process.cmdline contains "👨🏿‍✈️" or tgt.process.cmdline contains "👩🏿‍🚀" or tgt.process.cmdline contains "🧑🏿‍🚀" or tgt.process.cmdline contains "👨🏿‍🚀" or tgt.process.cmdline contains "👩🏿‍⚖️" or tgt.process.cmdline contains "🧑🏿‍⚖️" or tgt.process.cmdline contains "👨🏿‍⚖️" or tgt.process.cmdline contains "👰🏿‍♀️" or tgt.process.cmdline contains "👰🏿" or tgt.process.cmdline contains "👰🏿‍♂️" or tgt.process.cmdline contains "🤵🏿‍♀️" or tgt.process.cmdline contains "🤵🏿" or tgt.process.cmdline contains "🤵🏿‍♂️" or tgt.process.cmdline contains "👸🏿" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🤴🏿" or tgt.process.cmdline contains "🥷🏿" or tgt.process.cmdline contains "🦸🏿‍♀️" or tgt.process.cmdline contains "🦸🏿" or tgt.process.cmdline contains "🦸🏿‍♂️" or tgt.process.cmdline contains "🦹🏿‍♀️" or 
tgt.process.cmdline contains "🦹🏿" or tgt.process.cmdline contains "🦹🏿‍♂️" or tgt.process.cmdline contains "🤶🏿" or tgt.process.cmdline contains "🧑🏿‍🎄" or tgt.process.cmdline contains "🎅🏿" or tgt.process.cmdline contains "🧙🏿‍♀️" or tgt.process.cmdline contains "🧙🏿" or tgt.process.cmdline contains "🧙🏿‍♂️" or tgt.process.cmdline contains "🧝🏿‍♀️" or tgt.process.cmdline contains "🧝🏿" or tgt.process.cmdline contains "🧝🏿‍♂️" or tgt.process.cmdline contains "🧛🏿‍♀️" or tgt.process.cmdline contains "🧛🏿" or tgt.process.cmdline contains "🧛🏿‍♂️" or tgt.process.cmdline contains "🧜🏿‍♀️" or tgt.process.cmdline contains "🧜🏿" or tgt.process.cmdline contains "🧜🏿‍♂️" or tgt.process.cmdline contains "🧚🏿‍♀️" or tgt.process.cmdline contains "🧚🏿" or tgt.process.cmdline contains "🧚🏿‍♂️" or tgt.process.cmdline contains "👼🏿" or tgt.process.cmdline contains "🤰🏿" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🤱🏿" or tgt.process.cmdline contains "👩🏿‍🍼" or tgt.process.cmdline contains "🧑🏿‍🍼" or tgt.process.cmdline contains "👨🏿‍🍼" or tgt.process.cmdline contains "🙇🏿‍♀️" or tgt.process.cmdline contains "🙇🏿" or tgt.process.cmdline contains "🙇🏿‍♂️" or tgt.process.cmdline contains "💁🏿‍♀️" or tgt.process.cmdline contains "💁🏿" or tgt.process.cmdline contains "💁🏿‍♂️" or tgt.process.cmdline contains "🙅🏿‍♀️" or tgt.process.cmdline contains "🙅🏿" or tgt.process.cmdline contains "🙅🏿‍♂️" or tgt.process.cmdline contains "🙆🏿‍♀️" or tgt.process.cmdline contains "🙆🏿" or tgt.process.cmdline contains "🙆🏿‍♂️" or tgt.process.cmdline contains "🙋🏿‍♀️" or tgt.process.cmdline contains "🙋🏿" or tgt.process.cmdline contains "🙋🏿‍♂️" or tgt.process.cmdline contains "🧏🏿‍♀️" or tgt.process.cmdline contains "🧏🏿" or tgt.process.cmdline contains "🧏🏿‍♂️" or tgt.process.cmdline contains "🤦🏿‍♀️" or tgt.process.cmdline contains "🤦🏿" or tgt.process.cmdline contains "🤦🏿‍♂️" or tgt.process.cmdline contains "🤷🏿‍♀️" or tgt.process.cmdline contains "🤷🏿" or tgt.process.cmdline 
contains "🤷🏿‍♂️" or tgt.process.cmdline contains "🙎🏿‍♀️" or tgt.process.cmdline contains "🙎🏿" or tgt.process.cmdline contains "🙎🏿‍♂️" or tgt.process.cmdline contains "🙍🏿‍♀️" or tgt.process.cmdline contains "🙍🏿" or tgt.process.cmdline contains "🙍🏿‍♂️" or tgt.process.cmdline contains "💇🏿‍♀️" or tgt.process.cmdline contains "💇🏿" or tgt.process.cmdline contains "💇🏿‍♂️" or tgt.process.cmdline contains "💆🏿‍♀️" or tgt.process.cmdline contains "💆🏿" or tgt.process.cmdline contains "💆🏿‍♂️" or tgt.process.cmdline contains "🧖🏿‍♀️" or tgt.process.cmdline contains "🧖🏿" or tgt.process.cmdline contains "🧖🏿‍♂️" or tgt.process.cmdline contains "💃🏿" or tgt.process.cmdline contains "🕺🏿" or tgt.process.cmdline contains "🕴🏿" or tgt.process.cmdline contains "👩🏿‍🦽" or tgt.process.cmdline contains "🧑🏿‍🦽" or tgt.process.cmdline contains "👨🏿‍🦽" or tgt.process.cmdline contains "👩🏿‍🦼" or tgt.process.cmdline contains "🧑🏿‍🦼" or tgt.process.cmdline contains "👨🏿‍🦼" or tgt.process.cmdline contains "🚶🏿‍♀️" or tgt.process.cmdline contains "🚶🏿" or tgt.process.cmdline contains "🚶🏿‍♂️" or tgt.process.cmdline contains "👩🏿‍🦯" or tgt.process.cmdline contains "🧑🏿‍🦯" or tgt.process.cmdline contains "👨🏿‍🦯" or tgt.process.cmdline contains "🧎🏿‍♀️" or tgt.process.cmdline contains "🧎🏿" or tgt.process.cmdline contains "🧎🏿‍♂️" or tgt.process.cmdline contains "🏃🏿‍♀️" or tgt.process.cmdline contains "🏃🏿" or tgt.process.cmdline contains "🏃🏿‍♂️" or tgt.process.cmdline contains "🧍🏿‍♀️" or tgt.process.cmdline contains "🧍🏿" or tgt.process.cmdline contains "🧍🏿‍♂️" or tgt.process.cmdline contains "👭🏿" or tgt.process.cmdline contains "🧑🏿‍🤝‍🧑🏿" or tgt.process.cmdline contains "👬🏿" or tgt.process.cmdline contains "👫🏿" or tgt.process.cmdline contains "🧗🏿‍♀️" or tgt.process.cmdline contains "🧗🏿" or tgt.process.cmdline contains "🧗🏿‍♂️" or tgt.process.cmdline contains "🏇🏿" or tgt.process.cmdline contains "🏂🏿" or tgt.process.cmdline contains "🏌🏿‍♀️" or tgt.process.cmdline contains "🏌🏿" or tgt.process.cmdline contains "🏌🏿‍♂️" or 
tgt.process.cmdline contains "🏄🏿‍♀️" or tgt.process.cmdline contains "🏄🏿" or tgt.process.cmdline contains "🏄🏿‍♂️" or tgt.process.cmdline contains "🚣🏿‍♀️" or tgt.process.cmdline contains "🚣🏿" or tgt.process.cmdline contains "🚣🏿‍♂️" or tgt.process.cmdline contains "🏊🏿‍♀️" or tgt.process.cmdline contains "🏊🏿" or tgt.process.cmdline contains "🏊🏿‍♂️" or tgt.process.cmdline contains "⛹🏿‍♀️" or tgt.process.cmdline contains "⛹🏿" or tgt.process.cmdline contains "⛹🏿‍♂️" or tgt.process.cmdline contains "🏋🏿‍♀️" or tgt.process.cmdline contains "🏋🏿" or tgt.process.cmdline contains "🏋🏿‍♂️" or tgt.process.cmdline contains "🚴🏿‍♀️" or tgt.process.cmdline contains "🚴🏿" or tgt.process.cmdline contains "🚴🏿‍♂️" or tgt.process.cmdline contains "🚵🏿‍♀️" or tgt.process.cmdline contains "🚵🏿" or tgt.process.cmdline contains "🚵🏿‍♂️" or tgt.process.cmdline contains "🤸🏿‍♀️" or tgt.process.cmdline contains "🤸🏿" or tgt.process.cmdline contains "🤸🏿‍♂️" or tgt.process.cmdline contains "🤽🏿‍♀️" or tgt.process.cmdline contains "🤽🏿" or tgt.process.cmdline contains "🤽🏿‍♂️" or tgt.process.cmdline contains "🤾🏿‍♀️" or tgt.process.cmdline contains "🤾🏿" or tgt.process.cmdline contains "🤾🏿‍♂️" or tgt.process.cmdline contains "🤹🏿‍♀️" or tgt.process.cmdline contains "🤹🏿" or tgt.process.cmdline contains "🤹🏿‍♂️" or tgt.process.cmdline contains "🧘🏿‍♀️" or tgt.process.cmdline contains "🧘🏿" or tgt.process.cmdline contains "🧘🏿‍♂️" or tgt.process.cmdline contains "🛀🏿" or tgt.process.cmdline contains "🛌🏿" or tgt.process.cmdline contains "🐶" or tgt.process.cmdline contains "🐱" or tgt.process.cmdline contains "🐭" or tgt.process.cmdline contains "🐹" or tgt.process.cmdline contains "🐰" or tgt.process.cmdline contains "🦊" or tgt.process.cmdline contains "🐻" or tgt.process.cmdline contains "🐼" or tgt.process.cmdline contains "🐻‍❄️" or tgt.process.cmdline contains "🐨" or tgt.process.cmdline contains "🐯" or tgt.process.cmdline contains "🦁" or tgt.process.cmdline contains "🐮" or tgt.process.cmdline contains "🐷" or 
tgt.process.cmdline contains "🐽" or tgt.process.cmdline contains "🐸" or tgt.process.cmdline contains "🐵" or tgt.process.cmdline contains "🙈" or tgt.process.cmdline contains "🙉" or tgt.process.cmdline contains "🙊" or tgt.process.cmdline contains "🐒" or tgt.process.cmdline contains "🐔" or tgt.process.cmdline contains "🐧" or tgt.process.cmdline contains "🐦" or tgt.process.cmdline contains "🐤" or tgt.process.cmdline contains "🐣" or tgt.process.cmdline contains "🐥"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md
index 5db80e22d..90c2578ca 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_3.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🦆" or tgt.process.cmdline contains "🦅" or tgt.process.cmdline contains "🦉" or tgt.process.cmdline contains "🦇" or tgt.process.cmdline contains "🐺" or tgt.process.cmdline contains "🐗" or tgt.process.cmdline contains "🐴" or tgt.process.cmdline contains "🦄" or tgt.process.cmdline contains "🐝" or tgt.process.cmdline contains "🪱" or tgt.process.cmdline contains "🐛" or tgt.process.cmdline contains "🦋" or tgt.process.cmdline contains "🐌" or tgt.process.cmdline contains "🐞" or tgt.process.cmdline contains "🐜" or tgt.process.cmdline contains "🪰" or tgt.process.cmdline contains "🪲" or tgt.process.cmdline contains "🪳" or tgt.process.cmdline contains "🦟" or tgt.process.cmdline contains "🦗" or tgt.process.cmdline contains "🕷" or tgt.process.cmdline contains "🕸" or tgt.process.cmdline contains "🦂" or tgt.process.cmdline contains "🐢" or tgt.process.cmdline contains "🐍" or tgt.process.cmdline contains "🦎" or tgt.process.cmdline contains "🦖" or tgt.process.cmdline contains "🦕" or tgt.process.cmdline contains "🐙" or tgt.process.cmdline contains "🦑" or tgt.process.cmdline contains "🦐" or tgt.process.cmdline contains "🦞" or tgt.process.cmdline contains "🦀" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🐡" or tgt.process.cmdline contains "🐠" or tgt.process.cmdline contains "🐟" or tgt.process.cmdline contains "🐬" or tgt.process.cmdline contains "🐳" or tgt.process.cmdline contains "🐋" or tgt.process.cmdline contains "🦈" or tgt.process.cmdline contains "🐊" or tgt.process.cmdline contains "🐅" or tgt.process.cmdline contains "🐆" or tgt.process.cmdline contains "🦓" or tgt.process.cmdline contains "🦍" or tgt.process.cmdline contains "🦧" or tgt.process.cmdline contains "🦣" or tgt.process.cmdline contains "🐘" or tgt.process.cmdline contains "🦛" or tgt.process.cmdline contains "🦏" or tgt.process.cmdline contains "🐪" or tgt.process.cmdline contains "🐫" or tgt.process.cmdline contains 
"🦒" or tgt.process.cmdline contains "🦘" or tgt.process.cmdline contains "🦬" or tgt.process.cmdline contains "🐃" or tgt.process.cmdline contains "🐂" or tgt.process.cmdline contains "🐄" or tgt.process.cmdline contains "🐎" or tgt.process.cmdline contains "🐖" or tgt.process.cmdline contains "🐏" or tgt.process.cmdline contains "🐑" or tgt.process.cmdline contains "🦙" or tgt.process.cmdline contains "🐐" or tgt.process.cmdline contains "🦌" or tgt.process.cmdline contains "🐕" or tgt.process.cmdline contains "🐩" or tgt.process.cmdline contains "🦮" or tgt.process.cmdline contains "🐕‍🦺" or tgt.process.cmdline contains "🐈" or tgt.process.cmdline contains "🐈‍⬛" or tgt.process.cmdline contains "🪶" or tgt.process.cmdline contains "🐓" or tgt.process.cmdline contains "🦃" or tgt.process.cmdline contains "🦤" or tgt.process.cmdline contains "🦚" or tgt.process.cmdline contains "🦜" or tgt.process.cmdline contains "🦢" or tgt.process.cmdline contains "🦩" or tgt.process.cmdline contains "🕊" or tgt.process.cmdline contains "🐇" or tgt.process.cmdline contains "🦝" or tgt.process.cmdline contains "🦨" or tgt.process.cmdline contains "🦡" or tgt.process.cmdline contains "🦫" or tgt.process.cmdline contains "🦦" or tgt.process.cmdline contains "🦥" or tgt.process.cmdline contains "🐁" or tgt.process.cmdline contains "🐀" or tgt.process.cmdline contains "🐿" or tgt.process.cmdline contains "🦔" or tgt.process.cmdline contains "🐾" or tgt.process.cmdline contains "🐉" or tgt.process.cmdline contains "🐲" or tgt.process.cmdline contains "🌵" or tgt.process.cmdline contains "🎄" or tgt.process.cmdline contains "🌲" or tgt.process.cmdline contains "🌳" or tgt.process.cmdline contains "🌴" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🪵" or tgt.process.cmdline contains "🌱" or tgt.process.cmdline contains "🌿" or tgt.process.cmdline contains "☘️" or tgt.process.cmdline contains "🍀" or tgt.process.cmdline contains "🎍" or tgt.process.cmdline contains "🪴" or 
tgt.process.cmdline contains "🎋" or tgt.process.cmdline contains "🍃" or tgt.process.cmdline contains "🍂" or tgt.process.cmdline contains "🍁" or tgt.process.cmdline contains "🍄" or tgt.process.cmdline contains "🐚" or tgt.process.cmdline contains "🪨" or tgt.process.cmdline contains "🌾" or tgt.process.cmdline contains "💐" or tgt.process.cmdline contains "🌷" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🌹" or tgt.process.cmdline contains "🥀" or tgt.process.cmdline contains "🌺" or tgt.process.cmdline contains "🌸" or tgt.process.cmdline contains "🌼" or tgt.process.cmdline contains "🌻" or tgt.process.cmdline contains "🌞" or tgt.process.cmdline contains "🌝" or tgt.process.cmdline contains "🌛" or tgt.process.cmdline contains "🌜" or tgt.process.cmdline contains "🌚" or tgt.process.cmdline contains "🌕" or tgt.process.cmdline contains "🌖" or tgt.process.cmdline contains "🌗" or tgt.process.cmdline contains "🌘" or tgt.process.cmdline contains "🌑" or tgt.process.cmdline contains "🌒" or tgt.process.cmdline contains "🌓" or tgt.process.cmdline contains "🌔" or tgt.process.cmdline contains "🌙" or tgt.process.cmdline contains "🌎" or tgt.process.cmdline contains "🌍" or tgt.process.cmdline contains "🌏" or tgt.process.cmdline contains "🪐" or tgt.process.cmdline contains "💫" or tgt.process.cmdline contains "⭐️" or tgt.process.cmdline contains "🌟" or tgt.process.cmdline contains "✨" or tgt.process.cmdline contains "⚡️" or tgt.process.cmdline contains "☄️" or tgt.process.cmdline contains "💥" or tgt.process.cmdline contains "🔥" or tgt.process.cmdline contains "🌪" or tgt.process.cmdline contains "🌈" or tgt.process.cmdline contains "☀️" or tgt.process.cmdline contains "🌤" or tgt.process.cmdline contains "⛅️" or tgt.process.cmdline contains "🌥" or tgt.process.cmdline contains "☁️" or tgt.process.cmdline contains "🌦" or tgt.process.cmdline contains "🌧" or tgt.process.cmdline contains "⛈" or tgt.process.cmdline contains "🌩" or tgt.process.cmdline contains "🌨" or 
tgt.process.cmdline contains "❄️" or tgt.process.cmdline contains "☃️" or tgt.process.cmdline contains "⛄️" or tgt.process.cmdline contains "🌬" or tgt.process.cmdline contains "💨" or tgt.process.cmdline contains "💧" or tgt.process.cmdline contains "💦" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "☔️" or tgt.process.cmdline contains "☂️" or tgt.process.cmdline contains "🌊" or tgt.process.cmdline contains "🌫🍏" or tgt.process.cmdline contains "🍎" or tgt.process.cmdline contains "🍐" or tgt.process.cmdline contains "🍊" or tgt.process.cmdline contains "🍋" or tgt.process.cmdline contains "🍌" or tgt.process.cmdline contains "🍉" or tgt.process.cmdline contains "🍇" or tgt.process.cmdline contains "🍓" or tgt.process.cmdline contains "🫐" or tgt.process.cmdline contains "🍈" or tgt.process.cmdline contains "🍒" or tgt.process.cmdline contains "🍑" or tgt.process.cmdline contains "🥭" or tgt.process.cmdline contains "🍍" or tgt.process.cmdline contains "🥥" or tgt.process.cmdline contains "🥝" or tgt.process.cmdline contains "🍅" or tgt.process.cmdline contains "🍆" or tgt.process.cmdline contains "🥑" or tgt.process.cmdline contains "🥦" or tgt.process.cmdline contains "🥬" or tgt.process.cmdline contains "🥒" or tgt.process.cmdline contains "🌶" or tgt.process.cmdline contains "🫑" or tgt.process.cmdline contains "🌽" or tgt.process.cmdline contains "🥕" or tgt.process.cmdline contains "🫒" or tgt.process.cmdline contains "🧄" or tgt.process.cmdline contains "🧅" or tgt.process.cmdline contains "🥔" or tgt.process.cmdline contains "🍠" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🥐" or tgt.process.cmdline contains "🥯" or tgt.process.cmdline contains "🍞" or tgt.process.cmdline contains "🥖" or tgt.process.cmdline contains "🥨" or tgt.process.cmdline contains "🧀" or tgt.process.cmdline contains "🥚" or tgt.process.cmdline contains "🍳" or tgt.process.cmdline contains "🧈" or tgt.process.cmdline contains "🥞" or tgt.process.cmdline contains "🧇" or 
tgt.process.cmdline contains "🥓" or tgt.process.cmdline contains "🥩" or tgt.process.cmdline contains "🍗" or tgt.process.cmdline contains "🍖" or tgt.process.cmdline contains "🦴" or tgt.process.cmdline contains "🌭" or tgt.process.cmdline contains "🍔" or tgt.process.cmdline contains "🍟" or tgt.process.cmdline contains "🍕" or tgt.process.cmdline contains "🫓" or tgt.process.cmdline contains "🥪" or tgt.process.cmdline contains "🥙" or tgt.process.cmdline contains "🧆" or tgt.process.cmdline contains "🌮" or tgt.process.cmdline contains "🌯" or tgt.process.cmdline contains "🫔" or tgt.process.cmdline contains "🥗" or tgt.process.cmdline contains "🥘" or tgt.process.cmdline contains "🫕" or tgt.process.cmdline contains "🥫" or tgt.process.cmdline contains "🍝" or tgt.process.cmdline contains "🍜" or tgt.process.cmdline contains "🍲" or tgt.process.cmdline contains "🍛" or tgt.process.cmdline contains "🍣" or tgt.process.cmdline contains "🍱" or tgt.process.cmdline contains "🥟" or tgt.process.cmdline contains "🦪" or tgt.process.cmdline contains "🍤" or tgt.process.cmdline contains "🍙" or tgt.process.cmdline contains "🍚" or tgt.process.cmdline contains "🍘" or tgt.process.cmdline contains "🍥" or tgt.process.cmdline contains "🥠" or tgt.process.cmdline contains "🥮" or tgt.process.cmdline contains "🍢" or tgt.process.cmdline contains "🍡" or tgt.process.cmdline contains "🍧" or tgt.process.cmdline contains "🍨" or tgt.process.cmdline contains "🍦" or tgt.process.cmdline contains "🥧" or tgt.process.cmdline contains "🧁" or tgt.process.cmdline contains "🍰" or tgt.process.cmdline contains "🎂" or tgt.process.cmdline contains "🍮" or tgt.process.cmdline contains "🍭" or tgt.process.cmdline contains "🍬" or tgt.process.cmdline contains "🍫" or tgt.process.cmdline contains "🍿" or tgt.process.cmdline contains "🍩" or tgt.process.cmdline contains "🍪" or tgt.process.cmdline contains "🌰" or tgt.process.cmdline contains "🥜" or tgt.process.cmdline contains "🍯" or tgt.process.cmdline contains "🥛" or tgt.process.cmdline 
contains "🍼" or tgt.process.cmdline contains "🫖" or tgt.process.cmdline contains "☕️" or tgt.process.cmdline contains "🍵" or tgt.process.cmdline contains "🧃" or tgt.process.cmdline contains "🥤" or tgt.process.cmdline contains "🧋" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🍶" or tgt.process.cmdline contains "🍺" or tgt.process.cmdline contains "🍻" or tgt.process.cmdline contains "🥂" or tgt.process.cmdline contains "🍷" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🥃" or tgt.process.cmdline contains "🍸" or tgt.process.cmdline contains "🍹" or tgt.process.cmdline contains "🧉" or tgt.process.cmdline contains "🍾" or tgt.process.cmdline contains "🧊" or tgt.process.cmdline contains "🥄" or tgt.process.cmdline contains "🍴" or tgt.process.cmdline contains "🍽" or tgt.process.cmdline contains "🥣" or tgt.process.cmdline contains "🥡" or tgt.process.cmdline contains "🥢" or tgt.process.cmdline contains "🧂" or tgt.process.cmdline contains "⚽️" or tgt.process.cmdline contains "🏀" or tgt.process.cmdline contains "🏈" or tgt.process.cmdline contains "⚾️" or tgt.process.cmdline contains "🥎" or tgt.process.cmdline contains "🎾" or tgt.process.cmdline contains "🏐" or tgt.process.cmdline contains "🏉" or tgt.process.cmdline contains "🥏" or tgt.process.cmdline contains "🎱" or tgt.process.cmdline contains "🪀" or tgt.process.cmdline contains "🏓" or tgt.process.cmdline contains "🏸" or tgt.process.cmdline contains "🏒" or tgt.process.cmdline contains "🏑" or tgt.process.cmdline contains "🥍" or tgt.process.cmdline contains "🏏" or tgt.process.cmdline contains "🪃" or tgt.process.cmdline contains "🥅" or tgt.process.cmdline contains "⛳️" or tgt.process.cmdline contains "🪁" or tgt.process.cmdline contains "🏹" or tgt.process.cmdline contains "🎣" or tgt.process.cmdline contains "🤿" or tgt.process.cmdline contains "🥊" or tgt.process.cmdline contains "🥋" or tgt.process.cmdline contains "🎽" or tgt.process.cmdline contains "🛹" or tgt.process.cmdline contains "🛼" or 
tgt.process.cmdline contains "🛷" or tgt.process.cmdline contains "⛸" or tgt.process.cmdline contains "🥌" or tgt.process.cmdline contains "🎿" or tgt.process.cmdline contains "⛷" or tgt.process.cmdline contains "🏂" or tgt.process.cmdline contains "🪂" or tgt.process.cmdline contains "🏋️‍♀️" or tgt.process.cmdline contains "🏋️" or tgt.process.cmdline contains "🏋️‍♂️" or tgt.process.cmdline contains "🤼‍♀️" or tgt.process.cmdline contains "🤼" or tgt.process.cmdline contains "🤼‍♂️" or tgt.process.cmdline contains "🤸‍♀️" or tgt.process.cmdline contains "🤸" or tgt.process.cmdline contains "🤸‍♂️" or tgt.process.cmdline contains "⛹️‍♀️" or tgt.process.cmdline contains "⛹️" or tgt.process.cmdline contains "⛹️‍♂️" or tgt.process.cmdline contains "🤺" or tgt.process.cmdline contains "🤾‍♀️" or tgt.process.cmdline contains "🤾" or tgt.process.cmdline contains "🤾‍♂️" or tgt.process.cmdline contains "🏌️‍♀️" or tgt.process.cmdline contains "🏌️" or tgt.process.cmdline contains "🏌️‍♂️" or tgt.process.cmdline contains "🏇" or tgt.process.cmdline contains "🧘‍♀️" or tgt.process.cmdline contains "🧘" or tgt.process.cmdline contains "🧘‍♂️" or tgt.process.cmdline contains "🏄‍♀️" or tgt.process.cmdline contains "🏄" or tgt.process.cmdline contains "🏄‍♂️" or tgt.process.cmdline contains "🏊‍♀️" or tgt.process.cmdline contains "🏊" or tgt.process.cmdline contains "🏊‍♂️" or tgt.process.cmdline contains "🤽‍♀️" or tgt.process.cmdline contains "🤽" or tgt.process.cmdline contains "🤽‍♂️" or tgt.process.cmdline contains "🚣‍♀️" or tgt.process.cmdline contains "🚣" or tgt.process.cmdline contains "🚣‍♂️" or tgt.process.cmdline contains "🧗‍♀️" or tgt.process.cmdline contains "🧗" or tgt.process.cmdline contains "🧗‍♂️" or tgt.process.cmdline contains "🚵‍♀️" or tgt.process.cmdline contains "🚵" or tgt.process.cmdline contains "🚵‍♂️" or tgt.process.cmdline contains "🚴‍♀️" or tgt.process.cmdline contains "🚴" or tgt.process.cmdline contains "🚴‍♂️" or tgt.process.cmdline contains "🏆" or tgt.process.cmdline contains "🥇" 
or tgt.process.cmdline contains "🥈" or tgt.process.cmdline contains "🥉" or tgt.process.cmdline contains "🏅" or tgt.process.cmdline contains "🎖" or tgt.process.cmdline contains "🏵" or tgt.process.cmdline contains "🎗" or tgt.process.cmdline contains "🎫" or tgt.process.cmdline contains "🎟" or tgt.process.cmdline contains "🎪" or tgt.process.cmdline contains "🤹" or tgt.process.cmdline contains "🤹‍♂️" or tgt.process.cmdline contains "🤹‍♀️" or tgt.process.cmdline contains "🎭" or tgt.process.cmdline contains "🩰" or tgt.process.cmdline contains "🎨" or tgt.process.cmdline contains "🎬" or tgt.process.cmdline contains "🎤" or tgt.process.cmdline contains "🎧" or tgt.process.cmdline contains "🎼" or tgt.process.cmdline contains "🎹" or tgt.process.cmdline contains "🥁" or tgt.process.cmdline contains "🪘" or tgt.process.cmdline contains "🎷" or tgt.process.cmdline contains "🎺" or tgt.process.cmdline contains "🪗" or tgt.process.cmdline contains "🎸" or tgt.process.cmdline contains "🪕" or tgt.process.cmdline contains "🎻" or tgt.process.cmdline contains "🎲" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "🎯" or tgt.process.cmdline contains "🎳" or tgt.process.cmdline contains "🎮" or tgt.process.cmdline contains "🎰" or tgt.process.cmdline contains "🧩" or tgt.process.cmdline contains "🚗" or tgt.process.cmdline contains "🚕" or tgt.process.cmdline contains "🚙" or tgt.process.cmdline contains "🚌" or tgt.process.cmdline contains "🚎" or tgt.process.cmdline contains "🏎" or tgt.process.cmdline contains "🚓" or tgt.process.cmdline contains "🚑" or tgt.process.cmdline contains "🚒" or tgt.process.cmdline contains "🚐" or tgt.process.cmdline contains "🛻" or tgt.process.cmdline contains "🚚" or tgt.process.cmdline contains "🚛" or tgt.process.cmdline contains "🚜" or tgt.process.cmdline contains "🦯" or tgt.process.cmdline contains "🦽" or tgt.process.cmdline contains "🦼" or tgt.process.cmdline contains "🛴" or tgt.process.cmdline contains "🚲" or tgt.process.cmdline contains "🛵" or 
tgt.process.cmdline contains "🏍" or tgt.process.cmdline contains "🛺" or tgt.process.cmdline contains "🚨" or tgt.process.cmdline contains "🚔" or tgt.process.cmdline contains "🚍" or tgt.process.cmdline contains "🚘" or tgt.process.cmdline contains "🚖" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🚡" or tgt.process.cmdline contains "🚠" or tgt.process.cmdline contains "🚟" or tgt.process.cmdline contains "🚃" or tgt.process.cmdline contains "🚋" or tgt.process.cmdline contains "🚞" or tgt.process.cmdline contains "🚝" or tgt.process.cmdline contains "🚄" or tgt.process.cmdline contains "🚅" or tgt.process.cmdline contains "🚈" or tgt.process.cmdline contains "🚂" or tgt.process.cmdline contains "🚆" or tgt.process.cmdline contains "🚇" or tgt.process.cmdline contains "🚊" or tgt.process.cmdline contains "🚉" or tgt.process.cmdline contains "✈️" or tgt.process.cmdline contains "🛫" or tgt.process.cmdline contains "🛬" or tgt.process.cmdline contains "🛩" or tgt.process.cmdline contains "💺" or tgt.process.cmdline contains "🛰" or tgt.process.cmdline contains "🚀" or tgt.process.cmdline contains "🛸" or tgt.process.cmdline contains "🚁" or tgt.process.cmdline contains "🛶" or tgt.process.cmdline contains "⛵️" or tgt.process.cmdline contains "🚤" or tgt.process.cmdline contains "🛥" or tgt.process.cmdline contains "🛳" or tgt.process.cmdline contains "⛴" or tgt.process.cmdline contains "🚢" or tgt.process.cmdline contains "⚓️" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪝" or tgt.process.cmdline contains "⛽️" or tgt.process.cmdline contains "🚧" or tgt.process.cmdline contains "🚦" or tgt.process.cmdline contains "🚥" or tgt.process.cmdline contains "🚏" or tgt.process.cmdline contains "🗺" or tgt.process.cmdline contains "🗿" or tgt.process.cmdline contains "🗽" or tgt.process.cmdline contains "🗼" or tgt.process.cmdline contains "🏰" or tgt.process.cmdline contains "🏯" or tgt.process.cmdline contains "🏟" or tgt.process.cmdline contains "🎡" or 
tgt.process.cmdline contains "🎢" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🎠" or tgt.process.cmdline contains "⛲️" or tgt.process.cmdline contains "⛱" or tgt.process.cmdline contains "🏖" or tgt.process.cmdline contains "🏝" or tgt.process.cmdline contains "🏜" or tgt.process.cmdline contains "🌋" or tgt.process.cmdline contains "⛰" or tgt.process.cmdline contains "🏔" or tgt.process.cmdline contains "🗻" or tgt.process.cmdline contains "🏕" or tgt.process.cmdline contains "⛺️" or tgt.process.cmdline contains "🛖" or tgt.process.cmdline contains "🏠" or tgt.process.cmdline contains "🏡" or tgt.process.cmdline contains "🏘" or tgt.process.cmdline contains "🏚" or tgt.process.cmdline contains "🏗" or tgt.process.cmdline contains "🏭" or tgt.process.cmdline contains "🏢" or tgt.process.cmdline contains "🏬" or tgt.process.cmdline contains "🏣" or tgt.process.cmdline contains "🏤" or tgt.process.cmdline contains "🏥" or tgt.process.cmdline contains "🏦" or tgt.process.cmdline contains "🏨" or tgt.process.cmdline contains "🏪" or tgt.process.cmdline contains "🏫" or tgt.process.cmdline contains "🏩" or tgt.process.cmdline contains "💒" or tgt.process.cmdline contains "🏛" or tgt.process.cmdline contains "⛪️" or tgt.process.cmdline contains "🕌" or tgt.process.cmdline contains "🕍" or tgt.process.cmdline contains "🛕" or tgt.process.cmdline contains "🕋" or tgt.process.cmdline contains "⛩" or tgt.process.cmdline contains "🛤" or tgt.process.cmdline contains "🛣" or tgt.process.cmdline contains "🗾" or tgt.process.cmdline contains "🎑" or tgt.process.cmdline contains "🏞" or tgt.process.cmdline contains "🌅" or tgt.process.cmdline contains "🌄" or tgt.process.cmdline contains "🌠" or tgt.process.cmdline contains "🎇" or tgt.process.cmdline contains "🎆" or tgt.process.cmdline contains "🌇" or tgt.process.cmdline contains "🌆" or tgt.process.cmdline contains "🏙" or tgt.process.cmdline contains "🌃" or tgt.process.cmdline contains "🌌" or tgt.process.cmdline contains "🌉" or 
tgt.process.cmdline contains "🌁" or tgt.process.cmdline contains "⌚️" or tgt.process.cmdline contains "📱" or tgt.process.cmdline contains "📲" or tgt.process.cmdline contains "💻" or tgt.process.cmdline contains "⌨️" or tgt.process.cmdline contains "🖥" or tgt.process.cmdline contains "🖨" or tgt.process.cmdline contains "🖱" or tgt.process.cmdline contains "🖲" or tgt.process.cmdline contains "🕹" or tgt.process.cmdline contains "🗜" or tgt.process.cmdline contains "💽" or tgt.process.cmdline contains "💾" or tgt.process.cmdline contains "💿" or tgt.process.cmdline contains "📀" or tgt.process.cmdline contains "📼" or tgt.process.cmdline contains "📷" or tgt.process.cmdline contains "📸" or tgt.process.cmdline contains "📹" or tgt.process.cmdline contains "🎥" or tgt.process.cmdline contains "📽" or tgt.process.cmdline contains "🎞" or tgt.process.cmdline contains "📞" or tgt.process.cmdline contains "☎️" or tgt.process.cmdline contains "📟" or tgt.process.cmdline contains "📠" or tgt.process.cmdline contains "📺" or tgt.process.cmdline contains "📻" or tgt.process.cmdline contains "🎙" or tgt.process.cmdline contains "🎚" or tgt.process.cmdline contains "🎛" or tgt.process.cmdline contains "🧭" or tgt.process.cmdline contains "⏱" or tgt.process.cmdline contains "⏲" or tgt.process.cmdline contains "⏰" or tgt.process.cmdline contains "🕰" or tgt.process.cmdline contains "⌛️" or tgt.process.cmdline contains "⏳" or tgt.process.cmdline contains "📡" or tgt.process.cmdline contains "🔋" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🔌" or tgt.process.cmdline contains "💡" or tgt.process.cmdline contains "🔦" or tgt.process.cmdline contains "🕯" or tgt.process.cmdline contains "🪔" or tgt.process.cmdline contains "🧯" or tgt.process.cmdline contains "🛢" or tgt.process.cmdline contains "💸" or tgt.process.cmdline contains "💵" or tgt.process.cmdline contains "💴" or tgt.process.cmdline contains "💶" or tgt.process.cmdline contains "💷" or tgt.process.cmdline contains "🪙" or 
tgt.process.cmdline contains "💰" or tgt.process.cmdline contains "💳" or tgt.process.cmdline contains "💎" or tgt.process.cmdline contains "⚖️" or tgt.process.cmdline contains "🪜" or tgt.process.cmdline contains "🧰" or tgt.process.cmdline contains "🪛" or tgt.process.cmdline contains "🔧" or tgt.process.cmdline contains "🔨" or tgt.process.cmdline contains "⚒" or tgt.process.cmdline contains "🛠" or tgt.process.cmdline contains "⛏" or tgt.process.cmdline contains "🪚" or tgt.process.cmdline contains "🔩" or tgt.process.cmdline contains "⚙️" or tgt.process.cmdline contains "🪤" or tgt.process.cmdline contains "🧱" or tgt.process.cmdline contains "⛓" or tgt.process.cmdline contains "🧲" or tgt.process.cmdline contains "🔫" or tgt.process.cmdline contains "💣" or tgt.process.cmdline contains "🧨" or tgt.process.cmdline contains "🪓" or tgt.process.cmdline contains "🔪" or tgt.process.cmdline contains "🗡" or tgt.process.cmdline contains "⚔️" or tgt.process.cmdline contains "🛡" or tgt.process.cmdline contains "🚬" or tgt.process.cmdline contains "⚰️" or tgt.process.cmdline contains "🪦" or tgt.process.cmdline contains "⚱️" or tgt.process.cmdline contains "🏺" or tgt.process.cmdline contains "🔮" or tgt.process.cmdline contains "📿" or tgt.process.cmdline contains "🧿" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "💈" or tgt.process.cmdline contains "⚗️" or tgt.process.cmdline contains "🔭" or tgt.process.cmdline contains "🔬" or tgt.process.cmdline contains "🕳" or tgt.process.cmdline contains "🩹" or tgt.process.cmdline contains "🩺" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "💊" or tgt.process.cmdline contains "💉" or tgt.process.cmdline contains "🩸" or tgt.process.cmdline contains "🧬" or tgt.process.cmdline contains "🦠" or tgt.process.cmdline contains "🧫" or tgt.process.cmdline contains "🧪" or tgt.process.cmdline contains "🌡" or tgt.process.cmdline contains "🧹" or tgt.process.cmdline contains "🪠" or 
tgt.process.cmdline contains "🧺" or tgt.process.cmdline contains "🧻" or tgt.process.cmdline contains "🚽" or tgt.process.cmdline contains "🚰" or tgt.process.cmdline contains "🚿" or tgt.process.cmdline contains "🛁" or tgt.process.cmdline contains "🛀" or tgt.process.cmdline contains "🧼" or tgt.process.cmdline contains "🪥" or tgt.process.cmdline contains "🪒" or tgt.process.cmdline contains "🧽" or tgt.process.cmdline contains "🪣" or tgt.process.cmdline contains "🧴" or tgt.process.cmdline contains "🛎" or tgt.process.cmdline contains "🔑" or tgt.process.cmdline contains "🗝" or tgt.process.cmdline contains "🚪" or tgt.process.cmdline contains "🪑" or tgt.process.cmdline contains "🛋" or tgt.process.cmdline contains "🛏" or tgt.process.cmdline contains "🛌" or tgt.process.cmdline contains "🧸" or tgt.process.cmdline contains "🪆" or tgt.process.cmdline contains "🖼" or tgt.process.cmdline contains "🪞" or tgt.process.cmdline contains "🪟" or tgt.process.cmdline contains "🛍" or tgt.process.cmdline contains "🛒" or tgt.process.cmdline contains "🎁" or tgt.process.cmdline contains "🎈" or tgt.process.cmdline contains "🎏" or tgt.process.cmdline contains "🎀" or tgt.process.cmdline contains "🪄" or tgt.process.cmdline contains "🪅" or tgt.process.cmdline contains "🎊" or tgt.process.cmdline contains "🎉" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🎎" or tgt.process.cmdline contains "🏮" or tgt.process.cmdline contains "🎐" or tgt.process.cmdline contains "🧧" or tgt.process.cmdline contains "✉️" or tgt.process.cmdline contains "📩" or tgt.process.cmdline contains "📨" or tgt.process.cmdline contains "📧" or tgt.process.cmdline contains "💌" or tgt.process.cmdline contains "📥" or tgt.process.cmdline contains "📤" or tgt.process.cmdline contains "📦" or tgt.process.cmdline contains "🏷" or tgt.process.cmdline contains "🪧" or tgt.process.cmdline contains "📪" or tgt.process.cmdline contains "📫" or tgt.process.cmdline contains "📬" or tgt.process.cmdline contains "📭" or 
tgt.process.cmdline contains "📮" or tgt.process.cmdline contains "📯" or tgt.process.cmdline contains "📜" or tgt.process.cmdline contains "📃" or tgt.process.cmdline contains "📄" or tgt.process.cmdline contains "📑" or tgt.process.cmdline contains "🧾" or tgt.process.cmdline contains "📊" or tgt.process.cmdline contains "📈" or tgt.process.cmdline contains "📉" or tgt.process.cmdline contains "🗒" or tgt.process.cmdline contains "🗓" or tgt.process.cmdline contains "📆" or tgt.process.cmdline contains "📅" or tgt.process.cmdline contains "🗑" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "📇" or tgt.process.cmdline contains "🗃" or tgt.process.cmdline contains "🗳" or tgt.process.cmdline contains "🗄" or tgt.process.cmdline contains "📋" or tgt.process.cmdline contains "📁" or tgt.process.cmdline contains "📂" or tgt.process.cmdline contains "🗂" or tgt.process.cmdline contains "🗞" or tgt.process.cmdline contains "📰" or tgt.process.cmdline contains "📓" or tgt.process.cmdline contains "📔" or tgt.process.cmdline contains "📒" or tgt.process.cmdline contains "📕" or tgt.process.cmdline contains "📗" or tgt.process.cmdline contains "📘" or tgt.process.cmdline contains "📙" or tgt.process.cmdline contains "📚" or tgt.process.cmdline contains "📖" or tgt.process.cmdline contains "🔖" or tgt.process.cmdline contains "🧷" or tgt.process.cmdline contains "🔗" or tgt.process.cmdline contains "📎" or tgt.process.cmdline contains "🖇" or tgt.process.cmdline contains "📐" or tgt.process.cmdline contains "📏" or tgt.process.cmdline contains "🧮" or tgt.process.cmdline contains "📌" or tgt.process.cmdline contains "📍" or tgt.process.cmdline contains "✂️" or tgt.process.cmdline contains "🖊" or tgt.process.cmdline contains "🖋" or tgt.process.cmdline contains "✒️" or tgt.process.cmdline contains "🖌" or tgt.process.cmdline contains "🖍" or tgt.process.cmdline contains "📝" or tgt.process.cmdline contains "✏️" or tgt.process.cmdline contains "🔍" or tgt.process.cmdline contains "🔎" or 
tgt.process.cmdline contains "🔏" or tgt.process.cmdline contains "🔐" or tgt.process.cmdline contains "🔒" or tgt.process.cmdline contains "🔓❤️" or tgt.process.cmdline contains "🧡" or tgt.process.cmdline contains "💛" or tgt.process.cmdline contains "💚" or tgt.process.cmdline contains "💙" or tgt.process.cmdline contains "💜" or tgt.process.cmdline contains "🖤" or tgt.process.cmdline contains "🤍" or tgt.process.cmdline contains "🤎" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "💔" or tgt.process.cmdline contains "❣️" or tgt.process.cmdline contains "💕" or tgt.process.cmdline contains "💞" or tgt.process.cmdline contains "💓" or tgt.process.cmdline contains "💗" or tgt.process.cmdline contains "💖" or tgt.process.cmdline contains "💘" or tgt.process.cmdline contains "💝" or tgt.process.cmdline contains "💟" or tgt.process.cmdline contains "☮️" or tgt.process.cmdline contains "✝️" or tgt.process.cmdline contains "☪️" or tgt.process.cmdline contains "🕉" or tgt.process.cmdline contains "☸️" or tgt.process.cmdline contains "✡️" or tgt.process.cmdline contains "🔯" or tgt.process.cmdline contains "🕎" or tgt.process.cmdline contains "☯️" or tgt.process.cmdline contains "☦️" or tgt.process.cmdline contains "🛐" or tgt.process.cmdline contains "⛎" or tgt.process.cmdline contains "♈️" or tgt.process.cmdline contains "♉️" or tgt.process.cmdline contains "♊️" or tgt.process.cmdline contains "♋️" or tgt.process.cmdline contains "♌️" or tgt.process.cmdline contains "♍️" or tgt.process.cmdline contains "♎️" or tgt.process.cmdline contains "♏️" or tgt.process.cmdline contains "♐️" or tgt.process.cmdline contains "♑️" or tgt.process.cmdline contains "♒️" or tgt.process.cmdline contains "♓️" or tgt.process.cmdline contains "🆔" or tgt.process.cmdline contains "⚛️" or tgt.process.cmdline contains "🉑" or tgt.process.cmdline contains "☢️" or tgt.process.cmdline contains "☣️" or tgt.process.cmdline contains "📴" or tgt.process.cmdline 
contains "📳" or tgt.process.cmdline contains "🈶" or tgt.process.cmdline contains "🈚️" or tgt.process.cmdline contains "🈸" or tgt.process.cmdline contains "🈺" or tgt.process.cmdline contains "🈷️" or tgt.process.cmdline contains "✴️" or tgt.process.cmdline contains "🆚" or tgt.process.cmdline contains "💮" or tgt.process.cmdline contains "🉐" or tgt.process.cmdline contains "㊙️" or tgt.process.cmdline contains "㊗️" or tgt.process.cmdline contains "🈴" or tgt.process.cmdline contains "🈵" or tgt.process.cmdline contains "🈹" or tgt.process.cmdline contains "🈲" or tgt.process.cmdline contains "🅰️" or tgt.process.cmdline contains "🅱️" or tgt.process.cmdline contains "🆎" or tgt.process.cmdline contains "🆑" or tgt.process.cmdline contains "🅾️" or tgt.process.cmdline contains "🆘" or tgt.process.cmdline contains "❌" or tgt.process.cmdline contains "⭕️" or tgt.process.cmdline contains "🛑" or tgt.process.cmdline contains "⛔️" or tgt.process.cmdline contains "📛" or tgt.process.cmdline contains "🚫" or tgt.process.cmdline contains "💯" or tgt.process.cmdline contains "💢" or tgt.process.cmdline contains "♨️" or tgt.process.cmdline contains "🚷" or tgt.process.cmdline contains "🚯" or tgt.process.cmdline contains "🚳" or tgt.process.cmdline contains "🚱" or tgt.process.cmdline contains "🔞" or tgt.process.cmdline contains "📵" or tgt.process.cmdline contains "🚭" or tgt.process.cmdline contains "❗️" or tgt.process.cmdline contains "❕" or tgt.process.cmdline contains "❓" or tgt.process.cmdline contains "❔" or tgt.process.cmdline contains "‼️" or tgt.process.cmdline contains "⁉️" or tgt.process.cmdline contains "🔅" or tgt.process.cmdline contains "🔆" or tgt.process.cmdline contains "〽️" or tgt.process.cmdline contains "⚠️" or tgt.process.cmdline contains "🚸" or tgt.process.cmdline contains "🔱" or tgt.process.cmdline contains "⚜️" or tgt.process.cmdline contains "🔰" or tgt.process.cmdline contains "♻️" or tgt.process.cmdline contains "✅" or tgt.process.cmdline contains "🈯️" or tgt.process.cmdline 
contains "💹" or tgt.process.cmdline contains "❇️" or tgt.process.cmdline contains "✳️" or tgt.process.cmdline contains "❎" or tgt.process.cmdline contains "🌐" or tgt.process.cmdline contains "💠" or tgt.process.cmdline contains "Ⓜ️" or tgt.process.cmdline contains "🌀" or tgt.process.cmdline contains "💤" or tgt.process.cmdline contains "🏧" or tgt.process.cmdline contains "🚾" or tgt.process.cmdline contains "♿️" or tgt.process.cmdline contains "🅿️" or tgt.process.cmdline contains "🛗" or tgt.process.cmdline contains "🈳" or tgt.process.cmdline contains "🈂️" or tgt.process.cmdline contains "🛂" or tgt.process.cmdline contains "🛃" or tgt.process.cmdline contains "🛄" or tgt.process.cmdline contains "🛅" or tgt.process.cmdline contains "🚹" or tgt.process.cmdline contains "🚺" or tgt.process.cmdline contains "🚼" or tgt.process.cmdline contains "⚧" or tgt.process.cmdline contains "🚻" or tgt.process.cmdline contains "🚮" or tgt.process.cmdline contains "🎦" or tgt.process.cmdline contains "📶" or tgt.process.cmdline contains "🈁" or tgt.process.cmdline contains "🔣" or tgt.process.cmdline contains "ℹ️" or tgt.process.cmdline contains "🔤" or tgt.process.cmdline contains "🔡" or tgt.process.cmdline contains "🔠" or tgt.process.cmdline contains "🆖" or tgt.process.cmdline contains "🆗" or tgt.process.cmdline contains "🆙" or tgt.process.cmdline contains "🆒" or tgt.process.cmdline contains "🆕" or tgt.process.cmdline contains "🆓" or tgt.process.cmdline contains "0️⃣" or tgt.process.cmdline contains "1️⃣" or tgt.process.cmdline contains "2️⃣" or tgt.process.cmdline contains "3️⃣" or tgt.process.cmdline contains "4️⃣" or tgt.process.cmdline contains "5️⃣" or tgt.process.cmdline contains "6️⃣" or tgt.process.cmdline contains "7️⃣" or tgt.process.cmdline contains "8️⃣" or tgt.process.cmdline contains "9️⃣" or tgt.process.cmdline contains "🔟" or tgt.process.cmdline contains "🔢" or tgt.process.cmdline contains "#️⃣" or tgt.process.cmdline contains "️⃣" or tgt.process.cmdline contains "⏏️" or 
tgt.process.cmdline contains "▶️" or tgt.process.cmdline contains "⏸" or tgt.process.cmdline contains "⏯" or tgt.process.cmdline contains "⏹" or tgt.process.cmdline contains "⏺" or tgt.process.cmdline contains "⏭" or tgt.process.cmdline contains "⏮" or tgt.process.cmdline contains "⏩" or tgt.process.cmdline contains "⏪" or tgt.process.cmdline contains "⏫" or tgt.process.cmdline contains "⏬" or tgt.process.cmdline contains "◀️" or tgt.process.cmdline contains "🔼" or tgt.process.cmdline contains "🔽" or tgt.process.cmdline contains "➡️" or tgt.process.cmdline contains "⬅️" or tgt.process.cmdline contains "⬆️" or tgt.process.cmdline contains "⬇️" or tgt.process.cmdline contains "↗️" or tgt.process.cmdline contains "↘️" or tgt.process.cmdline contains "↙️" or tgt.process.cmdline contains "↖️" or tgt.process.cmdline contains "↕️" or tgt.process.cmdline contains "↔️" or tgt.process.cmdline contains "↪️" or tgt.process.cmdline contains "↩️" or tgt.process.cmdline contains "⤴️" or tgt.process.cmdline contains "⤵️" or tgt.process.cmdline contains "🔀" or tgt.process.cmdline contains "🔁" or tgt.process.cmdline contains "🔂" or tgt.process.cmdline contains "🔄" or tgt.process.cmdline contains "🔃" or tgt.process.cmdline contains "🎵" or tgt.process.cmdline contains "🎶" or tgt.process.cmdline contains "➕" or tgt.process.cmdline contains "➖" or tgt.process.cmdline contains "➗" or tgt.process.cmdline contains "✖️" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "♾" or tgt.process.cmdline contains "💲" or tgt.process.cmdline contains "💱" or tgt.process.cmdline contains "™️" or tgt.process.cmdline contains "©️" or tgt.process.cmdline contains "®️" or tgt.process.cmdline contains "〰️" or tgt.process.cmdline contains "➰" or tgt.process.cmdline contains "➿" or tgt.process.cmdline contains "🔚" or tgt.process.cmdline contains "🔙" or tgt.process.cmdline contains "🔛" or tgt.process.cmdline contains "🔝" or tgt.process.cmdline contains "🔜" or tgt.process.cmdline contains "✔️" 
or tgt.process.cmdline contains "☑️" or tgt.process.cmdline contains "🔘" or tgt.process.cmdline contains "🔴" or tgt.process.cmdline contains "🟠" or tgt.process.cmdline contains "🟡" or tgt.process.cmdline contains "🟢" or tgt.process.cmdline contains "🔵" or tgt.process.cmdline contains "🟣" or tgt.process.cmdline contains "⚫️" or tgt.process.cmdline contains "⚪️" or tgt.process.cmdline contains "🟤" or tgt.process.cmdline contains "🔺" or tgt.process.cmdline contains "🔻"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md
index d7d49c463..5458596d8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_emoji_usage_in_cli_4.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "🔸" or tgt.process.cmdline contains "🔹" or tgt.process.cmdline contains "🔶" or tgt.process.cmdline contains "🔷" or tgt.process.cmdline contains "🔳" or tgt.process.cmdline contains "🔲" or tgt.process.cmdline contains "▪️" or tgt.process.cmdline contains "▫️" or tgt.process.cmdline contains "◾️" or tgt.process.cmdline contains "◽️" or tgt.process.cmdline contains "◼️" or tgt.process.cmdline contains "◻️" or tgt.process.cmdline contains "🟥" or tgt.process.cmdline contains "🟧" or tgt.process.cmdline contains "🟨" or tgt.process.cmdline contains "🟩" or tgt.process.cmdline contains "🟦" or tgt.process.cmdline contains "🟪" or tgt.process.cmdline contains "⬛️" or tgt.process.cmdline contains "⬜️" or tgt.process.cmdline contains "🟫" or tgt.process.cmdline contains "🔈" or tgt.process.cmdline contains "🔇" or tgt.process.cmdline contains "🔉" or tgt.process.cmdline contains "🔊" or tgt.process.cmdline contains "🔔" or tgt.process.cmdline contains "🔕" or tgt.process.cmdline contains "📣" or tgt.process.cmdline contains "📢" or tgt.process.cmdline contains "👁‍🗨" or tgt.process.cmdline contains "💬" or tgt.process.cmdline contains "💭" or tgt.process.cmdline contains "🗯" or tgt.process.cmdline contains "♠️" or tgt.process.cmdline contains "♣️" or tgt.process.cmdline contains "♥️" or tgt.process.cmdline contains "♦️" or tgt.process.cmdline contains "🃏" or tgt.process.cmdline contains "🎴" or tgt.process.cmdline contains "🀄️" or tgt.process.cmdline contains "🕐" or tgt.process.cmdline contains "🕑" or tgt.process.cmdline contains "🕒" or tgt.process.cmdline contains "🕓" or tgt.process.cmdline contains "🕔" or tgt.process.cmdline contains "🕕" or tgt.process.cmdline contains "🕖" or tgt.process.cmdline contains "🕗" or tgt.process.cmdline contains "🕘" or tgt.process.cmdline contains "🕙" or tgt.process.cmdline contains "🕚" or tgt.process.cmdline contains "🕛" or tgt.process.cmdline contains "🕜" or 
tgt.process.cmdline contains "🕝" or tgt.process.cmdline contains "🕞" or tgt.process.cmdline contains "🕟" or tgt.process.cmdline contains "🕠" or tgt.process.cmdline contains "🕡" or tgt.process.cmdline contains "🕢" or tgt.process.cmdline contains "🕣" or tgt.process.cmdline contains "🕤" or tgt.process.cmdline contains "🕥" or tgt.process.cmdline contains "🕦" or tgt.process.cmdline contains "🕧✢" or tgt.process.cmdline contains "✣" or tgt.process.cmdline contains "✤" or tgt.process.cmdline contains "✥" or tgt.process.cmdline contains "✦" or tgt.process.cmdline contains "✧" or tgt.process.cmdline contains "★" or tgt.process.cmdline contains "☆" or tgt.process.cmdline contains "✯" or tgt.process.cmdline contains "✡︎" or tgt.process.cmdline contains "✩" or tgt.process.cmdline contains "✪" or tgt.process.cmdline contains "✫" or tgt.process.cmdline contains "✬" or tgt.process.cmdline contains "✭" or tgt.process.cmdline contains "✮" or tgt.process.cmdline contains "✶" or tgt.process.cmdline contains "✷" or tgt.process.cmdline contains "✵" or tgt.process.cmdline contains "✸" or tgt.process.cmdline contains "✹" or tgt.process.cmdline contains "→" or tgt.process.cmdline contains "⇒" or tgt.process.cmdline contains "⟹" or tgt.process.cmdline contains "⇨" or tgt.process.cmdline contains "⇾" or tgt.process.cmdline contains "➾" or tgt.process.cmdline contains "⇢" or tgt.process.cmdline contains "☛" or tgt.process.cmdline contains "☞" or tgt.process.cmdline contains "➔" or tgt.process.cmdline contains "➜" or tgt.process.cmdline contains "➙" or tgt.process.cmdline contains "➛" or tgt.process.cmdline contains "➝" or tgt.process.cmdline contains "➞" or tgt.process.cmdline contains "♠︎" or tgt.process.cmdline contains "♣︎" or tgt.process.cmdline contains "♥︎" or tgt.process.cmdline contains "♦︎" or tgt.process.cmdline contains "♤" or tgt.process.cmdline contains "♧" or tgt.process.cmdline contains "♡" or tgt.process.cmdline contains "♢" or tgt.process.cmdline contains "♚" or 
tgt.process.cmdline contains "♛" or tgt.process.cmdline contains "♜" or tgt.process.cmdline contains "♝" or tgt.process.cmdline contains "♞" or tgt.process.cmdline contains "♟" or tgt.process.cmdline contains "♔" or tgt.process.cmdline contains "♕" or tgt.process.cmdline contains "♖" or tgt.process.cmdline contains "♗" or tgt.process.cmdline contains "♘" or tgt.process.cmdline contains "♙" or tgt.process.cmdline contains "⚀" or tgt.process.cmdline contains "⚁" or tgt.process.cmdline contains "⚂" or tgt.process.cmdline contains "⚃" or tgt.process.cmdline contains "⚄" or tgt.process.cmdline contains "⚅" or tgt.process.cmdline contains "🂠" or tgt.process.cmdline contains "⚈" or tgt.process.cmdline contains "⚉" or tgt.process.cmdline contains "⚆" or tgt.process.cmdline contains "⚇" or tgt.process.cmdline contains "𓀀" or tgt.process.cmdline contains "𓀁" or tgt.process.cmdline contains "𓀂" or tgt.process.cmdline contains "𓀃" or tgt.process.cmdline contains "𓀄" or tgt.process.cmdline contains "𓀅" or tgt.process.cmdline contains "𓀆" or tgt.process.cmdline contains "𓀇" or tgt.process.cmdline contains "𓀈" or tgt.process.cmdline contains "𓀉" or tgt.process.cmdline contains "𓀊" or tgt.process.cmdline contains "𓀋" or tgt.process.cmdline contains "𓀌" or tgt.process.cmdline contains "𓀍" or tgt.process.cmdline contains "𓀎" or tgt.process.cmdline contains "𓀏" or tgt.process.cmdline contains "𓀐" or tgt.process.cmdline contains "𓀑" or tgt.process.cmdline contains "𓀒" or tgt.process.cmdline contains "𓀓" or tgt.process.cmdline contains "𓀔" or tgt.process.cmdline contains "𓀕" or tgt.process.cmdline contains "𓀖" or tgt.process.cmdline contains "𓀗" or tgt.process.cmdline contains "𓀘" or tgt.process.cmdline contains "𓀙" or tgt.process.cmdline contains "𓀚" or tgt.process.cmdline contains "𓀛" or tgt.process.cmdline contains "𓀜" or tgt.process.cmdline contains "𓀝🏳️" or tgt.process.cmdline contains "🏴" or tgt.process.cmdline contains "🏁" or tgt.process.cmdline contains "🚩" or 
tgt.process.cmdline contains "🏳️‍🌈" or tgt.process.cmdline contains "🏳️‍⚧️" or tgt.process.cmdline contains "🏴‍☠️" or tgt.process.cmdline contains "🇦🇫" or tgt.process.cmdline contains "🇦🇽" or tgt.process.cmdline contains "🇦🇱" or tgt.process.cmdline contains "🇩🇿" or tgt.process.cmdline contains "🇦🇸" or tgt.process.cmdline contains "🇦🇩" or tgt.process.cmdline contains "🇦🇴" or tgt.process.cmdline contains "🇦🇮" or tgt.process.cmdline contains "🇦🇶" or tgt.process.cmdline contains "🇦🇬" or tgt.process.cmdline contains "🇦🇷" or tgt.process.cmdline contains "🇦🇲" or tgt.process.cmdline contains "🇦🇼" or tgt.process.cmdline contains "🇦🇺" or tgt.process.cmdline contains "🇦🇹" or tgt.process.cmdline contains "🇦🇿" or tgt.process.cmdline contains "🇧🇸" or tgt.process.cmdline contains "🇧🇭" or tgt.process.cmdline contains "🇧🇩" or tgt.process.cmdline contains "🇧🇧" or tgt.process.cmdline contains "🇧🇾" or tgt.process.cmdline contains "🇧🇪" or tgt.process.cmdline contains "🇧🇿" or tgt.process.cmdline contains "🇧🇯" or tgt.process.cmdline contains "🇧🇲" or tgt.process.cmdline contains "🇧🇹" or tgt.process.cmdline contains "🇧🇴" or tgt.process.cmdline contains "🇧🇦" or tgt.process.cmdline contains "🇧🇼" or tgt.process.cmdline contains "🇧🇷" or tgt.process.cmdline contains "🇮🇴" or tgt.process.cmdline contains "🇻🇬" or tgt.process.cmdline contains "🇧🇳" or tgt.process.cmdline contains "🇧🇬" or tgt.process.cmdline contains "🇧🇫" or tgt.process.cmdline contains "🇧🇮" or tgt.process.cmdline contains "🇰🇭" or tgt.process.cmdline contains "🇨🇲" or tgt.process.cmdline contains "🇨🇦" or tgt.process.cmdline contains "🇮🇨" or tgt.process.cmdline contains "🇨🇻" or tgt.process.cmdline contains "🇧🇶" or tgt.process.cmdline contains "🇰🇾" or tgt.process.cmdline contains "🇨🇫" or tgt.process.cmdline contains "🇹🇩" or tgt.process.cmdline contains "🇨🇱" or tgt.process.cmdline contains "🇨🇳" or tgt.process.cmdline contains "🇨🇽" or tgt.process.cmdline contains "🇨🇨" or tgt.process.cmdline contains "🇨🇴" or tgt.process.cmdline contains 
"🇰🇲" or tgt.process.cmdline contains "🇨🇬" or tgt.process.cmdline contains "🇨🇩" or tgt.process.cmdline contains "🇨🇰" or tgt.process.cmdline contains "🇨🇷" or tgt.process.cmdline contains "🇨🇮" or tgt.process.cmdline contains "🇭🇷" or tgt.process.cmdline contains "🇨🇺" or tgt.process.cmdline contains "🇨🇼" or tgt.process.cmdline contains "🇨🇾" or tgt.process.cmdline contains "🇨🇿" or tgt.process.cmdline contains "🇩🇰" or tgt.process.cmdline contains "🇩🇯" or tgt.process.cmdline contains "🇩🇲" or tgt.process.cmdline contains "🇩🇴" or tgt.process.cmdline contains "🇪🇨" or tgt.process.cmdline contains "🇪🇬" or tgt.process.cmdline contains "🇸🇻" or tgt.process.cmdline contains "🇬🇶" or tgt.process.cmdline contains "🇪🇷" or tgt.process.cmdline contains "🇪🇪" or tgt.process.cmdline contains "🇪🇹" or tgt.process.cmdline contains "🇪🇺" or tgt.process.cmdline contains "🇫🇰" or tgt.process.cmdline contains "🇫🇴" or tgt.process.cmdline contains "🇫🇯" or tgt.process.cmdline contains "🇫🇮" or tgt.process.cmdline contains "🇫🇷" or tgt.process.cmdline contains "🇬🇫" or tgt.process.cmdline contains "🇵🇫" or tgt.process.cmdline contains "🇹🇫" or tgt.process.cmdline contains "🇬🇦" or tgt.process.cmdline contains "🇬🇲" or tgt.process.cmdline contains "🇬🇪" or tgt.process.cmdline contains "🇩🇪" or tgt.process.cmdline contains "🇬🇭" or tgt.process.cmdline contains "🇬🇮" or tgt.process.cmdline contains "🇬🇷" or tgt.process.cmdline contains "🇬🇱" or tgt.process.cmdline contains "🇬🇩" or tgt.process.cmdline contains "🇬🇵" or tgt.process.cmdline contains "🇬🇺" or tgt.process.cmdline contains "🇬🇹" or tgt.process.cmdline contains "🇬🇬" or tgt.process.cmdline contains "🇬🇳" or tgt.process.cmdline contains "🇬🇼" or tgt.process.cmdline contains "🇬🇾" or tgt.process.cmdline contains "🇭🇹" or tgt.process.cmdline contains "🇭🇳" or tgt.process.cmdline contains "🇭🇰" or tgt.process.cmdline contains "🇭🇺" or tgt.process.cmdline contains "🇮🇸" or tgt.process.cmdline contains "🇮🇳" or tgt.process.cmdline contains "🇮🇩" or tgt.process.cmdline contains 
"🇮🇷" or tgt.process.cmdline contains "🇮🇶" or tgt.process.cmdline contains "🇮🇪" or tgt.process.cmdline contains "🇮🇲" or tgt.process.cmdline contains "🇮🇱" or tgt.process.cmdline contains "🇮🇹" or tgt.process.cmdline contains "🇯🇲" or tgt.process.cmdline contains "🇯🇵" or tgt.process.cmdline contains "🎌" or tgt.process.cmdline contains "🇯🇪" or tgt.process.cmdline contains "🇯🇴" or tgt.process.cmdline contains "🇰🇿" or tgt.process.cmdline contains "🇰🇪" or tgt.process.cmdline contains "🇰🇮" or tgt.process.cmdline contains "🇽🇰" or tgt.process.cmdline contains "🇰🇼" or tgt.process.cmdline contains "🇰🇬" or tgt.process.cmdline contains "🇱🇦" or tgt.process.cmdline contains "🇱🇻" or tgt.process.cmdline contains "🇱🇧" or tgt.process.cmdline contains "🇱🇸" or tgt.process.cmdline contains "🇱🇷" or tgt.process.cmdline contains "🇱🇾" or tgt.process.cmdline contains "🇱🇮" or tgt.process.cmdline contains "🇱🇹" or tgt.process.cmdline contains "🇱🇺" or tgt.process.cmdline contains "🇲🇴" or tgt.process.cmdline contains "🇲🇰" or tgt.process.cmdline contains "🇲🇬" or tgt.process.cmdline contains "🇲🇼" or tgt.process.cmdline contains "🇲🇾" or tgt.process.cmdline contains "🇲🇻" or tgt.process.cmdline contains "🇲🇱" or tgt.process.cmdline contains "🇲🇹" or tgt.process.cmdline contains "🇲🇭" or tgt.process.cmdline contains "🇲🇶" or tgt.process.cmdline contains "🇲🇷" or tgt.process.cmdline contains "🇲🇺" or tgt.process.cmdline contains "🇾🇹" or tgt.process.cmdline contains "🇲🇽" or tgt.process.cmdline contains "🇫🇲" or tgt.process.cmdline contains "🇲🇩" or tgt.process.cmdline contains "🇲🇨" or tgt.process.cmdline contains "🇲🇳" or tgt.process.cmdline contains "🇲🇪" or tgt.process.cmdline contains "🇲🇸" or tgt.process.cmdline contains "🇲🇦" or tgt.process.cmdline contains "🇲🇿" or tgt.process.cmdline contains "🇲🇲" or tgt.process.cmdline contains "🇳🇦" or tgt.process.cmdline contains "🇳🇷" or tgt.process.cmdline contains "🇳🇵" or tgt.process.cmdline contains "🇳🇱" or tgt.process.cmdline contains "🇳🇨" or tgt.process.cmdline contains 
"🇳🇿" or tgt.process.cmdline contains "🇳🇮" or tgt.process.cmdline contains "🇳🇪" or tgt.process.cmdline contains "🇳🇬" or tgt.process.cmdline contains "🇳🇺" or tgt.process.cmdline contains "🇳🇫" or tgt.process.cmdline contains "🇰🇵" or tgt.process.cmdline contains "🇲🇵" or tgt.process.cmdline contains "🇳🇴" or tgt.process.cmdline contains "🇴🇲" or tgt.process.cmdline contains "🇵🇰" or tgt.process.cmdline contains "🇵🇼" or tgt.process.cmdline contains "🇵🇸" or tgt.process.cmdline contains "🇵🇦" or tgt.process.cmdline contains "🇵🇬" or tgt.process.cmdline contains "🇵🇾" or tgt.process.cmdline contains "🇵🇪" or tgt.process.cmdline contains "🇵🇭" or tgt.process.cmdline contains "🇵🇳" or tgt.process.cmdline contains "🇵🇱" or tgt.process.cmdline contains "🇵🇹" or tgt.process.cmdline contains "🇵🇷" or tgt.process.cmdline contains "🇶🇦" or tgt.process.cmdline contains "🇷🇪" or tgt.process.cmdline contains "🇷🇴" or tgt.process.cmdline contains "🇷🇺" or tgt.process.cmdline contains "🇷🇼" or tgt.process.cmdline contains "🇼🇸" or tgt.process.cmdline contains "🇸🇲" or tgt.process.cmdline contains "🇸🇦" or tgt.process.cmdline contains "🇸🇳" or tgt.process.cmdline contains "🇷🇸" or tgt.process.cmdline contains "🇸🇨" or tgt.process.cmdline contains "🇸🇱" or tgt.process.cmdline contains "🇸🇬" or tgt.process.cmdline contains "🇸🇽" or tgt.process.cmdline contains "🇸🇰" or tgt.process.cmdline contains "🇸🇮" or tgt.process.cmdline contains "🇬🇸" or tgt.process.cmdline contains "🇸🇧" or tgt.process.cmdline contains "🇸🇴" or tgt.process.cmdline contains "🇿🇦" or tgt.process.cmdline contains "🇰🇷" or tgt.process.cmdline contains "🇸🇸" or tgt.process.cmdline contains "🇪🇸" or tgt.process.cmdline contains "🇱🇰" or tgt.process.cmdline contains "🇧🇱" or tgt.process.cmdline contains "🇸🇭" or tgt.process.cmdline contains "🇰🇳" or tgt.process.cmdline contains "🇱🇨" or tgt.process.cmdline contains "🇵🇲" or tgt.process.cmdline contains "🇻🇨" or tgt.process.cmdline contains "🇸🇩" or tgt.process.cmdline contains "🇸🇷" or tgt.process.cmdline contains 
"🇸🇿" or tgt.process.cmdline contains "🇸🇪" or tgt.process.cmdline contains "🇨🇭" or tgt.process.cmdline contains "🇸🇾" or tgt.process.cmdline contains "🇹🇼" or tgt.process.cmdline contains "🇹🇯" or tgt.process.cmdline contains "🇹🇿" or tgt.process.cmdline contains "🇹🇭" or tgt.process.cmdline contains "🇹🇱" or tgt.process.cmdline contains "🇹🇬" or tgt.process.cmdline contains "🇹🇰" or tgt.process.cmdline contains "🇹🇴" or tgt.process.cmdline contains "🇹🇹" or tgt.process.cmdline contains "🇹🇳" or tgt.process.cmdline contains "🇹🇷" or tgt.process.cmdline contains "🇹🇲" or tgt.process.cmdline contains "🇹🇨" or tgt.process.cmdline contains "🇹🇻" or tgt.process.cmdline contains "🇻🇮" or tgt.process.cmdline contains "🇺🇬" or tgt.process.cmdline contains "🇺🇦" or tgt.process.cmdline contains "🇦🇪" or tgt.process.cmdline contains "🇬🇧" or tgt.process.cmdline contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or tgt.process.cmdline contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or tgt.process.cmdline contains "🇺🇳" or tgt.process.cmdline contains "🇺🇸" or tgt.process.cmdline contains "🇺🇾" or tgt.process.cmdline contains "🇺🇿" or tgt.process.cmdline contains "🇻🇺" or tgt.process.cmdline contains "🇻🇦" or tgt.process.cmdline contains "🇻🇪" or tgt.process.cmdline contains "🇻🇳" or tgt.process.cmdline contains "🇼🇫" or tgt.process.cmdline contains "🇪🇭" or tgt.process.cmdline contains "🇾🇪" or tgt.process.cmdline contains "🇿🇲" or tgt.process.cmdline contains "🇿🇼🫠" or tgt.process.cmdline contains "🫢" or tgt.process.cmdline contains "🫣" or tgt.process.cmdline contains "🫡" or tgt.process.cmdline contains "🫥" or tgt.process.cmdline contains "🫤" or tgt.process.cmdline contains "🥹" or tgt.process.cmdline contains "🫱" or tgt.process.cmdline contains "🫱🏻" or tgt.process.cmdline contains "🫱🏼" or tgt.process.cmdline contains "🫱🏽" or tgt.process.cmdline contains "🫱🏾" or tgt.process.cmdline contains "🫱🏿" or tgt.process.cmdline contains "🫲" or tgt.process.cmdline contains "🫲🏻" or tgt.process.cmdline contains "🫲🏼" or tgt.process.cmdline 
contains "🫲🏽" or tgt.process.cmdline contains "🫲🏾" or tgt.process.cmdline contains "🫲🏿" or tgt.process.cmdline contains "🫳" or tgt.process.cmdline contains "🫳🏻" or tgt.process.cmdline contains "🫳🏼" or tgt.process.cmdline contains "🫳🏽" or tgt.process.cmdline contains "🫳🏾" or tgt.process.cmdline contains "🫳🏿" or tgt.process.cmdline contains "🫴" or tgt.process.cmdline contains "🫴🏻" or tgt.process.cmdline contains "🫴🏼" or tgt.process.cmdline contains "🫴🏽" or tgt.process.cmdline contains "🫴🏾" or tgt.process.cmdline contains "🫴🏿" or tgt.process.cmdline contains "🫰" or tgt.process.cmdline contains "🫰🏻" or tgt.process.cmdline contains "🫰🏼" or tgt.process.cmdline contains "🫰🏽" or tgt.process.cmdline contains "🫰🏾" or tgt.process.cmdline contains "🫰🏿" or tgt.process.cmdline contains "🫵" or tgt.process.cmdline contains "🫵🏻" or tgt.process.cmdline contains "🫵🏼" or tgt.process.cmdline contains "🫵🏽" or tgt.process.cmdline contains "🫵🏾" or tgt.process.cmdline contains "🫵🏿" or tgt.process.cmdline contains "🫶" or tgt.process.cmdline contains "🫶🏻" or tgt.process.cmdline contains "🫶🏼" or tgt.process.cmdline contains "🫶🏽" or tgt.process.cmdline contains "🫶🏾" or tgt.process.cmdline contains "🫶🏿" or tgt.process.cmdline contains "🤝🏻" or tgt.process.cmdline contains "🤝🏼" or tgt.process.cmdline contains "🤝🏽" or tgt.process.cmdline contains "🤝🏾" or tgt.process.cmdline contains "🤝🏿" or tgt.process.cmdline contains "🫱🏻‍🫲🏼" or tgt.process.cmdline contains "🫱🏻‍🫲🏽" or tgt.process.cmdline contains "🫱🏻‍🫲🏾" or tgt.process.cmdline contains "🫱🏻‍🫲🏿" or tgt.process.cmdline contains "🫱🏼‍🫲🏻" or tgt.process.cmdline contains "🫱🏼‍🫲🏽" or tgt.process.cmdline contains "🫱🏼‍🫲🏾" or tgt.process.cmdline contains "🫱🏼‍🫲🏿" or tgt.process.cmdline contains "🫱🏽‍🫲🏻" or tgt.process.cmdline contains "🫱🏽‍🫲🏼" or tgt.process.cmdline contains "🫱🏽‍🫲🏾" or tgt.process.cmdline contains "🫱🏽‍🫲🏿" or tgt.process.cmdline contains "🫱🏾‍🫲🏻" or tgt.process.cmdline contains "🫱🏾‍🫲🏼" or tgt.process.cmdline contains "🫱🏾‍🫲🏽" or 
tgt.process.cmdline contains "🫱🏾‍🫲🏿" or tgt.process.cmdline contains "🫱🏿‍🫲🏻" or tgt.process.cmdline contains "🫱🏿‍🫲🏼" or tgt.process.cmdline contains "🫱🏿‍🫲🏽" or tgt.process.cmdline contains "🫱🏿‍🫲🏾" or tgt.process.cmdline contains "🫦" or tgt.process.cmdline contains "🫅" or tgt.process.cmdline contains "🫅🏻" or tgt.process.cmdline contains "🫅🏼" or tgt.process.cmdline contains "🫅🏽" or tgt.process.cmdline contains "🫅🏾" or tgt.process.cmdline contains "🫅🏿" or tgt.process.cmdline contains "🫃" or tgt.process.cmdline contains "🫃🏻" or tgt.process.cmdline contains "🫃🏼" or tgt.process.cmdline contains "🫃🏽" or tgt.process.cmdline contains "🫃🏾" or tgt.process.cmdline contains "🫃🏿" or tgt.process.cmdline contains "🫄" or tgt.process.cmdline contains "🫄🏻" or tgt.process.cmdline contains "🫄🏼" or tgt.process.cmdline contains "🫄🏽" or tgt.process.cmdline contains "🫄🏾" or tgt.process.cmdline contains "🫄🏿" or tgt.process.cmdline contains "🧌" or tgt.process.cmdline contains "🪸" or tgt.process.cmdline contains "🪷" or tgt.process.cmdline contains "🪹" or tgt.process.cmdline contains "🪺" or tgt.process.cmdline contains "🫘" or tgt.process.cmdline contains "🫗" or tgt.process.cmdline contains "🫙" or tgt.process.cmdline contains "🛝" or tgt.process.cmdline contains "🛞" or tgt.process.cmdline contains "🛟" or tgt.process.cmdline contains "🪬" or tgt.process.cmdline contains "🪩" or tgt.process.cmdline contains "🪫" or tgt.process.cmdline contains "🩼" or tgt.process.cmdline contains "🩻" or tgt.process.cmdline contains "🫧" or tgt.process.cmdline contains "🪪" or tgt.process.cmdline contains "🟰" or tgt.process.cmdline contains "😮‍💨" or tgt.process.cmdline contains "😵‍💫" or tgt.process.cmdline contains "😶‍🌫️" or tgt.process.cmdline contains "❤️‍🔥" or tgt.process.cmdline contains "❤️‍🩹" or tgt.process.cmdline contains "🧔‍♀️" or tgt.process.cmdline contains "🧔🏻‍♀️" or tgt.process.cmdline contains "🧔🏼‍♀️" or tgt.process.cmdline contains "🧔🏽‍♀️" or tgt.process.cmdline contains "🧔🏾‍♀️" or tgt.process.cmdline 
contains "🧔🏿‍♀️" or tgt.process.cmdline contains "🧔‍♂️" or tgt.process.cmdline contains "🧔🏻‍♂️" or tgt.process.cmdline contains "🧔🏼‍♂️" or tgt.process.cmdline contains "🧔🏽‍♂️" or tgt.process.cmdline contains "🧔🏾‍♂️" or tgt.process.cmdline contains "🧔🏿‍♂️" or tgt.process.cmdline contains "💑🏻" or tgt.process.cmdline contains "💑🏼" or tgt.process.cmdline contains "💑🏽" or tgt.process.cmdline contains "💑🏾" or tgt.process.cmdline contains "💑🏿" or tgt.process.cmdline contains "💏🏻" or tgt.process.cmdline contains "💏🏼" or tgt.process.cmdline contains "💏🏽" or tgt.process.cmdline contains "💏🏾" or tgt.process.cmdline contains "💏🏿" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏻" or tgt.process.cmdline contains 
"👩🏻‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👨🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍👩🏿" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏾" or 
tgt.process.cmdline contains "🧑🏻‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍🧑🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👨🏿‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏽" or 
tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏻‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏼‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏽‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏼" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏾‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏼" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👨🏿" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏻" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏼" or tgt.process.cmdline 
contains "👩🏿‍❤️‍💋‍👩🏽" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏾" or tgt.process.cmdline contains "👩🏿‍❤️‍💋‍👩🏿" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏻‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏼‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏾" or tgt.process.cmdline contains "🧑🏽‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏾‍❤️‍💋‍🧑🏿" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏻" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏼" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏽" or tgt.process.cmdline contains "🧑🏿‍❤️‍💋‍🧑🏾"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md
index 05b72b998..52a1be9f4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_modification_cmdline.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "COMPlus_ETWEnabled" or tgt.process.cmdline contains "COMPlus_ETWFlags"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md
index 6db3f3621..4cddfd5fb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_etw_trace_evasion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "cl" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "clear-log" and tgt.process.cmdline contains "/Trace") or (tgt.process.cmdline contains "sl" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "set-log" and tgt.process.cmdline contains "/e:false") or (tgt.process.cmdline contains "logman" and tgt.process.cmdline contains "update" and tgt.process.cmdline contains "trace" and tgt.process.cmdline contains "--p" and tgt.process.cmdline contains "-ets") or tgt.process.cmdline contains "Remove-EtwTraceProvider" or (tgt.process.cmdline contains "Set-EtwTraceProvider" and tgt.process.cmdline contains "0x11")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md
index 4de4bba1e..342bfb15e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_eventlog_clear.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\wevtutil.exe" and (tgt.process.cmdline contains "clear-log " or tgt.process.cmdline contains " cl " or tgt.process.cmdline contains "set-log " or tgt.process.cmdline contains " sl " or tgt.process.cmdline contains "lfn:")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and (tgt.process.cmdline contains "Clear-EventLog " or tgt.process.cmdline contains "Remove-EventLog " or tgt.process.cmdline contains "Limit-EventLog " or tgt.process.cmdline contains "Clear-WinEvent ")) or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wmic.exe") and tgt.process.cmdline contains "ClearEventLog")) and (not ((src.process.image.path in ("C:\Windows\SysWOW64\msiexec.exe","C:\Windows\System32\msiexec.exe")) and tgt.process.cmdline contains " sl "))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md
index 76c9f2bd7..9d14159a4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_from_public_folder_as_parent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains ":\Users\Public\" and ((tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md
index 12817d9a5..279e8ead1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_execution_path.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\Perflogs\" or tgt.process.image.path contains ":\Users\All Users\" or tgt.process.image.path contains ":\Users\Default\" or tgt.process.image.path contains ":\Users\NetworkService\" or tgt.process.image.path contains ":\Windows\addins\" or tgt.process.image.path contains ":\Windows\debug\" or tgt.process.image.path contains ":\Windows\Fonts\" or tgt.process.image.path contains ":\Windows\Help\" or tgt.process.image.path contains ":\Windows\IME\" or tgt.process.image.path contains ":\Windows\Media\" or tgt.process.image.path contains ":\Windows\repair\" or tgt.process.image.path contains ":\Windows\security\" or tgt.process.image.path contains ":\Windows\System32\Tasks\" or tgt.process.image.path contains ":\Windows\Tasks\" or tgt.process.image.path contains "$Recycle.bin" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Intel\Logs\" or tgt.process.image.path contains "\RSA\MachineKeys\") and (not (tgt.process.image.path contains "C:\Users\Public\IBM\ClientSolutions\Start_Programs\" or (tgt.process.image.path contains "C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\" and tgt.process.image.path contains "\CitrixReceiverUpdater.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md
index 980cc04a4..cc6379bb0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_gather_network_info_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "gatherNetworkInfo.vbs" and (not (tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md
index b0cdbf30d..3cb6dfd5f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hidden_dir_index_allocation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "::$index_allocation")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md
index 623653d13..fda54e3a3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo" or tgt.process.cmdline contains "copy" or tgt.process.cmdline contains "type" or tgt.process.cmdline contains "file createnew" or tgt.process.cmdline contains "cacls") and tgt.process.cmdline contains "C:\Windows\Fonts\" and (tgt.process.cmdline contains ".sh" or tgt.process.cmdline contains ".exe" or tgt.process.cmdline contains ".dll" or tgt.process.cmdline contains ".bin" or tgt.process.cmdline contains ".bat" or tgt.process.cmdline contains ".cmd" or tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".msh" or tgt.process.cmdline contains ".reg" or tgt.process.cmdline contains ".scr" or tgt.process.cmdline contains ".ps" or tgt.process.cmdline contains ".vb" or tgt.process.cmdline contains ".jar" or tgt.process.cmdline contains ".pl" or tgt.process.cmdline contains ".inf" or tgt.process.cmdline contains ".cpl" or tgt.process.cmdline contains ".hta" or tgt.process.cmdline contains ".msi" or tgt.process.cmdline contains ".vbs")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md
index 555771014..3f2144302 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "А" or tgt.process.cmdline contains "В" or tgt.process.cmdline contains "Е" or tgt.process.cmdline contains "К" or tgt.process.cmdline contains "М" or tgt.process.cmdline contains "Н" or tgt.process.cmdline contains "О" or tgt.process.cmdline contains "Р" or tgt.process.cmdline contains "С" or tgt.process.cmdline contains "Т" or tgt.process.cmdline contains "Х" or tgt.process.cmdline contains "Ѕ" or tgt.process.cmdline contains "І" or tgt.process.cmdline contains "Ј" or tgt.process.cmdline contains "Ү" or tgt.process.cmdline contains "Ӏ" or tgt.process.cmdline contains "Ԍ" or tgt.process.cmdline contains "Ԛ" or tgt.process.cmdline contains "Ԝ" or tgt.process.cmdline contains "Α" or tgt.process.cmdline contains "Β" or tgt.process.cmdline contains "Ε" or tgt.process.cmdline contains "Ζ" or tgt.process.cmdline contains "Η" or tgt.process.cmdline contains "Ι" or tgt.process.cmdline contains "Κ" or tgt.process.cmdline contains "Μ" or tgt.process.cmdline contains "Ν" or tgt.process.cmdline contains "Ο" or tgt.process.cmdline contains "Ρ" or tgt.process.cmdline contains "Τ" or tgt.process.cmdline contains "Υ" or tgt.process.cmdline contains "Χ") or (tgt.process.cmdline contains "а" or tgt.process.cmdline contains "е" or tgt.process.cmdline contains "о" or tgt.process.cmdline contains "р" or tgt.process.cmdline contains "с" or tgt.process.cmdline contains "х" or tgt.process.cmdline contains "ѕ" or tgt.process.cmdline contains "і" or tgt.process.cmdline contains "ӏ" or tgt.process.cmdline contains "ј" or tgt.process.cmdline contains "һ" or tgt.process.cmdline contains "ԁ" or tgt.process.cmdline contains "ԛ" or tgt.process.cmdline contains "ԝ" or tgt.process.cmdline contains "ο")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md
index 1687d4ca9..eda22d492 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_image_missing.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((not tgt.process.image.path contains "\") and (not (not (tgt.process.image.path matches "\.*") or (tgt.process.image.path in ("-","")) or ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or (tgt.process.cmdline in ("Registry","MemCompression","vmmem")))))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md
index 23b562239..1e326cbe0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_base64_mz_header.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "TVqQAAMAAAAEAAAA" or tgt.process.cmdline contains "TVpQAAIAAAAEAA8A" or tgt.process.cmdline contains "TVqAAAEAAAAEABAA" or tgt.process.cmdline contains "TVoAAAAAAAAAAAAA" or tgt.process.cmdline contains "TVpTAQEAAAAEAAAA"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md
index 02e85ea48..12050b1eb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_inline_win_api_access.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "AddSecurityPackage" or tgt.process.cmdline contains "AdjustTokenPrivileges" or tgt.process.cmdline contains "Advapi32" or tgt.process.cmdline contains "CloseHandle" or tgt.process.cmdline contains "CreateProcessWithToken" or tgt.process.cmdline contains "CreatePseudoConsole" or tgt.process.cmdline contains "CreateRemoteThread" or tgt.process.cmdline contains "CreateThread" or tgt.process.cmdline contains "CreateUserThread" or tgt.process.cmdline contains "DangerousGetHandle" or tgt.process.cmdline contains "DuplicateTokenEx" or tgt.process.cmdline contains "EnumerateSecurityPackages" or tgt.process.cmdline contains "FreeHGlobal" or tgt.process.cmdline contains "FreeLibrary" or tgt.process.cmdline contains "GetDelegateForFunctionPointer" or tgt.process.cmdline contains "GetLogonSessionData" or tgt.process.cmdline contains "GetModuleHandle" or tgt.process.cmdline contains "GetProcAddress" or tgt.process.cmdline contains "GetProcessHandle" or tgt.process.cmdline contains "GetTokenInformation" or tgt.process.cmdline contains "ImpersonateLoggedOnUser" or tgt.process.cmdline contains "kernel32" or tgt.process.cmdline contains "LoadLibrary" or tgt.process.cmdline contains "memcpy" or tgt.process.cmdline contains "MiniDumpWriteDump" or tgt.process.cmdline contains "ntdll" or tgt.process.cmdline contains "OpenDesktop" or tgt.process.cmdline contains "OpenProcess" or tgt.process.cmdline contains "OpenProcessToken" or tgt.process.cmdline contains "OpenThreadToken" or tgt.process.cmdline contains "OpenWindowStation" or tgt.process.cmdline contains "PtrToString" or tgt.process.cmdline contains "QueueUserApc" or tgt.process.cmdline contains "ReadProcessMemory" or tgt.process.cmdline contains "RevertToSelf" or tgt.process.cmdline contains "RtlCreateUserThread" or tgt.process.cmdline contains "secur32" or tgt.process.cmdline contains "SetThreadToken" or tgt.process.cmdline contains 
"VirtualAlloc" or tgt.process.cmdline contains "VirtualFree" or tgt.process.cmdline contains "VirtualProtect" or tgt.process.cmdline contains "WaitForSingleObject" or tgt.process.cmdline contains "WriteInt32" or tgt.process.cmdline contains "WriteProcessMemory" or tgt.process.cmdline contains "ZeroFreeGlobalAllocUnicode") and (not (tgt.process.image.path contains "\MpCmdRun.exe" and tgt.process.cmdline contains "GetLoadLibraryWAddress32"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md
index d7ab4b719..f3b75850e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_jwt_token_search.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "eyJ0eXAiOi" or tgt.process.cmdline contains "eyJhbGciOi" or tgt.process.cmdline contains " eyJ0eX" or tgt.process.cmdline contains " \"eyJ0eX\"" or tgt.process.cmdline contains " 'eyJ0eX'" or tgt.process.cmdline contains " eyJhbG" or tgt.process.cmdline contains " \"eyJhbG\"" or tgt.process.cmdline contains " 'eyJhbG'"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md
index ebf373c0c..44eea4915 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_local_system_owner_account_discovery.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains " /c" and tgt.process.cmdline contains "dir " and tgt.process.cmdline contains "\Users\")) and (not tgt.process.cmdline contains " rmdir ")) or (((tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe") and tgt.process.cmdline contains "user") and (not (tgt.process.cmdline contains "/domain" or tgt.process.cmdline contains "/add" or tgt.process.cmdline contains "/delete" or tgt.process.cmdline contains "/active" or tgt.process.cmdline contains "/expires" or tgt.process.cmdline contains "/passwordreq" or tgt.process.cmdline contains "/scriptpath" or tgt.process.cmdline contains "/times" or tgt.process.cmdline contains "/workstations"))) or ((tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\quser.exe" or tgt.process.image.path contains "\qwinsta.exe") or (tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "useraccount" and tgt.process.cmdline contains "get")) or (tgt.process.image.path contains "\cmdkey.exe" and tgt.process.cmdline contains " /l"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md
index 98fa1c344..fab94fe82 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_lsass_dmp_cli_keywords.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "lsass.dmp" or tgt.process.cmdline contains "lsass.zip" or tgt.process.cmdline contains "lsass.rar" or tgt.process.cmdline contains "Andrew.dmp" or tgt.process.cmdline contains "Coredump.dmp" or tgt.process.cmdline contains "NotLSASS.zip" or tgt.process.cmdline contains "lsass_2" or tgt.process.cmdline contains "lsassdump" or tgt.process.cmdline contains "lsassdmp") or (tgt.process.cmdline contains "lsass" and tgt.process.cmdline contains ".dmp") or (tgt.process.cmdline contains "SQLDmpr" and tgt.process.cmdline contains ".mdmp") or (tgt.process.cmdline contains "nanodump" and tgt.process.cmdline contains ".dmp")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md
index d9b8b161b..1f2f08ea2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ms_appinstaller_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="*ms-appinstaller://*source=*" and tgt.process.cmdline contains "http"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md
index 9a6fd9cf5..85ea11d54 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_command.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ipconfig /all" or tgt.process.cmdline contains "netsh interface show interface" or tgt.process.cmdline contains "arp -a" or tgt.process.cmdline contains "nbtstat -n" or tgt.process.cmdline contains "net config" or tgt.process.cmdline contains "route print"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md
index 253f09cad..3cb522632 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_scan_loop.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "for " or tgt.process.cmdline contains "foreach ") and (tgt.process.cmdline contains "nslookup" or tgt.process.cmdline contains "ping")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md
index b1ec2bd7b..cb16b0175 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_network_sniffing.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\tshark.exe" and tgt.process.cmdline contains "-i") or tgt.process.image.path contains "\windump.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md
index 922ac64dc..298bec4f7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_no_image_name.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "\.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md
index 030add89a..2963eb6af 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_exe_image.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((not (tgt.process.image.path contains ".bin" or tgt.process.image.path contains ".cgi" or tgt.process.image.path contains ".com" or tgt.process.image.path contains ".exe" or tgt.process.image.path contains ".scr" or tgt.process.image.path contains ".tmp")) and (not ((tgt.process.image.path in ("System","Registry","MemCompression","vmmem")) or tgt.process.image.path contains ":\Windows\Installer\MSI" or tgt.process.image.path contains ":\Windows\System32\DriverStore\FileRepository\" or (tgt.process.image.path contains ":\Config.Msi\" and (tgt.process.image.path contains ".rbf" or tgt.process.image.path contains ".rbs")) or (src.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Windows\Temp\") or tgt.process.image.path contains ":\$Extend\$Deleted\" or (tgt.process.image.path in ("-","")) or not (tgt.process.image.path matches "\.*"))) and (not (src.process.image.path contains ":\ProgramData\Avira\" or (tgt.process.image.path contains "NVIDIA\NvBackend\" and tgt.process.image.path contains ".dat") or ((tgt.process.image.path contains ":\Program Files (x86)\WINPAKPRO\" or tgt.process.image.path contains ":\Program Files\WINPAKPRO\") and tgt.process.image.path contains ".ngn") or (tgt.process.image.path contains ":\Program Files (x86)\MyQ\Server\pcltool.dll" or tgt.process.image.path contains ":\Program Files\MyQ\Server\pcltool.dll") or (tgt.process.image.path contains "\AppData\Local\Packages\" and tgt.process.image.path contains "\LocalState\rootfs\") or tgt.process.image.path contains "\LZMA_EXE" or tgt.process.image.path contains ":\Program Files\Mozilla Firefox\" or (src.process.image.path="C:\Windows\System32\services.exe" and tgt.process.image.path contains "com.docker.service")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md
index 3da358861..e8a277f9c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_non_priv_reg_or_ps.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add") or (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "set-itemproperty" or tgt.process.cmdline contains " sp " or tgt.process.cmdline contains "new-itemproperty")) and (tgt.process.integrityLevel="Medium" and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "Services") and (tgt.process.cmdline contains "ImagePath" or tgt.process.cmdline contains "FailureCommand" or tgt.process.cmdline contains "ServiceDLL")))) | columns EventID,tgt.process.integrityLevel,tgt.process.cmdline
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "reg " and tgt.process.cmdline contains "add") or (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "set-itemproperty" or tgt.process.cmdline contains " sp " or tgt.process.cmdline contains "new-itemproperty")) and ((tgt.process.integrityLevel in ("Medium","S-1-16-8192")) and (tgt.process.cmdline contains "ControlSet" and tgt.process.cmdline contains "Services") and (tgt.process.cmdline contains "ImagePath" or tgt.process.cmdline contains "FailureCommand" or tgt.process.cmdline contains "ServiceDLL"))))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020-10-05
-modified: 2022-07-07
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.t1112
@@ -22,18 +22,19 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    reg:
-        CommandLine|contains|all:
-            - 'reg '
-            - 'add'
-    powershell:
-        CommandLine|contains:
-            - 'powershell'
-            - 'set-itemproperty'
-            - ' sp '
-            - 'new-itemproperty'
-    select_data:
-        IntegrityLevel: 'Medium'
+    selection_cli:
+        - CommandLine|contains|all:
+              - 'reg '
+              - 'add'
+        - CommandLine|contains:
+              - 'powershell'
+              - 'set-itemproperty'
+              - ' sp '
+              - 'new-itemproperty'
+    selection_data:
+        IntegrityLevel:
+            - 'Medium'
+            - 'S-1-16-8192'
         CommandLine|contains|all:
             - 'ControlSet'
             - 'Services'
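Review bot: The added `'S-1-16-8192'` alternative under `IntegrityLevel`, carried into the translated query as `tgt.process.integrityLevel in ("Medium","S-1-16-8192")` in the first hunk of this file, assumes the field can hold the SID form of the integrity level as well as the textual label; whether SentinelOne's `tgt.process.integrityLevel` ever emits the SID string is not visible here and is worth confirming against a sample event, otherwise the second value is dead but harmless. The dropped `| columns EventID,tgt.process.integrityLevel,tgt.process.cmdline` projection in the first hunk mirrors the removal of the `fields:` list in the last hunk, so anyone relying on the old pre-selected output should expect the translated query to return the default column set now. A short comment on the new list item, e.g. `# S-1-16-8192 is the SID representation of the Medium mandatory level`, would make the intent of the second value clear to the next reader.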
@@ -41,11 +42,7 @@ detection:
             - 'ImagePath'
             - 'FailureCommand'
             - 'ServiceDLL'
-    condition: (reg or powershell) and select_data
-fields:
-    - EventID
-    - IntegrityLevel
-    - CommandLine
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md
index e50d66ca9..b5b4b9d70 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntds.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.image.path contains "\NTDSDump.exe" or tgt.process.image.path contains "\NTDSDumpEx.exe") or (tgt.process.cmdline contains "ntds.dit" and tgt.process.cmdline contains "system.hiv") or tgt.process.cmdline contains "NTDSgrab.ps1") or (tgt.process.cmdline contains "ac i ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "/c copy " and tgt.process.cmdline contains "\windows\ntds\ntds.dit") or (tgt.process.cmdline contains "activate instance ntds" and tgt.process.cmdline contains "create full") or (tgt.process.cmdline contains "powershell" and tgt.process.cmdline contains "ntds.dit")) or (tgt.process.cmdline contains "ntds.dit" and ((src.process.image.path contains "\apache" or src.process.image.path contains "\tomcat" or src.process.image.path contains "\AppData\" or src.process.image.path contains "\Temp\" or src.process.image.path contains "\Public\" or src.process.image.path contains "\PerfLogs\") or (tgt.process.image.path contains "\apache" or tgt.process.image.path contains "\tomcat" or tgt.process.image.path contains "\AppData\" or tgt.process.image.path contains "\Temp\" or tgt.process.image.path contains "\Public\" or tgt.process.image.path contains "\PerfLogs\")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md
index 5fd27731a..b31712241 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_nteventlogfile_usage.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "Win32_NTEventlogFile" and (tgt.process.cmdline contains ".BackupEventlog(" or tgt.process.cmdline contains ".ChangeSecurityPermissions(" or tgt.process.cmdline contains ".ChangeSecurityPermissionsEx(" or tgt.process.cmdline contains ".ClearEventLog(" or tgt.process.cmdline contains ".Delete(" or tgt.process.cmdline contains ".DeleteEx(" or tgt.process.cmdline contains ".Rename(" or tgt.process.cmdline contains ".TakeOwnerShip(" or tgt.process.cmdline contains ".TakeOwnerShipEx(")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md
index c241108a7..56e03f964 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1\" or tgt.process.cmdline contains "~2\") and (not ((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe","C:\Program Files\GPSoftware\Directory Opus\dopus.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or src.process.image.path contains "\veam.backup.shell.exe" or src.process.image.path contains "\winget.exe" or src.process.image.path contains "\Everything\Everything.exe") or src.process.image.path contains "\AppData\Local\Temp\WinGet\" or (tgt.process.cmdline contains "\appdata\local\webex\webex64\meetings\wbxreport.exe" or tgt.process.cmdline contains "C:\Program Files\Git\post-install.bat" or tgt.process.cmdline contains "C:\Program Files\Git\cmd\scalar.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md
index 5c93bef7d..c445e774f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_path_use_image.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1\" or tgt.process.image.path contains "~2\") and (not (((src.process.image.path in ("C:\Windows\System32\Dism.exe","C:\Windows\System32\cleanmgr.exe")) or (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.displayName="InstallShield (R)" or tgt.process.displayName="InstallShield (R) Setup Engine" or tgt.process.publisher="InstallShield Software Corporation") or ((tgt.process.image.path contains "\AppData\" and tgt.process.image.path contains "\Temp\") or (tgt.process.image.path contains "~1\unzip.exe" or tgt.process.image.path contains "~1\7zG.exe"))))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md
index 9ac9f1ec1..143e2f5f1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_cli.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "~1.exe" or tgt.process.cmdline contains "~1.bat" or tgt.process.cmdline contains "~1.msi" or tgt.process.cmdline contains "~1.vbe" or tgt.process.cmdline contains "~1.vbs" or tgt.process.cmdline contains "~1.dll" or tgt.process.cmdline contains "~1.ps1" or tgt.process.cmdline contains "~1.js" or tgt.process.cmdline contains "~1.hta" or tgt.process.cmdline contains "~2.exe" or tgt.process.cmdline contains "~2.bat" or tgt.process.cmdline contains "~2.msi" or tgt.process.cmdline contains "~2.vbe" or tgt.process.cmdline contains "~2.vbs" or tgt.process.cmdline contains "~2.dll" or tgt.process.cmdline contains "~2.ps1" or tgt.process.cmdline contains "~2.js" or tgt.process.cmdline contains "~2.hta") and (not ((src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe") or tgt.process.cmdline contains "C:\xampp\vcredist\VCREDI~1.EXE"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md
index 8009e78dc..35240bec7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_ntfs_short_name_use_image.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "~1.bat" or tgt.process.image.path contains "~1.dll" or tgt.process.image.path contains "~1.exe" or tgt.process.image.path contains "~1.hta" or tgt.process.image.path contains "~1.js" or tgt.process.image.path contains "~1.msi" or tgt.process.image.path contains "~1.ps1" or tgt.process.image.path contains "~1.tmp" or tgt.process.image.path contains "~1.vbe" or tgt.process.image.path contains "~1.vbs" or tgt.process.image.path contains "~2.bat" or tgt.process.image.path contains "~2.dll" or tgt.process.image.path contains "~2.exe" or tgt.process.image.path contains "~2.hta" or tgt.process.image.path contains "~2.js" or tgt.process.image.path contains "~2.msi" or tgt.process.image.path contains "~2.ps1" or tgt.process.image.path contains "~2.tmp" or tgt.process.image.path contains "~2.vbe" or tgt.process.image.path contains "~2.vbs") and (not src.process.image.path="C:\Windows\explorer.exe") and (not (src.process.image.path contains "\WebEx\WebexHost.exe" or src.process.image.path contains "\thor\thor64.exe" or tgt.process.image.path="C:\PROGRA~1\WinZip\WZPREL~1.EXE" or tgt.process.image.path contains "\VCREDI~1.EXE"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md
index d575500b8..ba0791041 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_download.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "DownloadFile" or tgt.process.cmdline contains "DownloadString") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md
index 9c08273b9..5beb498ab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_obfuscated_ip_via_cli.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\arp.exe") and ((tgt.process.cmdline contains " 0x" or tgt.process.cmdline contains "//0x" or tgt.process.cmdline contains ".0x" or tgt.process.cmdline contains ".00x") or (tgt.process.cmdline contains "http://%" and tgt.process.cmdline contains "%2e") or (tgt.process.cmdline matches "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or tgt.process.cmdline matches "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or tgt.process.cmdline matches "https?://0[0-9]{3,11}" or tgt.process.cmdline matches "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or tgt.process.cmdline matches "https?://0[0-9]{1,11}" or tgt.process.cmdline matches " [0-7]{7,13}")) and (not tgt.process.cmdline matches "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md
index edbb8dc49..4f6745dac 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_parents.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\minesweeper.exe" or src.process.image.path contains "\winver.exe" or src.process.image.path contains "\bitsadmin.exe") or ((src.process.image.path contains "\csrss.exe" or src.process.image.path contains "\certutil.exe" or src.process.image.path contains "\eventvwr.exe" or src.process.image.path contains "\calc.exe" or src.process.image.path contains "\notepad.exe") and (not ((tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\wermgr.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\mmc.exe" or tgt.process.image.path contains "\win32calc.exe" or tgt.process.image.path contains "\notepad.exe") or not (tgt.process.image.path matches "\.*"))))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md
index d6e34aef1..2551f8a45 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_privilege_escalation_cli_patterns.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -u system " or tgt.process.cmdline contains " --user system " or tgt.process.cmdline contains " -u NT" or tgt.process.cmdline contains " -u \"NT" or tgt.process.cmdline contains " -u 'NT" or tgt.process.cmdline contains " --system " or tgt.process.cmdline contains " -u administrator ") and (tgt.process.cmdline contains " -c cmd" or tgt.process.cmdline contains " -c \"cmd" or tgt.process.cmdline contains " -c powershell" or tgt.process.cmdline contains " -c \"powershell" or tgt.process.cmdline contains " --command cmd" or tgt.process.cmdline contains " --command powershell" or tgt.process.cmdline contains " -c whoami" or tgt.process.cmdline contains " -c wscript" or tgt.process.cmdline contains " -c cscript")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md
index 5fc370ca3..4f2a22e51 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_proc_wrong_parent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\lsaiso.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe") and (not (((src.process.image.path contains "\SavService.exe" or src.process.image.path contains "\ngen.exe") or (src.process.image.path contains "\System32\" or src.process.image.path contains "\SysWOW64\")) or ((src.process.image.path contains "\Windows Defender\" or src.process.image.path contains "\Microsoft Security Client\") and src.process.image.path contains "\MsMpEng.exe") or (not (src.process.image.path matches "\.*") or src.process.image.path="-")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md
index 8d54fbadc..b51267049 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_progname.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\CVE-202" or tgt.process.image.path contains "\CVE202") or (tgt.process.image.path contains "\poc.exe" or tgt.process.image.path contains "\artifact.exe" or tgt.process.image.path contains "\artifact64.exe" or tgt.process.image.path contains "\artifact_protected.exe" or tgt.process.image.path contains "\artifact32.exe" or tgt.process.image.path contains "\artifact32big.exe" or tgt.process.image.path contains "obfuscated.exe" or tgt.process.image.path contains "obfusc.exe" or tgt.process.image.path contains "\meterpreter")) or (tgt.process.cmdline contains "inject.ps1" or tgt.process.cmdline contains "Invoke-CVE" or tgt.process.cmdline contains "pupy.ps1" or tgt.process.cmdline contains "payload.ps1" or tgt.process.cmdline contains "beacon.ps1" or tgt.process.cmdline contains "PowerView.ps1" or tgt.process.cmdline contains "bypass.ps1" or tgt.process.cmdline contains "obfuscated.ps1" or tgt.process.cmdline contains "obfusc.ps1" or tgt.process.cmdline contains "obfus.ps1" or tgt.process.cmdline contains "obfs.ps1" or tgt.process.cmdline contains "evil.ps1" or tgt.process.cmdline contains "MiniDogz.ps1" or tgt.process.cmdline contains "_enc.ps1" or tgt.process.cmdline contains "\shell.ps1" or tgt.process.cmdline contains "\rshell.ps1" or tgt.process.cmdline contains "revshell.ps1" or tgt.process.cmdline contains "\av.ps1" or tgt.process.cmdline contains "\av_test.ps1" or tgt.process.cmdline contains "adrecon.ps1" or tgt.process.cmdline contains "mimikatz.ps1" or tgt.process.cmdline contains "\PowerUp_" or tgt.process.cmdline contains "powerup.ps1" or tgt.process.cmdline contains "\Temp\a.ps1" or tgt.process.cmdline contains "\Temp\p.ps1" or tgt.process.cmdline contains "\Temp\1.ps1" or tgt.process.cmdline contains "Hound.ps1" or tgt.process.cmdline contains "encode.ps1" or tgt.process.cmdline contains "powercat.ps1"))) | columns 
tgt.process.cmdline,src.process.cmdline,tgt.process.image.path
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md
index 7f5c70b31..ba3c0022a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_recycle_bin_fake_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "RECYCLERS.BIN\" or tgt.process.image.path contains "RECYCLER.BIN\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md
index 670d73e01..4c628bd9c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_redirect_local_admin_share.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ">" and (tgt.process.cmdline contains "\\127.0.0.1\admin$\" or tgt.process.cmdline contains "\\localhost\admin$\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md
index 30d1ee2ea..f3e96b4bb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_remote_desktop_tunneling.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":3389" and (tgt.process.cmdline contains " -L " or tgt.process.cmdline contains " -P " or tgt.process.cmdline contains " -R " or tgt.process.cmdline contains " -pw " or tgt.process.cmdline contains " -ssh ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md
index 95275e06e..96d9e8d97 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_right_to_left_override.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains "‮")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md
index fd0540746..351d89f40 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_script_exec_from_temp.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains "\Windows\Temp" or tgt.process.cmdline contains "\Temporary Internet" or tgt.process.cmdline contains "\AppData\Local\Temp" or tgt.process.cmdline contains "\AppData\Roaming\Temp" or tgt.process.cmdline contains "%TEMP%" or tgt.process.cmdline contains "%TMP%" or tgt.process.cmdline contains "%LocalAppData%\Temp")) and (not (tgt.process.cmdline contains " >" or tgt.process.cmdline contains "Out-File" or tgt.process.cmdline contains "ConvertTo-Json" or tgt.process.cmdline contains "-WindowStyle hidden -Verb runAs" or tgt.process.cmdline contains "\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md
index 9de8543ad..5afd210f0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" and (tgt.process.cmdline contains "\NTDS.dit" or tgt.process.cmdline contains "\SYSTEM" or tgt.process.cmdline contains "\SECURITY")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md
index 4fde938ef..8868692d2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_creation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\sc.exe" and (tgt.process.cmdline contains "create" and tgt.process.cmdline contains "binPath=")) or (tgt.process.cmdline contains "New-Service" and tgt.process.cmdline contains "-BinaryPathName")) and (tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "svchost" or tgt.process.cmdline contains "dllhost" or tgt.process.cmdline contains "cmd " or tgt.process.cmdline contains "cmd.exe /c" or tgt.process.cmdline contains "cmd.exe /k" or tgt.process.cmdline contains "cmd.exe /r" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "C:\Users\Public" or tgt.process.cmdline contains "\Downloads\" or tgt.process.cmdline contains "\Desktop\" or tgt.process.cmdline contains "\Microsoft\Windows\Start Menu\Programs\Startup\" or tgt.process.cmdline contains "C:\Windows\TEMP\" or tgt.process.cmdline contains "\AppData\Local\Temp")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md
index fe02c2640..6c7e9a46c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_service_dir.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\Users\Public\" or tgt.process.image.path contains "\$Recycle.bin" or tgt.process.image.path contains "\Users\All Users\" or tgt.process.image.path contains "\Users\Default\" or tgt.process.image.path contains "\Users\Contacts\" or tgt.process.image.path contains "\Users\Searches\" or tgt.process.image.path contains "C:\Perflogs\" or tgt.process.image.path contains "\config\systemprofile\" or tgt.process.image.path contains "\Windows\Fonts\" or tgt.process.image.path contains "\Windows\IME\" or tgt.process.image.path contains "\Windows\addins\") and (src.process.image.path contains "\services.exe" or src.process.image.path contains "\svchost.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md
index 7b4f3394a..a2f88dcc4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_shell_spawn_susp_program.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\mshta.exe" or src.process.image.path contains "\powershell.exe" or src.process.image.path contains "\pwsh.exe" or src.process.image.path contains "\rundll32.exe" or src.process.image.path contains "\cscript.exe" or src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\wmiprvse.exe" or src.process.image.path contains "\regsvr32.exe") and (tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\mshta.exe")) and (not (tgt.process.image.path contains "\ccmcache\" or (src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1" or src.process.cmdline contains "\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1" or src.process.cmdline contains "\nessus_") or tgt.process.cmdline contains "\nessus_" or (src.process.image.path contains "\mshta.exe" and tgt.process.image.path contains "\mshta.exe" and (src.process.cmdline contains "C:\MEM_Configmgr_" and src.process.cmdline contains "\splash.hta" and src.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}") and (tgt.process.cmdline contains "C:\MEM_Configmgr_" and tgt.process.cmdline contains "\SMSSETUP\BIN\" and tgt.process.cmdline contains "\autorun.hta" and tgt.process.cmdline contains "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}")))))) | columns tgt.process.cmdline,src.process.cmdline,tgt.process.image.path,tgt.process.image.path,src.process.image.path
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md
index c8ecff9d6..adaac0ef6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysnative.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains ":\Windows\Sysnative\" or tgt.process.image.path contains ":\Windows\Sysnative\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md
index 32c1c223e..38827dc36 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_exe_anomaly.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\atbroker.exe" or tgt.process.image.path contains "\audiodg.exe" or tgt.process.image.path contains "\bcdedit.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certreq.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmstp.exe" or tgt.process.image.path contains "\conhost.exe" or tgt.process.image.path contains "\consent.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\csrss.exe" or tgt.process.image.path contains "\dashost.exe" or tgt.process.image.path contains "\defrag.exe" or tgt.process.image.path contains "\dfrgui.exe" or tgt.process.image.path contains "\dism.exe" or tgt.process.image.path contains "\dllhost.exe" or tgt.process.image.path contains "\dllhst3g.exe" or tgt.process.image.path contains "\dwm.exe" or tgt.process.image.path contains "\eventvwr.exe" or tgt.process.image.path contains "\logonui.exe" or tgt.process.image.path contains "\LsaIso.exe" or tgt.process.image.path contains "\lsass.exe" or tgt.process.image.path contains "\lsm.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\ntoskrnl.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\runonce.exe" or tgt.process.image.path contains "\RuntimeBroker.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\services.exe" or tgt.process.image.path contains "\sihost.exe" or tgt.process.image.path contains "\smartscreen.exe" or tgt.process.image.path contains "\smss.exe" or tgt.process.image.path contains "\spoolsv.exe" or tgt.process.image.path contains 
"\svchost.exe" or tgt.process.image.path contains "\taskhost.exe" or tgt.process.image.path contains "\Taskmgr.exe" or tgt.process.image.path contains "\userinit.exe" or tgt.process.image.path contains "\wininit.exe" or tgt.process.image.path contains "\winlogon.exe" or tgt.process.image.path contains "\winver.exe" or tgt.process.image.path contains "\wlanext.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\wsmprovhost.exe") and (not ((tgt.process.image.path contains "C:\$WINDOWS.~BT\" or tgt.process.image.path contains "C:\$WinREAgent\" or tgt.process.image.path contains "C:\Windows\SoftwareDistribution\" or tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SystemTemp\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\uus\" or tgt.process.image.path contains "C:\Windows\WinSxS\") or (tgt.process.image.path in ("C:\Program Files\PowerShell\7\pwsh.exe","C:\Program Files\PowerShell\7-preview\pwsh.exe")) or (tgt.process.image.path contains "C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux" and tgt.process.image.path contains "\wsl.exe"))) and (not tgt.process.image.path contains "\SystemRoot\System32\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md
index 34d9f527e..480ef0e53 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_system_user_anomaly.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel="System" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " /urlcache " or tgt.process.cmdline contains " -urlcache " or tgt.process.cmdline="* -e* JAB*" or tgt.process.cmdline="* -e* SUVYI*" or tgt.process.cmdline="* -e* SQBFAFgA*" or tgt.process.cmdline="* -e* aWV4I*" or tgt.process.cmdline="* -e* IAB*" or tgt.process.cmdline="* -e* PAA*" or tgt.process.cmdline="* -e* aQBlAHgA*" or tgt.process.cmdline contains "vssadmin delete shadows" or tgt.process.cmdline contains "reg SAVE HKLM" or tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains "Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains " /ticket:" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "event::clear" or tgt.process.cmdline contains "event::drop" or tgt.process.cmdline contains "id::modify" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "misc::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "rpc::" or tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "sid::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains "vault::cred" or 
tgt.process.cmdline contains "vault::list" or tgt.process.cmdline contains " p::d " or tgt.process.cmdline contains ";iex(" or tgt.process.cmdline contains "MiniDump" or tgt.process.cmdline contains "net user "))) and (not ((tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "127.0.0.1" and tgt.process.cmdline contains " -n ") or (tgt.process.image.path contains "\PING.EXE" and src.process.cmdline contains "\DismFoDInstall.cmd") or src.process.image.path contains ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or ((src.process.image.path contains ":\Program Files (x86)\Java\" or src.process.image.path contains ":\Program Files\Java\") and src.process.image.path contains "\bin\javaws.exe" and (tgt.process.image.path contains ":\Program Files (x86)\Java\" or tgt.process.image.path contains ":\Program Files\Java\") and tgt.process.image.path contains "\bin\jp2launcher.exe" and tgt.process.cmdline contains " -ma ")))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((((tgt.process.integrityLevel in ("System","S-1-16-16384")) and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")) and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\forfiles.exe" or tgt.process.image.path contains "\hh.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\ping.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " /urlcache " or tgt.process.cmdline contains " -urlcache " or tgt.process.cmdline="* -e* JAB*" or tgt.process.cmdline="* -e* SUVYI*" or tgt.process.cmdline="* -e* SQBFAFgA*" or tgt.process.cmdline="* -e* aWV4I*" or tgt.process.cmdline="* -e* IAB*" or tgt.process.cmdline="* -e* PAA*" or tgt.process.cmdline="* -e* aQBlAHgA*" or tgt.process.cmdline contains "vssadmin delete shadows" or tgt.process.cmdline contains "reg SAVE HKLM" or tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains "Microsoft\Windows\CurrentVersion\Run" or tgt.process.cmdline contains ".downloadstring(" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline contains " /ticket:" or tgt.process.cmdline contains "dpapi::" or tgt.process.cmdline contains "event::clear" or tgt.process.cmdline contains "event::drop" or tgt.process.cmdline contains "id::modify" or tgt.process.cmdline contains "kerberos::" or tgt.process.cmdline contains "lsadump::" or tgt.process.cmdline contains "misc::" or tgt.process.cmdline contains "privilege::" or tgt.process.cmdline contains "rpc::" or tgt.process.cmdline contains "sekurlsa::" or tgt.process.cmdline contains "sid::" or tgt.process.cmdline contains "token::" or tgt.process.cmdline contains 
"vault::cred" or tgt.process.cmdline contains "vault::list" or tgt.process.cmdline contains " p::d " or tgt.process.cmdline contains ";iex(" or tgt.process.cmdline contains "MiniDump" or tgt.process.cmdline contains "net user "))) and (not ((tgt.process.cmdline contains "ping" and tgt.process.cmdline contains "127.0.0.1" and tgt.process.cmdline contains " -n ") or (tgt.process.image.path contains "\PING.EXE" and src.process.cmdline contains "\DismFoDInstall.cmd") or src.process.image.path contains ":\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or ((src.process.image.path contains ":\Program Files (x86)\Java\" or src.process.image.path contains ":\Program Files\Java\") and src.process.image.path contains "\bin\javaws.exe" and (tgt.process.image.path contains ":\Program Files (x86)\Java\" or tgt.process.image.path contains ":\Program Files\Java\") and tgt.process.image.path contains "\bin\jp2launcher.exe" and tgt.process.cmdline contains " -ma ")))))
 ```
 
 
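Review bot: The new `tgt.process.integrityLevel in ("System","S-1-16-16384")` is an exact-match comparison, so the rule now hinges on the backend's literal spelling of the level: if SentinelOne reports the value in a different case (e.g. upper-case) the `in` list will not fire, whereas the `contains` checks elsewhere in the query are tolerant of that; confirm against a real process-creation event before relying on it. The added `S-1-16-16384` entry is the well-known "System Mandatory Level" SID and mirrors the upstream Sigma change for log sources that emit the raw mandatory-label SID instead of its name; it appears to be harmless here, but whether a normalized EDR field ever carries a SID-form value is not established by anything in this hunk, so it should not be read as widening coverage. A short translator comment after the header line, such as `// integrityLevel: exact match; SID form kept for backends that do not resolve the mandatory-label name`, would make that intent visible to whoever tunes the query next.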
@@ -15,7 +15,7 @@ references:
     - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-11-11
+modified: 2024-12-01
 tags:
     - attack.credential-access
     - attack.defense-evasion
@@ -28,7 +28,9 @@ logsource:
     product: windows
 detection:
     selection:
-        IntegrityLevel: System
+        IntegrityLevel:
+            - 'System'
+            - 'S-1-16-16384'
         User|contains: # covers many language settings
             - 'AUTHORI'
             - 'AUTORI'
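Review bot: The new `'S-1-16-16384'` entry under `IntegrityLevel` carries no explanation, while the neighbouring `User|contains` list does document why it has two spellings; a maintainer reading this selection has to look the SID up to see that it is the same condition as `'System'`. I would annotate it in place: `- 'S-1-16-16384' # SID of "System Mandatory Level"; seen when the log source reports the raw mandatory-label SID instead of its name`. The `detection` block continues past the end of this hunk, so the rest of the selection and the filters are not visible here.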
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md
index eae44b766..59e6e8315 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_sysvol_access.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\SYSVOL\" and tgt.process.cmdline contains "\policies\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md
index b32fd0b82..c68449619 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_task_folder_evasion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "echo " or tgt.process.cmdline contains "copy " or tgt.process.cmdline contains "type " or tgt.process.cmdline contains "file createnew") and (tgt.process.cmdline contains " C:\Windows\System32\Tasks\" or tgt.process.cmdline contains " C:\Windows\SysWow64\Tasks\"))) | columns tgt.process.cmdline,ParentProcess
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md
index 706e4f475..bbab208f2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\vsjitdebugger.exe" and (not (tgt.process.image.path="*\vsimmersiveactivatehelper*.exe" or tgt.process.image.path contains "\devenv.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md
index 0bc2a2914..c93ed1529 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_weak_or_abused_passwords.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "123456789" or tgt.process.cmdline contains "123123qwE" or tgt.process.cmdline contains "Asd123.aaaa" or tgt.process.cmdline contains "Decryptme" or tgt.process.cmdline contains "P@ssw0rd!" or tgt.process.cmdline contains "Pass8080" or tgt.process.cmdline contains "password123" or tgt.process.cmdline contains "test@202"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md
index b4beae4fa..80353ff94 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "[System.Net.WebRequest]::create" or tgt.process.cmdline contains "curl " or tgt.process.cmdline contains "Invoke-RestMethod" or tgt.process.cmdline contains "Invoke-WebRequest" or tgt.process.cmdline contains "iwr " or tgt.process.cmdline contains "Net.WebClient" or tgt.process.cmdline contains "Resume-BitsTransfer" or tgt.process.cmdline contains "Start-BitsTransfer" or tgt.process.cmdline contains "wget " or tgt.process.cmdline contains "WinHttp.WinHttpRequest"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md
index 8a884f2db..9048a9070 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_whoami_as_param.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains ".exe whoami")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md
index aa30a8841..c7c95d1bb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_susp_workfolders.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\control.exe" and src.process.image.path contains "\WorkFolders.exe") and (not tgt.process.image.path="C:\Windows\System32\control.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md
index 2d3a3c2bf..dc08063c9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_execution_with_no_cli_flags.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "svchost.exe" and tgt.process.image.path contains "\svchost.exe") and (not ((src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\rpcnetp.exe") or not (tgt.process.cmdline matches "\.*"))))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md
index 9b18d8d78..c4de0f378 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_termserv_proc_spawn.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.cmdline contains "\svchost.exe" and src.process.cmdline contains "termsvcs") and (not ((tgt.process.image.path contains "\rdpclip.exe" or tgt.process.image.path contains ":\Windows\System32\csrss.exe" or tgt.process.image.path contains ":\Windows\System32\wininit.exe" or tgt.process.image.path contains ":\Windows\System32\winlogon.exe") or not (tgt.process.image.path matches "\.*")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md
index d8c65bd08..544c52763 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_svchost_uncommon_parent_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\svchost.exe" and (not ((src.process.image.path contains "\Mrt.exe" or src.process.image.path contains "\MsMpEng.exe" or src.process.image.path contains "\ngen.exe" or src.process.image.path contains "\rpcnet.exe" or src.process.image.path contains "\services.exe" or src.process.image.path contains "\TiWorker.exe") or not (src.process.image.path matches "\.*") or (src.process.image.path in ("-",""))))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md
index ebac017a1..f297c50ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_eula_accepted.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains " -accepteula" or tgt.process.cmdline contains " /accepteula" or tgt.process.cmdline contains " –accepteula" or tgt.process.cmdline contains " —accepteula" or tgt.process.cmdline contains " ―accepteula"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md
index 5e9325e71..693a1037e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md
index 28facd20f..39c7a8d5f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_evasion.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "copy procdump" or tgt.process.cmdline contains "move procdump") or ((tgt.process.cmdline contains "copy " and tgt.process.cmdline contains ".dmp ") and (tgt.process.cmdline contains "2.dmp" or tgt.process.cmdline contains "lsass" or tgt.process.cmdline contains "out.dmp")) or (tgt.process.cmdline contains "copy lsass.exe_" or tgt.process.cmdline contains "move lsass.exe_")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md
index d5c27eeff..27f42e2ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_procdump_lsass.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -ma " or tgt.process.cmdline contains " /ma " or tgt.process.cmdline contains " –ma " or tgt.process.cmdline contains " —ma " or tgt.process.cmdline contains " ―ma ") and tgt.process.cmdline contains " ls"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md
index c4fda49c2..ab202b816 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or 
tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or 
tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline 
contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (tgt.process.cmdline contains "psexec" or tgt.process.cmdline contains "paexec" or 
tgt.process.cmdline contains "accepteula")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md
index 4944c7dfb..7382c9a3a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexec_remote_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "accepteula" and tgt.process.cmdline contains " -u " and tgt.process.cmdline contains " -p " and tgt.process.cmdline contains " \\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md
index bd7bf1127..eb98ef0ab 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_psexesvc_as_system.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path="C:\Windows\PSEXESVC.exe" and (tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md
index 59c9d55c2..94986640d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains " -s cmd" or tgt.process.cmdline contains " /s cmd" or tgt.process.cmdline contains " –s cmd" or tgt.process.cmdline contains " —s cmd" or tgt.process.cmdline contains " ―s cmd" or tgt.process.cmdline contains " -s -i cmd" or tgt.process.cmdline contains " -s /i cmd" or tgt.process.cmdline contains " -s –i cmd" or tgt.process.cmdline contains " -s —i cmd" or tgt.process.cmdline contains " -s ―i cmd" or tgt.process.cmdline contains " /s -i cmd" or tgt.process.cmdline contains " /s /i cmd" or tgt.process.cmdline contains " /s –i cmd" or tgt.process.cmdline contains " /s —i cmd" or tgt.process.cmdline contains " /s ―i cmd" or tgt.process.cmdline contains " –s -i cmd" or tgt.process.cmdline contains " –s /i cmd" or tgt.process.cmdline contains " –s –i cmd" or tgt.process.cmdline contains " –s —i cmd" or tgt.process.cmdline contains " –s ―i cmd" or tgt.process.cmdline contains " —s -i cmd" or tgt.process.cmdline contains " —s /i cmd" or tgt.process.cmdline contains " —s –i cmd" or tgt.process.cmdline contains " —s —i cmd" or tgt.process.cmdline contains " —s ―i cmd" or tgt.process.cmdline contains " ―s -i cmd" or tgt.process.cmdline contains " ―s /i cmd" or tgt.process.cmdline contains " ―s –i cmd" or tgt.process.cmdline contains " ―s —i cmd" or tgt.process.cmdline contains " ―s ―i cmd" or tgt.process.cmdline contains " -i -s cmd" or tgt.process.cmdline contains " -i /s cmd" or tgt.process.cmdline contains " -i –s cmd" or tgt.process.cmdline contains " -i —s cmd" or tgt.process.cmdline contains " -i ―s cmd" or tgt.process.cmdline contains " /i -s cmd" or tgt.process.cmdline contains " /i /s cmd" or tgt.process.cmdline contains " /i –s cmd" or tgt.process.cmdline contains " /i —s cmd" or tgt.process.cmdline contains " /i ―s cmd" or tgt.process.cmdline contains " –i -s cmd" or tgt.process.cmdline contains " –i /s cmd" or tgt.process.cmdline contains " –i –s cmd" or 
tgt.process.cmdline contains " –i —s cmd" or tgt.process.cmdline contains " –i ―s cmd" or tgt.process.cmdline contains " —i -s cmd" or tgt.process.cmdline contains " —i /s cmd" or tgt.process.cmdline contains " —i –s cmd" or tgt.process.cmdline contains " —i —s cmd" or tgt.process.cmdline contains " —i ―s cmd" or tgt.process.cmdline contains " ―i -s cmd" or tgt.process.cmdline contains " ―i /s cmd" or tgt.process.cmdline contains " ―i –s cmd" or tgt.process.cmdline contains " ―i —s cmd" or tgt.process.cmdline contains " ―i ―s cmd" or tgt.process.cmdline contains " -s pwsh" or tgt.process.cmdline contains " /s pwsh" or tgt.process.cmdline contains " –s pwsh" or tgt.process.cmdline contains " —s pwsh" or tgt.process.cmdline contains " ―s pwsh" or tgt.process.cmdline contains " -s -i pwsh" or tgt.process.cmdline contains " -s /i pwsh" or tgt.process.cmdline contains " -s –i pwsh" or tgt.process.cmdline contains " -s —i pwsh" or tgt.process.cmdline contains " -s ―i pwsh" or tgt.process.cmdline contains " /s -i pwsh" or tgt.process.cmdline contains " /s /i pwsh" or tgt.process.cmdline contains " /s –i pwsh" or tgt.process.cmdline contains " /s —i pwsh" or tgt.process.cmdline contains " /s ―i pwsh" or tgt.process.cmdline contains " –s -i pwsh" or tgt.process.cmdline contains " –s /i pwsh" or tgt.process.cmdline contains " –s –i pwsh" or tgt.process.cmdline contains " –s —i pwsh" or tgt.process.cmdline contains " –s ―i pwsh" or tgt.process.cmdline contains " —s -i pwsh" or tgt.process.cmdline contains " —s /i pwsh" or tgt.process.cmdline contains " —s –i pwsh" or tgt.process.cmdline contains " —s —i pwsh" or tgt.process.cmdline contains " —s ―i pwsh" or tgt.process.cmdline contains " ―s -i pwsh" or tgt.process.cmdline contains " ―s /i pwsh" or tgt.process.cmdline contains " ―s –i pwsh" or tgt.process.cmdline contains " ―s —i pwsh" or tgt.process.cmdline contains " ―s ―i pwsh" or tgt.process.cmdline contains " -i -s pwsh" or tgt.process.cmdline contains " -i /s pwsh" or 
tgt.process.cmdline contains " -i –s pwsh" or tgt.process.cmdline contains " -i —s pwsh" or tgt.process.cmdline contains " -i ―s pwsh" or tgt.process.cmdline contains " /i -s pwsh" or tgt.process.cmdline contains " /i /s pwsh" or tgt.process.cmdline contains " /i –s pwsh" or tgt.process.cmdline contains " /i —s pwsh" or tgt.process.cmdline contains " /i ―s pwsh" or tgt.process.cmdline contains " –i -s pwsh" or tgt.process.cmdline contains " –i /s pwsh" or tgt.process.cmdline contains " –i –s pwsh" or tgt.process.cmdline contains " –i —s pwsh" or tgt.process.cmdline contains " –i ―s pwsh" or tgt.process.cmdline contains " —i -s pwsh" or tgt.process.cmdline contains " —i /s pwsh" or tgt.process.cmdline contains " —i –s pwsh" or tgt.process.cmdline contains " —i —s pwsh" or tgt.process.cmdline contains " —i ―s pwsh" or tgt.process.cmdline contains " ―i -s pwsh" or tgt.process.cmdline contains " ―i /s pwsh" or tgt.process.cmdline contains " ―i –s pwsh" or tgt.process.cmdline contains " ―i —s pwsh" or tgt.process.cmdline contains " ―i ―s pwsh" or tgt.process.cmdline contains " -s powershell" or tgt.process.cmdline contains " /s powershell" or tgt.process.cmdline contains " –s powershell" or tgt.process.cmdline contains " —s powershell" or tgt.process.cmdline contains " ―s powershell" or tgt.process.cmdline contains " -s -i powershell" or tgt.process.cmdline contains " -s /i powershell" or tgt.process.cmdline contains " -s –i powershell" or tgt.process.cmdline contains " -s —i powershell" or tgt.process.cmdline contains " -s ―i powershell" or tgt.process.cmdline contains " /s -i powershell" or tgt.process.cmdline contains " /s /i powershell" or tgt.process.cmdline contains " /s –i powershell" or tgt.process.cmdline contains " /s —i powershell" or tgt.process.cmdline contains " /s ―i powershell" or tgt.process.cmdline contains " –s -i powershell" or tgt.process.cmdline contains " –s /i powershell" or tgt.process.cmdline contains " –s –i powershell" or tgt.process.cmdline 
contains " –s —i powershell" or tgt.process.cmdline contains " –s ―i powershell" or tgt.process.cmdline contains " —s -i powershell" or tgt.process.cmdline contains " —s /i powershell" or tgt.process.cmdline contains " —s –i powershell" or tgt.process.cmdline contains " —s —i powershell" or tgt.process.cmdline contains " —s ―i powershell" or tgt.process.cmdline contains " ―s -i powershell" or tgt.process.cmdline contains " ―s /i powershell" or tgt.process.cmdline contains " ―s –i powershell" or tgt.process.cmdline contains " ―s —i powershell" or tgt.process.cmdline contains " ―s ―i powershell" or tgt.process.cmdline contains " -i -s powershell" or tgt.process.cmdline contains " -i /s powershell" or tgt.process.cmdline contains " -i –s powershell" or tgt.process.cmdline contains " -i —s powershell" or tgt.process.cmdline contains " -i ―s powershell" or tgt.process.cmdline contains " /i -s powershell" or tgt.process.cmdline contains " /i /s powershell" or tgt.process.cmdline contains " /i –s powershell" or tgt.process.cmdline contains " /i —s powershell" or tgt.process.cmdline contains " /i ―s powershell" or tgt.process.cmdline contains " –i -s powershell" or tgt.process.cmdline contains " –i /s powershell" or tgt.process.cmdline contains " –i –s powershell" or tgt.process.cmdline contains " –i —s powershell" or tgt.process.cmdline contains " –i ―s powershell" or tgt.process.cmdline contains " —i -s powershell" or tgt.process.cmdline contains " —i /s powershell" or tgt.process.cmdline contains " —i –s powershell" or tgt.process.cmdline contains " —i —s powershell" or tgt.process.cmdline contains " —i ―s powershell" or tgt.process.cmdline contains " ―i -s powershell" or tgt.process.cmdline contains " ―i /s powershell" or tgt.process.cmdline contains " ―i –s powershell" or tgt.process.cmdline contains " ―i —s powershell" or tgt.process.cmdline contains " ―i ―s powershell") and (not (tgt.process.cmdline contains "paexec" or tgt.process.cmdline contains "PsExec" or 
tgt.process.cmdline contains "accepteula"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md
index 17ef14ad5..23cb234bc 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_config_update.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-c" or tgt.process.cmdline contains "/c" or tgt.process.cmdline contains "–c" or tgt.process.cmdline contains "—c" or tgt.process.cmdline contains "―c")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md
index 9112a200f..bbd9859b3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_sysmon_uninstall.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\Sysmon.exe") or tgt.process.displayName="System activity monitor") and (tgt.process.cmdline contains "-u" or tgt.process.cmdline contains "/u" or tgt.process.cmdline contains "–u" or tgt.process.cmdline contains "—u" or tgt.process.cmdline contains "―u")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md
index d25d80955..dc8b4159f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysinternals_tools_masquerading.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\accesschk.exe" or tgt.process.image.path contains "\accesschk64.exe" or tgt.process.image.path contains "\AccessEnum.exe" or tgt.process.image.path contains "\ADExplorer.exe" or tgt.process.image.path contains "\ADExplorer64.exe" or tgt.process.image.path contains "\ADInsight.exe" or tgt.process.image.path contains "\ADInsight64.exe" or tgt.process.image.path contains "\adrestore.exe" or tgt.process.image.path contains "\adrestore64.exe" or tgt.process.image.path contains "\Autologon.exe" or tgt.process.image.path contains "\Autologon64.exe" or tgt.process.image.path contains "\Autoruns.exe" or tgt.process.image.path contains "\Autoruns64.exe" or tgt.process.image.path contains "\autorunsc.exe" or tgt.process.image.path contains "\autorunsc64.exe" or tgt.process.image.path contains "\Bginfo.exe" or tgt.process.image.path contains "\Bginfo64.exe" or tgt.process.image.path contains "\Cacheset.exe" or tgt.process.image.path contains "\Cacheset64.exe" or tgt.process.image.path contains "\Clockres.exe" or tgt.process.image.path contains "\Clockres64.exe" or tgt.process.image.path contains "\Contig.exe" or tgt.process.image.path contains "\Contig64.exe" or tgt.process.image.path contains "\Coreinfo.exe" or tgt.process.image.path contains "\Coreinfo64.exe" or tgt.process.image.path contains "\CPUSTRES.EXE" or tgt.process.image.path contains "\CPUSTRES64.EXE" or tgt.process.image.path contains "\ctrl2cap.exe" or tgt.process.image.path contains "\Dbgview.exe" or tgt.process.image.path contains "\dbgview64.exe" or tgt.process.image.path contains "\Desktops.exe" or tgt.process.image.path contains "\Desktops64.exe" or tgt.process.image.path contains "\disk2vhd.exe" or tgt.process.image.path contains "\disk2vhd64.exe" or tgt.process.image.path contains "\diskext.exe" or tgt.process.image.path contains "\diskext64.exe" or tgt.process.image.path contains "\Diskmon.exe" or 
tgt.process.image.path contains "\Diskmon64.exe" or tgt.process.image.path contains "\DiskView.exe" or tgt.process.image.path contains "\DiskView64.exe" or tgt.process.image.path contains "\du.exe" or tgt.process.image.path contains "\du64.exe" or tgt.process.image.path contains "\efsdump.exe" or tgt.process.image.path contains "\FindLinks.exe" or tgt.process.image.path contains "\FindLinks64.exe" or tgt.process.image.path contains "\handle.exe" or tgt.process.image.path contains "\handle64.exe" or tgt.process.image.path contains "\hex2dec.exe" or tgt.process.image.path contains "\hex2dec64.exe" or tgt.process.image.path contains "\junction.exe" or tgt.process.image.path contains "\junction64.exe" or tgt.process.image.path contains "\ldmdump.exe" or tgt.process.image.path contains "\listdlls.exe" or tgt.process.image.path contains "\listdlls64.exe" or tgt.process.image.path contains "\livekd.exe" or tgt.process.image.path contains "\livekd64.exe" or tgt.process.image.path contains "\loadOrd.exe" or tgt.process.image.path contains "\loadOrd64.exe" or tgt.process.image.path contains "\loadOrdC.exe" or tgt.process.image.path contains "\loadOrdC64.exe" or tgt.process.image.path contains "\logonsessions.exe" or tgt.process.image.path contains "\logonsessions64.exe" or tgt.process.image.path contains "\movefile.exe" or tgt.process.image.path contains "\movefile64.exe" or tgt.process.image.path contains "\notmyfault.exe" or tgt.process.image.path contains "\notmyfault64.exe" or tgt.process.image.path contains "\notmyfaultc.exe" or tgt.process.image.path contains "\notmyfaultc64.exe" or tgt.process.image.path contains "\ntfsinfo.exe" or tgt.process.image.path contains "\ntfsinfo64.exe" or tgt.process.image.path contains "\pendmoves.exe" or tgt.process.image.path contains "\pendmoves64.exe" or tgt.process.image.path contains "\pipelist.exe" or tgt.process.image.path contains "\pipelist64.exe" or tgt.process.image.path contains "\portmon.exe" or tgt.process.image.path 
contains "\procdump.exe" or tgt.process.image.path contains "\procdump64.exe" or tgt.process.image.path contains "\procexp.exe" or tgt.process.image.path contains "\procexp64.exe" or tgt.process.image.path contains "\Procmon.exe" or tgt.process.image.path contains "\Procmon64.exe" or tgt.process.image.path contains "\psExec.exe" or tgt.process.image.path contains "\psExec64.exe" or tgt.process.image.path contains "\psfile.exe" or tgt.process.image.path contains "\psfile64.exe" or tgt.process.image.path contains "\psGetsid.exe" or tgt.process.image.path contains "\psGetsid64.exe" or tgt.process.image.path contains "\psInfo.exe" or tgt.process.image.path contains "\psInfo64.exe" or tgt.process.image.path contains "\pskill.exe" or tgt.process.image.path contains "\pskill64.exe" or tgt.process.image.path contains "\pslist.exe" or tgt.process.image.path contains "\pslist64.exe" or tgt.process.image.path contains "\psLoggedon.exe" or tgt.process.image.path contains "\psLoggedon64.exe" or tgt.process.image.path contains "\psloglist.exe" or tgt.process.image.path contains "\psloglist64.exe" or tgt.process.image.path contains "\pspasswd.exe" or tgt.process.image.path contains "\pspasswd64.exe" or tgt.process.image.path contains "\psping.exe" or tgt.process.image.path contains "\psping64.exe" or tgt.process.image.path contains "\psService.exe" or tgt.process.image.path contains "\psService64.exe" or tgt.process.image.path contains "\psshutdown.exe" or tgt.process.image.path contains "\psshutdown64.exe" or tgt.process.image.path contains "\pssuspend.exe" or tgt.process.image.path contains "\pssuspend64.exe" or tgt.process.image.path contains "\RAMMap.exe" or tgt.process.image.path contains "\RDCMan.exe" or tgt.process.image.path contains "\RegDelNull.exe" or tgt.process.image.path contains "\RegDelNull64.exe" or tgt.process.image.path contains "\regjump.exe" or tgt.process.image.path contains "\ru.exe" or tgt.process.image.path contains "\ru64.exe" or tgt.process.image.path 
contains "\sdelete.exe" or tgt.process.image.path contains "\sdelete64.exe" or tgt.process.image.path contains "\ShareEnum.exe" or tgt.process.image.path contains "\ShareEnum64.exe" or tgt.process.image.path contains "\shellRunas.exe" or tgt.process.image.path contains "\sigcheck.exe" or tgt.process.image.path contains "\sigcheck64.exe" or tgt.process.image.path contains "\streams.exe" or tgt.process.image.path contains "\streams64.exe" or tgt.process.image.path contains "\strings.exe" or tgt.process.image.path contains "\strings64.exe" or tgt.process.image.path contains "\sync.exe" or tgt.process.image.path contains "\sync64.exe" or tgt.process.image.path contains "\Sysmon.exe" or tgt.process.image.path contains "\Sysmon64.exe" or tgt.process.image.path contains "\tcpvcon.exe" or tgt.process.image.path contains "\tcpvcon64.exe" or tgt.process.image.path contains "\tcpview.exe" or tgt.process.image.path contains "\tcpview64.exe" or tgt.process.image.path contains "\Testlimit.exe" or tgt.process.image.path contains "\Testlimit64.exe" or tgt.process.image.path contains "\vmmap.exe" or tgt.process.image.path contains "\vmmap64.exe" or tgt.process.image.path contains "\Volumeid.exe" or tgt.process.image.path contains "\Volumeid64.exe" or tgt.process.image.path contains "\whois.exe" or tgt.process.image.path contains "\whois64.exe" or tgt.process.image.path contains "\Winobj.exe" or tgt.process.image.path contains "\Winobj64.exe" or tgt.process.image.path contains "\ZoomIt.exe" or tgt.process.image.path contains "\ZoomIt64.exe") and (not ((tgt.process.publisher in ("Sysinternals - www.sysinternals.com","Sysinternals")) or not (tgt.process.publisher matches "\.*")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md
index 1cceca8c5..5e9b23ba9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_sysprep_appdata.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\sysprep.exe" and tgt.process.cmdline contains "\AppData\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md
index 32e9dc1ab..ab4677af5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_takeown_recursive_own.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\takeown.exe" and (tgt.process.cmdline contains "/f " and tgt.process.cmdline contains "/r"))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md
index a47f2775c..e16067fd7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tapinstall_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\tapinstall.exe" and (not ((tgt.process.image.path contains ":\Program Files\Avast Software\SecureLine VPN\" or tgt.process.image.path contains ":\Program Files (x86)\Avast Software\SecureLine VPN\") or tgt.process.image.path contains ":\Program Files\OpenVPN Connect\drivers\tap\" or tgt.process.image.path contains ":\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md
index 4beaa9c30..c5515714a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskkill_sep.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "taskkill" and tgt.process.cmdline contains " /F " and tgt.process.cmdline contains " /IM " and tgt.process.cmdline contains "ccSvcHst.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md
index 3cd005cf1..bf92fa689 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_localsystem.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\taskmgr.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md
index 3f2a5150c..be90a0503 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_taskmgr_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\taskmgr.exe" and (not (tgt.process.image.path contains ":\Windows\System32\mmc.exe" or tgt.process.image.path contains ":\Windows\System32\resmon.exe" or tgt.process.image.path contains ":\Windows\System32\Taskmgr.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md
index b7c5c4d3e..71a8f28e9 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_teams_suspicious_command_line_cred_access.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Microsoft\Teams\Cookies" or tgt.process.cmdline contains "\Microsoft\Teams\Local Storage\leveldb") and (not tgt.process.image.path contains "\Microsoft\Teams\current\Teams.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md
index 430608d38..c61aa05e0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_localsystem.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.user contains "AUTHORI" or tgt.process.user contains "AUTORI") and tgt.process.image.path contains "\tscon.exe"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md
index a43f04ce2..6def30143 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_tscon_rdp_redirect.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.cmdline contains " /dest:rdp-tcp#")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md
index 34f46e5eb..43fce19cb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_changepk_slui.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\changepk.exe" and src.process.image.path contains "\slui.exe" and (tgt.process.integrityLevel in ("High","System"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\changepk.exe" and src.process.image.path contains "\slui.exe" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
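Review bot: The two values appended to `tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")` on the new query line are Sysmon-style integrity-level SIDs carried over verbatim from the Sigma rule's `IntegrityLevel` list (the `S-1-16-…` entries added further down in this section); whether SentinelOne ever populates `tgt.process.integrityLevel` with a SID string rather than the names `High`/`System` is not visible here, so the extra members may be dead filter terms. Worth confirming against the field's actual value set, and if the field only carries names, the translator could map `S-1-16-16384` to `System` and `S-1-16-12288` to `High` at translation time so the translated list stays minimal and readers are not led to assume extra coverage. The same addition appears in the `proc_creation_win_uac_bypass_cleanmgr.md` and `proc_creation_win_uac_bypass_cmstp_com_object_access.md` sections below.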
@@ -16,7 +16,7 @@ references:
     - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -31,6 +31,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Unknown
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md
index 68a3fa8d3..47b03ef36 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cleanmgr.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\"\system32\cleanmgr.exe /autoclean /d C:" and src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.integrityLevel in ("High","System"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\"\system32\cleanmgr.exe /autoclean /d C:" and src.process.cmdline="C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -29,6 +29,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Unknown
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md
index 55583a18a..517280ccd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_cmstp_com_object_access.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and (src.process.cmdline contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or src.process.cmdline contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or src.process.cmdline contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or src.process.cmdline contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or src.process.cmdline contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and (tgt.process.integrityLevel in ("High","System"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and (src.process.cmdline contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or src.process.cmdline contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or src.process.cmdline contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or src.process.cmdline contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or src.process.cmdline contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
@@ -17,7 +17,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Nik Seetharaman, Christian Burkard (Nextron Systems)
 date: 2019-07-31
-modified: 2022-09-21
+modified: 2024-12-01
 tags:
     - attack.execution
     - attack.defense-evasion
@@ -41,6 +41,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Legitimate CMSTP use (unlikely in modern enterprise environments)
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md
index 588f206c4..a049e4fcb 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_computerdefaults.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel in ("High","System")) and tgt.process.image.path="C:\Windows\System32\ComputerDefaults.exe") and (not (src.process.image.path contains ":\Windows\System32" or src.process.image.path contains ":\Program Files"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")) and tgt.process.image.path="C:\Windows\System32\ComputerDefaults.exe") and (not (src.process.image.path contains ":\Windows\System32" or src.process.image.path contains ":\Program Files"))))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-31
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -27,6 +27,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
         Image: 'C:\Windows\System32\ComputerDefaults.exe'
     filter:
         ParentImage|contains:
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md
index 1338e3389..e99e116c3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_consent_comctl32.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\consent.exe" and tgt.process.image.path contains "\werfault.exe" and (tgt.process.integrityLevel in ("High","System"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\consent.exe" and tgt.process.image.path contains "\werfault.exe" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -29,6 +29,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Unknown
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md
index cd6f37f13..3873fa079 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_dismhost.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "C:\Users\" and src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "\DismHost.exe") and (tgt.process.integrityLevel in ("High","System"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "C:\Users\" and src.process.image.path contains "\AppData\Local\Temp\" and src.process.image.path contains "\DismHost.exe") and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -31,6 +31,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Unknown
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md
index 23c427767..0c7cc4444 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_eventvwr_recentviews.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\Event Viewer\RecentViews" or tgt.process.cmdline contains "\EventV~1\RecentViews") and tgt.process.cmdline contains ">"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md
index c6f4ac078..c9d6f2676 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_fodhelper.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and src.process.image.path contains "\fodhelper.exe") | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md
index 5f2561a2b..690661da3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\mmc.exe" and src.process.cmdline contains "WF.msc") and (not tgt.process.image.path contains "\WerFault.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md
index ddedbfd72..3c51b3fe8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_idiagnostic_profile.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and src.process.cmdline contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and (tgt.process.integrityLevel in ("High","System"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\DllHost.exe" and src.process.cmdline contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
@@ -14,6 +14,7 @@ references:
     - https://github.com/Wh04m1001/IDiagnosticProfileUAC
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-03
+modified: 2024-12-01
 tags:
     - attack.execution
     - attack.defense-evasion
@@ -29,6 +30,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Unknown
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md
index e9e919deb..abdb72f35 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ieinstal.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\ieinstal.exe" and tgt.process.image.path contains "\AppData\Local\Temp\" and tgt.process.image.path contains "consent.exe"))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")) and src.process.image.path contains "\ieinstal.exe" and tgt.process.image.path contains "\AppData\Local\Temp\" and tgt.process.image.path contains "consent.exe"))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -27,6 +27,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
         ParentImage|endswith: '\ieinstal.exe'
         Image|contains: '\AppData\Local\Temp\'
         Image|endswith: 'consent.exe'
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md
index 10fbba17f..5f177b69d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_msconfig_gui.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\AppData\Local\Temp\pkgmgr.exe" and tgt.process.cmdline="\"C:\Windows\system32\msconfig.exe\" -5"))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")) and src.process.image.path contains "\AppData\Local\Temp\pkgmgr.exe" and tgt.process.cmdline="\"C:\Windows\system32\msconfig.exe\" -5"))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -27,6 +27,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
         ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
         CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
     condition: selection
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md
index d8c460c10..7dc017b31 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_ntfs_reparse_point.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\"C:\Windows\system32\wusa.exe\"  /quiet C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\update.msu" and (tgt.process.integrityLevel in ("High","System"))) or (src.process.cmdline="\"C:\Windows\system32\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\Windows\system32\pe386\" /ignorecheck" and (tgt.process.integrityLevel in ("High","System")) and (tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "\dismhost.exe {") and tgt.process.image.path contains "\DismHost.exe")))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "\"C:\Windows\system32\wusa.exe\"  /quiet C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\update.msu" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))) or (src.process.cmdline="\"C:\Windows\system32\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\Windows\system32\pe386\" /ignorecheck" and (tgt.process.integrityLevel in ("High","System")) and (tgt.process.cmdline contains "C:\Users\" and tgt.process.cmdline contains "\AppData\Local\Temp\" and tgt.process.cmdline contains "\dismhost.exe {") and tgt.process.image.path contains "\DismHost.exe")))
 ```
 
 
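Review bot: The second branch of the translated query on the new line (the dism.exe-parent / DismHost.exe-child case) still tests `tgt.process.integrityLevel in ("High","System")`, while the first branch and every other rule in this commit also accept the SID forms `"S-1-16-16384"` and `"S-1-16-12288"`; on a sensor that reports the integrity level as a SID, the DISM branch of this UAC-bypass detection silently stops matching. The YAML hunk at lines 6811–6819 shows the cause: only selection1's IntegrityLevel list received the two SID entries, and selection2's list (its `IntegrityLevel:` key is that hunk's last line) appears unchanged, so the fix belongs in the upstream Sigma rule rather than in this generated file. Adding `- 'S-1-16-16384' # System` and `- 'S-1-16-12288' # High` under selection2 and re-running the translator should yield `(tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))` in both branches.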
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -29,6 +29,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     selection2:
         ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
         IntegrityLevel:
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md
index 0967e0392..9185f07fe 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_pkgmgr_dism.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\pkgmgr.exe" and tgt.process.image.path contains "\dism.exe" and (tgt.process.integrityLevel in ("High","System"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\pkgmgr.exe" and tgt.process.image.path contains "\dism.exe" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -29,6 +29,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Unknown
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md
index 16269d7cb..c12a54ba8 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_sdclt.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "sdclt.exe" and tgt.process.integrityLevel="High"))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "sdclt.exe" and (tgt.process.integrityLevel in ("High","S-1-16-12288"))))
 ```
 
 
@@ -15,7 +15,7 @@ references:
     - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
-modified: 2023-02-14
+modified: 2024-12-01
 tags:
     - attack.privilege-escalation
     - attack.defense-evasion
@@ -26,7 +26,9 @@ logsource:
 detection:
     selection:
         Image|endswith: 'sdclt.exe'
-        IntegrityLevel: 'High'
+        IntegrityLevel:
+            - 'High'
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Unknown
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md
index a7030ee6d..cdc633781 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_trustedpath.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path contains "C:\Windows \System32\")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md
index c4928f7ac..1b9400972 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_winsat.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System")) and src.process.image.path contains "\AppData\Local\Temp\system32\winsat.exe" and src.process.cmdline contains "C:\Windows \system32\winsat.exe"))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288")) and src.process.image.path contains "\AppData\Local\Temp\system32\winsat.exe" and src.process.cmdline contains "C:\Windows \system32\winsat.exe"))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -27,6 +27,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
         ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
         ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
     condition: selection
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md
index 8ddb42d1e..343d68cf3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wmp.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path="C:\Program Files\Windows Media Player\osk.exe" and (tgt.process.integrityLevel in ("High","System"))) or (tgt.process.image.path="C:\Windows\System32\cmd.exe" and src.process.cmdline="\"C:\Windows\system32\mmc.exe\" \"C:\Windows\system32\eventvwr.msc\" /s" and (tgt.process.integrityLevel in ("High","System")))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path="C:\Program Files\Windows Media Player\osk.exe" or (tgt.process.image.path="C:\Windows\System32\cmd.exe" and src.process.cmdline="\"C:\Windows\system32\mmc.exe\" \"C:\Windows\system32\eventvwr.msc\" /s")) and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
@@ -14,7 +14,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -23,18 +23,18 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection_img_1:
         Image: 'C:\Program Files\Windows Media Player\osk.exe'
-        IntegrityLevel:
-            - 'High'
-            - 'System'
-    selection2:
+    selection_img_2:
         Image: 'C:\Windows\System32\cmd.exe'
         ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
+    selection_integrity:
         IntegrityLevel:
             - 'High'
             - 'System'
-    condition: 1 of selection*
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
+    condition: 1 of selection_img_* and selection_integrity
 falsepositives:
     - Unknown
 level: high
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md
index cd3ecd57a..bd358ea8c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uac_bypass_wsreset_integrity_level.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsreset.exe" and (tgt.process.integrityLevel in ("High","System"))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsreset.exe" and (tgt.process.integrityLevel in ("High","System","S-1-16-16384","S-1-16-12288"))))
 ```
 
 
@@ -16,7 +16,7 @@ references:
     - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -30,6 +30,8 @@ detection:
         IntegrityLevel:
             - 'High'
             - 'System'
+            - 'S-1-16-16384' # System
+            - 'S-1-16-12288' # High
     condition: selection
 falsepositives:
     - Unknown
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md
index 066f3d82d..7fabab054 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_ultravnc_susp_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "-autoreconnect " and tgt.process.cmdline contains "-connect " and tgt.process.cmdline contains "-id:"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md
index 8364894ca..128921462 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_uninstall_crowdstrike_falcon.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "\WindowsSensor.exe" and tgt.process.cmdline contains " /uninstall" and tgt.process.cmdline contains " /quiet"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md
index 0ef7af0f4..f8118b6ce 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_userinit_uncommon_child_processes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\userinit.exe" and (not tgt.process.image.path contains ":\WINDOWS\explorer.exe") and (not ((tgt.process.cmdline contains "netlogon.bat" or tgt.process.cmdline contains "UsrLogon.cmd") or tgt.process.cmdline="PowerShell.exe" or (tgt.process.image.path contains ":\Windows\System32\proquota.exe" or tgt.process.image.path contains ":\Windows\SysWOW64\proquota.exe") or (tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files (x86)\Citrix\System32\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\cmstart.exe" or tgt.process.image.path contains ":\Program Files\Citrix\HDX\bin\icast.exe" or tgt.process.image.path contains ":\Program Files\Citrix\System32\icast.exe") or not (tgt.process.image.path matches "\.*")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md
index fc100e9a4..003e555a5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "VBoxRT.dll,RTR3Init" or tgt.process.cmdline contains "VBoxC.dll" or tgt.process.cmdline contains "VBoxDrv.sys") or (tgt.process.cmdline contains "startvm" or tgt.process.cmdline contains "controlvm"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md
index 70e12e988..81d162db1 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_virtualbox_vboxdrvinst_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\VBoxDrvInst.exe" and (tgt.process.cmdline contains "driver" and tgt.process.cmdline contains "executeinf"))) | columns ComputerName,tgt.process.user,tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md
index 5e4245493..d68bfc6c6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_child_processes_anomalies.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\code.exe" and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe") or ((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\cmd.exe") and (tgt.process.cmdline contains "Invoke-Expressions" or tgt.process.cmdline contains "IEX" or tgt.process.cmdline contains "Invoke-Command" or tgt.process.cmdline contains "ICM" or tgt.process.cmdline contains "DownloadString" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "cscript")) or (tgt.process.image.path contains ":\Users\Public\" or tgt.process.image.path contains ":\Windows\Temp\" or tgt.process.image.path contains ":\Temp\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md
index 6f3977bfb..6e9ebbe08 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_remote_shell_.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\servers\Stable-" and src.process.image.path contains "\server\node.exe" and src.process.cmdline contains ".vscode-server") and (((tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and tgt.process.cmdline contains "\terminal\browser\media\shellIntegration.ps1") or (tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\bash.exe"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md
index f6228dbe0..c813a6808 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vscode_tunnel_service_install.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "tunnel " and tgt.process.cmdline contains "service" and tgt.process.cmdline contains "internal-run" and tgt.process.cmdline contains "tunnel-service.log"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md
index 76e4fa9d1..4a74db45f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_vslsagent_agentextensionpath_load.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\vsls-agent.exe" and tgt.process.cmdline contains "--agentExtensionPath") and (not tgt.process.cmdline contains "Microsoft.VisualStudio.LiveShare.Agent."))) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md
index 71d109252..4ea545c67 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_execution_from_non_default_location.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe") and (not (tgt.process.image.path contains "C:\Windows\WinSxS\" or tgt.process.image.path contains "C:\Program Files\Windows Mail\" or tgt.process.image.path contains "C:\Program Files (x86)\Windows Mail\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md
index 66a2a7689..4fbee1c90 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wab_unusual_parents.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WmiPrvSE.exe" or src.process.image.path contains "\svchost.exe" or src.process.image.path contains "\dllhost.exe") and (tgt.process.image.path contains "\wab.exe" or tgt.process.image.path contains "\wabmig.exe")) or (src.process.image.path contains "\wab.exe" or src.process.image.path contains "\wabmig.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md
index 0977c6972..e68d69b78 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webdav_lnk_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\explorer.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wscript.exe") and tgt.process.cmdline contains "\DavWWWRoot\"))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md
index 5c485e403..8c7b85da5 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_chopper.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\w3wp.exe") and (tgt.process.cmdline contains "&ipconfig&echo" or tgt.process.cmdline contains "&quser&echo" or tgt.process.cmdline contains "&whoami&echo" or tgt.process.cmdline contains "&c:&echo" or tgt.process.cmdline contains "&cd&echo" or tgt.process.cmdline contains "&dir&echo" or tgt.process.cmdline contains "&echo [E]" or tgt.process.cmdline contains "&echo [S]")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md
index 58c4fb82a..958100d6b 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_hacking.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "catalina.jar" or tgt.process.cmdline contains "CATALINA_HOME"))) and ((tgt.process.cmdline contains "rundll32" and tgt.process.cmdline contains "comsvcs") or (tgt.process.cmdline contains " -hp" and tgt.process.cmdline contains " a " and tgt.process.cmdline contains " -m") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " user " and tgt.process.cmdline contains " /add") or (tgt.process.cmdline contains "net" and tgt.process.cmdline contains " localgroup " and tgt.process.cmdline contains " administrators " and tgt.process.cmdline contains "/add") or (tgt.process.image.path contains "\ntdsutil.exe" or tgt.process.image.path contains "\ldifde.exe" or tgt.process.image.path contains "\adfind.exe" or tgt.process.image.path contains "\procdump.exe" or tgt.process.image.path contains "\Nanodump.exe" or tgt.process.image.path contains "\vssadmin.exe" or tgt.process.image.path contains "\fsutil.exe") or (tgt.process.cmdline contains " -decode " or tgt.process.cmdline contains " -NoP " or tgt.process.cmdline contains " -W Hidden " or tgt.process.cmdline contains " /decode " or tgt.process.cmdline contains " /ticket:" or tgt.process.cmdline contains " sekurlsa" or tgt.process.cmdline contains ".dmp full" or tgt.process.cmdline contains ".downloadfile(" or tgt.process.cmdline 
contains ".downloadstring(" or tgt.process.cmdline contains "FromBase64String" or tgt.process.cmdline contains "process call create" or tgt.process.cmdline contains "reg save " or tgt.process.cmdline contains "whoami /priv"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md
index 15c707639..42b5e034e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.md	
@@ -1,6 +1,6 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
-event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\php.exe" or src.process.image.path contains "\tomcat.exe" or src.process.image.path contains "\UMWorkerProcess.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_TomcatService.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.cmdline contains "CATALINA_HOME" or src.process.cmdline contains "catalina.home" or src.process.cmdline contains "catalina.jar"))) and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\at.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dsget.exe" or tgt.process.image.path contains "\hostname.exe" or tgt.process.image.path contains "\nbtstat.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netdom.exe" or tgt.process.image.path contains "\netsh.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ntdutil.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\qprocess.exe" or tgt.process.image.path contains "\query.exe" or 
tgt.process.image.path contains "\qwinsta.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sc.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wusa.exe") and (not ((src.process.image.path contains "\java.exe" and tgt.process.cmdline contains "Windows\system32\cmd.exe /c C:\ManageEngine\ADManager \"Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") or (src.process.image.path contains "\java.exe" and (tgt.process.cmdline contains "sc query" and tgt.process.cmdline contains "ADManager Plus"))))))
+// Translated content (automatically translated on 02-12-2024 01:27:48):
+event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\php.exe" or src.process.image.path contains "\tomcat.exe" or src.process.image.path contains "\UMWorkerProcess.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_TomcatService.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.cmdline contains "CATALINA_HOME" or src.process.cmdline contains "catalina.home" or src.process.cmdline contains "catalina.jar"))) and (tgt.process.image.path contains "\arp.exe" or tgt.process.image.path contains "\at.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\bitsadmin.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\dsget.exe" or tgt.process.image.path contains "\hostname.exe" or tgt.process.image.path contains "\nbtstat.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netdom.exe" or tgt.process.image.path contains "\netsh.exe" or tgt.process.image.path contains "\nltest.exe" or tgt.process.image.path contains "\ntdsutil.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\qprocess.exe" or tgt.process.image.path contains "\query.exe" or 
tgt.process.image.path contains "\qwinsta.exe" or tgt.process.image.path contains "\reg.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\sc.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\wmic.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\wusa.exe") and (not ((src.process.image.path contains "\java.exe" and tgt.process.cmdline contains "Windows\system32\cmd.exe /c C:\ManageEngine\ADManager \"Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") or (src.process.image.path contains "\java.exe" and (tgt.process.cmdline contains "sc query" and tgt.process.cmdline contains "ADManager Plus"))))))
 ```
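Review bot: The corrected query on the new side still carries an exclusion whose only anchors are a parent of `\java.exe` plus the two command-line substrings `sc query` and `ADManager Plus`, with no constraint on the child image or on where the parent runs from, so any java-spawned process whose arguments contain those two strings is suppressed, not just the ManageEngine service check; if the product's install location is stable, narrowing the filter with something like `src.process.image.path contains "\ManageEngine\"` would keep the allow-list tight, but confirm against real telemetry first since the path is not visible here. The substantive change in this hunk is the `\ntdutil.exe` → `\ntdsutil.exe` spelling fix, which restores coverage for a binary the old string could never match; the YAML hunk later in this file section (`- '\ntdsutil.exe'`) is the source-of-truth fix for the same typo and this note covers both. The `// Translated content` timestamp line is generated output and needs no review.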
 
 
@@ -15,7 +15,7 @@ references:
     - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019-01-16
-modified: 2023-11-11
+modified: 2024-11-26
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -67,7 +67,7 @@ detection:
             - '\netdom.exe'
             - '\netsh.exe'
             - '\nltest.exe'
-            - '\ntdutil.exe'
+            - '\ntdsutil.exe'
             - '\powershell_ise.exe'
             - '\powershell.exe'
             - '\pwsh.exe'
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md
index b13f358b1..889231d49 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_webshell_tool_recon.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\caddy.exe" or src.process.image.path contains "\httpd.exe" or src.process.image.path contains "\nginx.exe" or src.process.image.path contains "\php-cgi.exe" or src.process.image.path contains "\w3wp.exe" or src.process.image.path contains "\ws_tomcatservice.exe") or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (src.process.image.path contains "-tomcat-" or src.process.image.path contains "\tomcat")) or ((src.process.image.path contains "\java.exe" or src.process.image.path contains "\javaw.exe") and (tgt.process.cmdline contains "CATALINA_HOME" or tgt.process.cmdline contains "catalina.jar"))) and (tgt.process.cmdline contains "perl --help" or tgt.process.cmdline contains "perl -h" or tgt.process.cmdline contains "python --help" or tgt.process.cmdline contains "python -h" or tgt.process.cmdline contains "python3 --help" or tgt.process.cmdline contains "python3 -h" or tgt.process.cmdline contains "wget --help")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md
index 26bf22f01..fb35c75c7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wermgr.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\ipconfig.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\net.exe" or tgt.process.image.path contains "\net1.exe" or tgt.process.image.path contains "\netstat.exe" or tgt.process.image.path contains "\nslookup.exe" or tgt.process.image.path contains "\powershell_ise.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\systeminfo.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\wscript.exe")) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "C:\Windows\system32\WerConCpl.dll" and tgt.process.cmdline contains "LaunchErcApp ") and (tgt.process.cmdline contains "-queuereporting" or tgt.process.cmdline contains "-responsepester")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md
index 25b5a36c5..6756b13f2 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wermgr_susp_exec_location.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wermgr.exe" and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\" or tgt.process.image.path contains "C:\Windows\WinSxS\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md
index e99dac8c8..83cfc0ca0 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_windows_terminal_susp_children.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((src.process.image.path contains "\WindowsTerminal.exe" or src.process.image.path contains "\wt.exe") and ((tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\csc.exe") or (tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\" or tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "\Windows\TEMP\") or (tgt.process.cmdline contains " iex " or tgt.process.cmdline contains " icm" or tgt.process.cmdline contains "Invoke-" or tgt.process.cmdline contains "Import-Module " or tgt.process.cmdline contains "ipmo " or tgt.process.cmdline contains "DownloadString(" or tgt.process.cmdline contains " /c " or tgt.process.cmdline contains " /k " or tgt.process.cmdline contains " /r "))) and (not ((tgt.process.cmdline contains "Import-Module" and tgt.process.cmdline contains "Microsoft.VisualStudio.DevShell.dll" and tgt.process.cmdline contains "Enter-VsDevShell") or (tgt.process.cmdline contains "\AppData\Local\Packages\Microsoft.WindowsTerminal_" and tgt.process.cmdline contains "\LocalState\settings.json") or (tgt.process.cmdline contains "C:\Program Files\Microsoft Visual Studio\" and tgt.process.cmdline contains "\Common7\Tools\VsDevCmd.bat")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md
index 119820bd9..e130b202d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_exfil_dmp_files.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (tgt.process.cmdline contains ".dmp" or tgt.process.cmdline contains ".dump" or tgt.process.cmdline contains ".hdmp")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md
index 4d29db8a0..f26b76532 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrar_uncommon_folder_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\rar.exe" or tgt.process.image.path contains "\winrar.exe") or tgt.process.displayName="Command line RAR") and (not (tgt.process.image.path contains "\UnRAR.exe" or (tgt.process.image.path contains ":\Program Files (x86)\WinRAR\" or tgt.process.image.path contains ":\Program Files\WinRAR\"))) and (not tgt.process.image.path contains ":\Windows\Temp\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md
index 0f831ef15..c1e3755f4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_awl_bypass.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "winrm" and ((tgt.process.cmdline contains "format:pretty" or tgt.process.cmdline contains "format:\"pretty\"" or tgt.process.cmdline contains "format:\"text\"" or tgt.process.cmdline contains "format:text") and (not (tgt.process.image.path contains "C:\Windows\System32\" or tgt.process.image.path contains "C:\Windows\SysWOW64\")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md
index f8038e764..b6ea617a4 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_remote_powershell_session_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wsmprovhost.exe" or src.process.image.path contains "\wsmprovhost.exe")) | columns ComputerName,tgt.process.user,tgt.process.cmdline
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md
index 1c576bd12..e103aa85c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winrm_susp_child_process.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wsmprovhost.exe" and (tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\sh.exe" or tgt.process.image.path contains "\bash.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\wsl.exe" or tgt.process.image.path contains "\schtasks.exe" or tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\whoami.exe" or tgt.process.image.path contains "\bitsadmin.exe")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md
index 2e5345390..e02d10376 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_winzip_password_compression.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "winzip.exe" or tgt.process.cmdline contains "winzip64.exe") and tgt.process.cmdline contains "-s\"" and (tgt.process.cmdline contains " -min " or tgt.process.cmdline contains " -a ")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md
index 17b4c74bd..19c7df244 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\EdgeTransport.exe" and (not (tgt.process.image.path="C:\Windows\System32\conhost.exe" or (tgt.process.image.path contains "C:\Program Files\Microsoft\Exchange Server\" and tgt.process.image.path contains "\Bin\OleConverter.exe")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md
index 2d3362eec..c3e91207e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmi_persistence_script_event_consumer.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path="C:\WINDOWS\system32\wbem\scrcons.exe" and src.process.image.path="C:\Windows\System32\svchost.exe"))
 ```
 
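Review bot: The target path on the query line is pinned with exact `=` to `C:\WINDOWS\system32\wbem\scrcons.exe` while the parent on the same line is spelled `C:\Windows\System32\svchost.exe`; if `=` is case-sensitive in this backend, at most one of the two spellings will match what the sensor reports, and a non-C: system drive is missed either way. The sibling WmiPrvSE rule in this same patch matches the provider with `src.process.image.path contains "\wbem\WmiPrvSE.exe"`, so the consistent form here would be `tgt.process.image.path contains "\wbem\scrcons.exe" and src.process.image.path contains "\svchost.exe"`. Confirm the case semantics of `=` and `contains` in PowerQuery before relying on either spelling.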
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md
index 2ccbbf280..3f74eb21c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_eventconsumer_creation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "ActiveScriptEventConsumer" and tgt.process.cmdline contains " CREATE ")) | columns tgt.process.cmdline,src.process.cmdline
 ```
 
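Review bot: The `contains " CREATE "` test on the query line is upper-case only; wmic accepts `create` in any case, so if `contains` is case-sensitive in this backend a `... ActiveScriptEventConsumer create ...` invocation slips past, and the same applies to the `ActiveScriptEventConsumer` token. The upstream Sigma `contains` modifier is case-insensitive, so the translation should use the backend's case-insensitive comparison, or match both `" CREATE "` and `" create "`, for these two tokens. A short comment noting that this rule keys on the wmic command line rather than on the later `scrcons.exe` launch (covered by the separate scrcons rule) would help tuners understand why both exist.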
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md
index 0a4604ced..91e2bc5e7 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_susp_process_creation.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.cmdline contains "process " and tgt.process.cmdline contains "call " and tgt.process.cmdline contains "create ") and (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "bitsadmin" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "cmd.exe /c " or tgt.process.cmdline contains "cmd.exe /k " or tgt.process.cmdline contains "cmd.exe /r " or tgt.process.cmdline contains "cmd /c " or tgt.process.cmdline contains "cmd /k " or tgt.process.cmdline contains "cmd /r " or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "certutil" or tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "wscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "\Users\Public\" or tgt.process.cmdline contains "\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\" or tgt.process.cmdline contains "%temp%" or tgt.process.cmdline contains "%tmp%" or tgt.process.cmdline contains "%ProgramData%" or tgt.process.cmdline contains "%appdata%" or tgt.process.cmdline contains "%comspec%" or tgt.process.cmdline contains "%localappdata%")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md
index 807e1c59a..a581c47be 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_uninstall_security_products.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "product where " and tgt.process.cmdline contains "call" and tgt.process.cmdline contains "uninstall" and tgt.process.cmdline contains "/nointeractive") or ((tgt.process.cmdline contains "wmic" and tgt.process.cmdline contains "caption like ") and (tgt.process.cmdline contains "call delete" or tgt.process.cmdline contains "call terminate")) or (tgt.process.cmdline contains "process " and tgt.process.cmdline contains "where " and tgt.process.cmdline contains "delete")) and (tgt.process.cmdline contains "%carbon%" or tgt.process.cmdline contains "%cylance%" or tgt.process.cmdline contains "%endpoint%" or tgt.process.cmdline contains "%eset%" or tgt.process.cmdline contains "%malware%" or tgt.process.cmdline contains "%Sophos%" or tgt.process.cmdline contains "%symantec%" or tgt.process.cmdline contains "Antivirus" or tgt.process.cmdline contains "AVG " or tgt.process.cmdline contains "Carbon Black" or tgt.process.cmdline contains "CarbonBlack" or tgt.process.cmdline contains "Cb Defense Sensor 64-bit" or tgt.process.cmdline contains "Crowdstrike Sensor" or tgt.process.cmdline contains "Cylance " or tgt.process.cmdline contains "Dell Threat Defense" or tgt.process.cmdline contains "DLP Endpoint" or tgt.process.cmdline contains "Endpoint Detection" or tgt.process.cmdline contains "Endpoint Protection" or tgt.process.cmdline contains "Endpoint Security" or tgt.process.cmdline contains "Endpoint Sensor" or tgt.process.cmdline contains "ESET File Security" or tgt.process.cmdline contains "LogRhythm System Monitor Service" or tgt.process.cmdline contains "Malwarebytes" or tgt.process.cmdline contains "McAfee Agent" or tgt.process.cmdline contains "Microsoft Security Client" or tgt.process.cmdline contains "Sophos Anti-Virus" or tgt.process.cmdline contains "Sophos AutoUpdate" or tgt.process.cmdline contains "Sophos Credential Store" or 
tgt.process.cmdline contains "Sophos Management Console" or tgt.process.cmdline contains "Sophos Management Database" or tgt.process.cmdline contains "Sophos Management Server" or tgt.process.cmdline contains "Sophos Remote Management System" or tgt.process.cmdline contains "Sophos Update Manager" or tgt.process.cmdline contains "Threat Protection" or tgt.process.cmdline contains "VirusScan" or tgt.process.cmdline contains "Webroot SecureAnywhere" or tgt.process.cmdline contains "Windows Defender")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md
index b0ca14a62..f09251b1f 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmic_xsl_script_processing.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wmic.exe" and (tgt.process.cmdline contains "-format" or tgt.process.cmdline contains "/format" or tgt.process.cmdline contains "–format" or tgt.process.cmdline contains "—format" or tgt.process.cmdline contains "―format")) and (not (tgt.process.cmdline contains "Format:List" or tgt.process.cmdline contains "Format:htable" or tgt.process.cmdline contains "Format:hform" or tgt.process.cmdline contains "Format:table" or tgt.process.cmdline contains "Format:mof" or tgt.process.cmdline contains "Format:value" or tgt.process.cmdline contains "Format:rawxml" or tgt.process.cmdline contains "Format:xml" or tgt.process.cmdline contains "Format:csv"))))
 ```
 
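Review bot: The exclusion list on the query line is substring-based and upper-cased (`Format:List`, `Format:xml`, ...) while the trigger tokens are lower-case (`/format`); if `contains` is case-sensitive here, a benign `/format:list` is not excluded and a malicious `/FORMAT:"http://.../x.xsl"` is not detected. Even with case-insensitive matching, an argument that merely starts with one of those tokens (for example `/format:List.xsl` pointing at an attacker-supplied stylesheet) presumably lands inside the `not (...)` branch. Anchoring the exclusions to the exact built-in names, or only excluding when the value after `format:` contains none of `.xsl`, `http`, `\` or `/`, would narrow that bypass; confirm the backend's case semantics first.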
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md
index 77d2473f5..da062924a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wmiprvse_susp_child_processes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\wbem\WmiPrvSE.exe" and ((tgt.process.image.path contains "\certutil.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\msiexec.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\verclsid.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\cmd.exe" and (tgt.process.cmdline contains "cscript" or tgt.process.cmdline contains "mshta" or tgt.process.cmdline contains "powershell" or tgt.process.cmdline contains "pwsh" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "wscript"))) and (not (tgt.process.image.path contains "\WerFault.exe" or tgt.process.image.path contains "\WmiPrvSE.exe" or (tgt.process.image.path contains "\msiexec.exe" and tgt.process.cmdline contains "/i ")))))
 ```
 
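Review bot: The final exclusion on the query line, `tgt.process.image.path contains "\msiexec.exe" and tgt.process.cmdline contains "/i "`, suppresses every msiexec install spawned by WmiPrvSE, including `msiexec /i http://.../payload.msi` and installs from user-writable paths, which is precisely the WMI-driven execution this rule is meant to catch. I would keep the exclusion only for non-remote packages outside temp paths, e.g. `(tgt.process.image.path contains "\msiexec.exe" and tgt.process.cmdline contains "/i " and (not (tgt.process.cmdline contains "http" or tgt.process.cmdline contains "\Temp\" or tgt.process.cmdline contains "\Users\Public\")))`. If the broad exclusion is deliberate to silence a software-deployment tool, a comment on the line naming that tool would help the next tuner.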
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md
index 96f9dad7b..488ae42a3 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wpbbin_potential_persistence.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.image.path="C:\Windows\System32\wpbbin.exe")
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md
index 8d150de77..1ad4d5289 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_dropper.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wscript.exe" or tgt.process.image.path contains "\cscript.exe") and (tgt.process.cmdline contains ":\Temp\" or tgt.process.cmdline contains ":\Tmp\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\AppData\Local\Temp\") and (tgt.process.cmdline contains ".js" or tgt.process.cmdline contains ".jse" or tgt.process.cmdline contains ".vba" or tgt.process.cmdline contains ".vbe" or tgt.process.cmdline contains ".vbs" or tgt.process.cmdline contains ".wsf")))
 ```
 
@@ -11,7 +11,7 @@ id: cea72823-df4d-4567-950c-0b579eaf0846
 related:
     - id: 1e33157c-53b1-41ad-bbcc-780b80b58288
       type: similar
-status: experimental
+status: test
 description: Detects wscript/cscript executions of scripts located in user directories
 references:
     - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md
index 9f6423610..90773ea9e 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wscript_cscript_susp_child_processes.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wscript.exe" or src.process.image.path contains "\cscript.exe") and (tgt.process.image.path contains "\rundll32.exe" or ((tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe") and ((tgt.process.cmdline contains "mshta" and tgt.process.cmdline contains "http") or (tgt.process.cmdline contains "rundll32" or tgt.process.cmdline contains "regsvr32" or tgt.process.cmdline contains "msiexec")))) and (not (tgt.process.image.path contains "\rundll32.exe" and (tgt.process.cmdline contains "UpdatePerUserSystemParameters" or tgt.process.cmdline contains "PrintUIEntry" or tgt.process.cmdline contains "ClearMyTracksByProcess")))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md
index b561f1680..644e5548c 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_child_processes_anomalies.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\wsl.exe" or src.process.image.path contains "\wslhost.exe") and ((tgt.process.image.path contains "\calc.exe" or tgt.process.image.path contains "\cmd.exe" or tgt.process.image.path contains "\cscript.exe" or tgt.process.image.path contains "\mshta.exe" or tgt.process.image.path contains "\powershell.exe" or tgt.process.image.path contains "\pwsh.exe" or tgt.process.image.path contains "\regsvr32.exe" or tgt.process.image.path contains "\rundll32.exe" or tgt.process.image.path contains "\wscript.exe") or (tgt.process.image.path contains "\AppData\Local\Temp\" or tgt.process.image.path contains "C:\Users\Public\" or tgt.process.image.path contains "C:\Windows\Temp\" or tgt.process.image.path contains "C:\Temp\" or tgt.process.image.path contains "\Downloads\" or tgt.process.image.path contains "\Desktop\"))))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md
index 94d865179..c2353e58d 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wsl_windows_binaries_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path matches "[a-zA-Z]:\\\\" and tgt.process.image.path contains "\\wsl.localhost"))
 ```
 
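Review bot: The query line is the only rule in this set that writes a path literal with doubled backslashes (`"\\wsl.localhost"`, alongside `matches "[a-zA-Z]:\\\\"`), while every other rule here writes a single `\` (e.g. `"\wmic.exe"`); if PowerQuery treats `\\` as an escaped backslash in string literals, the `contains` term is looking for a single-backslash `\wsl.localhost` rather than the UNC form, and if it does not, the regex `[a-zA-Z]:\\\\` demands two literal backslashes after the drive letter. The two conditions are also joined with `and`, so an image path must both start with a drive letter and contain `\\wsl.localhost`, which may have been alternatives in the upstream Sigma rule; worth checking against the source. I would add a comment such as `// expects the UNC form \\wsl.localhost\<distro>\... — verify escaping against a live event` once the behaviour is confirmed.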
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md
index 4fc86a89b..c43c5c4d6 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\wusa.exe" and tgt.process.cmdline contains "/extract:") and (tgt.process.cmdline contains ":\PerfLogs\" or tgt.process.cmdline contains ":\Users\Public\" or tgt.process.cmdline contains ":\Windows\Temp\" or tgt.process.cmdline contains "\Appdata\Local\Temp\")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md
index fbf64b76e..b15ef8cbd 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_wusa_susp_parent_execution.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\wusa.exe" and ((src.process.image.path contains ":\Perflogs\" or src.process.image.path contains ":\Users\Public\" or src.process.image.path contains ":\Windows\Temp\" or src.process.image.path contains "\Appdata\Local\Temp\" or src.process.image.path contains "\Temporary Internet") or ((src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favorites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Favourites\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Contacts\") or (src.process.image.path contains ":\Users\" and src.process.image.path contains "\Pictures\"))) and (not tgt.process.cmdline contains ".msu")))
 ```
 
diff --git a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md
index 3d823c015..05866526a 100644
--- a/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md	
+++ b/SentinelOne_PQ - Windows Process Creation/proc_creation_win_xwizard_runwizard_com_object_exec.md	
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 01-12-2024 01:45:27):
+// Translated content (automatically translated on 02-12-2024 01:27:48):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline="RunWizard" and tgt.process.cmdline matches "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"))
 ```
 
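Review bot: `tgt.process.cmdline="RunWizard"` on the query line is a whole-value comparison (if `=` is exact equality as it is for the image-path comparisons elsewhere in this patch), and the same line also requires the command line to match a GUID regex; no string satisfies both, so as written the rule can never fire. The upstream intent is a substring test, so the line should read `tgt.process.cmdline contains "RunWizard" and tgt.process.cmdline matches "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"`, with the regex left unchanged. Adding `tgt.process.image.path contains "\xwizard.exe"` would also keep the rule from matching unrelated tools that pass a GUID together with a RunWizard argument, but that is a tuning choice.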
diff --git a/sigma b/sigma
index 374f00350..6048be5a7 160000
--- a/sigma
+++ b/sigma
@@ -1 +1 @@
-Subproject commit 374f00350761a05cd2b1513cd2f1c625a2189acd
+Subproject commit 6048be5a7a3bf3b923fd4ee8236fed59ef7ff6a1