Home/Detection rules/Palo Alto Cortex XDR
Tool
EDR / XDR

Palo Alto Cortex XDR

763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB) Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 763
high Moderate High FP
Potential ACTINIUM Persistence Activity
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
status test author Andreas Hunkeler (@Karneades) ATT&CK sub-technique id e1118a8f-82f5-44b3-bb6b-8a284e5df602
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "schtasks" and 
 action_process_image_command_line contains "create" and 
 action_process_image_command_line contains "wscript" and 
 action_process_image_command_line contains " /e:vbscript"))
view Sigma YAML 
title: Potential ACTINIUM Persistence Activity
id: e1118a8f-82f5-44b3-bb6b-8a284e5df602
status: test
description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
references:
    - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
author: Andreas Hunkeler (@Karneades)
date: 2022-02-07
modified: 2023-03-18
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'schtasks'
            - 'create'
            - 'wscript'
            - ' /e:vbscript'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
status test author Markus Neis, @Kostastsale ATT&CK technique id 30edb182-aa75-42c0-b0a9-e998bb29067c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "System.Management.Automation.AmsiUtils" and 
 action_process_image_command_line contains "amsiInitFailed") or 
 (action_process_image_command_line contains "[Ref].Assembly.GetType" and 
 action_process_image_command_line contains "SetValue($null,$true)" and 
 action_process_image_command_line contains "NonPublic,Static")))
view Sigma YAML 
title: Potential AMSI Bypass Via .NET Reflection
id: 30edb182-aa75-42c0-b0a9-e998bb29067c
related:
    - id: 4f927692-68b5-4267-871b-073c45f4f6fe
      type: obsolete
status: test
description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
references:
    - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
    - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
author: Markus Neis, @Kostastsale
date: 2018-08-17
modified: 2023-02-03
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - 'System.Management.Automation.AmsiUtils'
              - 'amsiInitFailed'
        - CommandLine|contains|all:
              - '[Ref].Assembly.GetType'
              - 'SetValue($null,$true)'
              - 'NonPublic,Static'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Potential AMSI COM Server Hijacking
Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 160d2780-31f7-4922-8b3a-efce30e63e96
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)" and 
 (not 
 (action_registry_value_name = "%windir%\system32\amsi.dll" or 
 action_registry_data = "%windir%\system32\amsi.dll"))))
view Sigma YAML 
title: Potential AMSI COM Server Hijacking
id: 160d2780-31f7-4922-8b3a-efce30e63e96
status: test
description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
references:
    - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
    filter:
        Details: '%windir%\system32\amsi.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 911389c7-5ae3-43ea-bab3-a947ebdeb85e
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "-noni -nop -exe bypass -f \\" and 
 action_process_image_command_line contains "ADMIN$") or 
 (action_process_image_command_line contains "-ex bypass -noprof -nolog -nonint -f" and 
 action_process_image_command_line contains "C:\Windows\Temp\")))
view Sigma YAML 
title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
status: test
description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.execution
    - attack.g0046
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '-noni -nop -exe bypass -f \\\\'
            - 'ADMIN$'
    selection_2:
        CommandLine|contains|all:
            - '-ex bypass -noprof -nolog -nonint -f'
            - 'C:\Windows\Temp\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Potential APT FIN7 Related PowerShell Script Created
Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name in ("*_64refl.ps1", "host_ip.ps1")))
view Sigma YAML 
title: Potential APT FIN7 Related PowerShell Script Created
id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
status: test
description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.execution
    - attack.g0046
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith: '_64refl.ps1'
        - TargetFilename: 'host_ip.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential APT Mustang Panda Activity Against Australian Gov
Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 7806bb49-f653-48d3-a915-5115c1a85234
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "copy SolidPDFCreator.dll" and 
 action_process_image_command_line contains "C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll") or 
 (action_process_image_command_line contains "reg " and 
 action_process_image_command_line contains "\Windows\CurrentVersion\Run" and 
 action_process_image_command_line contains "SolidPDF" and 
 action_process_image_command_line contains "C:\Users\Public\Libraries\PhotoTvRHD\")))
view Sigma YAML 
title: Potential APT Mustang Panda Activity Against Australian Gov
id: 7806bb49-f653-48d3-a915-5115c1a85234
status: test
description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
references:
    - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - attack.execution
    - attack.g0129
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - 'copy SolidPDFCreator.dll'
            - 'C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll'
    selection_2:
        CommandLine|contains|all:
            - 'reg '
            - '\Windows\CurrentVersion\Run'
            - 'SolidPDF'
            - 'C:\Users\Public\Libraries\PhotoTvRHD\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Potential APT10 Cloud Hopper Activity
Detects potential process and execution activity related to APT10 Cloud Hopper operation
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 966e4016-627f-44f7-8341-f394905c361f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\cscript.exe" and 
 action_process_image_command_line contains ".vbs /shell ") or 
 (action_process_image_command_line contains "csvde -f C:\windows\web\" and 
 action_process_image_command_line contains ".log")))
view Sigma YAML 
title: Potential APT10 Cloud Hopper Activity
id: 966e4016-627f-44f7-8341-f394905c361f
status: test
description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
references:
    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
author: Florian Roth (Nextron Systems)
date: 2017-04-07
modified: 2023-03-08
tags:
    - attack.execution
    - attack.g0045
    - attack.t1059.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cscript:
        Image|endswith: '\cscript.exe'
        CommandLine|contains: '.vbs /shell '
    selection_csvde:
        CommandLine|contains|all:
            - 'csvde -f C:\windows\web\'
            - '.log'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Potential Arbitrary Code Execution Via Node.EXE
Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 6640f31c-01ad-49b5-beb5-83498a5cd8bd
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\node.exe" and 
 (action_process_image_command_line in ("* -e *", "* --eval *"))) and 
 (action_process_image_command_line contains ".exec(" and 
 action_process_image_command_line contains "net.socket" and 
 action_process_image_command_line contains ".connect" and 
 action_process_image_command_line contains "child_process")))
view Sigma YAML 
title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
    - https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - ' -e '
            - ' --eval '
    # Add more pattern of abuse as actions
    selection_action_reverse_shell:
        CommandLine|contains|all:
            - '.exec('
            - 'net.socket'
            - '.connect'
            - 'child_process'
    condition: selection_main and 1 of selection_action_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
status test author Bhabesh Raj ATT&CK technique id 245f92e3-c4da-45f1-9070-bc552e06db11
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\Atlassian\Confluence\jre\bin\java.exe" and 
 (action_process_image_command_line in ("*certutil*", "*cmd /c*", "*cmd /k*", "*cscript*", "*curl*", "*ipconfig*", "*powershell*", "*pwsh*", "*regsvr32*", "*rundll32*", "*whoami*", "*wscript*"))))
view Sigma YAML 
title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
id: 245f92e3-c4da-45f1-9070-bc552e06db11
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26084
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
    - https://github.com/h3v0x/CVE-2021-26084_Confluence
author: Bhabesh Raj
date: 2021-09-08
modified: 2023-02-13
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - attack.t1059
    - cve.2021-26084
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Monitor suspicious child processes spawned by Confluence
        ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe'
        CommandLine|contains:
            - 'certutil'
            - 'cmd /c'
            - 'cmd /k'
            - 'cscript'
            - 'curl'
            - 'ipconfig'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'whoami'
            - 'wscript'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Potential Attachment Manager Settings Associations Tamper
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\" and 
 ((action_registry_key_name contains "\DefaultFileTypeRisk" and 
 (action_registry_value_name = "DWORD (0x00006152)" or 
 action_registry_data = "DWORD (0x00006152)")) or 
 (action_registry_key_name contains "\LowRiskFileTypes" and 
 ((action_registry_value_name in ("*.zip;*", "*.rar;*", "*.exe;*", "*.bat;*", "*.com;*", "*.cmd;*", "*.reg;*", "*.msi;*", "*.htm;*", "*.html;*")) or 
 (action_registry_data in ("*.zip;*", "*.rar;*", "*.exe;*", "*.bat;*", "*.com;*", "*.cmd;*", "*.reg;*", "*.msi;*", "*.htm;*", "*.html;*")))))))
view Sigma YAML 
title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: test
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
    - attack.defense-impairment
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
    selection_value_default_file_type_rsik:
        TargetObject|endswith: '\DefaultFileTypeRisk'
        Details: 'DWORD (0x00006152)'
    selection_value_low_risk_filetypes:
        TargetObject|endswith: '\LowRiskFileTypes'
        Details|contains: # Add more as you see fit
            - '.zip;'
            - '.rar;'
            - '.exe;'
            - '.bat;'
            - '.com;'
            - '.cmd;'
            - '.reg;'
            - '.msi;'
            - '.htm;'
            - '.html;'
    condition: selection_main and 1 of selection_value_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Potential Attachment Manager Settings Attachments Tamper
Detects tampering with attachment manager settings policies attachments (See reference for more information)
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\" and 
 ((action_registry_key_name contains "\HideZoneInfoOnProperties" and 
 (action_registry_value_name = "DWORD (0x00000001)" or 
 action_registry_data = "DWORD (0x00000001)")) or 
 (action_registry_key_name contains "\SaveZoneInformation" and 
 (action_registry_value_name = "DWORD (0x00000002)" or 
 action_registry_data = "DWORD (0x00000002)")) or 
 (action_registry_key_name contains "\ScanWithAntiVirus" and 
 (action_registry_value_name = "DWORD (0x00000001)" or 
 action_registry_data = "DWORD (0x00000001)")))))
view Sigma YAML 
title: Potential Attachment Manager Settings Attachments Tamper
id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
status: test
description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
references:
    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
    - attack.defense-impairment
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\'
    selection_value_hide_zone_info:
        TargetObject|endswith: '\HideZoneInfoOnProperties'
        Details: 'DWORD (0x00000001)' # On
    selection_value_save_zone_info:
        TargetObject|endswith: '\SaveZoneInformation'
        Details: 'DWORD (0x00000002)' # Off
    selection_value_scan_with_av:
        TargetObject|endswith: '\ScanWithAntiVirus'
        Details: 'DWORD (0x00000001)' # Disabled
    condition: selection_main and 1 of selection_value_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Potential AutoLogger Sessions Tampering
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging. The AutoLogger event tracing session records events up that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id f37b4bce-49d0-4087-9f5b-58bffda77316
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\Control\WMI\Autologger\" and 
 ((action_registry_key_name in ("*\EventLog-*", "*\Defender*")) and 
 (action_registry_key_name in ("*\Enabled", "*\Start")) and 
 (action_registry_value_name = "DWORD (0x00000000)" or 
 action_registry_data = "DWORD (0x00000000)"))) and 
 (not 
 (actor_process_image_path = "C:\Windows\system32\wevtutil.exe" or 
 ((actor_process_image_path in ("C:\ProgramData\Microsoft\Windows Defender\Platform\*", "C:\Program Files\Windows Defender\*", "C:\Program Files (x86)\Windows Defender\*")) and 
 actor_process_image_path contains "\MsMpEng.exe" and 
 (action_registry_key_name in ("*\DefenderApiLogger\*", "*\DefenderAuditLogger\*")))))))
view Sigma YAML 
title: Potential AutoLogger Sessions Tampering
id: f37b4bce-49d0-4087-9f5b-58bffda77316
related:
    - id: d7b81144-b866-48a4-9bcc-275dc69d870e
      type: similar
status: test
description: |
    Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
    The AutoLogger event tracing session records events up that occur early in the operating system boot process.
    Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
    Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
    - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\Control\WMI\Autologger\'
    selection_values:
        TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
            - '\EventLog-'
            - '\Defender'
        TargetObject|endswith:
            - '\Enabled'
            - '\Start'
        Details: DWORD (0x00000000)
    filter_main_wevtutil:
        Image: 'C:\Windows\system32\wevtutil.exe'
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
        TargetObject|contains:
            - '\DefenderApiLogger\'
            - '\DefenderAuditLogger\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/info.yml
simulation:
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
Convert to SIEM query
high Moderate High FP
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 2b30fa36-3a18-402f-a22d-bf4ce2189f35
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "powershell.exe mshta.exe http" and 
 action_process_image_command_line contains ".hta") or 
 (action_process_image_command_line in ("*reg query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\"*", "*cmd.exe /c taskkill /im cmd.exe*", "*(New-Object System.Net.WebClient).UploadFile('http*"))))
view Sigma YAML 
title: Potential Baby Shark Malware Activity
id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
status: test
description: Detects activity that could be related to Baby Shark malware
references:
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth (Nextron Systems)
date: 2019-02-24
modified: 2023-03-08
tags:
    - attack.execution
    - attack.discovery
    - attack.stealth
    - attack.t1012
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1218.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - 'powershell.exe mshta.exe http'
              - '.hta'
        - CommandLine|contains:
              - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
              - 'cmd.exe /c taskkill /im cmd.exe'
              - "(New-Object System.Net.WebClient).UploadFile('http"
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Potential Base64 Decoded From Images
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk ATT&CK technique id 09a910bf-f71f-4737-9c40-88880ba5913d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (action_process_image_path contains "/bash" and 
 (action_process_image_command_line contains "tail" and 
 action_process_image_command_line contains "-c") and 
 (action_process_image_command_line contains "base64" and 
 action_process_image_command_line contains "-d" and 
 action_process_image_command_line contains ">") and 
 (action_process_image_command_line in ("*.avif*", "*.gif*", "*.jfif*", "*.jpeg*", "*.jpg*", "*.pjp*", "*.pjpeg*", "*.png*", "*.svg*", "*.webp*"))))
view Sigma YAML 
title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
    Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
    - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
    - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: macos
    category: process_creation
detection:
    # Example:  /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
    # VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
    selection_image:
        Image|endswith: '/bash'
    selection_view:
        CommandLine|contains|all:
            - 'tail'
            - '-c'
    selection_b64:
        CommandLine|contains|all:
            - 'base64'
            - '-d' # Also covers "--decode"
            - '>'
    selection_files:
        CommandLine|contains:
            - '.avif'
            - '.gif'
            - '.jfif'
            - '.jpeg'
            - '.jpg'
            - '.pjp'
            - '.pjpeg'
            - '.png'
            - '.svg'
            - '.webp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 999e8307-a775-4d5f-addc-4855632335be
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "C:\Users\Public\" and 
 action_process_image_command_line contains " -single ") or 
 (action_process_image_command_line in ("*del C:\Windows\System32\Taskmgr.exe*", "*;Set-Service -StartupType Disabled $*", "*powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(*", "* do start wordpad.exe /p *"))))
view Sigma YAML 
title: Potential BlackByte Ransomware Activity
id: 999e8307-a775-4d5f-addc-4855632335be
status: test
description: Detects command line patterns used by BlackByte ransomware in different operations
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-02-08
tags:
    - attack.execution
    - attack.impact
    - attack.stealth
    - attack.t1485
    - attack.t1498
    - attack.t1059.001
    - attack.t1140
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|startswith: 'C:\Users\Public\'
        CommandLine|contains: ' -single '
    selection_2:
        CommandLine|contains:
            - 'del C:\Windows\System32\Taskmgr.exe'
            - ';Set-Service -StartupType Disabled $'
            - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
            - ' do start wordpad.exe /p '
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Potential COLDSTEEL Persistence Service DLL Creation
Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
status test author X__Junior (Nextron Systems) ATT&CK tactic-only id 1fea93a2-1524-4a3c-9828-3aa0c2414e27
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "C:\Users\" and 
 action_file_name contains "\AppData\Roaming\newdev.dll"))
view Sigma YAML 
title: Potential COLDSTEEL Persistence Service DLL Creation
id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
status: test
description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: X__Junior (Nextron Systems)
date: 2023-04-30
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|endswith: '\AppData\Roaming\newdev.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Potential COLDSTEEL Persistence Service DLL Load
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\svchost.exe" and 
 action_module_path contains "\AppData\Roaming\newdev.dll"))
view Sigma YAML 
title: Potential COLDSTEEL Persistence Service DLL Load
id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
status: test
description: |
    Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\svchost.exe'
        ImageLoaded|endswith: '\AppData\Roaming\newdev.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id c708a93f-46b4-4674-a5b8-54aa6219c5fa
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_file_name = "C:\users\public\Documents\dllhost.exe")
view Sigma YAML 
title: Potential COLDSTEEL RAT File Indicators
id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
status: test
description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename: 'C:\users\public\Documents\dllhost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential COLDSTEEL RAT Windows User Creation
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 95214813-4c7a-4a50-921b-ee5c538e1d16
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-" and 
 action_registry_key_name contains "\ProfileImagePath") and 
 ((action_registry_value_name in ("*ANONYMOUS*", "*_DomainUser_*")) or 
 (action_registry_data in ("*ANONYMOUS*", "*_DomainUser_*")))))
view Sigma YAML 
title: Potential COLDSTEEL RAT Windows User Creation
id: 95214813-4c7a-4a50-921b-ee5c538e1d16
status: test
description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
modified: 2023-08-17
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-'
            - '\ProfileImagePath'
        Details|contains:
            - 'ANONYMOUS'
            - '_DomainUser_'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential CSharp Streamer RAT Loading .NET Executable Image
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
status test author Luca Di Bartolomeo ATT&CK sub-technique id 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_module_path ~= "\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp")
view Sigma YAML 
title: Potential CSharp Streamer RAT Loading .NET Executable Image
id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
status: test
description: |
    Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
references:
    - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
    - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
author: Luca Di Bartolomeo
date: 2024-06-22
tags:
    - attack.command-and-control
    - attack.t1219.002
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Potential CVE-2021-26857 Exploitation Attempt
Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
status stable author Bhabesh Raj ATT&CK technique id cd479ccc-d8f0-4c66-ba7d-e06286f3f887
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\UMWorkerProcess.exe" and 
 (not 
 (action_process_image_path in ("*wermgr.exe", "*WerFault.exe")))))
view Sigma YAML 
title: Potential CVE-2021-26857 Exploitation Attempt
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
status: stable
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
references:
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2023-02-07
tags:
    - attack.t1203
    - attack.execution
    - cve.2021-26857
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\UMWorkerProcess.exe'
    filter:
        Image|endswith:
            - 'wermgr.exe'
            - 'WerFault.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Potential CVE-2021-40444 Exploitation Attempt
Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
status test author Florian Roth (Nextron Systems), @neonprimetime ATT&CK technique id 894397c6-da03-425c-a589-3d09e7d1f750
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\control.exe" and 
 (actor_process_image_path in ("*\winword.exe", "*\powerpnt.exe", "*\excel.exe"))) and 
 (not 
 (action_process_image_command_line in ("*\control.exe input.dll", "*\control.exe\" input.dll")))))
view Sigma YAML 
title: Potential CVE-2021-40444 Exploitation Attempt
id: 894397c6-da03-425c-a589-3d09e7d1f750
status: test
description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
    - https://twitter.com/neonprimetime/status/1435584010202255375
    - https://www.joesandbox.com/analysis/476188/1/iochtml
author: Florian Roth (Nextron Systems), @neonprimetime
date: 2021-09-08
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1059
    - cve.2021-40444
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\control.exe'
        ParentImage|endswith:
            - '\winword.exe'
            - '\powerpnt.exe'
            - '\excel.exe'
    filter:
        CommandLine|endswith:
            - '\control.exe input.dll'
            - '\control.exe" input.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
status test author @kostastsale ATT&CK technique id 3eb91f0a-0060-424a-a676-59f5fdd75610
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\ws_TomcatService.exe" and 
 (not 
 (action_process_image_path in ("*\cmd.exe", "*\powershell.exe")))))
view Sigma YAML 
title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
id: 3eb91f0a-0060-424a-a676-59f5fdd75610
status: test
description: |
    Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
references:
    - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
    - https://twitter.com/TheDFIRReport/status/1482078434327244805
    - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
author: '@kostastsale'
date: 2022-01-14
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-44228
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ws_TomcatService.exe'
    filter_main_shells:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id a7cd7306-df8b-4398-b711-6f3e4935cf16
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path = "C:\Windows\System32\svchost.exe" and 
 actor_process_command_line contains "-k RPCSS"))
view Sigma YAML 
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
    - https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
    - https://twitter.com/cyb3rops/status/1514217991034097664
    - https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
modified: 2023-02-03
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - attack.t1569.002
    - cve.2022-26809
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: 'C:\Windows\System32\svchost.exe'
        ParentCommandLine|contains: '-k RPCSS'
    condition: selection
falsepositives:
    - Unknown
    - Some cases in which the service spawned a werfault.exe process
level: high
Convert to SIEM query
high Moderate Medium FP
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 53207cc2-0745-4c19-bc72-80be1cc16b3f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\Windows\System32\mqsvc.exe" and 
 (action_process_image_path in ("*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\pwsh.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\schtasks.exe", "*\wmic.exe", "*\wscript.exe", "*\wsl.exe"))))
view Sigma YAML 
title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
    - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - cve.2023-21554
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\mqsvc.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
status test author Gregory ATT&CK sub-technique id 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\FoxitPDFReader.exe" and 
 action_file_name contains "\Microsoft\Windows\Start Menu\Programs\Startup\" and 
 action_file_name contains ".hta"))
view Sigma YAML 
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: test
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
    - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
    - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
    - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023-10-11
tags:
    - attack.persistence
    - attack.t1505.001
    - cve.2023-27363
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\FoxitPDFReader.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id ad0960eb-0015-4d16-be13-b3d9f18f1342
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "\wermgr.exe" and 
 (not 
 (action_file_name in ("*:\$WINDOWS.~BT\NewOS\*", "*:\$WinREAgent\*", "*:\Windows\servicing\LCU\*", "*:\Windows\System32\*", "*:\Windows\SysWOW64\*", "*:\Windows\WinSxS\*", "*:\WUDownloadCache\*", "*:\Windows\SoftwareDistribution\Download\*")))))
view Sigma YAML 
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
id: ad0960eb-0015-4d16-be13-b3d9f18f1342
status: test
description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
modified: 2025-01-13
tags:
    - attack.execution
    - cve.2023-36874
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\wermgr.exe'
    filter_main_locations:
        TargetFilename|contains:
            - ':\$WINDOWS.~BT\NewOS\'
            - ':\$WinREAgent\' # From "wuauclt.exe"
            - ':\Windows\servicing\LCU\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
            - ':\WUDownloadCache\' # Windows Update Download Cache
            - ':\Windows\SoftwareDistribution\Download\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:). An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource. When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash. HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access. The URI can be delivered via a malicious hyperlink, phishing email, or web page.
status test author Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\SnippingTool.exe" and 
 (action_process_image_command_line in ("*ms-screensketch:edit*&filePath=\\*", "*ms-screensketch:edit*&filePath=%%5C*", "*ms-screensketch:edit*&filePath=%5C*", "*ms-screensketch:edit*&filePath=http*"))))
view Sigma YAML 
title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
status: test
description: |
    Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
    An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
    When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
    HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
    The URI can be delivered via a malicious hyperlink, phishing email, or web page.
references:
    - https://x.com/BlackArrowSec/status/2044374743491424508
    - https://x.com/SBousseaden/status/2044417029721997635
author: Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-28
tags:
    - attack.credential-access
    - attack.t1187
    - detection.emerging-threats
    - cve.2026-33829
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\SnippingTool.exe'
        CommandLine|contains:
            # '\\\\'  = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
            - 'ms-screensketch:edit?&filePath=\\\\'
            - 'ms-screensketch:edit?&filePath=%%5C'
            - 'ms-screensketch:edit?&filePath=%5C'
            - 'ms-screensketch:edit?&filePath=http'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml
Convert to SIEM query
high Strong Medium FP
Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\" and 
 ((action_registry_value_name in ("*http://*", "*https://*")) or 
 (action_registry_data in ("*http://*", "*https://*"))) and 
 (((action_registry_value_name in ("*account*", "*anti-bot*", "*botcheck*", "*captcha*", "*challenge*", "*confirmation*", "*fraud*", "*human*", "*identification*", "*identificator*", "*identity*", "*robot*", "*validation*", "*verification*", "*verify*")) or 
 (action_registry_data in ("*account*", "*anti-bot*", "*botcheck*", "*captcha*", "*challenge*", "*confirmation*", "*fraud*", "*human*", "*identification*", "*identificator*", "*identity*", "*robot*", "*validation*", "*verification*", "*verify*"))) or 
 ((action_registry_value_name in ("*%comspec%*", "*bitsadmin*", "*certutil*", "*cmd*", "*cscript*", "*curl*", "*finger*", "*mshta*", "*powershell*", "*pwsh*", "*regsvr32*", "*rundll32*", "*schtasks*", "*wget*", "*wscript*")) or 
 (action_registry_data in ("*%comspec%*", "*bitsadmin*", "*certutil*", "*cmd*", "*cscript*", "*curl*", "*finger*", "*mshta*", "*powershell*", "*pwsh*", "*regsvr32*", "*rundll32*", "*schtasks*", "*wget*", "*wscript*"))))))
view Sigma YAML 
title: Potential ClickFix Execution Pattern - Registry
id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
related:
    - id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
      type: similar
status: experimental
description: |
    Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
    ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
    Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
    such as one-liners that execute remotely hosted malicious files or scripts.
