Panther detection rules · threatengine.sh

SOAR

Panther

3,750 rules · Sigma detections in Panther syntax

The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.

Severity critical high medium low all severities

Using these Sigma rules

Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.

Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.

Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.

◈

Detection rules

50 shown of 3,750

high

Potential CVE-2022-29072 Exploitation Attempt

Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.

status test author frack113, @kostastsale id 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3

panther query

def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\7zFM.exe"),
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\cmd.exe"),
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                        ]
                    ),
                    event.deep_get("OriginalFileName", default="")
                    in ["Cmd.Exe", "PowerShell.EXE", "pwsh.dll"],
                ]
            ),
            not any(
                [
                    any(
                        [
                            any(
                                [
                                    " /c " in event.deep_get("CommandLine", default=""),
                                    " /k " in event.deep_get("CommandLine", default=""),
                                    " /r " in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    event.deep_get("CommandLine", default="").endswith(".bat"),
                                    event.deep_get("CommandLine", default="").endswith(".cmd"),
                                    event.deep_get("CommandLine", default="").endswith(".ps1"),
                                ]
                            ),
                        ]
                    ),
                    event.deep_get("CommandLine", default="") == "",
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2022-29072 Exploitation Attempt
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: test
description: |
    Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
    7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
    The command runs in a child process under the 7zFM.exe process.
references:
    - https://github.com/kagancapar/CVE-2022-29072
    - https://twitter.com/kagancapar/status/1515219358234161153
author: frack113, @kostastsale
date: 2022-04-17
modified: 2024-08-15
tags:
    - attack.execution
    - cve.2022-29072
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\7zFM.exe'
    selection_img:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    filter_main_extensions_and_flags:
        - CommandLine|contains:
              - ' /c '
              - ' /k '
              - ' /r '
        - CommandLine|endswith:
              - '.bat'
              - '.cmd'
              - '.ps1'
    filter_main_null:
        CommandLine: null
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CVE-2022-46169 Exploitation Attempt

Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169

status test author Nasreddine Bencherchali (Nextron Systems) id 738cb115-881f-4df3-82cc-56ab02fc5192

panther query

def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "GET",
            "/remote_agent.php" in event.deep_get("cs-uri-query", default=""),
            "action=polldata" in event.deep_get("cs-uri-query", default=""),
            "poller_id=" in event.deep_get("cs-uri-query", default=""),
            any(
                [
                    "| base64 -d | /bin/bash`" in event.deep_get("cs-uri-query", default=""),
                    "%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60"
                    in event.deep_get("cs-uri-query", default=""),
                    "`whoami" in event.deep_get("cs-uri-query", default=""),
                    "powershell" in event.deep_get("cs-uri-query", default=""),
                    "cmd" in event.deep_get("cs-uri-query", default=""),
                    "wget" in event.deep_get("cs-uri-query", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2022-46169 Exploitation Attempt
id: 738cb115-881f-4df3-82cc-56ab02fc5192
status: test
description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
references:
    - https://github.com/0xf4n9x/CVE-2022-46169
    - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
    - https://github.com/rapid7/metasploit-framework/pull/17407
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-46169
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        # Check for the presence of the X-FORWARDED-FOR header pointing to the hostname of the server running Cacti (which indicate auth bypass)
        # Check for previous requests indicating the bruteforce of the "local_data_ids" and "host_id"
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - '/remote_agent.php'
            - 'action=polldata'
            - 'poller_id='
        cs-uri-query|contains:
            # From https://github.com/rapid7/metasploit-framework/pull/17407/files#diff-972a47250ccd30b935a59e8871134956a15980df5b29f9d970414646704d5258R288
            # Not tested could be shown in other format (update if you have more info)
            - '| base64 -d | /bin/bash`'
            - '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60' # URL encoded version
            # Add more suspicious commands accordingly
            - '`whoami'
            - 'powershell'
            - 'cmd'
            - 'wget'
    condition: selection
falsepositives:
    - Web vulnerability scanners
level: high

Convert to SIEM query

high

Potential CVE-2023-21554 QueueJumper Exploitation

Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)

status test author Nasreddine Bencherchali (Nextron Systems) id 53207cc2-0745-4c19-bc72-80be1cc16b3f

panther query

def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\Windows\\System32\\mqsvc.exe"),
            any(
                [
                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                    event.deep_get("Image", default="").endswith("\\cscript.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell.exe"),
                    event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                    event.deep_get("Image", default="").endswith("\\regsvr32.exe"),
                    event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                    event.deep_get("Image", default="").endswith("\\schtasks.exe"),
                    event.deep_get("Image", default="").endswith("\\wmic.exe"),
                    event.deep_get("Image", default="").endswith("\\wscript.exe"),
                    event.deep_get("Image", default="").endswith("\\wsl.exe"),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
    - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - cve.2023-21554
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\mqsvc.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CVE-2023-23752 Exploitation Attempt

Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla

status test author Bhabesh Raj id 0e1ebc5a-15d0-4bf6-8199-b2535397433a

panther query

def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "GET",
            "/api/index.php/v1/" in event.deep_get("cs-uri-query", default=""),
            "public=true" in event.deep_get("cs-uri-query", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-23752 Exploitation Attempt
id: 0e1ebc5a-15d0-4bf6-8199-b2535397433a
status: test
description: Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
references:
    - https://xz.aliyun.com/t/12175
    - https://twitter.com/momika233/status/1626464189261942786
author: Bhabesh Raj
date: 2023-02-23
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-23752
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - '/api/index