references:
    - https://github.com/JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
    - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
    - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
    - https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-25
modified: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_registry:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
    selection_details:
        Details|contains:
            - 'http://'
            - 'https://'
    selection_susp_pattern:
        - Details|contains:
              # Add more suspicious keywords
              - 'account'
              - 'anti-bot'
              - 'botcheck'
              - 'captcha'
              - 'challenge'
              - 'confirmation'
              - 'fraud'
              - 'human'
              - 'identification'
              - 'identificator'
              - 'identity'
              - 'robot'
              - 'validation'
              - 'verification'
              - 'verify'
        - Details|contains:
              - '%comspec%'
              - 'bitsadmin'
              - 'certutil'
              - 'cmd'
              - 'cscript'
              - 'curl'
              - 'finger'
              - 'mshta'
              - 'powershell'
              - 'pwsh'
              - 'regsvr32'
              - 'rundll32'
              - 'schtasks'
              - 'wget'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Legitimate applications using RunMRU with HTTP links
level: high
Convert to SIEM query
high Strong Medium FP
Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id f35c5d71-b489-4e22-a115-f003df287317
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "cmd.exe /C whoami" and 
 actor_process_image_path contains "C:\Temp\") or 
 ((actor_process_image_path in ("*\runonce.exe", "*\dllhost.exe")) and 
 (action_process_image_command_line contains "cmd.exe /c echo" and 
 action_process_image_command_line contains "> \\.\pipe")) or 
 ((actor_process_command_line contains "cmd.exe /C echo" and 
 actor_process_command_line contains " > \\.\pipe") and 
 action_process_image_command_line contains "conhost.exe 0xffffffff -ForceV1") or 
 (actor_process_command_line contains "/C whoami" and 
 action_process_image_command_line contains "conhost.exe 0xffffffff -ForceV1")))
view Sigma YAML 
title: Potential CobaltStrike Process Patterns
id: f35c5d71-b489-4e22-a115-f003df287317
status: test
description: Detects potential process patterns related to Cobalt Strike beacon activity
references:
    - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-27
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_generic_1:
        CommandLine|endswith: 'cmd.exe /C whoami'
        ParentImage|startswith: 'C:\Temp\'
    selection_generic_2:
        ParentImage|endswith:
            - '\runonce.exe'
            - '\dllhost.exe'
        CommandLine|contains|all:
            - 'cmd.exe /c echo'
            - '> \\\\.\\pipe'
    selection_conhost_1:
        ParentCommandLine|contains|all:
            - 'cmd.exe /C echo'
            - ' > \\\\.\\pipe'
        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
    selection_conhost_2:
        ParentCommandLine|endswith: '/C whoami'
        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
status test author Wojciech Lesicki ATT&CK sub-technique id 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\System\CurrentControlSet\Services" or 
 (action_registry_key_name contains "\System\ControlSet" and 
 action_registry_key_name contains "\Services")) and 
 (((action_registry_value_name contains "ADMIN$" and 
 action_registry_value_name contains ".exe") or 
 (action_registry_data contains "ADMIN$" and 
 action_registry_data contains ".exe")) or 
 ((action_registry_value_name contains "%COMSPEC%" and 
 action_registry_value_name contains "start" and 
 action_registry_value_name contains "powershell") or 
 (action_registry_data contains "%COMSPEC%" and 
 action_registry_data contains "start" and 
 action_registry_data contains "powershell")))))
view Sigma YAML 
title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
    - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        - TargetObject|contains: '\System\CurrentControlSet\Services'
        - TargetObject|contains|all:
              - '\System\ControlSet'
              - '\Services'
    selection_details:
        - Details|contains|all:
              - 'ADMIN$'
              - '.exe'
        - Details|contains|all:
              - '%COMSPEC%'
              - 'start'
              - 'powershell'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 51eecf75-d069-43c7-9ea2-63f75499edd4
cortex_xdr query
config case_sensitive = false | preset=network_story | filter event_type = ENUM.NETWORK and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\3CXDesktopApp.exe" and 
 (action_external_hostname in ("*akamaicontainer.com*", "*akamaitechcloudservices.com*", "*azuredeploystore.com*", "*azureonlinecloud.com*", "*azureonlinestorage.com*", "*dunamistrd.com*", "*glcloudservice.com*", "*journalide.org*", "*msedgepackageinfo.com*", "*msstorageazure.com*", "*msstorageboxes.com*", "*officeaddons.com*", "*officestoragebox.com*", "*pbxcloudeservices.com*", "*pbxphonenetwork.com*", "*pbxsources.com*", "*qwepoi123098.com*", "*sbmsa.wiki*", "*sourceslabs.com*", "*visualstudiofactory.com*", "*zacharryblogs.com*"))))
view Sigma YAML 
title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
id: 51eecf75-d069-43c7-9ea2-63f75499edd4
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-03-31
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\3CXDesktopApp.exe'
        DestinationHostname|contains:
            - 'akamaicontainer.com'
            - 'akamaitechcloudservices.com'
            - 'azuredeploystore.com'
            - 'azureonlinecloud.com'
            - 'azureonlinestorage.com'
            - 'dunamistrd.com'
            - 'glcloudservice.com'
            - 'journalide.org'
            - 'msedgepackageinfo.com'
            - 'msstorageazure.com'
            - 'msstorageboxes.com'
            - 'officeaddons.com'
            - 'officestoragebox.com'
            - 'pbxcloudeservices.com'
            - 'pbxphonenetwork.com'
            - 'pbxsources.com'
            - 'qwepoi123098.com'
            - 'sbmsa.wiki'
            - 'sourceslabs.com'
            - 'visualstudiofactory.com'
            - 'zacharryblogs.com'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Potential Compromised 3CXDesktopApp Update Activity
Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id e7581747-1e44-4d4b-85a6-0db0b4a00f2a
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\3CXDesktopApp\app\update.exe" and 
 (action_process_image_command_line contains "--update" and 
 action_process_image_command_line contains "http" and 
 action_process_image_command_line contains "/electron/update/win32/18.12")))
view Sigma YAML 
title: Potential Compromised 3CXDesktopApp Update Activity
id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
      type: similar
    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
references:
    - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
    - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\3CXDesktopApp\app\update.exe'
        CommandLine|contains|all:
            - '--update'
            - 'http'
            - '/electron/update/win32/18.12'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Potential Conti Ransomware Database Dumping Activity Via SQLCmd
Detects a command used by conti to dump database
status test author frack113 ATT&CK technique id 2f47f1fd-0901-466e-a770-3b7092834a1b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\sqlcmd.exe" or 
 (action_process_image_command_line in ("*sqlcmd *", "*sqlcmd.exe*"))) and 
 action_process_image_command_line contains " -S localhost " and 
 (action_process_image_command_line in ("*sys.sysprocesses*", "*master.dbo.sysdatabases*", "*BACKUP DATABASE*"))))
view Sigma YAML 
title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
status: test
description: Detects a command used by conti to dump database
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
author: frack113
date: 2021-08-16
modified: 2023-05-04
tags:
    - attack.collection
    - attack.t1005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        - Image|endswith: '\sqlcmd.exe'
        - CommandLine|contains:
              - 'sqlcmd '
              - 'sqlcmd.exe'
    selection_svr:
        CommandLine|contains: ' -S localhost '
    selection_query:
        CommandLine|contains:
            - 'sys.sysprocesses'
            - 'master.dbo.sysdatabases'
            - 'BACKUP DATABASE'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential Credential Dumping Attempt Using New NetworkProvider - CLI
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "\System\CurrentControlSet\Services\" and 
 action_process_image_command_line contains "\NetworkProvider"))
view Sigma YAML 
title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
    - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-02-02
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Services\'
            - '\NetworkProvider'
    # filter:
    #     CommandLine|contains:
    #         - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
    condition: selection
falsepositives:
    - Other legitimate network providers used and not filtred in this rule
level: high
Convert to SIEM query
high Strong Medium FP
Potential Crypto Mining Activity
Detects command line parameters or strings often used by crypto miners
status stable author Florian Roth (Nextron Systems) ATT&CK technique id 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("* --cpu-priority=*", "*--donate-level=0*", "* -o pool.*", "* --nicehash*", "* --algo=rx/0 *", "*stratum+tcp://*", "*stratum+udp://*", "*LS1kb25hdGUtbGV2ZWw9*", "*0tZG9uYXRlLWxldmVsP*", "*tLWRvbmF0ZS1sZXZlbD*", "*c3RyYXR1bSt0Y3A6Ly*", "*N0cmF0dW0rdGNwOi8v*", "*zdHJhdHVtK3RjcDovL*", "*c3RyYXR1bSt1ZHA6Ly*", "*N0cmF0dW0rdWRwOi8v*", "*zdHJhdHVtK3VkcDovL*")) and 
 (not 
 (action_process_image_command_line in ("* pool.c *", "* pool.o *", "*gcc -*")))))
view Sigma YAML 
title: Potential Crypto Mining Activity
id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
status: stable
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2023-02-13
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    filter:
        CommandLine|contains:
            - ' pool.c '
            - ' pool.o '
            - 'gcc -'
    condition: selection and not filter
falsepositives:
    - Legitimate use of crypto miners
    - Some build frameworks
level: high
Convert to SIEM query
high Moderate Medium FP
Potential DLL Sideloading Via VMware Xfer
Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 9313dc13-d04c-46d8-af4a-a930cc55d93b
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\VMwareXferlogs.exe" and 
 action_module_path contains "\glib-2.0.dll") and 
 (not 
 action_module_path contains "C:\Program Files\VMware\")))
view Sigma YAML 
title: Potential DLL Sideloading Via VMware Xfer
id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
status: test
description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
references:
    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2023-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
        ImageLoaded|endswith: '\glib-2.0.dll'
    filter: # VMware might be installed in another path so update the rule accordingly
        ImageLoaded|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
status test author Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) ATT&CK sub-technique id 6360757a-d460-456c-8b13-74cf0e60cceb
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_module_path in ("C:\Windows\System32\logonUI.exe.local\*", "C:\Windows\System32\werFault.exe.local\*", "C:\Windows\System32\consent.exe.local\*", "C:\Windows\System32\narrator.exe.local\*", "C:\windows\system32\wermgr.exe.local\*")) and 
 action_module_path contains "\comctl32.dll"))
view Sigma YAML 
title: Potential DLL Sideloading Via comctl32.dll
id: 6360757a-d460-456c-8b13-74cf0e60cceb
status: test
description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
references:
    - https://github.com/binderlabs/DirCreate2System
    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\logonUI.exe.local\'
            - 'C:\Windows\System32\werFault.exe.local\'
            - 'C:\Windows\System32\consent.exe.local\'
            - 'C:\Windows\System32\narrator.exe.local\'
            - 'C:\windows\system32\wermgr.exe.local\'
        ImageLoaded|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((((action_process_image_path in ("*\powershell_ise.exe", "*\powershell.exe", "*\pwsh.exe", "*\cmd.exe")) and 
 (action_process_image_command_line in ("*curl *", "*Invoke-RestMethod*", "*Invoke-WebRequest*", "*irm *", "*iwr *", "*wget *")) and 
 (action_process_image_command_line contains " -ur" and 
 action_process_image_command_line contains " -me" and 
 action_process_image_command_line contains " -b" and 
 action_process_image_command_line contains " POST ")) or 
 ((action_process_image_path contains "\curl.exe" and 
 action_process_image_command_line contains "--ur") and 
 (action_process_image_command_line in ("* -d *", "* --data *"))) or 
 (action_process_image_path contains "\wget.exe" and 
 (action_process_image_command_line in ("*--post-data*", "*--post-file*")))) and 
 ((action_process_image_command_line ~= "net\s+view" or 
 action_process_image_command_line ~= "sc\s+query") or 
 (action_process_image_command_line in ("*Get-Content*", "*GetBytes*", "*hostname*", "*ifconfig*", "*ipconfig*", "*netstat*", "*nltest*", "*qprocess*", "*systeminfo*", "*tasklist*", "*ToBase64String*", "*whoami*")) or 
 (action_process_image_command_line contains "type " and 
 action_process_image_command_line contains " > " and 
 action_process_image_command_line contains " C:\"))))
view Sigma YAML 
title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-10-19
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_iwr:
        Image|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
            - 'wget '
        CommandLine|contains|all:
            - ' -ur' # Shortest possible version of the -uri flag
            - ' -me' # Shortest possible version of the -method flag
            - ' -b'
            - ' POST '
    selection_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: '--ur' # Shortest possible version of the --uri flag
    selection_curl_data:
        CommandLine|contains:
            - ' -d ' # Shortest possible version of the --data flag
            - ' --data '
    selection_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains:
            - '--post-data'
            - '--post-file'
    payloads:
        - CommandLine|re:
              - 'net\s+view'
              - 'sc\s+query'
        - CommandLine|contains:
              - 'Get-Content'
              - 'GetBytes'
              - 'hostname'
              - 'ifconfig'
              - 'ipconfig'
              - 'netstat'
              - 'nltest'
              - 'qprocess'
              - 'systeminfo'
              - 'tasklist'
              - 'ToBase64String'
              - 'whoami'
        - CommandLine|contains|all:
              - 'type '
              - ' > '
              - ' C:\'
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "--remote-debugging-" and 
 action_process_image_command_line contains "--user-data-dir" and 
 action_process_image_command_line contains "--headless"))
view Sigma YAML 
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
      type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1185
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
            - '--user-data-dir'
            - '--headless'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
status test author @Kostastsale, TheDFIRReport ATT&CK tactic-only id 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*😀*", "*😃*", "*😄*", "*😁*", "*😆*", "*😅*", "*😂*", "*🤣*", "*🥲*", "*🥹*", "*☺️*", "*😊*", "*😇*", "*🙂*", "*🙃*", "*😉*", "*😌*", "*😍*", "*🥰*", "*😘*", "*😗*", "*😙*", "*😚*", "*😋*", "*😛*", "*😝*", "*😜*", "*🤪*", "*🤨*", "*🧐*", "*🤓*", "*😎*", "*🥸*", "*🤩*", "*🥳*", "*😏*", "*😒*", "*😞*", "*😔*", "*😟*", "*😕*", "*🙁*", "*☹️*", "*😣*", "*😖*", "*😫*", "*😩*", "*🥺*", "*😢*", "*😭*", "*😮‍💨*", "*😤*", "*😠*", "*😡*", "*🤬*", "*🤯*", "*😳*", "*🥵*", "*🥶*", "*😱*", "*😨*", "*😰*", "*😥*", "*😓*", "*🫣*", "*🤗*", "*🫡*", "*🤔*", "*🫢*", "*🤭*", "*🤫*", "*🤥*", "*😶*", "*😶‍🌫️*", "*😐*", "*😑*", "*😬*", "*🫠*", "*🙄*", "*😯*", "*😦*", "*😧*", "*😮*", "*😲*", "*🥱*", "*😴*", "*🤤*", "*😪*", "*😵*", "*😵‍💫*", "*🫥*", "*🤐*", "*🥴*", "*🤢*", "*🤮*", "*🤧*", "*😷*", "*🤒*", "*🤕*", "*🤑*", "*🤠*", "*😈*", "*👿*", "*👹*", "*👺*", "*🤡*", "*💩*", "*👻*", "*💀*", "*☠️*", "*👽*", "*👾*", "*🤖*", "*🎃*", "*😺*", "*😸*", "*😹*", "*😻*", "*😼*", "*😽*", "*🙀*", "*😿*", "*😾*", "*👋*", "*🤚*", "*🖐*", "*✋*", "*🖖*", "*👌*", "*🤌*", "*🤏*", "*✌️*", "*🤞*", "*🫰*", "*🤟*", "*🤘*", "*🤙*", "*🫵*", "*🫱*", "*🫲*", "*🫳*", "*🫴*", "*👈*", "*👉*", "*👆*", "*🖕*", "*👇*", "*☝️*", "*👍*", "*👎*", "*✊*", "*👊*", "*🤛*", "*🤜*", "*👏*", "*🫶*", "*🙌*", "*👐*", "*🤲*", "*🤝*", "*🙏*", "*✍️*", "*💪*", "*🦾*", "*🦵*", "*🦿*", "*🦶*", "*👣*", "*👂*", "*🦻*", "*👃*", "*🫀*", "*🫁*", "*🧠*", "*🦷*", "*🦴*", "*👀*", "*👁*", "*👅*", "*👄*", "*🫦*", "*💋*", "*🩸*", "*👶*", "*👧*", "*🧒*", "*👦*", "*👩*", "*🧑*", "*👨*", "*👩‍🦱*", "*🧑‍🦱*", "*👨‍🦱*", "*👩‍🦰*", "*🧑‍🦰*", "*👨‍🦰*", "*👱‍♀️*", "*👱*", "*👱‍♂️*", "*👩‍🦳*", "*🧑‍🦳*", "*👨‍🦳*", "*👩‍🦲*", "*🧑‍🦲*", "*👨‍🦲*", "*🧔‍♀️*", "*🧔*", "*🧔‍♂️*", "*👵*", "*🧓*", "*👴*", "*👲*", "*👳‍♀️*", "*👳*", "*👳‍♂️*", "*🧕*", "*👮‍♀️*", "*👮*", "*👮‍♂️*", "*👷‍♀️*", "*👷*", "*👷‍♂️*", "*💂‍♀️*", "*💂*", "*💂‍♂️*", "*🕵️‍♀️*", "*🕵️*", "*🕵️‍♂️*", "*👩‍⚕️*", "*🧑‍⚕️*", "*👨‍⚕️*", "*👩‍🌾*", "*🧑‍🌾*", "*👨‍🌾*", "*👩‍🍳*", "*🧑‍🍳*", "*👨‍🍳*", "*👩‍🎓*", "*🧑‍🎓*", "*👨‍🎓*", "*👩‍🎤*", "*🧑‍🎤*", "*👨‍🎤*", "*👩‍🏫*", "*🧑‍🏫*", "*👨‍🏫*", "*👩‍🏭*", "*🧑‍🏭*", "*👨‍🏭*", "*👩‍💻*", "*🧑‍💻*", "*👨‍💻*", "*👩‍💼*", "*🧑‍💼*", "*👨‍💼*", "*👩‍🔧*", "*🧑‍🔧*", "*👨‍🔧*", "*👩‍🔬*", "*🧑‍🔬*", "*👨‍🔬*", "*👩‍🎨*", "*🧑‍🎨*", "*👨‍🎨*", "*👩‍🚒*", "*🧑‍🚒*", "*👨‍🚒*", "*👩‍✈️*", "*🧑‍✈️*", "*👨‍✈️*", "*👩‍🚀*", "*🧑‍🚀*", "*👨‍🚀*", "*👩‍⚖️*", "*🧑‍⚖️*", "*👨‍⚖️*", "*👰‍♀️*", "*👰*", "*👰‍♂️*", "*🤵‍♀️*", "*🤵*", "*🤵‍♂️*", "*👸*", "*🫅*", "*🤴*", "*🥷*", "*🦸‍♀️*", "*🦸*", "*🦸‍♂️*", "*🦹‍♀️*", "*🦹*", "*🦹‍♂️*", "*🤶*", "*🧑‍🎄*", "*🎅*", "*🧙‍♀️*", "*🧙*", "*🧙‍♂️*", "*🧝‍♀️*", "*🧝*", "*🧝‍♂️*", "*🧛‍♀️*", "*🧛*", "*🧛‍♂️*", "*🧟‍♀️*", "*🧟*", "*🧟‍♂️*", "*🧞‍♀️*", "*🧞*", "*🧞‍♂️*", "*🧜‍♀️*", "*🧜*", "*🧜‍♂️*", "*🧚‍♀️*", "*🧚*", "*🧚‍♂️*", "*🧌*", "*👼*", "*🤰*", "*🫄*", "*🫃*", "*🤱*", "*👩‍🍼*", "*🧑‍🍼*", "*👨‍🍼*", "*🙇‍♀️*", "*🙇*", "*🙇‍♂️*", "*💁‍♀️*", "*💁*", "*💁‍♂️*", "*🙅‍♀️*", "*🙅*", "*🙅‍♂️*", "*🙆‍♀️*", "*🙆*", "*🙆‍♂️*", "*🙋‍♀️*", "*🙋*", "*🙋‍♂️*", "*🧏‍♀️*", "*🧏*", "*🧏‍♂️*", "*🤦‍♀️*", "*🤦*", "*🤦‍♂️*", "*🤷‍♀️*", "*🤷*", "*🤷‍♂️*", "*🙎‍♀️*", "*🙎*", "*🙎‍♂️*", "*🙍‍♀️*", "*🙍*", "*🙍‍♂️*", "*💇‍♀️*", "*💇*", "*💇‍♂️*", "*💆‍♀️*", "*💆*", "*💆‍♂️*", "*🧖‍♀️*", "*🧖*", "*🧖‍♂️*", "*💅*", "*💃*", "*🕺*", "*👯‍♀️*", "*👯*", "*👯‍♂️*", "*🕴*", "*👩‍🦽*", "*🧑‍🦽*", "*👨‍🦽*", "*👩‍🦼*", "*🧑‍🦼*", "*👨‍🦼*", "*🚶‍♀️*", "*🚶*", "*🚶‍♂️*", "*👩‍🦯*", "*🧑‍🦯*", "*👨‍🦯*", "*🧎‍♀️*", "*🧎*", "*🧎‍♂️*", "*🏃‍♀️*", "*🏃*", "*🏃‍♂️*", "*🧍‍♀️*", "*🧍*", "*🧍‍♂️*", "*👭*", "*🧑‍🤝‍🧑*", "*👬*", "*👫*", "*👩‍❤️‍👩*", "*💑*", "*👨‍❤️‍👨*", "*👩‍❤️‍👨*", "*👩‍❤️‍💋‍👩*", "*💏*", "*👨‍❤️‍💋‍👨*", "*👩‍❤️‍💋‍👨*", "*👪*", "*👨‍👩‍👦*", "*👨‍👩‍👧*", "*👨‍👩‍👧‍👦*", "*👨‍👩‍👦‍👦*", "*👨‍👩‍👧‍👧*", "*👨‍👨‍👦*", "*👨‍👨‍👧*", "*👨‍👨‍👧‍👦*", "*👨‍👨‍👦‍👦*", "*👨‍👨‍👧‍👧*", "*👩‍👩‍👦*", "*👩‍👩‍👧*", "*👩‍👩‍👧‍👦*", "*👩‍👩‍👦‍👦*", "*👩‍👩‍👧‍👧*", "*👨‍👦*", "*👨‍👦‍👦*", "*👨‍👧*", "*👨‍👧‍👦*", "*👨‍👧‍👧*", "*👩‍👦*", "*👩‍👦‍👦*", "*👩‍👧*", "*👩‍👧‍👦*", "*👩‍👧‍👧*", "*🗣*", "*👤*", "*👥*", "*🫂*", "*🧳*", "*🌂*", "*☂️*", "*🧵*", "*🪡*", "*🪢*", "*🧶*", "*👓*", "*🕶*", "*🥽*", "*🥼*", "*🦺*", "*👔*", "*👕*", "*👖*", "*🧣*", "*🧤*", "*🧥*", "*🧦*", "*👗*", "*👘*", "*🥻*", "*🩴*", "*🩱*", "*🩲*", "*🩳*", "*👙*", "*👚*", "*👛*", "*👜*", "*👝*", "*🎒*", "*👞*", "*👟*", "*🥾*", "*🥿*", "*👠*", "*👡*", "*🩰*", "*👢*", "*👑*", "*👒*", "*🎩*", "*🎓*", "*🧢*", "*⛑*", "*🪖*", "*💄*", "*💍*", "*💼*", "*👋🏻*", "*🤚🏻*", "*🖐🏻*", "*✋🏻*", "*🖖🏻*", "*👌🏻*", "*🤌🏻*", "*🤏🏻*", "*✌🏻*", "*🤞🏻*", "*🫰🏻*", "*🤟🏻*", "*🤘🏻*", "*🤙🏻*", "*🫵🏻*", "*🫱🏻*", "*🫲🏻*", "*🫳🏻*", "*🫴🏻*", "*👈🏻*", "*👉🏻*", "*👆🏻*", "*🖕🏻*", "*👇🏻*", "*☝🏻*", "*👍🏻*", "*👎🏻*", "*✊🏻*", "*👊🏻*", "*🤛🏻*", "*🤜🏻*", "*👏🏻*", "*🫶🏻*", "*🙌🏻*", "*👐🏻*", "*🤲🏻*", "*🙏🏻*", "*✍🏻*", "*💪🏻*", "*🦵🏻*", "*🦶🏻*", "*👂🏻*", "*🦻🏻*", "*👃🏻*", "*👶🏻*", "*👧🏻*", "*🧒🏻*", "*👦🏻*", "*👩🏻*", "*🧑🏻*", "*👨🏻*", "*👩🏻‍🦱*", "*🧑🏻‍🦱*", "*👨🏻‍🦱*", "*👩🏻‍🦰*", "*🧑🏻‍🦰*", "*👨🏻‍🦰*", "*👱🏻‍♀️*", "*👱🏻*", "*👱🏻‍♂️*", "*👩🏻‍🦳*", "*🧑🏻‍🦳*", "*👨🏻‍🦳*", "*👩🏻‍🦲*", "*🧑🏻‍🦲*", "*👨🏻‍🦲*", "*🧔🏻‍♀️*", "*🧔🏻*", "*🧔🏻‍♂️*", "*👵🏻*", "*🧓🏻*", "*👴🏻*", "*👲🏻*", "*👳🏻‍♀️*", "*👳🏻*", "*👳🏻‍♂️*", "*🧕🏻*", "*👮🏻‍♀️*", "*👮🏻*", "*👮🏻‍♂️*", "*👷🏻‍♀️*", "*👷🏻*", "*👷🏻‍♂️*", "*💂🏻‍♀️*", "*💂🏻*", "*💂🏻‍♂️*", "*🕵🏻‍♀️*", "*🕵🏻*", "*🕵🏻‍♂️*", "*👩🏻‍⚕️*", "*🧑🏻‍⚕️*", "*👨🏻‍⚕️*", "*👩🏻‍🌾*", "*🧑🏻‍🌾*", "*👨🏻‍🌾*", "*👩🏻‍🍳*", "*🧑🏻‍🍳*", "*👨🏻‍🍳*", "*👩🏻‍🎓*", "*🧑🏻‍🎓*", "*👨🏻‍🎓*", "*👩🏻‍🎤*", "*🧑🏻‍🎤*", "*👨🏻‍🎤*", "*👩🏻‍🏫*", "*🧑🏻‍🏫*", "*👨🏻‍🏫*", "*👩🏻‍🏭*", "*🧑🏻‍🏭*", "*👨🏻‍🏭*", "*👩🏻‍💻*", "*🧑🏻‍💻*", "*👨🏻‍💻*", "*👩🏻‍💼*", "*🧑🏻‍💼*", "*👨🏻‍💼*", "*👩🏻‍🔧*", "*🧑🏻‍🔧*", "*👨🏻‍🔧*", "*👩🏻‍🔬*", "*🧑🏻‍🔬*", "*👨🏻‍🔬*", "*👩🏻‍🎨*", "*🧑🏻‍🎨*", "*👨🏻‍🎨*", "*👩🏻‍🚒*", "*🧑🏻‍🚒*", "*👨🏻‍🚒*", "*👩🏻‍✈️*", "*🧑🏻‍✈️*", "*👨🏻‍✈️*", "*👩🏻‍🚀*", "*🧑🏻‍🚀*", "*👨🏻‍🚀*", "*👩🏻‍⚖️*", "*🧑🏻‍⚖️*", "*👨🏻‍⚖️*", "*👰🏻‍♀️*", "*👰🏻*", "*👰🏻‍♂️*", "*🤵🏻‍♀️*", "*🤵🏻*", "*🤵🏻‍♂️*", "*👸🏻*", "*🫅🏻*", "*🤴🏻*", "*🥷🏻*", "*🦸🏻‍♀️*", "*🦸🏻*", "*🦸🏻‍♂️*", "*🦹🏻‍♀️*", "*🦹🏻*", "*🦹🏻‍♂️*", "*🤶🏻*", "*🧑🏻‍🎄*", "*🎅🏻*", "*🧙🏻‍♀️*", "*🧙🏻*", "*🧙🏻‍♂️*", "*🧝🏻‍♀️*", "*🧝🏻*", "*🧝🏻‍♂️*", "*🧛🏻‍♀️*", "*🧛🏻*", "*🧛🏻‍♂️*", "*🧜🏻‍♀️*", "*🧜🏻*", "*🧜🏻‍♂️*", "*🧚🏻‍♀️*", "*🧚🏻*", "*🧚🏻‍♂️*", "*👼🏻*", "*🤰🏻*", "*🫄🏻*", "*🫃🏻*", "*🤱🏻*", "*👩🏻‍🍼*", "*🧑🏻‍🍼*", "*👨🏻‍🍼*", "*🙇🏻‍♀️*", "*🙇🏻*", "*🙇🏻‍♂️*", "*💁🏻‍♀️*", "*💁🏻*", "*💁🏻‍♂️*", "*🙅🏻‍♀️*", "*🙅🏻*", "*🙅🏻‍♂️*", "*🙆🏻‍♀️*", "*🙆🏻*", "*🙆🏻‍♂️*", "*🙋🏻‍♀️*", "*🙋🏻*", "*🙋🏻‍♂️*", "*🧏🏻‍♀️*", "*🧏🏻*", "*🧏🏻‍♂️*", "*🤦🏻‍♀️*", "*🤦🏻*", "*🤦🏻‍♂️*", "*🤷🏻‍♀️*", "*🤷🏻*", "*🤷🏻‍♂️*", "*🙎🏻‍♀️*", "*🙎🏻*", "*🙎🏻‍♂️*", "*🙍🏻‍♀️*", "*🙍🏻*", "*🙍🏻‍♂️*", "*💇🏻‍♀️*", "*💇🏻*", "*💇🏻‍♂️*", "*💆🏻‍♀️*", "*💆🏻*", "*💆🏻‍♂️*", "*🧖🏻‍♀️*", "*🧖🏻*", "*🧖🏻‍♂️*", "*💃🏻*", "*🕺🏻*", "*🕴🏻*", "*👩🏻‍🦽*", "*🧑🏻‍🦽*", "*👨🏻‍🦽*", "*👩🏻‍🦼*", "*🧑🏻‍🦼*", "*👨🏻‍🦼*", "*🚶🏻‍♀️*", "*🚶🏻*", "*🚶🏻‍♂️*", "*👩🏻‍🦯*", "*🧑🏻‍🦯*", "*👨🏻‍🦯*", "*🧎🏻‍♀️*", "*🧎🏻*", "*🧎🏻‍♂️*", "*🏃🏻‍♀️*", "*🏃🏻*", "*🏃🏻‍♂️*", "*🧍🏻‍♀️*", "*🧍🏻*", "*🧍🏻‍♂️*", "*👭🏻*", "*🧑🏻‍🤝‍🧑🏻*", "*👬🏻*", "*👫🏻*", "*🧗🏻‍♀️*", "*🧗🏻*", "*🧗🏻‍♂️*", "*🏇🏻*", "*🏂🏻*", "*🏌🏻‍♀️*", "*🏌🏻*", "*🏌🏻‍♂️*", "*🏄🏻‍♀️*", "*🏄🏻*", "*🏄🏻‍♂️*", "*🚣🏻‍♀️*", "*🚣🏻*", "*🚣🏻‍♂️*", "*🏊🏻‍♀️*", "*🏊🏻*", "*🏊🏻‍♂️*", "*⛹🏻‍♀️*", "*⛹🏻*", "*⛹🏻‍♂️*", "*🏋🏻‍♀️*", "*🏋🏻*", "*🏋🏻‍♂️*", "*🚴🏻‍♀️*", "*🚴🏻*", "*🚴🏻‍♂️*", "*🚵🏻‍♀️*", "*🚵🏻*", "*🚵🏻‍♂️*", "*🤸🏻‍♀️*", "*🤸🏻*", "*🤸🏻‍♂️*", "*🤽🏻‍♀️*", "*🤽🏻*", "*🤽🏻‍♂️*", "*🤾🏻‍♀️*", "*🤾🏻*", "*🤾🏻‍♂️*", "*🤹🏻‍♀️*", "*🤹🏻*", "*🤹🏻‍♂️*", "*🧘🏻‍♀️*", "*🧘🏻*", "*🧘🏻‍♂️*", "*🛀🏻*", "*🛌🏻*", "*👋🏼*", "*🤚🏼*", "*🖐🏼*", "*✋🏼*", "*🖖🏼*", "*👌🏼*", "*🤌🏼*", "*🤏🏼*", "*✌🏼*", "*🤞🏼*", "*🫰🏼*", "*🤟🏼*", "*🤘🏼*", "*🤙🏼*", "*🫵🏼*", "*🫱🏼*", "*🫲🏼*", "*🫳🏼*", "*🫴🏼*", "*👈🏼*", "*👉🏼*", "*👆🏼*", "*🖕🏼*", "*👇🏼*", "*☝🏼*", "*👍🏼*", "*👎🏼*", "*✊🏼*", "*👊🏼*", "*🤛🏼*", "*🤜🏼*", "*👏🏼*", "*🫶🏼*", "*🙌🏼*", "*👐🏼*", "*🤲🏼*", "*🙏🏼*", "*✍🏼*", "*💪🏼*", "*🦵🏼*", "*🦶🏼*", "*👂🏼*", "*🦻🏼*", "*👃🏼*", "*👶🏼*", "*👧🏼*", "*🧒🏼*", "*👦🏼*", "*👩🏼*", "*🧑🏼*", "*👨🏼*", "*👩🏼‍🦱*", "*🧑🏼‍🦱*", "*👨🏼‍🦱*", "*👩🏼‍🦰*", "*🧑🏼‍🦰*", "*👨🏼‍🦰*", "*👱🏼‍♀️*", "*👱🏼*", "*👱🏼‍♂️*", "*👩🏼‍🦳*", "*🧑🏼‍🦳*", "*👨🏼‍🦳*", "*👩🏼‍🦲*", "*🧑🏼‍🦲*", "*👨🏼‍🦲*", "*🧔🏼‍♀️*", "*🧔🏼*", "*🧔🏼‍♂️*", "*👵🏼*", "*🧓🏼*", "*👴🏼*", "*👲🏼*", "*👳🏼‍♀️*", "*👳🏼*", "*👳🏼‍♂️*", "*🧕🏼*", "*👮🏼‍♀️*", "*👮🏼*", "*👮🏼‍♂️*", "*👷🏼‍♀️*", "*👷🏼*", "*👷🏼‍♂️*", "*💂🏼‍♀️*", "*💂🏼*", "*💂🏼‍♂️*", "*🕵🏼‍♀️*", "*🕵🏼*", "*🕵🏼‍♂️*", "*👩🏼‍⚕️*", "*🧑🏼‍⚕️*", "*👨🏼‍⚕️*", "*👩🏼‍🌾*", "*🧑🏼‍🌾*", "*👨🏼‍🌾*", "*👩🏼‍🍳*", "*🧑🏼‍🍳*", "*👨🏼‍🍳*", "*👩🏼‍🎓*", "*🧑🏼‍🎓*", "*👨🏼‍🎓*", "*👩🏼‍🎤*", "*🧑🏼‍🎤*", "*👨🏼‍🎤*", "*👩🏼‍🏫*", "*🧑🏼‍🏫*", "*👨🏼‍🏫*", "*👩🏼‍🏭*", "*🧑🏼‍🏭*", "*👨🏼‍🏭*", "*👩🏼‍💻*", "*🧑🏼‍💻*", "*👨🏼‍💻*", "*👩🏼‍💼*", "*🧑🏼‍💼*", "*👨🏼‍💼*", "*👩🏼‍🔧*", "*🧑🏼‍🔧*", "*👨🏼‍🔧*", "*👩🏼‍🔬*", "*🧑🏼‍🔬*", "*👨🏼‍🔬*", "*👩🏼‍🎨*", "*🧑🏼‍🎨*", "*👨🏼‍🎨*", "*👩🏼‍🚒*", "*🧑🏼‍🚒*", "*👨🏼‍🚒*", "*👩🏼‍✈️*", "*🧑🏼‍✈️*", "*👨🏼‍✈️*", "*👩🏼‍🚀*", "*🧑🏼‍🚀*", "*👨🏼‍🚀*", "*👩🏼‍⚖️*", "*🧑🏼‍⚖️*", "*👨🏼‍⚖️*", "*👰🏼‍♀️*", "*👰🏼*", "*👰🏼‍♂️*", "*🤵🏼‍♀️*", "*🤵🏼*", "*🤵🏼‍♂️*", "*👸🏼*", "*🫅🏼*", "*🤴🏼*", "*🥷🏼*", "*🦸🏼‍♀️*", "*🦸🏼*", "*🦸🏼‍♂️*", "*🦹🏼‍♀️*", "*🦹🏼*", "*🦹🏼‍♂️*", "*🤶🏼*", "*🧑🏼‍🎄*", "*🎅🏼*", "*🧙🏼‍♀️*", "*🧙🏼*", "*🧙🏼‍♂️*", "*🧝🏼‍♀️*", "*🧝🏼*", "*🧝🏼‍♂️*", "*🧛🏼‍♀️*", "*🧛🏼*", "*🧛🏼‍♂️*", "*🧜🏼‍♀️*", "*🧜🏼*", "*🧜🏼‍♂️*", "*🧚🏼‍♀️*", "*🧚🏼*", "*🧚🏼‍♂️*", "*👼🏼*", "*🤰🏼*", "*🫄🏼*", "*🫃🏼*", "*🤱🏼*", "*👩🏼‍🍼*", "*🧑🏼‍🍼*", "*👨🏼‍🍼*", "*🙇🏼‍♀️*", "*🙇🏼*", "*🙇🏼‍♂️*", "*💁🏼‍♀️*", "*💁🏼*", "*💁🏼‍♂️*", "*🙅🏼‍♀️*", "*🙅🏼*", "*🙅🏼‍♂️*", "*🙆🏼‍♀️*", "*🙆🏼*", "*🙆🏼‍♂️*", "*🙋🏼‍♀️*", "*🙋🏼*", "*🙋🏼‍♂️*", "*🧏🏼‍♀️*", "*🧏🏼*", "*🧏🏼‍♂️*", "*🤦🏼‍♀️*", "*🤦🏼*", "*🤦🏼‍♂️*", "*🤷🏼‍♀️*")))
view Sigma YAML 
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
id: 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '😀'
            - '😃'
            - '😄'
            - '😁'
            - '😆'
            - '😅'
            - '😂'
            - '🤣'
            - '🥲'
            - '🥹'
            - '☺️'
            - '😊'
            - '😇'
            - '🙂'
            - '🙃'
            - '😉'
            - '😌'
            - '😍'
            - '🥰'
            - '😘'
            - '😗'
            - '😙'
            - '😚'
            - '😋'
            - '😛'
            - '😝'
            - '😜'
            - '🤪'
            - '🤨'
            - '🧐'
            - '🤓'
            - '😎'
            - '🥸'
            - '🤩'
            - '🥳'
            - '😏'
            - '😒'
            - '😞'
            - '😔'
            - '😟'
            - '😕'
            - '🙁'
            - '☹️'
            - '😣'
            - '😖'
            - '😫'
            - '😩'
            - '🥺'
            - '😢'
            - '😭'
            - '😮‍💨'
            - '😤'
            - '😠'
            - '😡'
            - '🤬'
            - '🤯'
            - '😳'
            - '🥵'
            - '🥶'
            - '😱'
            - '😨'
            - '😰'
            - '😥'
            - '😓'
            - '🫣'
            - '🤗'
            - '🫡'
            - '🤔'
            - '🫢'
            - '🤭'
            - '🤫'
            - '🤥'
            - '😶'
            - '😶‍🌫️'
            - '😐'
            - '😑'
            - '😬'
            - '🫠'
            - '🙄'
            - '😯'
            - '😦'
            - '😧'
            - '😮'
            - '😲'
            - '🥱'
            - '😴'
            - '🤤'
            - '😪'
            - '😵'
            - '😵‍💫'
            - '🫥'
            - '🤐'
            - '🥴'
            - '🤢'
            - '🤮'
            - '🤧'
            - '😷'
            - '🤒'
            - '🤕'
            - '🤑'
            - '🤠'
            - '😈'
            - '👿'
            - '👹'
            - '👺'
            - '🤡'
            - '💩'
            - '👻'
            - '💀'
            - '☠️'
            - '👽'
            - '👾'
            - '🤖'
            - '🎃'
            - '😺'
            - '😸'
            - '😹'
            - '😻'
            - '😼'
            - '😽'
            - '🙀'
            - '😿'
            - '😾'
            - '👋'
            - '🤚'
            - '🖐'
            - '✋'
            - '🖖'
            - '👌'
            - '🤌'
            - '🤏'
            - '✌️'
            - '🤞'
            - '🫰'
            - '🤟'
            - '🤘'
            - '🤙'
            - '🫵'
            - '🫱'
            - '🫲'
            - '🫳'
            - '🫴'
            - '👈'
            - '👉'
            - '👆'
            - '🖕'
            - '👇'
            - '☝️'
            - '👍'
            - '👎'
            - '✊'
            - '👊'
            - '🤛'
            - '🤜'
            - '👏'
            - '🫶'
            - '🙌'
            - '👐'
            - '🤲'
            - '🤝'
            - '🙏'
            - '✍️'
            - '💪'
            - '🦾'
            - '🦵'
            - '🦿'
            - '🦶'
            - '👣'
            - '👂'
            - '🦻'
            - '👃'
            - '🫀'
            - '🫁'
            - '🧠'
            - '🦷'
            - '🦴'
            - '👀'
            - '👁'
            - '👅'
            - '👄'
            - '🫦'
            - '💋'
            - '🩸'
            - '👶'
            - '👧'
            - '🧒'
            - '👦'
            - '👩'
            - '🧑'
            - '👨'
            - '👩‍🦱'
            - '🧑‍🦱'
            - '👨‍🦱'
            - '👩‍🦰'
            - '🧑‍🦰'
            - '👨‍🦰'
            - '👱‍♀️'
            - '👱'
            - '👱‍♂️'
            - '👩‍🦳'
            - '🧑‍🦳'
            - '👨‍🦳'
            - '👩‍🦲'
            - '🧑‍🦲'
            - '👨‍🦲'
            - '🧔‍♀️'
            - '🧔'
            - '🧔‍♂️'
            - '👵'
            - '🧓'
            - '👴'
            - '👲'
            - '👳‍♀️'
            - '👳'
            - '👳‍♂️'
            - '🧕'
            - '👮‍♀️'
            - '👮'
            - '👮‍♂️'
            - '👷‍♀️'
            - '👷'
            - '👷‍♂️'
            - '💂‍♀️'
            - '💂'
            - '💂‍♂️'
            - '🕵️‍♀️'
            - '🕵️'
            - '🕵️‍♂️'
            - '👩‍⚕️'
            - '🧑‍⚕️'
            - '👨‍⚕️'
            - '👩‍🌾'
            - '🧑‍🌾'
            - '👨‍🌾'
            - '👩‍🍳'
            - '🧑‍🍳'
            - '👨‍🍳'
            - '👩‍🎓'
            - '🧑‍🎓'
            - '👨‍🎓'
            - '👩‍🎤'
            - '🧑‍🎤'
            - '👨‍🎤'
            - '👩‍🏫'
            - '🧑‍🏫'
            - '👨‍🏫'
            - '👩‍🏭'
            - '🧑‍🏭'
            - '👨‍🏭'
            - '👩‍💻'
            - '🧑‍💻'
            - '👨‍💻'
            - '👩‍💼'
            - '🧑‍💼'
            - '👨‍💼'
            - '👩‍🔧'
            - '🧑‍🔧'
            - '👨‍🔧'
            - '👩‍🔬'
            - '🧑‍🔬'
            - '👨‍🔬'
            - '👩‍🎨'
            - '🧑‍🎨'
            - '👨‍🎨'
            - '👩‍🚒'
            - '🧑‍🚒'
            - '👨‍🚒'
            - '👩‍✈️'
            - '🧑‍✈️'
            - '👨‍✈️'
            - '👩‍🚀'
            - '🧑‍🚀'
            - '👨‍🚀'
            - '👩‍⚖️'
            - '🧑‍⚖️'
            - '👨‍⚖️'
            - '👰‍♀️'
            - '👰'
            - '👰‍♂️'
            - '🤵‍♀️'
            - '🤵'
            - '🤵‍♂️'
            - '👸'
            - '🫅'
            - '🤴'
            - '🥷'
            - '🦸‍♀️'
            - '🦸'
            - '🦸‍♂️'
            - '🦹‍♀️'
            - '🦹'
            - '🦹‍♂️'
            - '🤶'
            - '🧑‍🎄'
            - '🎅'
            - '🧙‍♀️'
            - '🧙'
            - '🧙‍♂️'
            - '🧝‍♀️'
            - '🧝'
            - '🧝‍♂️'
            - '🧛‍♀️'
            - '🧛'
            - '🧛‍♂️'
            - '🧟‍♀️'
            - '🧟'
            - '🧟‍♂️'
            - '🧞‍♀️'
            - '🧞'
            - '🧞‍♂️'
            - '🧜‍♀️'
            - '🧜'
            - '🧜‍♂️'
            - '🧚‍♀️'
            - '🧚'
            - '🧚‍♂️'
            - '🧌'
            - '👼'
            - '🤰'
            - '🫄'
            - '🫃'
            - '🤱'
            - '👩‍🍼'
            - '🧑‍🍼'
            - '👨‍🍼'
            - '🙇‍♀️'
            - '🙇'
            - '🙇‍♂️'
            - '💁‍♀️'
            - '💁'
            - '💁‍♂️'
            - '🙅‍♀️'
            - '🙅'
            - '🙅‍♂️'
            - '🙆‍♀️'
            - '🙆'
            - '🙆‍♂️'
            - '🙋‍♀️'
            - '🙋'
            - '🙋‍♂️'
            - '🧏‍♀️'
            - '🧏'
            - '🧏‍♂️'
            - '🤦‍♀️'
            - '🤦'
            - '🤦‍♂️'
            - '🤷‍♀️'
            - '🤷'
            - '🤷‍♂️'
            - '🙎‍♀️'
            - '🙎'
            - '🙎‍♂️'
            - '🙍‍♀️'
            - '🙍'
            - '🙍‍♂️'
            - '💇‍♀️'
            - '💇'
            - '💇‍♂️'
            - '💆‍♀️'
            - '💆'
            - '💆‍♂️'
            - '🧖‍♀️'
            - '🧖'
            - '🧖‍♂️'
            - '💅'
            - '💃'
            - '🕺'
            - '👯‍♀️'
            - '👯'
            - '👯‍♂️'
            - '🕴'
            - '👩‍🦽'
            - '🧑‍🦽'
            - '👨‍🦽'
            - '👩‍🦼'
            - '🧑‍🦼'
            - '👨‍🦼'
            - '🚶‍♀️'
            - '🚶'
            - '🚶‍♂️'
            - '👩‍🦯'
            - '🧑‍🦯'
            - '👨‍🦯'
            - '🧎‍♀️'
            - '🧎'
            - '🧎‍♂️'
            - '🏃‍♀️'
            - '🏃'
            - '🏃‍♂️'
            - '🧍‍♀️'
            - '🧍'
            - '🧍‍♂️'
            - '👭'
            - '🧑‍🤝‍🧑'
            - '👬'
            - '👫'
            - '👩‍❤️‍👩'
            - '💑'
            - '👨‍❤️‍👨'
            - '👩‍❤️‍👨'
            - '👩‍❤️‍💋‍👩'
            - '💏'
            - '👨‍❤️‍💋‍👨'
            - '👩‍❤️‍💋‍👨'
            - '👪'
            - '👨‍👩‍👦'
            - '👨‍👩‍👧'
            - '👨‍👩‍👧‍👦'
            - '👨‍👩‍👦‍👦'
            - '👨‍👩‍👧‍👧'
            - '👨‍👨‍👦'
            - '👨‍👨‍👧'
            - '👨‍👨‍👧‍👦'
            - '👨‍👨‍👦‍👦'
            - '👨‍👨‍👧‍👧'
            - '👩‍👩‍👦'
            - '👩‍👩‍👧'
            - '👩‍👩‍👧‍👦'
            - '👩‍👩‍👦‍👦'
            - '👩‍👩‍👧‍👧'
            - '👨‍👦'
            - '👨‍👦‍👦'
            - '👨‍👧'
            - '👨‍👧‍👦'
            - '👨‍👧‍👧'
            - '👩‍👦'
            - '👩‍👦‍👦'
            - '👩‍👧'
            - '👩‍👧‍👦'
            - '👩‍👧‍👧'
            - '🗣'
            - '👤'
            - '👥'
            - '🫂'
            - '🧳'
            - '🌂'
            - '☂️'
            - '🧵'
            - '🪡'
            - '🪢'
            - '🧶'
            - '👓'
            - '🕶'
            - '🥽'
            - '🥼'
            - '🦺'
            - '👔'
            - '👕'
            - '👖'
            - '🧣'
            - '🧤'
            - '🧥'
            - '🧦'
            - '👗'
            - '👘'
            - '🥻'
            - '🩴'
            - '🩱'
            - '🩲'
            - '🩳'
            - '👙'
            - '👚'
            - '👛'
            - '👜'
            - '👝'
            - '🎒'
            - '👞'
            - '👟'
            - '🥾'
            - '🥿'
            - '👠'
            - '👡'
            - '🩰'
            - '👢'
            - '👑'
            - '👒'
            - '🎩'
            - '🎓'
            - '🧢'
            - '⛑'
            - '🪖'
            - '💄'
            - '💍'
            - '💼'
            - '👋🏻'
            - '🤚🏻'
            - '🖐🏻'
            - '✋🏻'
            - '🖖🏻'
            - '👌🏻'
            - '🤌🏻'
            - '🤏🏻'
            - '✌🏻'
            - '🤞🏻'
            - '🫰🏻'
            - '🤟🏻'
            - '🤘🏻'
            - '🤙🏻'
            - '🫵🏻'
            - '🫱🏻'
            - '🫲🏻'
            - '🫳🏻'
            - '🫴🏻'
            - '👈🏻'
            - '👉🏻'
            - '👆🏻'
            - '🖕🏻'
            - '👇🏻'
            - '☝🏻'
            - '👍🏻'
            - '👎🏻'
            - '✊🏻'
            - '👊🏻'
            - '🤛🏻'
            - '🤜🏻'
            - '👏🏻'
            - '🫶🏻'
            - '🙌🏻'
            - '👐🏻'
            - '🤲🏻'
            - '🙏🏻'
            - '✍🏻'
            - '💪🏻'
            - '🦵🏻'
            - '🦶🏻'
            - '👂🏻'
            - '🦻🏻'
            - '👃🏻'
            - '👶🏻'
            - '👧🏻'
            - '🧒🏻'
            - '👦🏻'
            - '👩🏻'
            - '🧑🏻'
            - '👨🏻'
            - '👩🏻‍🦱'
            - '🧑🏻‍🦱'
            - '👨🏻‍🦱'
            - '👩🏻‍🦰'
            - '🧑🏻‍🦰'
            - '👨🏻‍🦰'
            - '👱🏻‍♀️'
            - '👱🏻'
            - '👱🏻‍♂️'
            - '👩🏻‍🦳'
            - '🧑🏻‍🦳'
            - '👨🏻‍🦳'
            - '👩🏻‍🦲'
            - '🧑🏻‍🦲'
            - '👨🏻‍🦲'
            - '🧔🏻‍♀️'
            - '🧔🏻'
            - '🧔🏻‍♂️'
            - '👵🏻'
            - '🧓🏻'
            - '👴🏻'
            - '👲🏻'
            - '👳🏻‍♀️'
            - '👳🏻'
            - '👳🏻‍♂️'
            - '🧕🏻'
            - '👮🏻‍♀️'
            - '👮🏻'
            - '👮🏻‍♂️'
            - '👷🏻‍♀️'
            - '👷🏻'
            - '👷🏻‍♂️'
            - '💂🏻‍♀️'
            - '💂🏻'
            - '💂🏻‍♂️'
            - '🕵🏻‍♀️'
            - '🕵🏻'
            - '🕵🏻‍♂️'
            - '👩🏻‍⚕️'
            - '🧑🏻‍⚕️'
            - '👨🏻‍⚕️'
            - '👩🏻‍🌾'
            - '🧑🏻‍🌾'
            - '👨🏻‍🌾'
            - '👩🏻‍🍳'
            - '🧑🏻‍🍳'
            - '👨🏻‍🍳'
            - '👩🏻‍🎓'
            - '🧑🏻‍🎓'
            - '👨🏻‍🎓'
            - '👩🏻‍🎤'
            - '🧑🏻‍🎤'
            - '👨🏻‍🎤'
            - '👩🏻‍🏫'
            - '🧑🏻‍🏫'
            - '👨🏻‍🏫'
            - '👩🏻‍🏭'
            - '🧑🏻‍🏭'
            - '👨🏻‍🏭'
            - '👩🏻‍💻'
            - '🧑🏻‍💻'
            - '👨🏻‍💻'
            - '👩🏻‍💼'
            - '🧑🏻‍💼'
            - '👨🏻‍💼'
            - '👩🏻‍🔧'
            - '🧑🏻‍🔧'
            - '👨🏻‍🔧'
            - '👩🏻‍🔬'
            - '🧑🏻‍🔬'
            - '👨🏻‍🔬'
            - '👩🏻‍🎨'
            - '🧑🏻‍🎨'
            - '👨🏻‍🎨'
            - '👩🏻‍🚒'
            - '🧑🏻‍🚒'
            - '👨🏻‍🚒'
            - '👩🏻‍✈️'
            - '🧑🏻‍✈️'
            - '👨🏻‍✈️'
            - '👩🏻‍🚀'
            - '🧑🏻‍🚀'
            - '👨🏻‍🚀'
            - '👩🏻‍⚖️'
            - '🧑🏻‍⚖️'
            - '👨🏻‍⚖️'
            - '👰🏻‍♀️'
            - '👰🏻'
            - '👰🏻‍♂️'
            - '🤵🏻‍♀️'
            - '🤵🏻'
            - '🤵🏻‍♂️'
            - '👸🏻'
            - '🫅🏻'
            - '🤴🏻'
            - '🥷🏻'
            - '🦸🏻‍♀️'
            - '🦸🏻'
            - '🦸🏻‍♂️'
            - '🦹🏻‍♀️'
            - '🦹🏻'
            - '🦹🏻‍♂️'
            - '🤶🏻'
            - '🧑🏻‍🎄'
            - '🎅🏻'
            - '🧙🏻‍♀️'
            - '🧙🏻'
            - '🧙🏻‍♂️'
            - '🧝🏻‍♀️'
            - '🧝🏻'
            - '🧝🏻‍♂️'
            - '🧛🏻‍♀️'
            - '🧛🏻'
            - '🧛🏻‍♂️'
            - '🧜🏻‍♀️'
            - '🧜🏻'
            - '🧜🏻‍♂️'
            - '🧚🏻‍♀️'
            - '🧚🏻'
            - '🧚🏻‍♂️'
            - '👼🏻'
            - '🤰🏻'
            - '🫄🏻'
            - '🫃🏻'
            - '🤱🏻'
            - '👩🏻‍🍼'
            - '🧑🏻‍🍼'
            - '👨🏻‍🍼'
            - '🙇🏻‍♀️'
            - '🙇🏻'
            - '🙇🏻‍♂️'
            - '💁🏻‍♀️'
            - '💁🏻'
            - '💁🏻‍♂️'
            - '🙅🏻‍♀️'
            - '🙅🏻'
            - '🙅🏻‍♂️'
            - '🙆🏻‍♀️'
            - '🙆🏻'
            - '🙆🏻‍♂️'
            - '🙋🏻‍♀️'
            - '🙋🏻'
            - '🙋🏻‍♂️'
            - '🧏🏻‍♀️'
            - '🧏🏻'
            - '🧏🏻‍♂️'
            - '🤦🏻‍♀️'
            - '🤦🏻'
            - '🤦🏻‍♂️'
            - '🤷🏻‍♀️'
            - '🤷🏻'
            - '🤷🏻‍♂️'
            - '🙎🏻‍♀️'
            - '🙎🏻'
            - '🙎🏻‍♂️'
            - '🙍🏻‍♀️'
            - '🙍🏻'
            - '🙍🏻‍♂️'
            - '💇🏻‍♀️'
            - '💇🏻'
            - '💇🏻‍♂️'
            - '💆🏻‍♀️'
            - '💆🏻'
            - '💆🏻‍♂️'
            - '🧖🏻‍♀️'
            - '🧖🏻'
            - '🧖🏻‍♂️'
            - '💃🏻'
            - '🕺🏻'
            - '🕴🏻'
            - '👩🏻‍🦽'
            - '🧑🏻‍🦽'
            - '👨🏻‍🦽'
            - '👩🏻‍🦼'
            - '🧑🏻‍🦼'
            - '👨🏻‍🦼'
            - '🚶🏻‍♀️'
            - '🚶🏻'
            - '🚶🏻‍♂️'
            - '👩🏻‍🦯'
            - '🧑🏻‍🦯'
            - '👨🏻‍🦯'
            - '🧎🏻‍♀️'
            - '🧎🏻'
            - '🧎🏻‍♂️'
            - '🏃🏻‍♀️'
            - '🏃🏻'
            - '🏃🏻‍♂️'
            - '🧍🏻‍♀️'
            - '🧍🏻'
            - '🧍🏻‍♂️'
            - '👭🏻'
            - '🧑🏻‍🤝‍🧑🏻'
            - '👬🏻'
            - '👫🏻'
            - '🧗🏻‍♀️'
            - '🧗🏻'
            - '🧗🏻‍♂️'
            - '🏇🏻'
            - '🏂🏻'
            - '🏌🏻‍♀️'
            - '🏌🏻'
            - '🏌🏻‍♂️'
            - '🏄🏻‍♀️'
            - '🏄🏻'
            - '🏄🏻‍♂️'
            - '🚣🏻‍♀️'
            - '🚣🏻'
            - '🚣🏻‍♂️'
            - '🏊🏻‍♀️'
            - '🏊🏻'
            - '🏊🏻‍♂️'
            - '⛹🏻‍♀️'
            - '⛹🏻'
            - '⛹🏻‍♂️'
            - '🏋🏻‍♀️'
            - '🏋🏻'
            - '🏋🏻‍♂️'
            - '🚴🏻‍♀️'
            - '🚴🏻'
            - '🚴🏻‍♂️'
            - '🚵🏻‍♀️'
            - '🚵🏻'
            - '🚵🏻‍♂️'
            - '🤸🏻‍♀️'
            - '🤸🏻'
            - '🤸🏻‍♂️'
            - '🤽🏻‍♀️'
            - '🤽🏻'
            - '🤽🏻‍♂️'
            - '🤾🏻‍♀️'
            - '🤾🏻'
            - '🤾🏻‍♂️'
            - '🤹🏻‍♀️'
            - '🤹🏻'
            - '🤹🏻‍♂️'
            - '🧘🏻‍♀️'
            - '🧘🏻'
            - '🧘🏻‍♂️'
            - '🛀🏻'
            - '🛌🏻'
            - '👋🏼'
            - '🤚🏼'
            - '🖐🏼'
            - '✋🏼'
            - '🖖🏼'
            - '👌🏼'
            - '🤌🏼'
            - '🤏🏼'
            - '✌🏼'
            - '🤞🏼'
            - '🫰🏼'
            - '🤟🏼'
            - '🤘🏼'
            - '🤙🏼'
            - '🫵🏼'
            - '🫱🏼'
            - '🫲🏼'
            - '🫳🏼'
            - '🫴🏼'
            - '👈🏼'
            - '👉🏼'
            - '👆🏼'
            - '🖕🏼'
            - '👇🏼'
            - '☝🏼'
            - '👍🏼'
            - '👎🏼'
            - '✊🏼'
            - '👊🏼'
            - '🤛🏼'
            - '🤜🏼'
            - '👏🏼'
            - '🫶🏼'
            - '🙌🏼'
            - '👐🏼'
            - '🤲🏼'
            - '🙏🏼'
            - '✍🏼'
            - '💪🏼'
            - '🦵🏼'
            - '🦶🏼'
            - '👂🏼'
            - '🦻🏼'
            - '👃🏼'
            - '👶🏼'
            - '👧🏼'
            - '🧒🏼'
            - '👦🏼'
            - '👩🏼'
            - '🧑🏼'
            - '👨🏼'
            - '👩🏼‍🦱'
            - '🧑🏼‍🦱'
            - '👨🏼‍🦱'
            - '👩🏼‍🦰'
            - '🧑🏼‍🦰'
            - '👨🏼‍🦰'
            - '👱🏼‍♀️'
            - '👱🏼'
            - '👱🏼‍♂️'
            - '👩🏼‍🦳'
            - '🧑🏼‍🦳'
            - '👨🏼‍🦳'
            - '👩🏼‍🦲'
            - '🧑🏼‍🦲'
            - '👨🏼‍🦲'
            - '🧔🏼‍♀️'
            - '🧔🏼'
            - '🧔🏼‍♂️'
            - '👵🏼'
            - '🧓🏼'
            - '👴🏼'
            - '👲🏼'
            - '👳🏼‍♀️'
            - '👳🏼'
            - '👳🏼‍♂️'
            - '🧕🏼'
            - '👮🏼‍♀️'
            - '👮🏼'
            - '👮🏼‍♂️'
            - '👷🏼‍♀️'
            - '👷🏼'
            - '👷🏼‍♂️'
            - '💂🏼‍♀️'
            - '💂🏼'
            - '💂🏼‍♂️'
            - '🕵🏼‍♀️'
            - '🕵🏼'
            - '🕵🏼‍♂️'
            - '👩🏼‍⚕️'
            - '🧑🏼‍⚕️'
            - '👨🏼‍⚕️'
            - '👩🏼‍🌾'
            - '🧑🏼‍🌾'
            - '👨🏼‍🌾'
            - '👩🏼‍🍳'
            - '🧑🏼‍🍳'
            - '👨🏼‍🍳'
            - '👩🏼‍🎓'
            - '🧑🏼‍🎓'
            - '👨🏼‍🎓'
            - '👩🏼‍🎤'
            - '🧑🏼‍🎤'
            - '👨🏼‍🎤'
            - '👩🏼‍🏫'
            - '🧑🏼‍🏫'
            - '👨🏼‍🏫'
            - '👩🏼‍🏭'
            - '🧑🏼‍🏭'
            - '👨🏼‍🏭'
            - '👩🏼‍💻'
            - '🧑🏼‍💻'
            - '👨🏼‍💻'
            - '👩🏼‍💼'
            - '🧑🏼‍💼'
            - '👨🏼‍💼'
            - '👩🏼‍🔧'
            - '🧑🏼‍🔧'
            - '👨🏼‍🔧'
            - '👩🏼‍🔬'
            - '🧑🏼‍🔬'
            - '👨🏼‍🔬'
            - '👩🏼‍🎨'
            - '🧑🏼‍🎨'
            - '👨🏼‍🎨'
            - '👩🏼‍🚒'
            - '🧑🏼‍🚒'
            - '👨🏼‍🚒'
            - '👩🏼‍✈️'
            - '🧑🏼‍✈️'
            - '👨🏼‍✈️'
            - '👩🏼‍🚀'
            - '🧑🏼‍🚀'
            - '👨🏼‍🚀'
            - '👩🏼‍⚖️'
            - '🧑🏼‍⚖️'
            - '👨🏼‍⚖️'
            - '👰🏼‍♀️'
            - '👰🏼'
            - '👰🏼‍♂️'
            - '🤵🏼‍♀️'
            - '🤵🏼'
            - '🤵🏼‍♂️'
            - '👸🏼'
            - '🫅🏼'
            - '🤴🏼'
            - '🥷🏼'
            - '🦸🏼‍♀️'
            - '🦸🏼'
            - '🦸🏼‍♂️'
            - '🦹🏼‍♀️'
            - '🦹🏼'
            - '🦹🏼‍♂️'
            - '🤶🏼'
            - '🧑🏼‍🎄'
            - '🎅🏼'
            - '🧙🏼‍♀️'
            - '🧙🏼'
            - '🧙🏼‍♂️'
            - '🧝🏼‍♀️'
            - '🧝🏼'
            - '🧝🏼‍♂️'
            - '🧛🏼‍♀️'
            - '🧛🏼'
            - '🧛🏼‍♂️'
            - '🧜🏼‍♀️'
            - '🧜🏼'
            - '🧜🏼‍♂️'
            - '🧚🏼‍♀️'
            - '🧚🏼'
            - '🧚🏼‍♂️'
            - '👼🏼'
            - '🤰🏼'
            - '🫄🏼'
            - '🫃🏼'
            - '🤱🏼'
            - '👩🏼‍🍼'
            - '🧑🏼‍🍼'
            - '👨🏼‍🍼'
            - '🙇🏼‍♀️'
            - '🙇🏼'
            - '🙇🏼‍♂️'
            - '💁🏼‍♀️'
            - '💁🏼'
            - '💁🏼‍♂️'
            - '🙅🏼‍♀️'
            - '🙅🏼'
            - '🙅🏼‍♂️'
            - '🙆🏼‍♀️'
            - '🙆🏼'
            - '🙆🏼‍♂️'
            - '🙋🏼‍♀️'
            - '🙋🏼'
            - '🙋🏼‍♂️'
            - '🧏🏼‍♀️'
            - '🧏🏼'
            - '🧏🏼‍♂️'
            - '🤦🏼‍♀️'
            - '🤦🏼'
            - '🤦🏼‍♂️'
            - '🤷🏼‍♀️'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
status test author @Kostastsale, TheDFIRReport ATT&CK tactic-only id c98f2a0d-e1b8-4f76-90d3-359caf88d6b9
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*🤷🏼*", "*🤷🏼‍♂️*", "*🙎🏼‍♀️*", "*🙎🏼*", "*🙎🏼‍♂️*", "*🙍🏼‍♀️*", "*🙍🏼*", "*🙍🏼‍♂️*", "*💇🏼‍♀️*", "*💇🏼*", "*💇🏼‍♂️*", "*💆🏼‍♀️*", "*💆🏼*", "*💆🏼‍♂️*", "*🧖🏼‍♀️*", "*🧖🏼*", "*🧖🏼‍♂️*", "*💃🏼*", "*🕺🏼*", "*🕴🏼*", "*👩🏼‍🦽*", "*🧑🏼‍🦽*", "*👨🏼‍🦽*", "*👩🏼‍🦼*", "*🧑🏼‍🦼*", "*👨🏼‍🦼*", "*🚶🏼‍♀️*", "*🚶🏼*", "*🚶🏼‍♂️*", "*👩🏼‍🦯*", "*🧑🏼‍🦯*", "*👨🏼‍🦯*", "*🧎🏼‍♀️*", "*🧎🏼*", "*🧎🏼‍♂️*", "*🏃🏼‍♀️*", "*🏃🏼*", "*🏃🏼‍♂️*", "*🧍🏼‍♀️*", "*🧍🏼*", "*🧍🏼‍♂️*", "*👭🏼*", "*🧑🏼‍🤝‍🧑🏼*", "*👬🏼*", "*👫🏼*", "*🧗🏼‍♀️*", "*🧗🏼*", "*🧗🏼‍♂️*", "*🏇🏼*", "*🏂🏼*", "*🏌🏼‍♀️*", "*🏌🏼*", "*🏌🏼‍♂️*", "*🏄🏼‍♀️*", "*🏄🏼*", "*🏄🏼‍♂️*", "*🚣🏼‍♀️*", "*🚣🏼*", "*🚣🏼‍♂️*", "*🏊🏼‍♀️*", "*🏊🏼*", "*🏊🏼‍♂️*", "*⛹🏼‍♀️*", "*⛹🏼*", "*⛹🏼‍♂️*", "*🏋🏼‍♀️*", "*🏋🏼*", "*🏋🏼‍♂️*", "*🚴🏼‍♀️*", "*🚴🏼*", "*🚴🏼‍♂️*", "*🚵🏼‍♀️*", "*🚵🏼*", "*🚵🏼‍♂️*", "*🤸🏼‍♀️*", "*🤸🏼*", "*🤸🏼‍♂️*", "*🤽🏼‍♀️*", "*🤽🏼*", "*🤽🏼‍♂️*", "*🤾🏼‍♀️*", "*🤾🏼*", "*🤾🏼‍♂️*", "*🤹🏼‍♀️*", "*🤹🏼*", "*🤹🏼‍♂️*", "*🧘🏼‍♀️*", "*🧘🏼*", "*🧘🏼‍♂️*", "*🛀🏼*", "*🛌🏼*", "*👋🏽*", "*🤚🏽*", "*🖐🏽*", "*✋🏽*", "*🖖🏽*", "*👌🏽*", "*🤌🏽*", "*🤏🏽*", "*✌🏽*", "*🤞🏽*", "*🫰🏽*", "*🤟🏽*", "*🤘🏽*", "*🤙🏽*", "*🫵🏽*", "*🫱🏽*", "*🫲🏽*", "*🫳🏽*", "*🫴🏽*", "*👈🏽*", "*👉🏽*", "*👆🏽*", "*🖕🏽*", "*👇🏽*", "*☝🏽*", "*👍🏽*", "*👎🏽*", "*✊🏽*", "*👊🏽*", "*🤛🏽*", "*🤜🏽*", "*👏🏽*", "*🫶🏽*", "*🙌🏽*", "*👐🏽*", "*🤲🏽*", "*🙏🏽*", "*✍🏽*", "*💪🏽*", "*🦵🏽*", "*🦶🏽*", "*👂🏽*", "*🦻🏽*", "*👃🏽*", "*👶🏽*", "*👧🏽*", "*🧒🏽*", "*👦🏽*", "*👩🏽*", "*🧑🏽*", "*👨🏽*", "*👩🏽‍🦱*", "*🧑🏽‍🦱*", "*👨🏽‍🦱*", "*👩🏽‍🦰*", "*🧑🏽‍🦰*", "*👨🏽‍🦰*", "*👱🏽‍♀️*", "*👱🏽*", "*👱🏽‍♂️*", "*👩🏽‍🦳*", "*🧑🏽‍🦳*", "*👨🏽‍🦳*", "*👩🏽‍🦲*", "*🧑🏽‍🦲*", "*👨🏽‍🦲*", "*🧔🏽‍♀️*", "*🧔🏽*", "*🧔🏽‍♂️*", "*👵🏽*", "*🧓🏽*", "*👴🏽*", "*👲🏽*", "*👳🏽‍♀️*", "*👳🏽*", "*👳🏽‍♂️*", "*🧕🏽*", "*👮🏽‍♀️*", "*👮🏽*", "*👮🏽‍♂️*", "*👷🏽‍♀️*", "*👷🏽*", "*👷🏽‍♂️*", "*💂🏽‍♀️*", "*💂🏽*", "*💂🏽‍♂️*", "*🕵🏽‍♀️*", "*🕵🏽*", "*🕵🏽‍♂️*", "*👩🏽‍⚕️*", "*🧑🏽‍⚕️*", "*👨🏽‍⚕️*", "*👩🏽‍🌾*", "*🧑🏽‍🌾*", "*👨🏽‍🌾*", "*👩🏽‍🍳*", "*🧑🏽‍🍳*", "*👨🏽‍🍳*", "*👩🏽‍🎓*", "*🧑🏽‍🎓*", "*👨🏽‍🎓*", "*👩🏽‍🎤*", "*🧑🏽‍🎤*", "*👨🏽‍🎤*", "*👩🏽‍🏫*", "*🧑🏽‍🏫*", "*👨🏽‍🏫*", "*👩🏽‍🏭*", "*🧑🏽‍🏭*", "*👨🏽‍🏭*", "*👩🏽‍💻*", "*🧑🏽‍💻*", "*👨🏽‍💻*", "*👩🏽‍💼*", "*🧑🏽‍💼*", "*👨🏽‍💼*", "*👩🏽‍🔧*", "*🧑🏽‍🔧*", "*👨🏽‍🔧*", "*👩🏽‍🔬*", "*🧑🏽‍🔬*", "*👨🏽‍🔬*", "*👩🏽‍🎨*", "*🧑🏽‍🎨*", "*👨🏽‍🎨*", "*👩🏽‍🚒*", "*🧑🏽‍🚒*", "*👨🏽‍🚒*", "*👩🏽‍✈️*", "*🧑🏽‍✈️*", "*👨🏽‍✈️*", "*👩🏽‍🚀*", "*🧑🏽‍🚀*", "*👨🏽‍🚀*", "*👩🏽‍⚖️*", "*🧑🏽‍⚖️*", "*👨🏽‍⚖️*", "*👰🏽‍♀️*", "*👰🏽*", "*👰🏽‍♂️*", "*🤵🏽‍♀️*", "*🤵🏽*", "*🤵🏽‍♂️*", "*👸🏽*", "*🫅🏽*", "*🤴🏽*", "*🥷🏽*", "*🦸🏽‍♀️*", "*🦸🏽*", "*🦸🏽‍♂️*", "*🦹🏽‍♀️*", "*🦹🏽*", "*🦹🏽‍♂️*", "*🤶🏽*", "*🧑🏽‍🎄*", "*🎅🏽*", "*🧙🏽‍♀️*", "*🧙🏽*", "*🧙🏽‍♂️*", "*🧝🏽‍♀️*", "*🧝🏽*", "*🧝🏽‍♂️*", "*🧛🏽‍♀️*", "*🧛🏽*", "*🧛🏽‍♂️*", "*🧜🏽‍♀️*", "*🧜🏽*", "*🧜🏽‍♂️*", "*🧚🏽‍♀️*", "*🧚🏽*", "*🧚🏽‍♂️*", "*👼🏽*", "*🤰🏽*", "*🫄🏽*", "*🫃🏽*", "*🤱🏽*", "*👩🏽‍🍼*", "*🧑🏽‍🍼*", "*👨🏽‍🍼*", "*🙇🏽‍♀️*", "*🙇🏽*", "*🙇🏽‍♂️*", "*💁🏽‍♀️*", "*💁🏽*", "*💁🏽‍♂️*", "*🙅🏽‍♀️*", "*🙅🏽*", "*🙅🏽‍♂️*", "*🙆🏽‍♀️*", "*🙆🏽*", "*🙆🏽‍♂️*", "*🙋🏽‍♀️*", "*🙋🏽*", "*🙋🏽‍♂️*", "*🧏🏽‍♀️*", "*🧏🏽*", "*🧏🏽‍♂️*", "*🤦🏽‍♀️*", "*🤦🏽*", "*🤦🏽‍♂️*", "*🤷🏽‍♀️*", "*🤷🏽*", "*🤷🏽‍♂️*", "*🙎🏽‍♀️*", "*🙎🏽*", "*🙎🏽‍♂️*", "*🙍🏽‍♀️*", "*🙍🏽*", "*🙍🏽‍♂️*", "*💇🏽‍♀️*", "*💇🏽*", "*💇🏽‍♂️*", "*💆🏽‍♀️*", "*💆🏽*", "*💆🏽‍♂️*", "*🧖🏽‍♀️*", "*🧖🏽*", "*🧖🏽‍♂️*", "*💃🏽*", "*🕺🏽*", "*🕴🏽*", "*👩🏽‍🦽*", "*🧑🏽‍🦽*", "*👨🏽‍🦽*", "*👩🏽‍🦼*", "*🧑🏽‍🦼*", "*👨🏽‍🦼*", "*🚶🏽‍♀️*", "*🚶🏽*", "*🚶🏽‍♂️*", "*👩🏽‍🦯*", "*🧑🏽‍🦯*", "*👨🏽‍🦯*", "*🧎🏽‍♀️*", "*🧎🏽*", "*🧎🏽‍♂️*", "*🏃🏽‍♀️*", "*🏃🏽*", "*🏃🏽‍♂️*", "*🧍🏽‍♀️*", "*🧍🏽*", "*🧍🏽‍♂️*", "*👭🏽*", "*🧑🏽‍🤝‍🧑🏽*", "*👬🏽*", "*👫🏽*", "*🧗🏽‍♀️*", "*🧗🏽*", "*🧗🏽‍♂️*", "*🏇🏽*", "*🏂🏽*", "*🏌🏽‍♀️*", "*🏌🏽*", "*🏌🏽‍♂️*", "*🏄🏽‍♀️*", "*🏄🏽*", "*🏄🏽‍♂️*", "*🚣🏽‍♀️*", "*🚣🏽*", "*🚣🏽‍♂️*", "*🏊🏽‍♀️*", "*🏊🏽*", "*🏊🏽‍♂️*", "*⛹🏽‍♀️*", "*⛹🏽*", "*⛹🏽‍♂️*", "*🏋🏽‍♀️*", "*🏋🏽*", "*🏋🏽‍♂️*", "*🚴🏽‍♀️*", "*🚴🏽*", "*🚴🏽‍♂️*", "*🚵🏽‍♀️*", "*🚵🏽*", "*🚵🏽‍♂️*", "*🤸🏽‍♀️*", "*🤸🏽*", "*🤸🏽‍♂️*", "*🤽🏽‍♀️*", "*🤽🏽*", "*🤽🏽‍♂️*", "*🤾🏽‍♀️*", "*🤾🏽*", "*🤾🏽‍♂️*", "*🤹🏽‍♀️*", "*🤹🏽*", "*🤹🏽‍♂️*", "*🧘🏽‍♀️*", "*🧘🏽*", "*🧘🏽‍♂️*", "*🛀🏽*", "*🛌🏽*", "*👋🏾*", "*🤚🏾*", "*🖐🏾*", "*✋🏾*", "*🖖🏾*", "*👌🏾*", "*🤌🏾*", "*🤏🏾*", "*✌🏾*", "*🤞🏾*", "*🫰🏾*", "*🤟🏾*", "*🤘🏾*", "*🤙🏾*", "*🫵🏾*", "*🫱🏾*", "*🫲🏾*", "*🫳🏾*", "*🫴🏾*", "*👈🏾*", "*👉🏾*", "*👆🏾*", "*🖕🏾*", "*👇🏾*", "*☝🏾*", "*👍🏾*", "*👎🏾*", "*✊🏾*", "*👊🏾*", "*🤛🏾*", "*🤜🏾*", "*👏🏾*", "*🫶🏾*", "*🙌🏾*", "*👐🏾*", "*🤲🏾*", "*🙏🏾*", "*✍🏾*", "*💪🏾*", "*🦵🏾*", "*🦶🏾*", "*👂🏾*", "*🦻🏾*", "*👃🏾*", "*👶🏾*", "*👧🏾*", "*🧒🏾*", "*👦🏾*", "*👩🏾*", "*🧑🏾*", "*👨🏾*", "*👩🏾‍🦱*", "*🧑🏾‍🦱*", "*👨🏾‍🦱*", "*👩🏾‍🦰*", "*🧑🏾‍🦰*", "*👨🏾‍🦰*", "*👱🏾‍♀️*", "*👱🏾*", "*👱🏾‍♂️*", "*👩🏾‍🦳*", "*🧑🏾‍🦳*", "*👨🏾‍🦳*", "*👩🏾‍🦲*", "*🧑🏾‍🦲*", "*👨🏾‍🦲*", "*🧔🏾‍♀️*", "*🧔🏾*", "*🧔🏾‍♂️*", "*👵🏾*", "*🧓🏾*", "*👴🏾*", "*👲🏾*", "*👳🏾‍♀️*", "*👳🏾*", "*👳🏾‍♂️*", "*🧕🏾*", "*👮🏾‍♀️*", "*👮🏾*", "*👮🏾‍♂️*", "*👷🏾‍♀️*", "*👷🏾*", "*👷🏾‍♂️*", "*💂🏾‍♀️*", "*💂🏾*", "*💂🏾‍♂️*", "*🕵🏾‍♀️*", "*🕵🏾*", "*🕵🏾‍♂️*", "*👩🏾‍⚕️*", "*🧑🏾‍⚕️*", "*👨🏾‍⚕️*", "*👩🏾‍🌾*", "*🧑🏾‍🌾*", "*👨🏾‍🌾*", "*👩🏾‍🍳*", "*🧑🏾‍🍳*", "*👨🏾‍🍳*", "*👩🏾‍🎓*", "*🧑🏾‍🎓*", "*👨🏾‍🎓*", "*👩🏾‍🎤*", "*🧑🏾‍🎤*", "*👨🏾‍🎤*", "*👩🏾‍🏫*", "*🧑🏾‍🏫*", "*👨🏾‍🏫*", "*👩🏾‍🏭*", "*🧑🏾‍🏭*", "*👨🏾‍🏭*", "*👩🏾‍💻*", "*🧑🏾‍💻*", "*👨🏾‍💻*", "*👩🏾‍💼*", "*🧑🏾‍💼*", "*👨🏾‍💼*", "*👩🏾‍🔧*", "*🧑🏾‍🔧*", "*👨🏾‍🔧*", "*👩🏾‍🔬*", "*🧑🏾‍🔬*", "*👨🏾‍🔬*", "*👩🏾‍🎨*", "*🧑🏾‍🎨*", "*👨🏾‍🎨*", "*👩🏾‍🚒*", "*🧑🏾‍🚒*", "*👨🏾‍🚒*", "*👩🏾‍✈️*", "*🧑🏾‍✈️*", "*👨🏾‍✈️*", "*👩🏾‍🚀*", "*🧑🏾‍🚀*", "*👨🏾‍🚀*", "*👩🏾‍⚖️*", "*🧑🏾‍⚖️*", "*👨🏾‍⚖️*", "*👰🏾‍♀️*", "*👰🏾*", "*👰🏾‍♂️*", "*🤵🏾‍♀️*", "*🤵🏾*", "*🤵🏾‍♂️*", "*👸🏾*", "*🫅🏾*", "*🤴🏾*", "*🥷🏾*", "*🦸🏾‍♀️*", "*🦸🏾*", "*🦸🏾‍♂️*", "*🦹🏾‍♀️*", "*🦹🏾*", "*🦹🏾‍♂️*", "*🤶🏾*", "*🧑🏾‍🎄*", "*🎅🏾*", "*🧙🏾‍♀️*", "*🧙🏾*", "*🧙🏾‍♂️*", "*🧝🏾‍♀️*", "*🧝🏾*", "*🧝🏾‍♂️*", "*🧛🏾‍♀️*", "*🧛🏾*", "*🧛🏾‍♂️*", "*🧜🏾‍♀️*", "*🧜🏾*", "*🧜🏾‍♂️*", "*🧚🏾‍♀️*", "*🧚🏾*", "*🧚🏾‍♂️*", "*👼🏾*", "*🤰🏾*", "*🫄🏾*", "*🫃🏾*", "*🤱🏾*", "*👩🏾‍🍼*", "*🧑🏾‍🍼*", "*👨🏾‍🍼*", "*🙇🏾‍♀️*", "*🙇🏾*", "*🙇🏾‍♂️*", "*💁🏾‍♀️*", "*💁🏾*", "*💁🏾‍♂️*", "*🙅🏾‍♀️*", "*🙅🏾*", "*🙅🏾‍♂️*", "*🙆🏾‍♀️*", "*🙆🏾*", "*🙆🏾‍♂️*", "*🙋🏾‍♀️*", "*🙋🏾*", "*🙋🏾‍♂️*", "*🧏🏾‍♀️*", "*🧏🏾*", "*🧏🏾‍♂️*", "*🤦🏾‍♀️*", "*🤦🏾*", "*🤦🏾‍♂️*", "*🤷🏾‍♀️*", "*🤷🏾*", "*🤷🏾‍♂️*", "*🙎🏾‍♀️*", "*🙎🏾*", "*🙎🏾‍♂️*", "*🙍🏾‍♀️*", "*🙍🏾*", "*🙍🏾‍♂️*", "*💇🏾‍♀️*", "*💇🏾*", "*💇🏾‍♂️*", "*💆🏾‍♀️*", "*💆🏾*", "*💆🏾‍♂️*", "*🧖🏾‍♀️*", "*🧖🏾*", "*🧖🏾‍♂️*", "*💃🏾*", "*🕺🏾*", "*👩🏾‍🦽*", "*🧑🏾‍🦽*", "*👨🏾‍🦽*", "*👩🏾‍🦼*", "*🧑🏾‍🦼*", "*👨🏾‍🦼*", "*🚶🏾‍♀️*", "*🚶🏾*", "*🚶🏾‍♂️*", "*👩🏾‍🦯*", "*🧑🏾‍🦯*", "*👨🏾‍🦯*", "*🧎🏾‍♀️*", "*🧎🏾*", "*🧎🏾‍♂️*", "*🏃🏾‍♀️*", "*🏃🏾*", "*🏃🏾‍♂️*", "*🧍🏾‍♀️*", "*🧍🏾*", "*🧍🏾‍♂️*", "*👭🏾*", "*🧑🏾‍🤝‍🧑🏾*", "*👬🏾*", "*👫🏾*", "*🧗🏾‍♀️*", "*🧗🏾*", "*🧗🏾‍♂️*", "*🏇🏾*", "*🏂🏾*", "*🏌🏾‍♀️*", "*🏌🏾*", "*🏌🏾‍♂️*", "*🏄🏾‍♀️*", "*🏄🏾*", "*🏄🏾‍♂️*", "*🚣🏾‍♀️*", "*🚣🏾*", "*🚣🏾‍♂️*", "*🏊🏾‍♀️*", "*🏊🏾*", "*🏊🏾‍♂️*", "*⛹🏾‍♀️*", "*⛹🏾*", "*⛹🏾‍♂️*", "*🏋🏾‍♀️*", "*🏋🏾*", "*🏋🏾‍♂️*", "*🚴🏾‍♀️*", "*🚴🏾*", "*🚴🏾‍♂️*", "*🚵🏾‍♀️*", "*🚵🏾*", "*🚵🏾‍♂️*", "*🤸🏾‍♀️*", "*🤸🏾*", "*🤸🏾‍♂️*", "*🤽🏾‍♀️*", "*🤽🏾*", "*🤽🏾‍♂️*", "*🤾🏾‍♀️*", "*🤾🏾*", "*🤾🏾‍♂️*", "*🤹🏾‍♀️*", "*🤹🏾*", "*🤹🏾‍♂️*", "*🧘🏾‍♀️*", "*🧘🏾*", "*🧘🏾‍♂️*", "*🛀🏾*", "*🛌🏾*", "*👋🏿*", "*🤚🏿*", "*🖐🏿*", "*✋🏿*", "*🖖🏿*", "*👌🏿*", "*🤌🏿*", "*🤏🏿*", "*✌🏿*", "*🤞🏿*", "*🫰🏿*", "*🤟🏿*", "*🤘🏿*", "*🤙🏿*", "*🫵🏿*", "*🫱🏿*", "*🫲🏿*", "*🫳🏿*", "*🫴🏿*", "*👈🏿*", "*👉🏿*", "*👆🏿*", "*🖕🏿*", "*👇🏿*", "*☝🏿*", "*👍🏿*", "*👎🏿*", "*✊🏿*", "*👊🏿*", "*🤛🏿*", "*🤜🏿*", "*👏🏿*", "*🫶🏿*", "*🙌🏿*", "*👐🏿*", "*🤲🏿*", "*🙏🏿*", "*✍🏿*", "*🤳🏿*", "*💪🏿*", "*🦵🏿*", "*🦶🏿*", "*👂🏿*", "*🦻🏿*", "*👃🏿*", "*👶🏿*", "*👧🏿*", "*🧒🏿*", "*👦🏿*", "*👩🏿*", "*🧑🏿*", "*👨🏿*", "*👩🏿‍🦱*", "*🧑🏿‍🦱*", "*👨🏿‍🦱*", "*👩🏿‍🦰*", "*🧑🏿‍🦰*", "*👨🏿‍🦰*", "*👱🏿‍♀️*", "*👱🏿*", "*👱🏿‍♂️*", "*👩🏿‍🦳*", "*🧑🏿‍🦳*", "*👨🏿‍🦳*", "*👩🏿‍🦲*", "*🧑🏿‍🦲*", "*👨🏿‍🦲*", "*🧔🏿‍♀️*", "*🧔🏿*", "*🧔🏿‍♂️*", "*👵🏿*", "*🧓🏿*", "*👴🏿*", "*👲🏿*", "*👳🏿‍♀️*", "*👳🏿*", "*👳🏿‍♂️*", "*🧕🏿*", "*👮🏿‍♀️*", "*👮🏿*", "*👮🏿‍♂️*", "*👷🏿‍♀️*", "*👷🏿*", "*👷🏿‍♂️*", "*💂🏿‍♀️*", "*💂🏿*", "*💂🏿‍♂️*", "*🕵🏿‍♀️*", "*🕵🏿*", "*🕵🏿‍♂️*", "*👩🏿‍⚕️*", "*🧑🏿‍⚕️*", "*👨🏿‍⚕️*", "*👩🏿‍🌾*", "*🧑🏿‍🌾*", "*👨🏿‍🌾*", "*👩🏿‍🍳*", "*🧑🏿‍🍳*", "*👨🏿‍🍳*", "*👩🏿‍🎓*", "*🧑🏿‍🎓*", "*👨🏿‍🎓*", "*👩🏿‍🎤*", "*🧑🏿‍🎤*", "*👨🏿‍🎤*", "*👩🏿‍🏫*", "*🧑🏿‍🏫*", "*👨🏿‍🏫*", "*👩🏿‍🏭*", "*🧑🏿‍🏭*", "*👨🏿‍🏭*", "*👩🏿‍💻*", "*🧑🏿‍💻*", "*👨🏿‍💻*", "*👩🏿‍💼*", "*🧑🏿‍💼*", "*👨🏿‍💼*", "*👩🏿‍🔧*", "*🧑🏿‍🔧*", "*👨🏿‍🔧*", "*👩🏿‍🔬*", "*🧑🏿‍🔬*", "*👨🏿‍🔬*", "*👩🏿‍🎨*", "*🧑🏿‍🎨*", "*👨🏿‍🎨*", "*👩🏿‍🚒*", "*🧑🏿‍🚒*", "*👨🏿‍🚒*", "*👩🏿‍✈️*", "*🧑🏿‍✈️*", "*👨🏿‍✈️*", "*👩🏿‍🚀*", "*🧑🏿‍🚀*", "*👨🏿‍🚀*", "*👩🏿‍⚖️*", "*🧑🏿‍⚖️*", "*👨🏿‍⚖️*", "*👰🏿‍♀️*", "*👰🏿*", "*👰🏿‍♂️*", "*🤵🏿‍♀️*", "*🤵🏿*", "*🤵🏿‍♂️*", "*👸🏿*", "*🫅🏿*", "*🤴🏿*", "*🥷🏿*", "*🦸🏿‍♀️*", "*🦸🏿*", "*🦸🏿‍♂️*", "*🦹🏿‍♀️*", "*🦹🏿*", "*🦹🏿‍♂️*", "*🤶🏿*", "*🧑🏿‍🎄*", "*🎅🏿*", "*🧙🏿‍♀️*", "*🧙🏿*", "*🧙🏿‍♂️*", "*🧝🏿‍♀️*", "*🧝🏿*", "*🧝🏿‍♂️*", "*🧛🏿‍♀️*", "*🧛🏿*", "*🧛🏿‍♂️*", "*🧜🏿‍♀️*", "*🧜🏿*", "*🧜🏿‍♂️*", "*🧚🏿‍♀️*", "*🧚🏿*", "*🧚🏿‍♂️*", "*👼🏿*", "*🤰🏿*", "*🫄🏿*", "*🫃🏿*", "*🤱🏿*", "*👩🏿‍🍼*", "*🧑🏿‍🍼*", "*👨🏿‍🍼*", "*🙇🏿‍♀️*", "*🙇🏿*", "*🙇🏿‍♂️*", "*💁🏿‍♀️*", "*💁🏿*", "*💁🏿‍♂️*", "*🙅🏿‍♀️*", "*🙅🏿*", "*🙅🏿‍♂️*", "*🙆🏿‍♀️*", "*🙆🏿*", "*🙆🏿‍♂️*", "*🙋🏿‍♀️*", "*🙋🏿*", "*🙋🏿‍♂️*", "*🧏🏿‍♀️*", "*🧏🏿*", "*🧏🏿‍♂️*", "*🤦🏿‍♀️*", "*🤦🏿*", "*🤦🏿‍♂️*", "*🤷🏿‍♀️*", "*🤷🏿*", "*🤷🏿‍♂️*", "*🙎🏿‍♀️*", "*🙎🏿*", "*🙎🏿‍♂️*", "*🙍🏿‍♀️*", "*🙍🏿*", "*🙍🏿‍♂️*", "*💇🏿‍♀️*", "*💇🏿*", "*💇🏿‍♂️*", "*💆🏿‍♀️*", "*💆🏿*", "*💆🏿‍♂️*", "*🧖🏿‍♀️*", "*🧖🏿*", "*🧖🏿‍♂️*", "*💃🏿*", "*🕺🏿*", "*🕴🏿*", "*👩🏿‍🦽*", "*🧑🏿‍🦽*", "*👨🏿‍🦽*", "*👩🏿‍🦼*", "*🧑🏿‍🦼*", "*👨🏿‍🦼*", "*🚶🏿‍♀️*", "*🚶🏿*", "*🚶🏿‍♂️*", "*👩🏿‍🦯*", "*🧑🏿‍🦯*", "*👨🏿‍🦯*", "*🧎🏿‍♀️*", "*🧎🏿*", "*🧎🏿‍♂️*", "*🏃🏿‍♀️*", "*🏃🏿*", "*🏃🏿‍♂️*", "*🧍🏿‍♀️*", "*🧍🏿*", "*🧍🏿‍♂️*", "*👭🏿*", "*🧑🏿‍🤝‍🧑🏿*", "*👬🏿*", "*👫🏿*", "*🧗🏿‍♀️*", "*🧗🏿*", "*🧗🏿‍♂️*", "*🏇🏿*", "*🏂🏿*", "*🏌🏿‍♀️*", "*🏌🏿*", "*🏌🏿‍♂️*", "*🏄🏿‍♀️*", "*🏄🏿*", "*🏄🏿‍♂️*", "*🚣🏿‍♀️*", "*🚣🏿*", "*🚣🏿‍♂️*", "*🏊🏿‍♀️*", "*🏊🏿*", "*🏊🏿‍♂️*", "*⛹🏿‍♀️*", "*⛹🏿*", "*⛹🏿‍♂️*", "*🏋🏿‍♀️*", "*🏋🏿*", "*🏋🏿‍♂️*", "*🚴🏿‍♀️*", "*🚴🏿*", "*🚴🏿‍♂️*", "*🚵🏿‍♀️*", "*🚵🏿*", "*🚵🏿‍♂️*", "*🤸🏿‍♀️*", "*🤸🏿*", "*🤸🏿‍♂️*", "*🤽🏿‍♀️*", "*🤽🏿*", "*🤽🏿‍♂️*", "*🤾🏿‍♀️*", "*🤾🏿*", "*🤾🏿‍♂️*", "*🤹🏿‍♀️*", "*🤹🏿*", "*🤹🏿‍♂️*", "*🧘🏿‍♀️*", "*🧘🏿*", "*🧘🏿‍♂️*", "*🛀🏿*", "*🛌🏿*", "*🐶*", "*🐱*", "*🐭*", "*🐹*", "*🐰*", "*🦊*", "*🐻*", "*🐼*", "*🐻‍❄️*", "*🐨*", "*🐯*", "*🦁*", "*🐮*", "*🐷*", "*🐽*", "*🐸*", "*🐵*", "*🙈*", "*🙉*", "*🙊*", "*🐒*", "*🐔*", "*🐧*", "*🐦*", "*🐤*", "*🐣*", "*🐥*")))
view Sigma YAML 
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
id: c98f2a0d-e1b8-4f76-90d3-359caf88d6b9
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '🤷🏼'
            - '🤷🏼‍♂️'
            - '🙎🏼‍♀️'
            - '🙎🏼'
            - '🙎🏼‍♂️'
            - '🙍🏼‍♀️'
            - '🙍🏼'
            - '🙍🏼‍♂️'
            - '💇🏼‍♀️'
            - '💇🏼'
            - '💇🏼‍♂️'
            - '💆🏼‍♀️'
            - '💆🏼'
            - '💆🏼‍♂️'
            - '🧖🏼‍♀️'
            - '🧖🏼'
            - '🧖🏼‍♂️'
            - '💃🏼'
            - '🕺🏼'
            - '🕴🏼'
            - '👩🏼‍🦽'
            - '🧑🏼‍🦽'
            - '👨🏼‍🦽'
            - '👩🏼‍🦼'
            - '🧑🏼‍🦼'
            - '👨🏼‍🦼'
            - '🚶🏼‍♀️'
            - '🚶🏼'
            - '🚶🏼‍♂️'
            - '👩🏼‍🦯'
            - '🧑🏼‍🦯'
            - '👨🏼‍🦯'
            - '🧎🏼‍♀️'
            - '🧎🏼'
            - '🧎🏼‍♂️'
            - '🏃🏼‍♀️'
            - '🏃🏼'
            - '🏃🏼‍♂️'
            - '🧍🏼‍♀️'
            - '🧍🏼'
            - '🧍🏼‍♂️'
            - '👭🏼'
            - '🧑🏼‍🤝‍🧑🏼'
            - '👬🏼'
            - '👫🏼'
            - '🧗🏼‍♀️'
            - '🧗🏼'
            - '🧗🏼‍♂️'
            - '🏇🏼'
            - '🏂🏼'
            - '🏌🏼‍♀️'
            - '🏌🏼'
            - '🏌🏼‍♂️'
            - '🏄🏼‍♀️'
            - '🏄🏼'
            - '🏄🏼‍♂️'
            - '🚣🏼‍♀️'
            - '🚣🏼'
            - '🚣🏼‍♂️'
            - '🏊🏼‍♀️'
            - '🏊🏼'
            - '🏊🏼‍♂️'
            - '⛹🏼‍♀️'
            - '⛹🏼'
            - '⛹🏼‍♂️'
            - '🏋🏼‍♀️'
            - '🏋🏼'
            - '🏋🏼‍♂️'
            - '🚴🏼‍♀️'
            - '🚴🏼'
            - '🚴🏼‍♂️'
            - '🚵🏼‍♀️'
            - '🚵🏼'
            - '🚵🏼‍♂️'
            - '🤸🏼‍♀️'
            - '🤸🏼'
            - '🤸🏼‍♂️'
            - '🤽🏼‍♀️'
            - '🤽🏼'
            - '🤽🏼‍♂️'
            - '🤾🏼‍♀️'
            - '🤾🏼'
            - '🤾🏼‍♂️'
            - '🤹🏼‍♀️'
            - '🤹🏼'
            - '🤹🏼‍♂️'
            - '🧘🏼‍♀️'
            - '🧘🏼'
            - '🧘🏼‍♂️'
            - '🛀🏼'
            - '🛌🏼'
            - '👋🏽'
            - '🤚🏽'
            - '🖐🏽'
            - '✋🏽'
            - '🖖🏽'
            - '👌🏽'
            - '🤌🏽'
            - '🤏🏽'
            - '✌🏽'
            - '🤞🏽'
            - '🫰🏽'
            - '🤟🏽'
            - '🤘🏽'
            - '🤙🏽'
            - '🫵🏽'
            - '🫱🏽'
            - '🫲🏽'
            - '🫳🏽'
            - '🫴🏽'
            - '👈🏽'
            - '👉🏽'
            - '👆🏽'
            - '🖕🏽'
            - '👇🏽'
            - '☝🏽'
            - '👍🏽'
            - '👎🏽'
            - '✊🏽'
            - '👊🏽'
            - '🤛🏽'
            - '🤜🏽'
            - '👏🏽'
            - '🫶🏽'
            - '🙌🏽'
            - '👐🏽'
            - '🤲🏽'
            - '🙏🏽'
            - '✍🏽'
            - '💪🏽'
            - '🦵🏽'
            - '🦶🏽'
            - '👂🏽'
            - '🦻🏽'
            - '👃🏽'
            - '👶🏽'
            - '👧🏽'
            - '🧒🏽'
            - '👦🏽'
            - '👩🏽'
            - '🧑🏽'
            - '👨🏽'
            - '👩🏽‍🦱'
            - '🧑🏽‍🦱'
            - '👨🏽‍🦱'
            - '👩🏽‍🦰'
            - '🧑🏽‍🦰'
            - '👨🏽‍🦰'
            - '👱🏽‍♀️'
            - '👱🏽'
            - '👱🏽‍♂️'
            - '👩🏽‍🦳'
            - '🧑🏽‍🦳'
            - '👨🏽‍🦳'
            - '👩🏽‍🦲'
            - '🧑🏽‍🦲'
            - '👨🏽‍🦲'
            - '🧔🏽‍♀️'
            - '🧔🏽'
            - '🧔🏽‍♂️'
            - '👵🏽'
            - '🧓🏽'
            - '👴🏽'
            - '👲🏽'
            - '👳🏽‍♀️'
            - '👳🏽'
            - '👳🏽‍♂️'
            - '🧕🏽'
            - '👮🏽‍♀️'
            - '👮🏽'
            - '👮🏽‍♂️'
            - '👷🏽‍♀️'
            - '👷🏽'
            - '👷🏽‍♂️'
            - '💂🏽‍♀️'
            - '💂🏽'
            - '💂🏽‍♂️'
            - '🕵🏽‍♀️'
            - '🕵🏽'
            - '🕵🏽‍♂️'
            - '👩🏽‍⚕️'
            - '🧑🏽‍⚕️'
            - '👨🏽‍⚕️'
            - '👩🏽‍🌾'
            - '🧑🏽‍🌾'
            - '👨🏽‍🌾'
            - '👩🏽‍🍳'
            - '🧑🏽‍🍳'
            - '👨🏽‍🍳'
            - '👩🏽‍🎓'
            - '🧑🏽‍🎓'
            - '👨🏽‍🎓'
            - '👩🏽‍🎤'
            - '🧑🏽‍🎤'
            - '👨🏽‍🎤'
            - '👩🏽‍🏫'
            - '🧑🏽‍🏫'
            - '👨🏽‍🏫'
            - '👩🏽‍🏭'
            - '🧑🏽‍🏭'
            - '👨🏽‍🏭'
            - '👩🏽‍💻'
            - '🧑🏽‍💻'
            - '👨🏽‍💻'
            - '👩🏽‍💼'
            - '🧑🏽‍💼'
            - '👨🏽‍💼'
            - '👩🏽‍🔧'
            - '🧑🏽‍🔧'
            - '👨🏽‍🔧'
            - '👩🏽‍🔬'
            - '🧑🏽‍🔬'
            - '👨🏽‍🔬'
            - '👩🏽‍🎨'
            - '🧑🏽‍🎨'
            - '👨🏽‍🎨'
            - '👩🏽‍🚒'
            - '🧑🏽‍🚒'
            - '👨🏽‍🚒'
            - '👩🏽‍✈️'
            - '🧑🏽‍✈️'
            - '👨🏽‍✈️'
            - '👩🏽‍🚀'
            - '🧑🏽‍🚀'
            - '👨🏽‍🚀'
            - '👩🏽‍⚖️'
            - '🧑🏽‍⚖️'
            - '👨🏽‍⚖️'
            - '👰🏽‍♀️'
            - '👰🏽'
            - '👰🏽‍♂️'
            - '🤵🏽‍♀️'
            - '🤵🏽'
            - '🤵🏽‍♂️'
            - '👸🏽'
            - '🫅🏽'
            - '🤴🏽'
            - '🥷🏽'
            - '🦸🏽‍♀️'
            - '🦸🏽'
            - '🦸🏽‍♂️'
            - '🦹🏽‍♀️'
            - '🦹🏽'
            - '🦹🏽‍♂️'
            - '🤶🏽'
            - '🧑🏽‍🎄'
            - '🎅🏽'
            - '🧙🏽‍♀️'
            - '🧙🏽'
            - '🧙🏽‍♂️'
            - '🧝🏽‍♀️'
            - '🧝🏽'
            - '🧝🏽‍♂️'
            - '🧛🏽‍♀️'
            - '🧛🏽'
            - '🧛🏽‍♂️'
            - '🧜🏽‍♀️'
            - '🧜🏽'
            - '🧜🏽‍♂️'
            - '🧚🏽‍♀️'
            - '🧚🏽'
            - '🧚🏽‍♂️'
            - '👼🏽'
            - '🤰🏽'
            - '🫄🏽'
            - '🫃🏽'
            - '🤱🏽'
            - '👩🏽‍🍼'
            - '🧑🏽‍🍼'
            - '👨🏽‍🍼'
            - '🙇🏽‍♀️'
            - '🙇🏽'
            - '🙇🏽‍♂️'
            - '💁🏽‍♀️'
            - '💁🏽'
            - '💁🏽‍♂️'
            - '🙅🏽‍♀️'
            - '🙅🏽'
            - '🙅🏽‍♂️'
            - '🙆🏽‍♀️'
            - '🙆🏽'
            - '🙆🏽‍♂️'
            - '🙋🏽‍♀️'
            - '🙋🏽'
            - '🙋🏽‍♂️'
            - '🧏🏽‍♀️'
            - '🧏🏽'
            - '🧏🏽‍♂️'
            - '🤦🏽‍♀️'
            - '🤦🏽'
            - '🤦🏽‍♂️'
            - '🤷🏽‍♀️'
            - '🤷🏽'
            - '🤷🏽‍♂️'
            - '🙎🏽‍♀️'
            - '🙎🏽'
            - '🙎🏽‍♂️'
            - '🙍🏽‍♀️'
            - '🙍🏽'
            - '🙍🏽‍♂️'
            - '💇🏽‍♀️'
            - '💇🏽'
            - '💇🏽‍♂️'
            - '💆🏽‍♀️'
            - '💆🏽'
            - '💆🏽‍♂️'
            - '🧖🏽‍♀️'
            - '🧖🏽'
            - '🧖🏽‍♂️'
            - '💃🏽'
            - '🕺🏽'
            - '🕴🏽'
            - '👩🏽‍🦽'
            - '🧑🏽‍🦽'
            - '👨🏽‍🦽'
            - '👩🏽‍🦼'
            - '🧑🏽‍🦼'
            - '👨🏽‍🦼'
            - '🚶🏽‍♀️'
            - '🚶🏽'
            - '🚶🏽‍♂️'
            - '👩🏽‍🦯'
            - '🧑🏽‍🦯'
            - '👨🏽‍🦯'
            - '🧎🏽‍♀️'
            - '🧎🏽'
            - '🧎🏽‍♂️'
            - '🏃🏽‍♀️'
            - '🏃🏽'
            - '🏃🏽‍♂️'
            - '🧍🏽‍♀️'
            - '🧍🏽'
            - '🧍🏽‍♂️'
            - '👭🏽'
            - '🧑🏽‍🤝‍🧑🏽'
            - '👬🏽'
            - '👫🏽'
            - '🧗🏽‍♀️'
            - '🧗🏽'
            - '🧗🏽‍♂️'
            - '🏇🏽'
            - '🏂🏽'
            - '🏌🏽‍♀️'
            - '🏌🏽'
            - '🏌🏽‍♂️'
            - '🏄🏽‍♀️'
            - '🏄🏽'
            - '🏄🏽‍♂️'
            - '🚣🏽‍♀️'
            - '🚣🏽'
            - '🚣🏽‍♂️'
            - '🏊🏽‍♀️'
            - '🏊🏽'
            - '🏊🏽‍♂️'
            - '⛹🏽‍♀️'
            - '⛹🏽'
            - '⛹🏽‍♂️'
            - '🏋🏽‍♀️'
            - '🏋🏽'
            - '🏋🏽‍♂️'
            - '🚴🏽‍♀️'
            - '🚴🏽'
            - '🚴🏽‍♂️'
            - '🚵🏽‍♀️'
            - '🚵🏽'
            - '🚵🏽‍♂️'
            - '🤸🏽‍♀️'
            - '🤸🏽'
            - '🤸🏽‍♂️'
            - '🤽🏽‍♀️'
            - '🤽🏽'
            - '🤽🏽‍♂️'
            - '🤾🏽‍♀️'
            - '🤾🏽'
            - '🤾🏽‍♂️'
            - '🤹🏽‍♀️'
            - '🤹🏽'
            - '🤹🏽‍♂️'
            - '🧘🏽‍♀️'
            - '🧘🏽'
            - '🧘🏽‍♂️'
            - '🛀🏽'
            - '🛌🏽'
            - '👋🏾'
            - '🤚🏾'
            - '🖐🏾'
            - '✋🏾'
            - '🖖🏾'
            - '👌🏾'
            - '🤌🏾'
            - '🤏🏾'
            - '✌🏾'
            - '🤞🏾'
            - '🫰🏾'
            - '🤟🏾'
            - '🤘🏾'
            - '🤙🏾'
            - '🫵🏾'
            - '🫱🏾'
            - '🫲🏾'
            - '🫳🏾'
            - '🫴🏾'
            - '👈🏾'
            - '👉🏾'
            - '👆🏾'
            - '🖕🏾'
            - '👇🏾'
            - '☝🏾'
            - '👍🏾'
            - '👎🏾'
            - '✊🏾'
            - '👊🏾'
            - '🤛🏾'
            - '🤜🏾'
            - '👏🏾'
            - '🫶🏾'
            - '🙌🏾'
            - '👐🏾'
            - '🤲🏾'
            - '🙏🏾'
            - '✍🏾'
            - '💪🏾'
            - '🦵🏾'
            - '🦶🏾'
            - '👂🏾'
            - '🦻🏾'
            - '👃🏾'
            - '👶🏾'
            - '👧🏾'
            - '🧒🏾'
            - '👦🏾'
            - '👩🏾'
            - '🧑🏾'
            - '👨🏾'
            - '👩🏾‍🦱'
            - '🧑🏾‍🦱'
            - '👨🏾‍🦱'
            - '👩🏾‍🦰'
            - '🧑🏾‍🦰'
            - '👨🏾‍🦰'
            - '👱🏾‍♀️'
            - '👱🏾'
            - '👱🏾‍♂️'
            - '👩🏾‍🦳'
            - '🧑🏾‍🦳'
            - '👨🏾‍🦳'
            - '👩🏾‍🦲'
            - '🧑🏾‍🦲'
            - '👨🏾‍🦲'
            - '🧔🏾‍♀️'
            - '🧔🏾'
            - '🧔🏾‍♂️'
            - '👵🏾'
            - '🧓🏾'
            - '👴🏾'
            - '👲🏾'
            - '👳🏾‍♀️'
            - '👳🏾'
            - '👳🏾‍♂️'
            - '🧕🏾'
            - '👮🏾‍♀️'
            - '👮🏾'
            - '👮🏾‍♂️'
            - '👷🏾‍♀️'
            - '👷🏾'
            - '👷🏾‍♂️'
            - '💂🏾‍♀️'
            - '💂🏾'
            - '💂🏾‍♂️'
            - '🕵🏾‍♀️'
            - '🕵🏾'
            - '🕵🏾‍♂️'
            - '👩🏾‍⚕️'
            - '🧑🏾‍⚕️'
            - '👨🏾‍⚕️'
            - '👩🏾‍🌾'
            - '🧑🏾‍🌾'
            - '👨🏾‍🌾'
            - '👩🏾‍🍳'
            - '🧑🏾‍🍳'
            - '👨🏾‍🍳'
            - '👩🏾‍🎓'
            - '🧑🏾‍🎓'
            - '👨🏾‍🎓'
            - '👩🏾‍🎤'
            - '🧑🏾‍🎤'
            - '👨🏾‍🎤'
            - '👩🏾‍🏫'
            - '🧑🏾‍🏫'
            - '👨🏾‍🏫'
            - '👩🏾‍🏭'
            - '🧑🏾‍🏭'
            - '👨🏾‍🏭'
            - '👩🏾‍💻'
            - '🧑🏾‍💻'
            - '👨🏾‍💻'
            - '👩🏾‍💼'
            - '🧑🏾‍💼'
            - '👨🏾‍💼'
            - '👩🏾‍🔧'
            - '🧑🏾‍🔧'
            - '👨🏾‍🔧'
            - '👩🏾‍🔬'
            - '🧑🏾‍🔬'
            - '👨🏾‍🔬'
            - '👩🏾‍🎨'
            - '🧑🏾‍🎨'
            - '👨🏾‍🎨'
            - '👩🏾‍🚒'
            - '🧑🏾‍🚒'
            - '👨🏾‍🚒'
            - '👩🏾‍✈️'
            - '🧑🏾‍✈️'
            - '👨🏾‍✈️'
            - '👩🏾‍🚀'
            - '🧑🏾‍🚀'
            - '👨🏾‍🚀'
            - '👩🏾‍⚖️'
            - '🧑🏾‍⚖️'
            - '👨🏾‍⚖️'
            - '👰🏾‍♀️'
            - '👰🏾'
            - '👰🏾‍♂️'
            - '🤵🏾‍♀️'
            - '🤵🏾'
            - '🤵🏾‍♂️'
            - '👸🏾'
            - '🫅🏾'
            - '🤴🏾'
            - '🥷🏾'
            - '🦸🏾‍♀️'
            - '🦸🏾'
            - '🦸🏾‍♂️'
            - '🦹🏾‍♀️'
            - '🦹🏾'
            - '🦹🏾‍♂️'
            - '🤶🏾'
            - '🧑🏾‍🎄'
            - '🎅🏾'
            - '🧙🏾‍♀️'
            - '🧙🏾'
            - '🧙🏾‍♂️'
            - '🧝🏾‍♀️'
            - '🧝🏾'
            - '🧝🏾‍♂️'
            - '🧛🏾‍♀️'
            - '🧛🏾'
            - '🧛🏾‍♂️'
            - '🧜🏾‍♀️'
            - '🧜🏾'
            - '🧜🏾‍♂️'
            - '🧚🏾‍♀️'
            - '🧚🏾'
            - '🧚🏾‍♂️'
            - '👼🏾'
            - '🤰🏾'
            - '🫄🏾'
            - '🫃🏾'
            - '🤱🏾'
            - '👩🏾‍🍼'
            - '🧑🏾‍🍼'
            - '👨🏾‍🍼'
            - '🙇🏾‍♀️'
            - '🙇🏾'
            - '🙇🏾‍♂️'
            - '💁🏾‍♀️'
            - '💁🏾'
            - '💁🏾‍♂️'
            - '🙅🏾‍♀️'
            - '🙅🏾'
            - '🙅🏾‍♂️'
            - '🙆🏾‍♀️'
            - '🙆🏾'
            - '🙆🏾‍♂️'
            - '🙋🏾‍♀️'
            - '🙋🏾'
            - '🙋🏾‍♂️'
            - '🧏🏾‍♀️'
            - '🧏🏾'
            - '🧏🏾‍♂️'
            - '🤦🏾‍♀️'
            - '🤦🏾'
            - '🤦🏾‍♂️'
            - '🤷🏾‍♀️'
            - '🤷🏾'
            - '🤷🏾‍♂️'
            - '🙎🏾‍♀️'
            - '🙎🏾'
            - '🙎🏾‍♂️'
            - '🙍🏾‍♀️'
            - '🙍🏾'
            - '🙍🏾‍♂️'
            - '💇🏾‍♀️'
            - '💇🏾'
            - '💇🏾‍♂️'
            - '💆🏾‍♀️'
            - '💆🏾'
            - '💆🏾‍♂️'
            - '🧖🏾‍♀️'
            - '🧖🏾'
            - '🧖🏾‍♂️'
            - '💃🏾'
            - '🕺🏾'
            - '👩🏾‍🦽'
            - '🧑🏾‍🦽'
            - '👨🏾‍🦽'
            - '👩🏾‍🦼'
            - '🧑🏾‍🦼'
            - '👨🏾‍🦼'
            - '🚶🏾‍♀️'
            - '🚶🏾'
            - '🚶🏾‍♂️'
            - '👩🏾‍🦯'
            - '🧑🏾‍🦯'
            - '👨🏾‍🦯'
            - '🧎🏾‍♀️'
            - '🧎🏾'
            - '🧎🏾‍♂️'
            - '🏃🏾‍♀️'
            - '🏃🏾'
            - '🏃🏾‍♂️'
            - '🧍🏾‍♀️'
            - '🧍🏾'
            - '🧍🏾‍♂️'
            - '👭🏾'
            - '🧑🏾‍🤝‍🧑🏾'
            - '👬🏾'
            - '👫🏾'
            - '🧗🏾‍♀️'
            - '🧗🏾'
            - '🧗🏾‍♂️'
            - '🏇🏾'
            - '🏂🏾'
            - '🏌🏾‍♀️'
            - '🏌🏾'
            - '🏌🏾‍♂️'
            - '🏄🏾‍♀️'
            - '🏄🏾'
            - '🏄🏾‍♂️'
            - '🚣🏾‍♀️'
            - '🚣🏾'
            - '🚣🏾‍♂️'
            - '🏊🏾‍♀️'
            - '🏊🏾'
            - '🏊🏾‍♂️'
            - '⛹🏾‍♀️'
            - '⛹🏾'
            - '⛹🏾‍♂️'
            - '🏋🏾‍♀️'
            - '🏋🏾'
            - '🏋🏾‍♂️'
            - '🚴🏾‍♀️'
            - '🚴🏾'
            - '🚴🏾‍♂️'
            - '🚵🏾‍♀️'
            - '🚵🏾'
            - '🚵🏾‍♂️'
            - '🤸🏾‍♀️'
            - '🤸🏾'
            - '🤸🏾‍♂️'
            - '🤽🏾‍♀️'
            - '🤽🏾'
            - '🤽🏾‍♂️'
            - '🤾🏾‍♀️'
            - '🤾🏾'
            - '🤾🏾‍♂️'
            - '🤹🏾‍♀️'
            - '🤹🏾'
            - '🤹🏾‍♂️'
            - '🧘🏾‍♀️'
            - '🧘🏾'
            - '🧘🏾‍♂️'
            - '🛀🏾'
            - '🛌🏾'
            - '👋🏿'
            - '🤚🏿'
            - '🖐🏿'
            - '✋🏿'
            - '🖖🏿'
            - '👌🏿'
            - '🤌🏿'
            - '🤏🏿'
            - '✌🏿'
            - '🤞🏿'
            - '🫰🏿'
            - '🤟🏿'
            - '🤘🏿'
            - '🤙🏿'
            - '🫵🏿'
            - '🫱🏿'
            - '🫲🏿'
            - '🫳🏿'
            - '🫴🏿'
            - '👈🏿'
            - '👉🏿'
            - '👆🏿'
            - '🖕🏿'
            - '👇🏿'
            - '☝🏿'
            - '👍🏿'
            - '👎🏿'
            - '✊🏿'
            - '👊🏿'
            - '🤛🏿'
            - '🤜🏿'
            - '👏🏿'
            - '🫶🏿'
            - '🙌🏿'
            - '👐🏿'
            - '🤲🏿'
            - '🙏🏿'
            - '✍🏿'
            - '🤳🏿'
            - '💪🏿'
            - '🦵🏿'
            - '🦶🏿'
            - '👂🏿'
            - '🦻🏿'
            - '👃🏿'
            - '👶🏿'
            - '👧🏿'
            - '🧒🏿'
            - '👦🏿'
            - '👩🏿'
            - '🧑🏿'
            - '👨🏿'
            - '👩🏿‍🦱'
            - '🧑🏿‍🦱'
            - '👨🏿‍🦱'
            - '👩🏿‍🦰'
            - '🧑🏿‍🦰'
            - '👨🏿‍🦰'
            - '👱🏿‍♀️'
            - '👱🏿'
            - '👱🏿‍♂️'
            - '👩🏿‍🦳'
            - '🧑🏿‍🦳'
            - '👨🏿‍🦳'
            - '👩🏿‍🦲'
            - '🧑🏿‍🦲'
            - '👨🏿‍🦲'
            - '🧔🏿‍♀️'
            - '🧔🏿'
            - '🧔🏿‍♂️'
            - '👵🏿'
            - '🧓🏿'
            - '👴🏿'
            - '👲🏿'
            - '👳🏿‍♀️'
            - '👳🏿'
            - '👳🏿‍♂️'
            - '🧕🏿'
            - '👮🏿‍♀️'
            - '👮🏿'
            - '👮🏿‍♂️'
            - '👷🏿‍♀️'
            - '👷🏿'
            - '👷🏿‍♂️'
            - '💂🏿‍♀️'
            - '💂🏿'
            - '💂🏿‍♂️'
            - '🕵🏿‍♀️'
            - '🕵🏿'
            - '🕵🏿‍♂️'
            - '👩🏿‍⚕️'
            - '🧑🏿‍⚕️'
            - '👨🏿‍⚕️'
            - '👩🏿‍🌾'
            - '🧑🏿‍🌾'
            - '👨🏿‍🌾'
            - '👩🏿‍🍳'
            - '🧑🏿‍🍳'
            - '👨🏿‍🍳'
            - '👩🏿‍🎓'
            - '🧑🏿‍🎓'
            - '👨🏿‍🎓'
            - '👩🏿‍🎤'
            - '🧑🏿‍🎤'
            - '👨🏿‍🎤'
            - '👩🏿‍🏫'
            - '🧑🏿‍🏫'
            - '👨🏿‍🏫'
            - '👩🏿‍🏭'
            - '🧑🏿‍🏭'
            - '👨🏿‍🏭'
            - '👩🏿‍💻'
            - '🧑🏿‍💻'
            - '👨🏿‍💻'
            - '👩🏿‍💼'
            - '🧑🏿‍💼'
            - '👨🏿‍💼'
            - '👩🏿‍🔧'
            - '🧑🏿‍🔧'
            - '👨🏿‍🔧'
            - '👩🏿‍🔬'
            - '🧑🏿‍🔬'
            - '👨🏿‍🔬'
            - '👩🏿‍🎨'
            - '🧑🏿‍🎨'
            - '👨🏿‍🎨'
            - '👩🏿‍🚒'
            - '🧑🏿‍🚒'
            - '👨🏿‍🚒'
            - '👩🏿‍✈️'
            - '🧑🏿‍✈️'
            - '👨🏿‍✈️'
            - '👩🏿‍🚀'
            - '🧑🏿‍🚀'
            - '👨🏿‍🚀'
            - '👩🏿‍⚖️'
            - '🧑🏿‍⚖️'
            - '👨🏿‍⚖️'
            - '👰🏿‍♀️'
            - '👰🏿'
            - '👰🏿‍♂️'
            - '🤵🏿‍♀️'
            - '🤵🏿'
            - '🤵🏿‍♂️'
            - '👸🏿'
            - '🫅🏿'
            - '🤴🏿'
            - '🥷🏿'
            - '🦸🏿‍♀️'
            - '🦸🏿'
            - '🦸🏿‍♂️'
            - '🦹🏿‍♀️'
            - '🦹🏿'
            - '🦹🏿‍♂️'
            - '🤶🏿'
            - '🧑🏿‍🎄'
            - '🎅🏿'
            - '🧙🏿‍♀️'
            - '🧙🏿'
            - '🧙🏿‍♂️'
            - '🧝🏿‍♀️'
            - '🧝🏿'
            - '🧝🏿‍♂️'
            - '🧛🏿‍♀️'
            - '🧛🏿'
            - '🧛🏿‍♂️'
            - '🧜🏿‍♀️'
            - '🧜🏿'
            - '🧜🏿‍♂️'
            - '🧚🏿‍♀️'
            - '🧚🏿'
            - '🧚🏿‍♂️'
            - '👼🏿'
            - '🤰🏿'
            - '🫄🏿'
            - '🫃🏿'
            - '🤱🏿'
            - '👩🏿‍🍼'
            - '🧑🏿‍🍼'
            - '👨🏿‍🍼'
            - '🙇🏿‍♀️'
            - '🙇🏿'
            - '🙇🏿‍♂️'
            - '💁🏿‍♀️'
            - '💁🏿'
            - '💁🏿‍♂️'
            - '🙅🏿‍♀️'
            - '🙅🏿'
            - '🙅🏿‍♂️'
            - '🙆🏿‍♀️'
            - '🙆🏿'
            - '🙆🏿‍♂️'
            - '🙋🏿‍♀️'
            - '🙋🏿'
            - '🙋🏿‍♂️'
            - '🧏🏿‍♀️'
            - '🧏🏿'
            - '🧏🏿‍♂️'
            - '🤦🏿‍♀️'
            - '🤦🏿'
            - '🤦🏿‍♂️'
            - '🤷🏿‍♀️'
            - '🤷🏿'
            - '🤷🏿‍♂️'
            - '🙎🏿‍♀️'
            - '🙎🏿'
            - '🙎🏿‍♂️'
            - '🙍🏿‍♀️'
            - '🙍🏿'
            - '🙍🏿‍♂️'
            - '💇🏿‍♀️'
            - '💇🏿'
            - '💇🏿‍♂️'
            - '💆🏿‍♀️'
            - '💆🏿'
            - '💆🏿‍♂️'
            - '🧖🏿‍♀️'
            - '🧖🏿'
            - '🧖🏿‍♂️'
            - '💃🏿'
            - '🕺🏿'
            - '🕴🏿'
            - '👩🏿‍🦽'
            - '🧑🏿‍🦽'
            - '👨🏿‍🦽'
            - '👩🏿‍🦼'
            - '🧑🏿‍🦼'
            - '👨🏿‍🦼'
            - '🚶🏿‍♀️'
            - '🚶🏿'
            - '🚶🏿‍♂️'
            - '👩🏿‍🦯'
            - '🧑🏿‍🦯'
            - '👨🏿‍🦯'
            - '🧎🏿‍♀️'
            - '🧎🏿'
            - '🧎🏿‍♂️'
            - '🏃🏿‍♀️'
            - '🏃🏿'
            - '🏃🏿‍♂️'
            - '🧍🏿‍♀️'
            - '🧍🏿'
            - '🧍🏿‍♂️'
            - '👭🏿'
            - '🧑🏿‍🤝‍🧑🏿'
            - '👬🏿'
            - '👫🏿'
            - '🧗🏿‍♀️'
            - '🧗🏿'
            - '🧗🏿‍♂️'
            - '🏇🏿'
            - '🏂🏿'
            - '🏌🏿‍♀️'
            - '🏌🏿'
            - '🏌🏿‍♂️'
            - '🏄🏿‍♀️'
            - '🏄🏿'
            - '🏄🏿‍♂️'
            - '🚣🏿‍♀️'
            - '🚣🏿'
            - '🚣🏿‍♂️'
            - '🏊🏿‍♀️'
            - '🏊🏿'
            - '🏊🏿‍♂️'
            - '⛹🏿‍♀️'
            - '⛹🏿'
            - '⛹🏿‍♂️'
            - '🏋🏿‍♀️'
            - '🏋🏿'
            - '🏋🏿‍♂️'
            - '🚴🏿‍♀️'
            - '🚴🏿'
            - '🚴🏿‍♂️'
            - '🚵🏿‍♀️'
            - '🚵🏿'
            - '🚵🏿‍♂️'
            - '🤸🏿‍♀️'
            - '🤸🏿'
            - '🤸🏿‍♂️'
            - '🤽🏿‍♀️'
            - '🤽🏿'
            - '🤽🏿‍♂️'
            - '🤾🏿‍♀️'
            - '🤾🏿'
            - '🤾🏿‍♂️'
            - '🤹🏿‍♀️'
            - '🤹🏿'
            - '🤹🏿‍♂️'
            - '🧘🏿‍♀️'
            - '🧘🏿'
            - '🧘🏿‍♂️'
            - '🛀🏿'
            - '🛌🏿'
            - '🐶'
            - '🐱'
            - '🐭'
            - '🐹'
            - '🐰'
            - '🦊'
            - '🐻'
            - '🐼'
            - '🐻‍❄️'
            - '🐨'
            - '🐯'
            - '🦁'
            - '🐮'
            - '🐷'
            - '🐽'
            - '🐸'
            - '🐵'
            - '🙈'
            - '🙉'
            - '🙊'
            - '🐒'
            - '🐔'
            - '🐧'
            - '🐦'
            - '🐤'
            - '🐣'
            - '🐥'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
status test author @Kostastsale, TheDFIRReport ATT&CK tactic-only id f9578658-9e71-4711-b634-3f9b50cd3c06
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*🦆*", "*🦅*", "*🦉*", "*🦇*", "*🐺*", "*🐗*", "*🐴*", "*🦄*", "*🐝*", "*🪱*", "*🐛*", "*🦋*", "*🐌*", "*🐞*", "*🐜*", "*🪰*", "*🪲*", "*🪳*", "*🦟*", "*🦗*", "*🕷*", "*🕸*", "*🦂*", "*🐢*", "*🐍*", "*🦎*", "*🦖*", "*🦕*", "*🐙*", "*🦑*", "*🦐*", "*🦞*", "*🦀*", "*🪸*", "*🐡*", "*🐠*", "*🐟*", "*🐬*", "*🐳*", "*🐋*", "*🦈*", "*🐊*", "*🐅*", "*🐆*", "*🦓*", "*🦍*", "*🦧*", "*🦣*", "*🐘*", "*🦛*", "*🦏*", "*🐪*", "*🐫*", "*🦒*", "*🦘*", "*🦬*", "*🐃*", "*🐂*", "*🐄*", "*🐎*", "*🐖*", "*🐏*", "*🐑*", "*🦙*", "*🐐*", "*🦌*", "*🐕*", "*🐩*", "*🦮*", "*🐕‍🦺*", "*🐈*", "*🐈‍⬛*", "*🪶*", "*🐓*", "*🦃*", "*🦤*", "*🦚*", "*🦜*", "*🦢*", "*🦩*", "*🕊*", "*🐇*", "*🦝*", "*🦨*", "*🦡*", "*🦫*", "*🦦*", "*🦥*", "*🐁*", "*🐀*", "*🐿*", "*🦔*", "*🐾*", "*🐉*", "*🐲*", "*🌵*", "*🎄*", "*🌲*", "*🌳*", "*🌴*", "*🪹*", "*🪺*", "*🪵*", "*🌱*", "*🌿*", "*☘️*", "*🍀*", "*🎍*", "*🪴*", "*🎋*", "*🍃*", "*🍂*", "*🍁*", "*🍄*", "*🐚*", "*🪨*", "*🌾*", "*💐*", "*🌷*", "*🪷*", "*🌹*", "*🥀*", "*🌺*", "*🌸*", "*🌼*", "*🌻*", "*🌞*", "*🌝*", "*🌛*", "*🌜*", "*🌚*", "*🌕*", "*🌖*", "*🌗*", "*🌘*", "*🌑*", "*🌒*", "*🌓*", "*🌔*", "*🌙*", "*🌎*", "*🌍*", "*🌏*", "*🪐*", "*💫*", "*⭐️*", "*🌟*", "*✨*", "*⚡️*", "*☄️*", "*💥*", "*🔥*", "*🌪*", "*🌈*", "*☀️*", "*🌤*", "*⛅️*", "*🌥*", "*☁️*", "*🌦*", "*🌧*", "*⛈*", "*🌩*", "*🌨*", "*❄️*", "*☃️*", "*⛄️*", "*🌬*", "*💨*", "*💧*", "*💦*", "*🫧*", "*☔️*", "*☂️*", "*🌊*", "*🌫🍏*", "*🍎*", "*🍐*", "*🍊*", "*🍋*", "*🍌*", "*🍉*", "*🍇*", "*🍓*", "*🫐*", "*🍈*", "*🍒*", "*🍑*", "*🥭*", "*🍍*", "*🥥*", "*🥝*", "*🍅*", "*🍆*", "*🥑*", "*🥦*", "*🥬*", "*🥒*", "*🌶*", "*🫑*", "*🌽*", "*🥕*", "*🫒*", "*🧄*", "*🧅*", "*🥔*", "*🍠*", "*🫘*", "*🥐*", "*🥯*", "*🍞*", "*🥖*", "*🥨*", "*🧀*", "*🥚*", "*🍳*", "*🧈*", "*🥞*", "*🧇*", "*🥓*", "*🥩*", "*🍗*", "*🍖*", "*🦴*", "*🌭*", "*🍔*", "*🍟*", "*🍕*", "*🫓*", "*🥪*", "*🥙*", "*🧆*", "*🌮*", "*🌯*", "*🫔*", "*🥗*", "*🥘*", "*🫕*", "*🥫*", "*🍝*", "*🍜*", "*🍲*", "*🍛*", "*🍣*", "*🍱*", "*🥟*", "*🦪*", "*🍤*", "*🍙*", "*🍚*", "*🍘*", "*🍥*", "*🥠*", "*🥮*", "*🍢*", "*🍡*", "*🍧*", "*🍨*", "*🍦*", "*🥧*", "*🧁*", "*🍰*", "*🎂*", "*🍮*", "*🍭*", "*🍬*", "*🍫*", "*🍿*", "*🍩*", "*🍪*", "*🌰*", "*🥜*", "*🍯*", "*🥛*", "*🍼*", "*🫖*", "*☕️*", "*🍵*", "*🧃*", "*🥤*", "*🧋*", "*🫙*", "*🍶*", "*🍺*", "*🍻*", "*🥂*", "*🍷*", "*🫗*", "*🥃*", "*🍸*", "*🍹*", "*🧉*", "*🍾*", "*🧊*", "*🥄*", "*🍴*", "*🍽*", "*🥣*", "*🥡*", "*🥢*", "*🧂*", "*⚽️*", "*🏀*", "*🏈*", "*⚾️*", "*🥎*", "*🎾*", "*🏐*", "*🏉*", "*🥏*", "*🎱*", "*🪀*", "*🏓*", "*🏸*", "*🏒*", "*🏑*", "*🥍*", "*🏏*", "*🪃*", "*🥅*", "*⛳️*", "*🪁*", "*🏹*", "*🎣*", "*🤿*", "*🥊*", "*🥋*", "*🎽*", "*🛹*", "*🛼*", "*🛷*", "*⛸*", "*🥌*", "*🎿*", "*⛷*", "*🏂*", "*🪂*", "*🏋️‍♀️*", "*🏋️*", "*🏋️‍♂️*", "*🤼‍♀️*", "*🤼*", "*🤼‍♂️*", "*🤸‍♀️*", "*🤸*", "*🤸‍♂️*", "*⛹️‍♀️*", "*⛹️*", "*⛹️‍♂️*", "*🤺*", "*🤾‍♀️*", "*🤾*", "*🤾‍♂️*", "*🏌️‍♀️*", "*🏌️*", "*🏌️‍♂️*", "*🏇*", "*🧘‍♀️*", "*🧘*", "*🧘‍♂️*", "*🏄‍♀️*", "*🏄*", "*🏄‍♂️*", "*🏊‍♀️*", "*🏊*", "*🏊‍♂️*", "*🤽‍♀️*", "*🤽*", "*🤽‍♂️*", "*🚣‍♀️*", "*🚣*", "*🚣‍♂️*", "*🧗‍♀️*", "*🧗*", "*🧗‍♂️*", "*🚵‍♀️*", "*🚵*", "*🚵‍♂️*", "*🚴‍♀️*", "*🚴*", "*🚴‍♂️*", "*🏆*", "*🥇*", "*🥈*", "*🥉*", "*🏅*", "*🎖*", "*🏵*", "*🎗*", "*🎫*", "*🎟*", "*🎪*", "*🤹*", "*🤹‍♂️*", "*🤹‍♀️*", "*🎭*", "*🩰*", "*🎨*", "*🎬*", "*🎤*", "*🎧*", "*🎼*", "*🎹*", "*🥁*", "*🪘*", "*🎷*", "*🎺*", "*🪗*", "*🎸*", "*🪕*", "*🎻*", "*🎲*", "*♟*", "*🎯*", "*🎳*", "*🎮*", "*🎰*", "*🧩*", "*🚗*", "*🚕*", "*🚙*", "*🚌*", "*🚎*", "*🏎*", "*🚓*", "*🚑*", "*🚒*", "*🚐*", "*🛻*", "*🚚*", "*🚛*", "*🚜*", "*🦯*", "*🦽*", "*🦼*", "*🛴*", "*🚲*", "*🛵*", "*🏍*", "*🛺*", "*🚨*", "*🚔*", "*🚍*", "*🚘*", "*🚖*", "*🛞*", "*🚡*", "*🚠*", "*🚟*", "*🚃*", "*🚋*", "*🚞*", "*🚝*", "*🚄*", "*🚅*", "*🚈*", "*🚂*", "*🚆*", "*🚇*", "*🚊*", "*🚉*", "*✈️*", "*🛫*", "*🛬*", "*🛩*", "*💺*", "*🛰*", "*🚀*", "*🛸*", "*🚁*", "*🛶*", "*⛵️*", "*🚤*", "*🛥*", "*🛳*", "*⛴*", "*🚢*", "*⚓️*", "*🛟*", "*🪝*", "*⛽️*", "*🚧*", "*🚦*", "*🚥*", "*🚏*", "*🗺*", "*🗿*", "*🗽*", "*🗼*", "*🏰*", "*🏯*", "*🏟*", "*🎡*", "*🎢*", "*🛝*", "*🎠*", "*⛲️*", "*⛱*", "*🏖*", "*🏝*", "*🏜*", "*🌋*", "*⛰*", "*🏔*", "*🗻*", "*🏕*", "*⛺️*", "*🛖*", "*🏠*", "*🏡*", "*🏘*", "*🏚*", "*🏗*", "*🏭*", "*🏢*", "*🏬*", "*🏣*", "*🏤*", "*🏥*", "*🏦*", "*🏨*", "*🏪*", "*🏫*", "*🏩*", "*💒*", "*🏛*", "*⛪️*", "*🕌*", "*🕍*", "*🛕*", "*🕋*", "*⛩*", "*🛤*", "*🛣*", "*🗾*", "*🎑*", "*🏞*", "*🌅*", "*🌄*", "*🌠*", "*🎇*", "*🎆*", "*🌇*", "*🌆*", "*🏙*", "*🌃*", "*🌌*", "*🌉*", "*🌁*", "*⌚️*", "*📱*", "*📲*", "*💻*", "*⌨️*", "*🖥*", "*🖨*", "*🖱*", "*🖲*", "*🕹*", "*🗜*", "*💽*", "*💾*", "*💿*", "*📀*", "*📼*", "*📷*", "*📸*", "*📹*", "*🎥*", "*📽*", "*🎞*", "*📞*", "*☎️*", "*📟*", "*📠*", "*📺*", "*📻*", "*🎙*", "*🎚*", "*🎛*", "*🧭*", "*⏱*", "*⏲*", "*⏰*", "*🕰*", "*⌛️*", "*⏳*", "*📡*", "*🔋*", "*🪫*", "*🔌*", "*💡*", "*🔦*", "*🕯*", "*🪔*", "*🧯*", "*🛢*", "*💸*", "*💵*", "*💴*", "*💶*", "*💷*", "*🪙*", "*💰*", "*💳*", "*💎*", "*⚖️*", "*🪜*", "*🧰*", "*🪛*", "*🔧*", "*🔨*", "*⚒*", "*🛠*", "*⛏*", "*🪚*", "*🔩*", "*⚙️*", "*🪤*", "*🧱*", "*⛓*", "*🧲*", "*🔫*", "*💣*", "*🧨*", "*🪓*", "*🔪*", "*🗡*", "*⚔️*", "*🛡*", "*🚬*", "*⚰️*", "*🪦*", "*⚱️*", "*🏺*", "*🔮*", "*📿*", "*🧿*", "*🪬*", "*💈*", "*⚗️*", "*🔭*", "*🔬*", "*🕳*", "*🩹*", "*🩺*", "*🩻*", "*🩼*", "*💊*", "*💉*", "*🩸*", "*🧬*", "*🦠*", "*🧫*", "*🧪*", "*🌡*", "*🧹*", "*🪠*", "*🧺*", "*🧻*", "*🚽*", "*🚰*", "*🚿*", "*🛁*", "*🛀*", "*🧼*", "*🪥*", "*🪒*", "*🧽*", "*🪣*", "*🧴*", "*🛎*", "*🔑*", "*🗝*", "*🚪*", "*🪑*", "*🛋*", "*🛏*", "*🛌*", "*🧸*", "*🪆*", "*🖼*", "*🪞*", "*🪟*", "*🛍*", "*🛒*", "*🎁*", "*🎈*", "*🎏*", "*🎀*", "*🪄*", "*🪅*", "*🎊*", "*🎉*", "*🪩*", "*🎎*", "*🏮*", "*🎐*", "*🧧*", "*✉️*", "*📩*", "*📨*", "*📧*", "*💌*", "*📥*", "*📤*", "*📦*", "*🏷*", "*🪧*", "*📪*", "*📫*", "*📬*", "*📭*", "*📮*", "*📯*", "*📜*", "*📃*", "*📄*", "*📑*", "*🧾*", "*📊*", "*📈*", "*📉*", "*🗒*", "*🗓*", "*📆*", "*📅*", "*🗑*", "*🪪*", "*📇*", "*🗃*", "*🗳*", "*🗄*", "*📋*", "*📁*", "*📂*", "*🗂*", "*🗞*", "*📰*", "*📓*", "*📔*", "*📒*", "*📕*", "*📗*", "*📘*", "*📙*", "*📚*", "*📖*", "*🔖*", "*🧷*", "*🔗*", "*📎*", "*🖇*", "*📐*", "*📏*", "*🧮*", "*📌*", "*📍*", "*✂️*", "*🖊*", "*🖋*", "*✒️*", "*🖌*", "*🖍*", "*📝*", "*✏️*", "*🔍*", "*🔎*", "*🔏*", "*🔐*", "*🔒*", "*🔓❤️*", "*🧡*", "*💛*", "*💚*", "*💙*", "*💜*", "*🖤*", "*🤍*", "*🤎*", "*❤️‍🔥*", "*❤️‍🩹*", "*💔*", "*❣️*", "*💕*", "*💞*", "*💓*", "*💗*", "*💖*", "*💘*", "*💝*", "*💟*", "*☮️*", "*✝️*", "*☪️*", "*🕉*", "*☸️*", "*✡️*", "*🔯*", "*🕎*", "*☯️*", "*☦️*", "*🛐*", "*⛎*", "*♈️*", "*♉️*", "*♊️*", "*♋️*", "*♌️*", "*♍️*", "*♎️*", "*♏️*", "*♐️*", "*♑️*", "*♒️*", "*♓️*", "*🆔*", "*⚛️*", "*🉑*", "*☢️*", "*☣️*", "*📴*", "*📳*", "*🈶*", "*🈚️*", "*🈸*", "*🈺*", "*🈷️*", "*✴️*", "*🆚*", "*💮*", "*🉐*", "*㊙️*", "*㊗️*", "*🈴*", "*🈵*", "*🈹*", "*🈲*", "*🅰️*", "*🅱️*", "*🆎*", "*🆑*", "*🅾️*", "*🆘*", "*❌*", "*⭕️*", "*🛑*", "*⛔️*", "*📛*", "*🚫*", "*💯*", "*💢*", "*♨️*", "*🚷*", "*🚯*", "*🚳*", "*🚱*", "*🔞*", "*📵*", "*🚭*", "*❗️*", "*❕*", "*❓*", "*❔*", "*‼️*", "*⁉️*", "*🔅*", "*🔆*", "*〽️*", "*⚠️*", "*🚸*", "*🔱*", "*⚜️*", "*🔰*", "*♻️*", "*✅*", "*🈯️*", "*💹*", "*❇️*", "*✳️*", "*❎*", "*🌐*", "*💠*", "*Ⓜ️*", "*🌀*", "*💤*", "*🏧*", "*🚾*", "*♿️*", "*🅿️*", "*🛗*", "*🈳*", "*🈂️*", "*🛂*", "*🛃*", "*🛄*", "*🛅*", "*🚹*", "*🚺*", "*🚼*", "*⚧*", "*🚻*", "*🚮*", "*🎦*", "*📶*", "*🈁*", "*🔣*", "*ℹ️*", "*🔤*", "*🔡*", "*🔠*", "*🆖*", "*🆗*", "*🆙*", "*🆒*", "*🆕*", "*🆓*", "*0️⃣*", "*1️⃣*", "*2️⃣*", "*3️⃣*", "*4️⃣*", "*5️⃣*", "*6️⃣*", "*7️⃣*", "*8️⃣*", "*9️⃣*", "*🔟*", "*🔢*", "*#️⃣*", "*️⃣*", "*⏏️*", "*▶️*", "*⏸*", "*⏯*", "*⏹*", "*⏺*", "*⏭*", "*⏮*", "*⏩*", "*⏪*", "*⏫*", "*⏬*", "*◀️*", "*🔼*", "*🔽*", "*➡️*", "*⬅️*", "*⬆️*", "*⬇️*", "*↗️*", "*↘️*", "*↙️*", "*↖️*", "*↕️*", "*↔️*", "*↪️*", "*↩️*", "*⤴️*", "*⤵️*", "*🔀*", "*🔁*", "*🔂*", "*🔄*", "*🔃*", "*🎵*", "*🎶*", "*➕*", "*➖*", "*➗*", "*✖️*", "*🟰*", "*♾*", "*💲*", "*💱*", "*™️*", "*©️*", "*®️*", "*〰️*", "*➰*", "*➿*", "*🔚*", "*🔙*", "*🔛*", "*🔝*", "*🔜*", "*✔️*", "*☑️*", "*🔘*", "*🔴*", "*🟠*", "*🟡*", "*🟢*", "*🔵*", "*🟣*", "*⚫️*", "*⚪️*", "*🟤*", "*🔺*", "*🔻*")))
view Sigma YAML 
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
id: f9578658-9e71-4711-b634-3f9b50cd3c06
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '🦆'
            - '🦅'
            - '🦉'
            - '🦇'
            - '🐺'
            - '🐗'
            - '🐴'
            - '🦄'
            - '🐝'
            - '🪱'
            - '🐛'
            - '🦋'
            - '🐌'
            - '🐞'
            - '🐜'
            - '🪰'
            - '🪲'
            - '🪳'
            - '🦟'
            - '🦗'
            - '🕷'
            - '🕸'
            - '🦂'
            - '🐢'
            - '🐍'
            - '🦎'
            - '🦖'
            - '🦕'
            - '🐙'
            - '🦑'
            - '🦐'
            - '🦞'
            - '🦀'
            - '🪸'
            - '🐡'
            - '🐠'
            - '🐟'
            - '🐬'
            - '🐳'
            - '🐋'
            - '🦈'
            - '🐊'
            - '🐅'
            - '🐆'
            - '🦓'
            - '🦍'
            - '🦧'
            - '🦣'
            - '🐘'
            - '🦛'
            - '🦏'
            - '🐪'
            - '🐫'
            - '🦒'
            - '🦘'
            - '🦬'
            - '🐃'
            - '🐂'
            - '🐄'
            - '🐎'
            - '🐖'
            - '🐏'
            - '🐑'
            - '🦙'
            - '🐐'
            - '🦌'
            - '🐕'
            - '🐩'
            - '🦮'
            - '🐕‍🦺'
            - '🐈'
            - '🐈‍⬛'
            - '🪶'
            - '🐓'
            - '🦃'
            - '🦤'
            - '🦚'
            - '🦜'
            - '🦢'
            - '🦩'
            - '🕊'
            - '🐇'
            - '🦝'
            - '🦨'
            - '🦡'
            - '🦫'
            - '🦦'
            - '🦥'
            - '🐁'
            - '🐀'
            - '🐿'
            - '🦔'
            - '🐾'
            - '🐉'
            - '🐲'
            - '🌵'
            - '🎄'
            - '🌲'
            - '🌳'
            - '🌴'
            - '🪹'
            - '🪺'
            - '🪵'
            - '🌱'
            - '🌿'
            - '☘️'
            - '🍀'
            - '🎍'
            - '🪴'
            - '🎋'
            - '🍃'
            - '🍂'
            - '🍁'
            - '🍄'
            - '🐚'
            - '🪨'
            - '🌾'
            - '💐'
            - '🌷'
            - '🪷'
            - '🌹'
            - '🥀'
            - '🌺'
            - '🌸'
            - '🌼'
            - '🌻'
            - '🌞'
            - '🌝'
            - '🌛'
            - '🌜'
            - '🌚'
            - '🌕'
            - '🌖'
            - '🌗'
            - '🌘'
            - '🌑'
            - '🌒'
            - '🌓'
            - '🌔'
            - '🌙'
            - '🌎'
            - '🌍'
            - '🌏'
            - '🪐'
            - '💫'
            - '⭐️'
            - '🌟'
            - '✨'
            - '⚡️'
            - '☄️'
            - '💥'
            - '🔥'
            - '🌪'
            - '🌈'
            - '☀️'
            - '🌤'
            - '⛅️'
            - '🌥'
            - '☁️'
            - '🌦'
            - '🌧'
            - '⛈'
            - '🌩'
            - '🌨'
            - '❄️'
            - '☃️'
            - '⛄️'
            - '🌬'
            - '💨'
            - '💧'
            - '💦'
            - '🫧'
            - '☔️'
            - '☂️'
            - '🌊'
            - '🌫🍏'
            - '🍎'
            - '🍐'
            - '🍊'
            - '🍋'
            - '🍌'
            - '🍉'
            - '🍇'
            - '🍓'
            - '🫐'
            - '🍈'
            - '🍒'
            - '🍑'
            - '🥭'
            - '🍍'
            - '🥥'
            - '🥝'
            - '🍅'
            - '🍆'
            - '🥑'
            - '🥦'
            - '🥬'
            - '🥒'
            - '🌶'
            - '🫑'
            - '🌽'
            - '🥕'
            - '🫒'
            - '🧄'
            - '🧅'
            - '🥔'
            - '🍠'
            - '🫘'
            - '🥐'
            - '🥯'
            - '🍞'
            - '🥖'
            - '🥨'
            - '🧀'
            - '🥚'
            - '🍳'
            - '🧈'
            - '🥞'
            - '🧇'
            - '🥓'
            - '🥩'
            - '🍗'
            - '🍖'
            - '🦴'
            - '🌭'
            - '🍔'
            - '🍟'
            - '🍕'
            - '🫓'
            - '🥪'
            - '🥙'
            - '🧆'
            - '🌮'
            - '🌯'
            - '🫔'
            - '🥗'
            - '🥘'
            - '🫕'
            - '🥫'
            - '🍝'
            - '🍜'
            - '🍲'
            - '🍛'
            - '🍣'
            - '🍱'
            - '🥟'
            - '🦪'
            - '🍤'
            - '🍙'
            - '🍚'
            - '🍘'
            - '🍥'
            - '🥠'
            - '🥮'
            - '🍢'
            - '🍡'
            - '🍧'
            - '🍨'
            - '🍦'
            - '🥧'
            - '🧁'
            - '🍰'
            - '🎂'
            - '🍮'
            - '🍭'
            - '🍬'
            - '🍫'
            - '🍿'
            - '🍩'
            - '🍪'
            - '🌰'
            - '🥜'
            - '🍯'
            - '🥛'
            - '🍼'
            - '🫖'
            - '☕️'
            - '🍵'
            - '🧃'
            - '🥤'
            - '🧋'
            - '🫙'
            - '🍶'
            - '🍺'
            - '🍻'
            - '🥂'
            - '🍷'
            - '🫗'
            - '🥃'
            - '🍸'
            - '🍹'
            - '🧉'
            - '🍾'
            - '🧊'
            - '🥄'
            - '🍴'
            - '🍽'
            - '🥣'
            - '🥡'
            - '🥢'
            - '🧂'
            - '⚽️'
            - '🏀'
            - '🏈'
            - '⚾️'
            - '🥎'
            - '🎾'
            - '🏐'
            - '🏉'
            - '🥏'
            - '🎱'
            - '🪀'
            - '🏓'
            - '🏸'
            - '🏒'
            - '🏑'
            - '🥍'
            - '🏏'
            - '🪃'
            - '🥅'
            - '⛳️'
            - '🪁'
            - '🏹'
            - '🎣'
            - '🤿'
            - '🥊'
            - '🥋'
            - '🎽'
            - '🛹'
            - '🛼'
            - '🛷'
            - '⛸'
            - '🥌'
            - '🎿'
            - '⛷'
            - '🏂'
            - '🪂'
            - '🏋️‍♀️'
            - '🏋️'
            - '🏋️‍♂️'
            - '🤼‍♀️'
            - '🤼'
            - '🤼‍♂️'
            - '🤸‍♀️'
            - '🤸'
            - '🤸‍♂️'
            - '⛹️‍♀️'
            - '⛹️'
            - '⛹️‍♂️'
            - '🤺'
            - '🤾‍♀️'
            - '🤾'
            - '🤾‍♂️'
            - '🏌️‍♀️'
            - '🏌️'
            - '🏌️‍♂️'
            - '🏇'
            - '🧘‍♀️'
            - '🧘'
            - '🧘‍♂️'
            - '🏄‍♀️'
            - '🏄'
            - '🏄‍♂️'
            - '🏊‍♀️'
            - '🏊'
            - '🏊‍♂️'
            - '🤽‍♀️'
            - '🤽'
            - '🤽‍♂️'
            - '🚣‍♀️'
            - '🚣'
            - '🚣‍♂️'
            - '🧗‍♀️'
            - '🧗'
            - '🧗‍♂️'
            - '🚵‍♀️'
            - '🚵'
            - '🚵‍♂️'
            - '🚴‍♀️'
            - '🚴'
            - '🚴‍♂️'
            - '🏆'
            - '🥇'
            - '🥈'
            - '🥉'
            - '🏅'
            - '🎖'
            - '🏵'
            - '🎗'
            - '🎫'
            - '🎟'
            - '🎪'
            - '🤹'
            - '🤹‍♂️'
            - '🤹‍♀️'
            - '🎭'
            - '🩰'
            - '🎨'
            - '🎬'
            - '🎤'
            - '🎧'
            - '🎼'
            - '🎹'
            - '🥁'
            - '🪘'
            - '🎷'
            - '🎺'
            - '🪗'
            - '🎸'
            - '🪕'
            - '🎻'
            - '🎲'
            - '♟'
            - '🎯'
            - '🎳'
            - '🎮'
            - '🎰'
            - '🧩'
            - '🚗'
            - '🚕'
            - '🚙'
            - '🚌'
            - '🚎'
            - '🏎'
            - '🚓'
            - '🚑'
            - '🚒'
            - '🚐'
            - '🛻'
            - '🚚'
            - '🚛'
            - '🚜'
            - '🦯'
            - '🦽'
            - '🦼'
            - '🛴'
            - '🚲'
            - '🛵'
            - '🏍'
            - '🛺'
            - '🚨'
            - '🚔'
            - '🚍'
            - '🚘'
            - '🚖'
            - '🛞'
            - '🚡'
            - '🚠'
            - '🚟'
            - '🚃'
            - '🚋'
            - '🚞'
            - '🚝'
            - '🚄'
            - '🚅'
            - '🚈'
            - '🚂'
            - '🚆'
            - '🚇'
            - '🚊'
            - '🚉'
            - '✈️'
            - '🛫'
            - '🛬'
            - '🛩'
            - '💺'
            - '🛰'
            - '🚀'
            - '🛸'
            - '🚁'
            - '🛶'
            - '⛵️'
            - '🚤'
            - '🛥'
            - '🛳'
            - '⛴'
            - '🚢'
            - '⚓️'
            - '🛟'
            - '🪝'
            - '⛽️'
            - '🚧'
            - '🚦'
            - '🚥'
            - '🚏'
            - '🗺'
            - '🗿'
            - '🗽'
            - '🗼'
            - '🏰'
            - '🏯'
            - '🏟'
            - '🎡'
            - '🎢'
            - '🛝'
            - '🎠'
            - '⛲️'
            - '⛱'
            - '🏖'
            - '🏝'
            - '🏜'
            - '🌋'
            - '⛰'
            - '🏔'
            - '🗻'
            - '🏕'
            - '⛺️'
            - '🛖'
            - '🏠'
            - '🏡'
            - '🏘'
            - '🏚'
            - '🏗'
            - '🏭'
            - '🏢'
            - '🏬'
            - '🏣'
            - '🏤'
            - '🏥'
            - '🏦'
            - '🏨'
            - '🏪'
            - '🏫'
            - '🏩'
            - '💒'
            - '🏛'
            - '⛪️'
            - '🕌'
            - '🕍'
            - '🛕'
            - '🕋'
            - '⛩'
            - '🛤'
            - '🛣'
            - '🗾'
            - '🎑'
            - '🏞'
            - '🌅'
            - '🌄'
            - '🌠'
            - '🎇'
            - '🎆'
            - '🌇'
            - '🌆'
            - '🏙'
            - '🌃'
            - '🌌'
            - '🌉'
            - '🌁'
            - '⌚️'
            - '📱'
            - '📲'
            - '💻'
            - '⌨️'
            - '🖥'
            - '🖨'
            - '🖱'
            - '🖲'
            - '🕹'
            - '🗜'
            - '💽'
            - '💾'
            - '💿'
            - '📀'
            - '📼'
            - '📷'
            - '📸'
            - '📹'
            - '🎥'
            - '📽'
            - '🎞'
            - '📞'
            - '☎️'
            - '📟'
            - '📠'
            - '📺'
            - '📻'
            - '🎙'
            - '🎚'
            - '🎛'
            - '🧭'
            - '⏱'
            - '⏲'
            - '⏰'
            - '🕰'
            - '⌛️'
            - '⏳'
            - '📡'
            - '🔋'
            - '🪫'
            - '🔌'
            - '💡'
            - '🔦'
            - '🕯'
            - '🪔'
            - '🧯'
            - '🛢'
            - '💸'
            - '💵'
            - '💴'
            - '💶'
            - '💷'
            - '🪙'
            - '💰'
            - '💳'
            - '💎'
            - '⚖️'
            - '🪜'
            - '🧰'
            - '🪛'
            - '🔧'
            - '🔨'
            - '⚒'
            - '🛠'
            - '⛏'
            - '🪚'
            - '🔩'
            - '⚙️'
            - '🪤'
            - '🧱'
            - '⛓'
            - '🧲'
            - '🔫'
            - '💣'
            - '🧨'
            - '🪓'
            - '🔪'
            - '🗡'
            - '⚔️'
            - '🛡'
            - '🚬'
            - '⚰️'
            - '🪦'
            - '⚱️'
            - '🏺'
            - '🔮'
            - '📿'
            - '🧿'
            - '🪬'
            - '💈'
            - '⚗️'
            - '🔭'
            - '🔬'
            - '🕳'
            - '🩹'
            - '🩺'
            - '🩻'
            - '🩼'
            - '💊'
            - '💉'
            - '🩸'
            - '🧬'
            - '🦠'
            - '🧫'
            - '🧪'
            - '🌡'
            - '🧹'
            - '🪠'
            - '🧺'
            - '🧻'
            - '🚽'
            - '🚰'
            - '🚿'
            - '🛁'
            - '🛀'
            - '🧼'
            - '🪥'
            - '🪒'
            - '🧽'
            - '🪣'
            - '🧴'
            - '🛎'
            - '🔑'
            - '🗝'
            - '🚪'
            - '🪑'
            - '🛋'
            - '🛏'
            - '🛌'
            - '🧸'
            - '🪆'
            - '🖼'
            - '🪞'
            - '🪟'
            - '🛍'
            - '🛒'
            - '🎁'
            - '🎈'
            - '🎏'
            - '🎀'
            - '🪄'
            - '🪅'
            - '🎊'
            - '🎉'
            - '🪩'
            - '🎎'
            - '🏮'
            - '🎐'
            - '🧧'
            - '✉️'
            - '📩'
            - '📨'
            - '📧'
            - '💌'
            - '📥'
            - '📤'
            - '📦'
            - '🏷'
            - '🪧'
            - '📪'
            - '📫'
            - '📬'
            - '📭'
            - '📮'
            - '📯'
            - '📜'
            - '📃'
            - '📄'
            - '📑'
            - '🧾'
            - '📊'
            - '📈'
            - '📉'
            - '🗒'
            - '🗓'
            - '📆'
            - '📅'
            - '🗑'
            - '🪪'
            - '📇'
            - '🗃'
            - '🗳'
            - '🗄'
            - '📋'
            - '📁'
            - '📂'
            - '🗂'
            - '🗞'
            - '📰'
            - '📓'
            - '📔'
            - '📒'
            - '📕'
            - '📗'
            - '📘'
            - '📙'
            - '📚'
            - '📖'
            - '🔖'
            - '🧷'
            - '🔗'
            - '📎'
            - '🖇'
            - '📐'
            - '📏'
            - '🧮'
            - '📌'
            - '📍'
            - '✂️'
            - '🖊'
            - '🖋'
            - '✒️'
            - '🖌'
            - '🖍'
            - '📝'
            - '✏️'
            - '🔍'
            - '🔎'
            - '🔏'
            - '🔐'
            - '🔒'
            - '🔓❤️'
            - '🧡'
            - '💛'
            - '💚'
            - '💙'
            - '💜'
            - '🖤'
            - '🤍'
            - '🤎'
            - '❤️‍🔥'
            - '❤️‍🩹'
            - '💔'
            - '❣️'
            - '💕'
            - '💞'
            - '💓'
            - '💗'
            - '💖'
            - '💘'
            - '💝'
            - '💟'
            - '☮️'
            - '✝️'
            - '☪️'
            - '🕉'
            - '☸️'
            - '✡️'
            - '🔯'
            - '🕎'
            - '☯️'
            - '☦️'
            - '🛐'
            - '⛎'
            - '♈️'
            - '♉️'
            - '♊️'
            - '♋️'
            - '♌️'
            - '♍️'
            - '♎️'
            - '♏️'
            - '♐️'
            - '♑️'
            - '♒️'
            - '♓️'
            - '🆔'
            - '⚛️'
            - '🉑'
            - '☢️'
            - '☣️'
            - '📴'
            - '📳'
            - '🈶'
            - '🈚️'
            - '🈸'
            - '🈺'
            - '🈷️'
            - '✴️'
            - '🆚'
            - '💮'
            - '🉐'
            - '㊙️'
            - '㊗️'
            - '🈴'
            - '🈵'
            - '🈹'
            - '🈲'
            - '🅰️'
            - '🅱️'
            - '🆎'
            - '🆑'
            - '🅾️'
            - '🆘'
            - '❌'
            - '⭕️'
            - '🛑'
            - '⛔️'
            - '📛'
            - '🚫'
            - '💯'
            - '💢'
            - '♨️'
            - '🚷'
            - '🚯'
            - '🚳'
            - '🚱'
            - '🔞'
            - '📵'
            - '🚭'
            - '❗️'
            - '❕'
            - '❓'
            - '❔'
            - '‼️'
            - '⁉️'
            - '🔅'
            - '🔆'
            - '〽️'
            - '⚠️'
            - '🚸'
            - '🔱'
            - '⚜️'
            - '🔰'
            - '♻️'
            - '✅'
            - '🈯️'
            - '💹'
            - '❇️'
            - '✳️'
            - '❎'
            - '🌐'
            - '💠'
            - 'Ⓜ️'
            - '🌀'
            - '💤'
            - '🏧'
            - '🚾'
            - '♿️'
            - '🅿️'
            - '🛗'
            - '🈳'
            - '🈂️'
            - '🛂'
            - '🛃'
            - '🛄'
            - '🛅'
            - '🚹'
            - '🚺'
            - '🚼'
            - '⚧'
            - '🚻'
            - '🚮'
            - '🎦'
            - '📶'
            - '🈁'
            - '🔣'
            - 'ℹ️'
            - '🔤'
            - '🔡'
            - '🔠'
            - '🆖'
            - '🆗'
            - '🆙'
            - '🆒'
            - '🆕'
            - '🆓'
            - '0️⃣'
            - '1️⃣'
            - '2️⃣'
            - '3️⃣'
            - '4️⃣'
            - '5️⃣'
            - '6️⃣'
            - '7️⃣'
            - '8️⃣'
            - '9️⃣'
            - '🔟'
            - '🔢'
            - '#️⃣'
            - '*️⃣'
            - '⏏️'
            - '▶️'
            - '⏸'
            - '⏯'
            - '⏹'
            - '⏺'
            - '⏭'
            - '⏮'
            - '⏩'
            - '⏪'
            - '⏫'
            - '⏬'
            - '◀️'
            - '🔼'
            - '🔽'
            - '➡️'
            - '⬅️'
            - '⬆️'
            - '⬇️'
            - '↗️'
            - '↘️'
            - '↙️'
            - '↖️'
            - '↕️'
            - '↔️'
            - '↪️'
            - '↩️'
            - '⤴️'
            - '⤵️'
            - '🔀'
            - '🔁'
            - '🔂'
            - '🔄'
            - '🔃'
            - '🎵'
            - '🎶'
            - '➕'
            - '➖'
            - '➗'
            - '✖️'
            - '🟰'
            - '♾'
            - '💲'
            - '💱'
            - '™️'
            - '©️'
            - '®️'
            - '〰️'
            - '➰'
            - '➿'
            - '🔚'
            - '🔙'
            - '🔛'
            - '🔝'
            - '🔜'
            - '✔️'
            - '☑️'
            - '🔘'
            - '🔴'
            - '🟠'
            - '🟡'
            - '🟢'
            - '🔵'
            - '🟣'
            - '⚫️'
            - '⚪️'
            - '🟤'
            - '🔺'
            - '🔻'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
status test author @Kostastsale, TheDFIRReport ATT&CK tactic-only id 225274c4-8dd1-40db-9e09-71dff4f6fb3c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*🔸*", "*🔹*", "*🔶*", "*🔷*", "*🔳*", "*🔲*", "*▪️*", "*▫️*", "*◾️*", "*◽️*", "*◼️*", "*◻️*", "*🟥*", "*🟧*", "*🟨*", "*🟩*", "*🟦*", "*🟪*", "*⬛️*", "*⬜️*", "*🟫*", "*🔈*", "*🔇*", "*🔉*", "*🔊*", "*🔔*", "*🔕*", "*📣*", "*📢*", "*👁‍🗨*", "*💬*", "*💭*", "*🗯*", "*♠️*", "*♣️*", "*♥️*", "*♦️*", "*🃏*", "*🎴*", "*🀄️*", "*🕐*", "*🕑*", "*🕒*", "*🕓*", "*🕔*", "*🕕*", "*🕖*", "*🕗*", "*🕘*", "*🕙*", "*🕚*", "*🕛*", "*🕜*", "*🕝*", "*🕞*", "*🕟*", "*🕠*", "*🕡*", "*🕢*", "*🕣*", "*🕤*", "*🕥*", "*🕦*", "*🕧✢*", "*✣*", "*✤*", "*✥*", "*✦*", "*✧*", "*★*", "*☆*", "*✯*", "*✡︎*", "*✩*", "*✪*", "*✫*", "*✬*", "*✭*", "*✮*", "*✶*", "*✷*", "*✵*", "*✸*", "*✹*", "*→*", "*⇒*", "*⟹*", "*⇨*", "*⇾*", "*➾*", "*⇢*", "*☛*", "*☞*", "*➔*", "*➜*", "*➙*", "*➛*", "*➝*", "*➞*", "*♠︎*", "*♣︎*", "*♥︎*", "*♦︎*", "*♤*", "*♧*", "*♡*", "*♢*", "*♚*", "*♛*", "*♜*", "*♝*", "*♞*", "*♟*", "*♔*", "*♕*", "*♖*", "*♗*", "*♘*", "*♙*", "*⚀*", "*⚁*", "*⚂*", "*⚃*", "*⚄*", "*⚅*", "*🂠*", "*⚈*", "*⚉*", "*⚆*", "*⚇*", "*𓀀*", "*𓀁*", "*𓀂*", "*𓀃*", "*𓀄*", "*𓀅*", "*𓀆*", "*𓀇*", "*𓀈*", "*𓀉*", "*𓀊*", "*𓀋*", "*𓀌*", "*𓀍*", "*𓀎*", "*𓀏*", "*𓀐*", "*𓀑*", "*𓀒*", "*𓀓*", "*𓀔*", "*𓀕*", "*𓀖*", "*𓀗*", "*𓀘*", "*𓀙*", "*𓀚*", "*𓀛*", "*𓀜*", "*𓀝🏳️*", "*🏴*", "*🏁*", "*🚩*", "*🏳️‍🌈*", "*🏳️‍⚧️*", "*🏴‍☠️*", "*🇦🇫*", "*🇦🇽*", "*🇦🇱*", "*🇩🇿*", "*🇦🇸*", "*🇦🇩*", "*🇦🇴*", "*🇦🇮*", "*🇦🇶*", "*🇦🇬*", "*🇦🇷*", "*🇦🇲*", "*🇦🇼*", "*🇦🇺*", "*🇦🇹*", "*🇦🇿*", "*🇧🇸*", "*🇧🇭*", "*🇧🇩*", "*🇧🇧*", "*🇧🇾*", "*🇧🇪*", "*🇧🇿*", "*🇧🇯*", "*🇧🇲*", "*🇧🇹*", "*🇧🇴*", "*🇧🇦*", "*🇧🇼*", "*🇧🇷*", "*🇮🇴*", "*🇻🇬*", "*🇧🇳*", "*🇧🇬*", "*🇧🇫*", "*🇧🇮*", "*🇰🇭*", "*🇨🇲*", "*🇨🇦*", "*🇮🇨*", "*🇨🇻*", "*🇧🇶*", "*🇰🇾*", "*🇨🇫*", "*🇹🇩*", "*🇨🇱*", "*🇨🇳*", "*🇨🇽*", "*🇨🇨*", "*🇨🇴*", "*🇰🇲*", "*🇨🇬*", "*🇨🇩*", "*🇨🇰*", "*🇨🇷*", "*🇨🇮*", "*🇭🇷*", "*🇨🇺*", "*🇨🇼*", "*🇨🇾*", "*🇨🇿*", "*🇩🇰*", "*🇩🇯*", "*🇩🇲*", "*🇩🇴*", "*🇪🇨*", "*🇪🇬*", "*🇸🇻*", "*🇬🇶*", "*🇪🇷*", "*🇪🇪*", "*🇪🇹*", "*🇪🇺*", "*🇫🇰*", "*🇫🇴*", "*🇫🇯*", "*🇫🇮*", "*🇫🇷*", "*🇬🇫*", "*🇵🇫*", "*🇹🇫*", "*🇬🇦*", "*🇬🇲*", "*🇬🇪*", "*🇩🇪*", "*🇬🇭*", "*🇬🇮*", "*🇬🇷*", "*🇬🇱*", "*🇬🇩*", "*🇬🇵*", "*🇬🇺*", "*🇬🇹*", "*🇬🇬*", "*🇬🇳*", "*🇬🇼*", "*🇬🇾*", "*🇭🇹*", "*🇭🇳*", "*🇭🇰*", "*🇭🇺*", "*🇮🇸*", "*🇮🇳*", "*🇮🇩*", "*🇮🇷*", "*🇮🇶*", "*🇮🇪*", "*🇮🇲*", "*🇮🇱*", "*🇮🇹*", "*🇯🇲*", "*🇯🇵*", "*🎌*", "*🇯🇪*", "*🇯🇴*", "*🇰🇿*", "*🇰🇪*", "*🇰🇮*", "*🇽🇰*", "*🇰🇼*", "*🇰🇬*", "*🇱🇦*", "*🇱🇻*", "*🇱🇧*", "*🇱🇸*", "*🇱🇷*", "*🇱🇾*", "*🇱🇮*", "*🇱🇹*", "*🇱🇺*", "*🇲🇴*", "*🇲🇰*", "*🇲🇬*", "*🇲🇼*", "*🇲🇾*", "*🇲🇻*", "*🇲🇱*", "*🇲🇹*", "*🇲🇭*", "*🇲🇶*", "*🇲🇷*", "*🇲🇺*", "*🇾🇹*", "*🇲🇽*", "*🇫🇲*", "*🇲🇩*", "*🇲🇨*", "*🇲🇳*", "*🇲🇪*", "*🇲🇸*", "*🇲🇦*", "*🇲🇿*", "*🇲🇲*", "*🇳🇦*", "*🇳🇷*", "*🇳🇵*", "*🇳🇱*", "*🇳🇨*", "*🇳🇿*", "*🇳🇮*", "*🇳🇪*", "*🇳🇬*", "*🇳🇺*", "*🇳🇫*", "*🇰🇵*", "*🇲🇵*", "*🇳🇴*", "*🇴🇲*", "*🇵🇰*", "*🇵🇼*", "*🇵🇸*", "*🇵🇦*", "*🇵🇬*", "*🇵🇾*", "*🇵🇪*", "*🇵🇭*", "*🇵🇳*", "*🇵🇱*", "*🇵🇹*", "*🇵🇷*", "*🇶🇦*", "*🇷🇪*", "*🇷🇴*", "*🇷🇺*", "*🇷🇼*", "*🇼🇸*", "*🇸🇲*", "*🇸🇦*", "*🇸🇳*", "*🇷🇸*", "*🇸🇨*", "*🇸🇱*", "*🇸🇬*", "*🇸🇽*", "*🇸🇰*", "*🇸🇮*", "*🇬🇸*", "*🇸🇧*", "*🇸🇴*", "*🇿🇦*", "*🇰🇷*", "*🇸🇸*", "*🇪🇸*", "*🇱🇰*", "*🇧🇱*", "*🇸🇭*", "*🇰🇳*", "*🇱🇨*", "*🇵🇲*", "*🇻🇨*", "*🇸🇩*", "*🇸🇷*", "*🇸🇿*", "*🇸🇪*", "*🇨🇭*", "*🇸🇾*", "*🇹🇼*", "*🇹🇯*", "*🇹🇿*", "*🇹🇭*", "*🇹🇱*", "*🇹🇬*", "*🇹🇰*", "*🇹🇴*", "*🇹🇹*", "*🇹🇳*", "*🇹🇷*", "*🇹🇲*", "*🇹🇨*", "*🇹🇻*", "*🇻🇮*", "*🇺🇬*", "*🇺🇦*", "*🇦🇪*", "*🇬🇧*", "*🏴󠁧󠁢󠁥󠁮󠁧󠁿*", "*🏴󠁧󠁢󠁳󠁣󠁴󠁿*", "*🏴󠁧󠁢󠁷󠁬󠁳󠁿*", "*🇺🇳*", "*🇺🇸*", "*🇺🇾*", "*🇺🇿*", "*🇻🇺*", "*🇻🇦*", "*🇻🇪*", "*🇻🇳*", "*🇼🇫*", "*🇪🇭*", "*🇾🇪*", "*🇿🇲*", "*🇿🇼🫠*", "*🫢*", "*🫣*", "*🫡*", "*🫥*", "*🫤*", "*🥹*", "*🫱*", "*🫱🏻*", "*🫱🏼*", "*🫱🏽*", "*🫱🏾*", "*🫱🏿*", "*🫲*", "*🫲🏻*", "*🫲🏼*", "*🫲🏽*", "*🫲🏾*", "*🫲🏿*", "*🫳*", "*🫳🏻*", "*🫳🏼*", "*🫳🏽*", "*🫳🏾*", "*🫳🏿*", "*🫴*", "*🫴🏻*", "*🫴🏼*", "*🫴🏽*", "*🫴🏾*", "*🫴🏿*", "*🫰*", "*🫰🏻*", "*🫰🏼*", "*🫰🏽*", "*🫰🏾*", "*🫰🏿*", "*🫵*", "*🫵🏻*", "*🫵🏼*", "*🫵🏽*", "*🫵🏾*", "*🫵🏿*", "*🫶*", "*🫶🏻*", "*🫶🏼*", "*🫶🏽*", "*🫶🏾*", "*🫶🏿*", "*🤝🏻*", "*🤝🏼*", "*🤝🏽*", "*🤝🏾*", "*🤝🏿*", "*🫱🏻‍🫲🏼*", "*🫱🏻‍🫲🏽*", "*🫱🏻‍🫲🏾*", "*🫱🏻‍🫲🏿*", "*🫱🏼‍🫲🏻*", "*🫱🏼‍🫲🏽*", "*🫱🏼‍🫲🏾*", "*🫱🏼‍🫲🏿*", "*🫱🏽‍🫲🏻*", "*🫱🏽‍🫲🏼*", "*🫱🏽‍🫲🏾*", "*🫱🏽‍🫲🏿*", "*🫱🏾‍🫲🏻*", "*🫱🏾‍🫲🏼*", "*🫱🏾‍🫲🏽*", "*🫱🏾‍🫲🏿*", "*🫱🏿‍🫲🏻*", "*🫱🏿‍🫲🏼*", "*🫱🏿‍🫲🏽*", "*🫱🏿‍🫲🏾*", "*🫦*", "*🫅*", "*🫅🏻*", "*🫅🏼*", "*🫅🏽*", "*🫅🏾*", "*🫅🏿*", "*🫃*", "*🫃🏻*", "*🫃🏼*", "*🫃🏽*", "*🫃🏾*", "*🫃🏿*", "*🫄*", "*🫄🏻*", "*🫄🏼*", "*🫄🏽*", "*🫄🏾*", "*🫄🏿*", "*🧌*", "*🪸*", "*🪷*", "*🪹*", "*🪺*", "*🫘*", "*🫗*", "*🫙*", "*🛝*", "*🛞*", "*🛟*", "*🪬*", "*🪩*", "*🪫*", "*🩼*", "*🩻*", "*🫧*", "*🪪*", "*🟰*", "*😮‍💨*", "*😵‍💫*", "*😶‍🌫️*", "*❤️‍🔥*", "*❤️‍🩹*", "*🧔‍♀️*", "*🧔🏻‍♀️*", "*🧔🏼‍♀️*", "*🧔🏽‍♀️*", "*🧔🏾‍♀️*", "*🧔🏿‍♀️*", "*🧔‍♂️*", "*🧔🏻‍♂️*", "*🧔🏼‍♂️*", "*🧔🏽‍♂️*", "*🧔🏾‍♂️*", "*🧔🏿‍♂️*", "*💑🏻*", "*💑🏼*", "*💑🏽*", "*💑🏾*", "*💑🏿*", "*💏🏻*", "*💏🏼*", "*💏🏽*", "*💏🏾*", "*💏🏿*", "*👨🏻‍❤️‍👨🏻*", "*👨🏻‍❤️‍👨🏼*", "*👨🏻‍❤️‍👨🏽*", "*👨🏻‍❤️‍👨🏾*", "*👨🏻‍❤️‍👨🏿*", "*👨🏼‍❤️‍👨🏻*", "*👨🏼‍❤️‍👨🏼*", "*👨🏼‍❤️‍👨🏽*", "*👨🏼‍❤️‍👨🏾*", "*👨🏼‍❤️‍👨🏿*", "*👨🏽‍❤️‍👨🏻*", "*👨🏽‍❤️‍👨🏼*", "*👨🏽‍❤️‍👨🏽*", "*👨🏽‍❤️‍👨🏾*", "*👨🏽‍❤️‍👨🏿*", "*👨🏾‍❤️‍👨🏻*", "*👨🏾‍❤️‍👨🏼*", "*👨🏾‍❤️‍👨🏽*", "*👨🏾‍❤️‍👨🏾*", "*👨🏾‍❤️‍👨🏿*", "*👨🏿‍❤️‍👨🏻*", "*👨🏿‍❤️‍👨🏼*", "*👨🏿‍❤️‍👨🏽*", "*👨🏿‍❤️‍👨🏾*", "*👨🏿‍❤️‍👨🏿*", "*👩🏻‍❤️‍👨🏻*", "*👩🏻‍❤️‍👨🏼*", "*👩🏻‍❤️‍👨🏽*", "*👩🏻‍❤️‍👨🏾*", "*👩🏻‍❤️‍👨🏿*", "*👩🏻‍❤️‍👩🏻*", "*👩🏻‍❤️‍👩🏼*", "*👩🏻‍❤️‍👩🏽*", "*👩🏻‍❤️‍👩🏾*", "*👩🏻‍❤️‍👩🏿*", "*👩🏼‍❤️‍👨🏻*", "*👩🏼‍❤️‍👨🏼*", "*👩🏼‍❤️‍👨🏽*", "*👩🏼‍❤️‍👨🏾*", "*👩🏼‍❤️‍👨🏿*", "*👩🏼‍❤️‍👩🏻*", "*👩🏼‍❤️‍👩🏼*", "*👩🏼‍❤️‍👩🏽*", "*👩🏼‍❤️‍👩🏾*", "*👩🏼‍❤️‍👩🏿*", "*👩🏽‍❤️‍👨🏻*", "*👩🏽‍❤️‍👨🏼*", "*👩🏽‍❤️‍👨🏽*", "*👩🏽‍❤️‍👨🏾*", "*👩🏽‍❤️‍👨🏿*", "*👩🏽‍❤️‍👩🏻*", "*👩🏽‍❤️‍👩🏼*", "*👩🏽‍❤️‍👩🏽*", "*👩🏽‍❤️‍👩🏾*", "*👩🏽‍❤️‍👩🏿*", "*👩🏾‍❤️‍👨🏻*", "*👩🏾‍❤️‍👨🏼*", "*👩🏾‍❤️‍👨🏽*", "*👩🏾‍❤️‍👨🏾*", "*👩🏾‍❤️‍👨🏿*", "*👩🏾‍❤️‍👩🏻*", "*👩🏾‍❤️‍👩🏼*", "*👩🏾‍❤️‍👩🏽*", "*👩🏾‍❤️‍👩🏾*", "*👩🏾‍❤️‍👩🏿*", "*👩🏿‍❤️‍👨🏻*", "*👩🏿‍❤️‍👨🏼*", "*👩🏿‍❤️‍👨🏽*", "*👩🏿‍❤️‍👨🏾*", "*👩🏿‍❤️‍👨🏿*", "*👩🏿‍❤️‍👩🏻*", "*👩🏿‍❤️‍👩🏼*", "*👩🏿‍❤️‍👩🏽*", "*👩🏿‍❤️‍👩🏾*", "*👩🏿‍❤️‍👩🏿*", "*🧑🏻‍❤️‍🧑🏼*", "*🧑🏻‍❤️‍🧑🏽*", "*🧑🏻‍❤️‍🧑🏾*", "*🧑🏻‍❤️‍🧑🏿*", "*🧑🏼‍❤️‍🧑🏻*", "*🧑🏼‍❤️‍🧑🏽*", "*🧑🏼‍❤️‍🧑🏾*", "*🧑🏼‍❤️‍🧑🏿*", "*🧑🏽‍❤️‍🧑🏻*", "*🧑🏽‍❤️‍🧑🏼*", "*🧑🏽‍❤️‍🧑🏾*", "*🧑🏽‍❤️‍🧑🏿*", "*🧑🏾‍❤️‍🧑🏻*", "*🧑🏾‍❤️‍🧑🏼*", "*🧑🏾‍❤️‍🧑🏽*", "*🧑🏾‍❤️‍🧑🏿*", "*🧑🏿‍❤️‍🧑🏻*", "*🧑🏿‍❤️‍🧑🏼*", "*🧑🏿‍❤️‍🧑🏽*", "*🧑🏿‍❤️‍🧑🏾*", "*👨🏻‍❤️‍💋‍👨🏻*", "*👨🏻‍❤️‍💋‍👨🏼*", "*👨🏻‍❤️‍💋‍👨🏽*", "*👨🏻‍❤️‍💋‍👨🏾*", "*👨🏻‍❤️‍💋‍👨🏿*", "*👨🏼‍❤️‍💋‍👨🏻*", "*👨🏼‍❤️‍💋‍👨🏼*", "*👨🏼‍❤️‍💋‍👨🏽*", "*👨🏼‍❤️‍💋‍👨🏾*", "*👨🏼‍❤️‍💋‍👨🏿*", "*👨🏽‍❤️‍💋‍👨🏻*", "*👨🏽‍❤️‍💋‍👨🏼*", "*👨🏽‍❤️‍💋‍👨🏽*", "*👨🏽‍❤️‍💋‍👨🏾*", "*👨🏽‍❤️‍💋‍👨🏿*", "*👨🏾‍❤️‍💋‍👨🏻*", "*👨🏾‍❤️‍💋‍👨🏼*", "*👨🏾‍❤️‍💋‍👨🏽*", "*👨🏾‍❤️‍💋‍👨🏾*", "*👨🏾‍❤️‍💋‍👨🏿*", "*👨🏿‍❤️‍💋‍👨🏻*", "*👨🏿‍❤️‍💋‍👨🏼*", "*👨🏿‍❤️‍💋‍👨🏽*", "*👨🏿‍❤️‍💋‍👨🏾*", "*👨🏿‍❤️‍💋‍👨🏿*", "*👩🏻‍❤️‍💋‍👨🏻*", "*👩🏻‍❤️‍💋‍👨🏼*", "*👩🏻‍❤️‍💋‍👨🏽*", "*👩🏻‍❤️‍💋‍👨🏾*", "*👩🏻‍❤️‍💋‍👨🏿*", "*👩🏻‍❤️‍💋‍👩🏻*", "*👩🏻‍❤️‍💋‍👩🏼*", "*👩🏻‍❤️‍💋‍👩🏽*", "*👩🏻‍❤️‍💋‍👩🏾*", "*👩🏻‍❤️‍💋‍👩🏿*", "*👩🏼‍❤️‍💋‍👨🏻*", "*👩🏼‍❤️‍💋‍👨🏼*", "*👩🏼‍❤️‍💋‍👨🏽*", "*👩🏼‍❤️‍💋‍👨🏾*", "*👩🏼‍❤️‍💋‍👨🏿*", "*👩🏼‍❤️‍💋‍👩🏻*", "*👩🏼‍❤️‍💋‍👩🏼*", "*👩🏼‍❤️‍💋‍👩🏽*", "*👩🏼‍❤️‍💋‍👩🏾*", "*👩🏼‍❤️‍💋‍👩🏿*", "*👩🏽‍❤️‍💋‍👨🏻*", "*👩🏽‍❤️‍💋‍👨🏼*", "*👩🏽‍❤️‍💋‍👨🏽*", "*👩🏽‍❤️‍💋‍👨🏾*", "*👩🏽‍❤️‍💋‍👨🏿*", "*👩🏽‍❤️‍💋‍👩🏻*", "*👩🏽‍❤️‍💋‍👩🏼*", "*👩🏽‍❤️‍💋‍👩🏽*", "*👩🏽‍❤️‍💋‍👩🏾*", "*👩🏽‍❤️‍💋‍👩🏿*", "*👩🏾‍❤️‍💋‍👨🏻*", "*👩🏾‍❤️‍💋‍👨🏼*", "*👩🏾‍❤️‍💋‍👨🏽*", "*👩🏾‍❤️‍💋‍👨🏾*", "*👩🏾‍❤️‍💋‍👨🏿*", "*👩🏾‍❤️‍💋‍👩🏻*", "*👩🏾‍❤️‍💋‍👩🏼*", "*👩🏾‍❤️‍💋‍👩🏽*", "*👩🏾‍❤️‍💋‍👩🏾*", "*👩🏾‍❤️‍💋‍👩🏿*", "*👩🏿‍❤️‍💋‍👨🏻*", "*👩🏿‍❤️‍💋‍👨🏼*", "*👩🏿‍❤️‍💋‍👨🏽*", "*👩🏿‍❤️‍💋‍👨🏾*", "*👩🏿‍❤️‍💋‍👨🏿*", "*👩🏿‍❤️‍💋‍👩🏻*", "*👩🏿‍❤️‍💋‍👩🏼*", "*👩🏿‍❤️‍💋‍👩🏽*", "*👩🏿‍❤️‍💋‍👩🏾*", "*👩🏿‍❤️‍💋‍👩🏿*", "*🧑🏻‍❤️‍💋‍🧑🏼*", "*🧑🏻‍❤️‍💋‍🧑🏽*", "*🧑🏻‍❤️‍💋‍🧑🏾*", "*🧑🏻‍❤️‍💋‍🧑🏿*", "*🧑🏼‍❤️‍💋‍🧑🏻*", "*🧑🏼‍❤️‍💋‍🧑🏽*", "*🧑🏼‍❤️‍💋‍🧑🏾*", "*🧑🏼‍❤️‍💋‍🧑🏿*", "*🧑🏽‍❤️‍💋‍🧑🏻*", "*🧑🏽‍❤️‍💋‍🧑🏼*", "*🧑🏽‍❤️‍💋‍🧑🏾*", "*🧑🏽‍❤️‍💋‍🧑🏿*", "*🧑🏾‍❤️‍💋‍🧑🏻*", "*🧑🏾‍❤️‍💋‍🧑🏼*", "*🧑🏾‍❤️‍💋‍🧑🏽*", "*🧑🏾‍❤️‍💋‍🧑🏿*", "*🧑🏿‍❤️‍💋‍🧑🏻*", "*🧑🏿‍❤️‍💋‍🧑🏼*", "*🧑🏿‍❤️‍💋‍🧑🏽*", "*🧑🏿‍❤️‍💋‍🧑🏾*")))
view Sigma YAML 
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
id: 225274c4-8dd1-40db-9e09-71dff4f6fb3c
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '🔸'
            - '🔹'
            - '🔶'
            - '🔷'
            - '🔳'
            - '🔲'
            - '▪️'
            - '▫️'
            - '◾️'
            - '◽️'
            - '◼️'
            - '◻️'
            - '🟥'
            - '🟧'
            - '🟨'
            - '🟩'
            - '🟦'
            - '🟪'
            - '⬛️'
            - '⬜️'
            - '🟫'
            - '🔈'
            - '🔇'
            - '🔉'
            - '🔊'
            - '🔔'
            - '🔕'
            - '📣'
            - '📢'
            - '👁‍🗨'
            - '💬'
            - '💭'
            - '🗯'
            - '♠️'
            - '♣️'
            - '♥️'
            - '♦️'
            - '🃏'
            - '🎴'
            - '🀄️'
            - '🕐'
            - '🕑'
            - '🕒'
            - '🕓'
            - '🕔'
            - '🕕'
            - '🕖'
            - '🕗'
            - '🕘'
            - '🕙'
            - '🕚'
            - '🕛'
            - '🕜'
            - '🕝'
            - '🕞'
            - '🕟'
            - '🕠'
            - '🕡'
            - '🕢'
            - '🕣'
            - '🕤'
            - '🕥'
            - '🕦'
            - '🕧✢'
            - '✣'
            - '✤'
            - '✥'
            - '✦'
            - '✧'
            - '★'
            - '☆'
            - '✯'
            - '✡︎'
            - '✩'
            - '✪'
            - '✫'
            - '✬'
            - '✭'
            - '✮'
            - '✶'
            - '✷'
            - '✵'
            - '✸'
            - '✹'
            - '→'
            - '⇒'
            - '⟹'
            - '⇨'
            - '⇾'
            - '➾'
            - '⇢'
            - '☛'
            - '☞'
            - '➔'
            - '➜'
            - '➙'
            - '➛'
            - '➝'
            - '➞'
            - '♠︎'
            - '♣︎'
            - '♥︎'
            - '♦︎'
            - '♤'
            - '♧'
            - '♡'
            - '♢'
            - '♚'
            - '♛'
            - '♜'
            - '♝'
            - '♞'
            - '♟'
            - '♔'
            - '♕'
            - '♖'
            - '♗'
            - '♘'
            - '♙'
            - '⚀'
            - '⚁'
            - '⚂'
            - '⚃'
            - '⚄'
            - '⚅'
            - '🂠'
            - '⚈'
            - '⚉'
            - '⚆'
            - '⚇'
            - '𓀀'
            - '𓀁'
            - '𓀂'
            - '𓀃'
            - '𓀄'
            - '𓀅'
            - '𓀆'
            - '𓀇'
            - '𓀈'
            - '𓀉'
            - '𓀊'
            - '𓀋'
            - '𓀌'
            - '𓀍'
            - '𓀎'
            - '𓀏'
            - '𓀐'
            - '𓀑'
            - '𓀒'
            - '𓀓'
            - '𓀔'
            - '𓀕'
            - '𓀖'
            - '𓀗'
            - '𓀘'
            - '𓀙'
            - '𓀚'
            - '𓀛'
            - '𓀜'
            - '𓀝🏳️'
            - '🏴'
            - '🏁'
            - '🚩'
            - '🏳️‍🌈'
            - '🏳️‍⚧️'
            - '🏴‍☠️'
            - '🇦🇫'
            - '🇦🇽'
            - '🇦🇱'
            - '🇩🇿'
            - '🇦🇸'
            - '🇦🇩'
            - '🇦🇴'
            - '🇦🇮'
            - '🇦🇶'
            - '🇦🇬'
            - '🇦🇷'
            - '🇦🇲'
            - '🇦🇼'
            - '🇦🇺'
            - '🇦🇹'
            - '🇦🇿'
            - '🇧🇸'
            - '🇧🇭'
            - '🇧🇩'
            - '🇧🇧'
            - '🇧🇾'
            - '🇧🇪'
            - '🇧🇿'
            - '🇧🇯'
            - '🇧🇲'
            - '🇧🇹'
            - '🇧🇴'
            - '🇧🇦'
            - '🇧🇼'
            - '🇧🇷'
            - '🇮🇴'
            - '🇻🇬'
            - '🇧🇳'
            - '🇧🇬'
            - '🇧🇫'
            - '🇧🇮'
            - '🇰🇭'
            - '🇨🇲'
            - '🇨🇦'
            - '🇮🇨'
            - '🇨🇻'
            - '🇧🇶'
            - '🇰🇾'
            - '🇨🇫'
            - '🇹🇩'
            - '🇨🇱'
            - '🇨🇳'
            - '🇨🇽'
            - '🇨🇨'
            - '🇨🇴'
            - '🇰🇲'
            - '🇨🇬'
            - '🇨🇩'
            - '🇨🇰'
            - '🇨🇷'
            - '🇨🇮'
            - '🇭🇷'
            - '🇨🇺'
            - '🇨🇼'
            - '🇨🇾'
            - '🇨🇿'
            - '🇩🇰'
            - '🇩🇯'
            - '🇩🇲'
            - '🇩🇴'
            - '🇪🇨'
            - '🇪🇬'
            - '🇸🇻'
            - '🇬🇶'
            - '🇪🇷'
            - '🇪🇪'
            - '🇪🇹'
            - '🇪🇺'
            - '🇫🇰'
            - '🇫🇴'
            - '🇫🇯'
            - '🇫🇮'
            - '🇫🇷'
            - '🇬🇫'
            - '🇵🇫'
            - '🇹🇫'
            - '🇬🇦'
            - '🇬🇲'
            - '🇬🇪'
            - '🇩🇪'
            - '🇬🇭'
            - '🇬🇮'
            - '🇬🇷'
            - '🇬🇱'
            - '🇬🇩'
            - '🇬🇵'
            - '🇬🇺'
            - '🇬🇹'
            - '🇬🇬'
            - '🇬🇳'
            - '🇬🇼'
            - '🇬🇾'
            - '🇭🇹'
            - '🇭🇳'
            - '🇭🇰'
            - '🇭🇺'
            - '🇮🇸'
            - '🇮🇳'
            - '🇮🇩'
            - '🇮🇷'
            - '🇮🇶'
            - '🇮🇪'
            - '🇮🇲'
            - '🇮🇱'
            - '🇮🇹'
            - '🇯🇲'
            - '🇯🇵'
            - '🎌'
            - '🇯🇪'
            - '🇯🇴'
            - '🇰🇿'
            - '🇰🇪'
            - '🇰🇮'
            - '🇽🇰'
            - '🇰🇼'
            - '🇰🇬'
            - '🇱🇦'
            - '🇱🇻'
            - '🇱🇧'
            - '🇱🇸'
            - '🇱🇷'
            - '🇱🇾'
            - '🇱🇮'
            - '🇱🇹'
            - '🇱🇺'
            - '🇲🇴'
            - '🇲🇰'
            - '🇲🇬'
            - '🇲🇼'
            - '🇲🇾'
            - '🇲🇻'
            - '🇲🇱'
            - '🇲🇹'
            - '🇲🇭'
            - '🇲🇶'
            - '🇲🇷'
            - '🇲🇺'
            - '🇾🇹'
            - '🇲🇽'
            - '🇫🇲'
            - '🇲🇩'
            - '🇲🇨'
            - '🇲🇳'
            - '🇲🇪'
            - '🇲🇸'
            - '🇲🇦'
            - '🇲🇿'
            - '🇲🇲'
            - '🇳🇦'
            - '🇳🇷'
            - '🇳🇵'
            - '🇳🇱'
            - '🇳🇨'
            - '🇳🇿'
            - '🇳🇮'
            - '🇳🇪'
            - '🇳🇬'
            - '🇳🇺'
            - '🇳🇫'
            - '🇰🇵'
            - '🇲🇵'
            - '🇳🇴'
            - '🇴🇲'
            - '🇵🇰'
            - '🇵🇼'
            - '🇵🇸'
            - '🇵🇦'
            - '🇵🇬'
            - '🇵🇾'
            - '🇵🇪'
            - '🇵🇭'
            - '🇵🇳'
            - '🇵🇱'
            - '🇵🇹'
            - '🇵🇷'
            - '🇶🇦'
            - '🇷🇪'
            - '🇷🇴'
            - '🇷🇺'
            - '🇷🇼'
            - '🇼🇸'
            - '🇸🇲'
            - '🇸🇦'
            - '🇸🇳'
            - '🇷🇸'
            - '🇸🇨'
            - '🇸🇱'
            - '🇸🇬'
            - '🇸🇽'
            - '🇸🇰'
            - '🇸🇮'
            - '🇬🇸'
            - '🇸🇧'
            - '🇸🇴'
            - '🇿🇦'
            - '🇰🇷'
            - '🇸🇸'
            - '🇪🇸'
            - '🇱🇰'
            - '🇧🇱'
            - '🇸🇭'
            - '🇰🇳'
            - '🇱🇨'
            - '🇵🇲'
            - '🇻🇨'
            - '🇸🇩'
            - '🇸🇷'
            - '🇸🇿'
            - '🇸🇪'
            - '🇨🇭'
            - '🇸🇾'
            - '🇹🇼'
            - '🇹🇯'
            - '🇹🇿'
            - '🇹🇭'
            - '🇹🇱'
            - '🇹🇬'
            - '🇹🇰'
            - '🇹🇴'
            - '🇹🇹'
            - '🇹🇳'
            - '🇹🇷'
            - '🇹🇲'
            - '🇹🇨'
            - '🇹🇻'
            - '🇻🇮'
            - '🇺🇬'
            - '🇺🇦'
            - '🇦🇪'
            - '🇬🇧'
            - '🏴󠁧󠁢󠁥󠁮󠁧󠁿'
            - '🏴󠁧󠁢󠁳󠁣󠁴󠁿'
            - '🏴󠁧󠁢󠁷󠁬󠁳󠁿'
            - '🇺🇳'
            - '🇺🇸'
            - '🇺🇾'
            - '🇺🇿'
            - '🇻🇺'
            - '🇻🇦'
            - '🇻🇪'
            - '🇻🇳'
            - '🇼🇫'
            - '🇪🇭'
            - '🇾🇪'
            - '🇿🇲'
            - '🇿🇼🫠'
            - '🫢'
            - '🫣'
            - '🫡'
            - '🫥'
            - '🫤'
            - '🥹'
            - '🫱'
            - '🫱🏻'
            - '🫱🏼'
            - '🫱🏽'
            - '🫱🏾'
            - '🫱🏿'
            - '🫲'
            - '🫲🏻'
            - '🫲🏼'
            - '🫲🏽'
            - '🫲🏾'
            - '🫲🏿'
            - '🫳'
            - '🫳🏻'
            - '🫳🏼'
            - '🫳🏽'
            - '🫳🏾'
            - '🫳🏿'
            - '🫴'
            - '🫴🏻'
            - '🫴🏼'
            - '🫴🏽'
            - '🫴🏾'
            - '🫴🏿'
            - '🫰'
            - '🫰🏻'
            - '🫰🏼'
            - '🫰🏽'
            - '🫰🏾'
            - '🫰🏿'
            - '🫵'
            - '🫵🏻'
            - '🫵🏼'
            - '🫵🏽'
            - '🫵🏾'
            - '🫵🏿'
            - '🫶'
            - '🫶🏻'
            - '🫶🏼'
            - '🫶🏽'
            - '🫶🏾'
            - '🫶🏿'
            - '🤝🏻'
            - '🤝🏼'
            - '🤝🏽'
            - '🤝🏾'
            - '🤝🏿'
            - '🫱🏻‍🫲🏼'
            - '🫱🏻‍🫲🏽'
            - '🫱🏻‍🫲🏾'
            - '🫱🏻‍🫲🏿'
            - '🫱🏼‍🫲🏻'
            - '🫱🏼‍🫲🏽'
            - '🫱🏼‍🫲🏾'
            - '🫱🏼‍🫲🏿'
            - '🫱🏽‍🫲🏻'
            - '🫱🏽‍🫲🏼'
            - '🫱🏽‍🫲🏾'
            - '🫱🏽‍🫲🏿'
            - '🫱🏾‍🫲🏻'
            - '🫱🏾‍🫲🏼'
            - '🫱🏾‍🫲🏽'
            - '🫱🏾‍🫲🏿'
            - '🫱🏿‍🫲🏻'
            - '🫱🏿‍🫲🏼'
            - '🫱🏿‍🫲🏽'
            - '🫱🏿‍🫲🏾'
            - '🫦'
            - '🫅'
            - '🫅🏻'
            - '🫅🏼'
            - '🫅🏽'
            - '🫅🏾'
            - '🫅🏿'
            - '🫃'
            - '🫃🏻'
            - '🫃🏼'
            - '🫃🏽'
            - '🫃🏾'
            - '🫃🏿'
            - '🫄'
            - '🫄🏻'
            - '🫄🏼'
            - '🫄🏽'
            - '🫄🏾'
            - '🫄🏿'
            - '🧌'
            - '🪸'
            - '🪷'
            - '🪹'
            - '🪺'
            - '🫘'
            - '🫗'
            - '🫙'
            - '🛝'
            - '🛞'
            - '🛟'
            - '🪬'
            - '🪩'
            - '🪫'
            - '🩼'
            - '🩻'
            - '🫧'
            - '🪪'
            - '🟰'
            - '😮‍💨'
            - '😵‍💫'
            - '😶‍🌫️'
            - '❤️‍🔥'
            - '❤️‍🩹'
            - '🧔‍♀️'
            - '🧔🏻‍♀️'
            - '🧔🏼‍♀️'
            - '🧔🏽‍♀️'
            - '🧔🏾‍♀️'
            - '🧔🏿‍♀️'
            - '🧔‍♂️'
            - '🧔🏻‍♂️'
            - '🧔🏼‍♂️'
            - '🧔🏽‍♂️'
            - '🧔🏾‍♂️'
            - '🧔🏿‍♂️'
            - '💑🏻'
            - '💑🏼'
            - '💑🏽'
            - '💑🏾'
            - '💑🏿'
            - '💏🏻'
            - '💏🏼'
            - '💏🏽'
            - '💏🏾'
            - '💏🏿'
            - '👨🏻‍❤️‍👨🏻'
            - '👨🏻‍❤️‍👨🏼'
            - '👨🏻‍❤️‍👨🏽'
            - '👨🏻‍❤️‍👨🏾'
            - '👨🏻‍❤️‍👨🏿'
            - '👨🏼‍❤️‍👨🏻'
            - '👨🏼‍❤️‍👨🏼'
            - '👨🏼‍❤️‍👨🏽'
            - '👨🏼‍❤️‍👨🏾'
            - '👨🏼‍❤️‍👨🏿'
            - '👨🏽‍❤️‍👨🏻'
            - '👨🏽‍❤️‍👨🏼'
            - '👨🏽‍❤️‍👨🏽'
            - '👨🏽‍❤️‍👨🏾'
            - '👨🏽‍❤️‍👨🏿'
            - '👨🏾‍❤️‍👨🏻'
            - '👨🏾‍❤️‍👨🏼'
            - '👨🏾‍❤️‍👨🏽'
            - '👨🏾‍❤️‍👨🏾'
            - '👨🏾‍❤️‍👨🏿'
            - '👨🏿‍❤️‍👨🏻'
            - '👨🏿‍❤️‍👨🏼'
            - '👨🏿‍❤️‍👨🏽'
            - '👨🏿‍❤️‍👨🏾'
            - '👨🏿‍❤️‍👨🏿'
            - '👩🏻‍❤️‍👨🏻'
            - '👩🏻‍❤️‍👨🏼'
            - '👩🏻‍❤️‍👨🏽'
            - '👩🏻‍❤️‍👨🏾'
            - '👩🏻‍❤️‍👨🏿'
            - '👩🏻‍❤️‍👩🏻'
            - '👩🏻‍❤️‍👩🏼'
            - '👩🏻‍❤️‍👩🏽'
            - '👩🏻‍❤️‍👩🏾'
            - '👩🏻‍❤️‍👩🏿'
            - '👩🏼‍❤️‍👨🏻'
            - '👩🏼‍❤️‍👨🏼'
            - '👩🏼‍❤️‍👨🏽'
            - '👩🏼‍❤️‍👨🏾'
            - '👩🏼‍❤️‍👨🏿'
            - '👩🏼‍❤️‍👩🏻'
            - '👩🏼‍❤️‍👩🏼'
            - '👩🏼‍❤️‍👩🏽'
            - '👩🏼‍❤️‍👩🏾'
            - '👩🏼‍❤️‍👩🏿'
            - '👩🏽‍❤️‍👨🏻'
            - '👩🏽‍❤️‍👨🏼'
            - '👩🏽‍❤️‍👨🏽'
            - '👩🏽‍❤️‍👨🏾'
            - '👩🏽‍❤️‍👨🏿'
            - '👩🏽‍❤️‍👩🏻'
            - '👩🏽‍❤️‍👩🏼'
            - '👩🏽‍❤️‍👩🏽'
            - '👩🏽‍❤️‍👩🏾'
            - '👩🏽‍❤️‍👩🏿'
            - '👩🏾‍❤️‍👨🏻'
            - '👩🏾‍❤️‍👨🏼'
            - '👩🏾‍❤️‍👨🏽'
            - '👩🏾‍❤️‍👨🏾'
            - '👩🏾‍❤️‍👨🏿'
            - '👩🏾‍❤️‍👩🏻'
            - '👩🏾‍❤️‍👩🏼'
            - '👩🏾‍❤️‍👩🏽'
            - '👩🏾‍❤️‍👩🏾'
            - '👩🏾‍❤️‍👩🏿'
            - '👩🏿‍❤️‍👨🏻'
            - '👩🏿‍❤️‍👨🏼'
            - '👩🏿‍❤️‍👨🏽'
            - '👩🏿‍❤️‍👨🏾'
            - '👩🏿‍❤️‍👨🏿'
            - '👩🏿‍❤️‍👩🏻'
            - '👩🏿‍❤️‍👩🏼'
            - '👩🏿‍❤️‍👩🏽'
            - '👩🏿‍❤️‍👩🏾'
            - '👩🏿‍❤️‍👩🏿'
            - '🧑🏻‍❤️‍🧑🏼'
            - '🧑🏻‍❤️‍🧑🏽'
            - '🧑🏻‍❤️‍🧑🏾'
            - '🧑🏻‍❤️‍🧑🏿'
            - '🧑🏼‍❤️‍🧑🏻'
            - '🧑🏼‍❤️‍🧑🏽'
            - '🧑🏼‍❤️‍🧑🏾'
            - '🧑🏼‍❤️‍🧑🏿'
            - '🧑🏽‍❤️‍🧑🏻'
            - '🧑🏽‍❤️‍🧑🏼'
            - '🧑🏽‍❤️‍🧑🏾'
            - '🧑🏽‍❤️‍🧑🏿'
            - '🧑🏾‍❤️‍🧑🏻'
            - '🧑🏾‍❤️‍🧑🏼'
            - '🧑🏾‍❤️‍🧑🏽'
            - '🧑🏾‍❤️‍🧑🏿'
            - '🧑🏿‍❤️‍🧑🏻'
            - '🧑🏿‍❤️‍🧑🏼'
            - '🧑🏿‍❤️‍🧑🏽'
            - '🧑🏿‍❤️‍🧑🏾'
            - '👨🏻‍❤️‍💋‍👨🏻'
            - '👨🏻‍❤️‍💋‍👨🏼'
            - '👨🏻‍❤️‍💋‍👨🏽'
            - '👨🏻‍❤️‍💋‍👨🏾'
            - '👨🏻‍❤️‍💋‍👨🏿'
            - '👨🏼‍❤️‍💋‍👨🏻'
            - '👨🏼‍❤️‍💋‍👨🏼'
            - '👨🏼‍❤️‍💋‍👨🏽'
            - '👨🏼‍❤️‍💋‍👨🏾'
            - '👨🏼‍❤️‍💋‍👨🏿'
            - '👨🏽‍❤️‍💋‍👨🏻'
            - '👨🏽‍❤️‍💋‍👨🏼'
            - '👨🏽‍❤️‍💋‍👨🏽'
            - '👨🏽‍❤️‍💋‍👨🏾'
            - '👨🏽‍❤️‍💋‍👨🏿'
            - '👨🏾‍❤️‍💋‍👨🏻'
            - '👨🏾‍❤️‍💋‍👨🏼'
            - '👨🏾‍❤️‍💋‍👨🏽'
            - '👨🏾‍❤️‍💋‍👨🏾'
            - '👨🏾‍❤️‍💋‍👨🏿'
            - '👨🏿‍❤️‍💋‍👨🏻'
            - '👨🏿‍❤️‍💋‍👨🏼'
            - '👨🏿‍❤️‍💋‍👨🏽'
            - '👨🏿‍❤️‍💋‍👨🏾'
            - '👨🏿‍❤️‍💋‍👨🏿'
            - '👩🏻‍❤️‍💋‍👨🏻'
            - '👩🏻‍❤️‍💋‍👨🏼'
            - '👩🏻‍❤️‍💋‍👨🏽'
            - '👩🏻‍❤️‍💋‍👨🏾'
            - '👩🏻‍❤️‍💋‍👨🏿'
            - '👩🏻‍❤️‍💋‍👩🏻'
            - '👩🏻‍❤️‍💋‍👩🏼'
            - '👩🏻‍❤️‍💋‍👩🏽'
            - '👩🏻‍❤️‍💋‍👩🏾'
            - '👩🏻‍❤️‍💋‍👩🏿'
            - '👩🏼‍❤️‍💋‍👨🏻'
            - '👩🏼‍❤️‍💋‍👨🏼'
            - '👩🏼‍❤️‍💋‍👨🏽'
            - '👩🏼‍❤️‍💋‍👨🏾'
            - '👩🏼‍❤️‍💋‍👨🏿'
            - '👩🏼‍❤️‍💋‍👩🏻'
            - '👩🏼‍❤️‍💋‍👩🏼'
            - '👩🏼‍❤️‍💋‍👩🏽'
            - '👩🏼‍❤️‍💋‍👩🏾'
            - '👩🏼‍❤️‍💋‍👩🏿'
            - '👩🏽‍❤️‍💋‍👨🏻'
            - '👩🏽‍❤️‍💋‍👨🏼'
            - '👩🏽‍❤️‍💋‍👨🏽'
            - '👩🏽‍❤️‍💋‍👨🏾'
            - '👩🏽‍❤️‍💋‍👨🏿'
            - '👩🏽‍❤️‍💋‍👩🏻'
            - '👩🏽‍❤️‍💋‍👩🏼'
            - '👩🏽‍❤️‍💋‍👩🏽'
            - '👩🏽‍❤️‍💋‍👩🏾'
            - '👩🏽‍❤️‍💋‍👩🏿'
            - '👩🏾‍❤️‍💋‍👨🏻'
            - '👩🏾‍❤️‍💋‍👨🏼'
            - '👩🏾‍❤️‍💋‍👨🏽'
            - '👩🏾‍❤️‍💋‍👨🏾'
            - '👩🏾‍❤️‍💋‍👨🏿'
            - '👩🏾‍❤️‍💋‍👩🏻'
            - '👩🏾‍❤️‍💋‍👩🏼'
            - '👩🏾‍❤️‍💋‍👩🏽'
            - '👩🏾‍❤️‍💋‍👩🏾'
            - '👩🏾‍❤️‍💋‍👩🏿'
            - '👩🏿‍❤️‍💋‍👨🏻'
            - '👩🏿‍❤️‍💋‍👨🏼'
            - '👩🏿‍❤️‍💋‍👨🏽'
            - '👩🏿‍❤️‍💋‍👨🏾'
            - '👩🏿‍❤️‍💋‍👨🏿'
            - '👩🏿‍❤️‍💋‍👩🏻'
            - '👩🏿‍❤️‍💋‍👩🏼'
            - '👩🏿‍❤️‍💋‍👩🏽'
            - '👩🏿‍❤️‍💋‍👩🏾'
            - '👩🏿‍❤️‍💋‍👩🏿'
            - '🧑🏻‍❤️‍💋‍🧑🏼'
            - '🧑🏻‍❤️‍💋‍🧑🏽'
            - '🧑🏻‍❤️‍💋‍🧑🏾'
            - '🧑🏻‍❤️‍💋‍🧑🏿'
            - '🧑🏼‍❤️‍💋‍🧑🏻'
            - '🧑🏼‍❤️‍💋‍🧑🏽'
            - '🧑🏼‍❤️‍💋‍🧑🏾'
            - '🧑🏼‍❤️‍💋‍🧑🏿'
            - '🧑🏽‍❤️‍💋‍🧑🏻'
            - '🧑🏽‍❤️‍💋‍🧑🏼'
            - '🧑🏽‍❤️‍💋‍🧑🏾'
            - '🧑🏽‍❤️‍💋‍🧑🏿'
            - '🧑🏾‍❤️‍💋‍🧑🏻'
            - '🧑🏾‍❤️‍💋‍🧑🏼'
            - '🧑🏾‍❤️‍💋‍🧑🏽'
            - '🧑🏾‍❤️‍💋‍🧑🏿'
            - '🧑🏿‍❤️‍💋‍🧑🏻'
            - '🧑🏿‍❤️‍💋‍🧑🏼'
            - '🧑🏿‍❤️‍💋‍🧑🏽'
            - '🧑🏿‍❤️‍💋‍🧑🏾'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
status test author Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux ATT&CK sub-technique id ad691d92-15f2-4181-9aa4-723c74f9ddc3
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*\u202e*", "*[U+202E]*", "*‮*")))
view Sigma YAML 
title: Potential Defense Evasion Via Right-to-Left Override
id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
related:
    - id: e0552b19-5a83-4222-b141-b36184bb8d79
      type: derived
    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
      type: derived
status: test
description: |
    Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
    This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://unicode-explorer.com/c/202E
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
date: 2023-02-15
modified: 2026-03-20
tags:
    - attack.stealth
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '\u202e'  # Unicode RTLO character
            - '[U+202E]'
            # Real char U+202E copied/pasted below
            - '‮'
    condition: selection
falsepositives:
    - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml
Convert to SIEM query
high Moderate Medium FP
Potential Devil Bait Malware Reconnaissance
Detects specific process behavior observed with Devil Bait samples
status test author Nasreddine Bencherchali (Nextron Systems), NCSC (Idea) ATT&CK technique id e8954be4-b2b8-4961-be18-da1a5bda709c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\wscript.exe" and 
 action_process_image_path contains "\cmd.exe" and 
 action_process_image_command_line contains ">>%APPDATA%\Microsoft\" and 
 (action_process_image_command_line in ("*.xml", "*.txt"))) and 
 (action_process_image_command_line ~= "ipconfig\s+/all" or 
 (action_process_image_command_line in ("*dir*", "*systeminfo*", "*tasklist*")))))
view Sigma YAML 
title: Potential Devil Bait Malware Reconnaissance
id: e8954be4-b2b8-4961-be18-da1a5bda709c
related:
    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
      type: derived
status: test
description: Detects specific process behavior observed with Devil Bait samples
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
    - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
date: 2023-05-15
modified: 2025-10-19
tags:
    - attack.stealth
    - attack.t1218
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_redirect:
        ParentImage|endswith: '\wscript.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '>>%APPDATA%\Microsoft\'
        CommandLine|endswith:
            - '.xml'
            - '.txt'
    selection_recon_cmd:
        - CommandLine|re: 'ipconfig\s+/all'
        - CommandLine|contains:
              # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
              # If you find samples using other commands please add them
              - 'dir'
              - 'systeminfo'
              - 'tasklist'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 93d5f1b4-36df-45ed-8680-f66f242b8415
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\schtasks.exe", "*\wscript.exe", "*\mshta.exe")) and 
 action_file_name contains "\AppData\Roaming\Microsoft\" and 
 (action_file_name in ("*.txt", "*.xml"))))
view Sigma YAML 
title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\schtasks.exe'
            - '\wscript.exe'
            - '\mshta.exe'
        # Example folders used by the samples include:
        #   - %AppData%\Microsoft\Network\
        #   - %AppData%\Microsoft\Office\
        TargetFilename|contains: '\AppData\Roaming\Microsoft\'
        TargetFilename|endswith:
            - '.txt'
            - '.xml'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\EACore.dll" and 
 (not 
 ((actor_process_image_path contains "C:\Program Files\Electronic Arts\EA Desktop\" and 
 actor_process_image_path contains "\EACoreServer.exe") and 
 action_module_path contains "C:\Program Files\Electronic Arts\EA Desktop\"))))
view Sigma YAML 
title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: test
description: Detects potential DLL sideloading of "EACore.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\EACore.dll'
    filter_main_legit_path:
        Image|contains|all:
            - 'C:\Program Files\Electronic Arts\EA Desktop\'
            - '\EACoreServer.exe'
        ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id e4903324-1a10-4ed3-981b-f6fe3be3a2c2
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\edputil.dll" and 
 (not 
 (action_module_path in ("C:\Windows\System32\*", "C:\Windows\SysWOW64\*", "C\Windows\WinSxS\*")))))
view Sigma YAML 
title: Potential Edputil.DLL Sideloading
id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
status: test
description: Detects potential DLL sideloading of "edputil.dll"
references:
    - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\edputil.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong High FP
Potential Emotet Activity
Detects all Emotet like process executions that are not covered by the more generic rules
status stable author Florian Roth (Nextron Systems) ATT&CK sub-technique id d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("* -e* PAA*", "*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*", "*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*", "*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*", "*IgAoACcAKgAnACkAOwAkA*", "*IAKAAnACoAJwApADsAJA*", "*iACgAJwAqACcAKQA7ACQA*", "*JABGAGwAeAByAGgAYwBmAGQ*", "*PQAkAGUAbgB2ADoAdABlAG0AcAArACgA*", "*0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA*", "*9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA*")) and 
 (not 
 (action_process_image_command_line in ("*fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ*", "*wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA*", "*8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA*")))))
view Sigma YAML 
title: Potential Emotet Activity
id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
status: stable
description: Detects all Emotet like process executions that are not covered by the more generic rules
references:
    - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
    - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
    - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
    - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
author: Florian Roth (Nextron Systems)
date: 2019-09-30
modified: 2023-02-04
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -e* PAA'
            - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile
            - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile
            - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile
            - 'IgAoACcAKgAnACkAOwAkA' # "('*');$
            - 'IAKAAnACoAJwApADsAJA' # "('*');$
            - 'iACgAJwAqACcAKQA7ACQA' # "('*');$
            - 'JABGAGwAeAByAGgAYwBmAGQ'
            - 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA' # =$env:temp+(
            - '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA' # =$env:temp+(
            - '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA' # =$env:temp+(
    filter:
        CommandLine|contains:
            - 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ'
            - 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA'
            - '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
Showing 301-350 of 763
Prev 7 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh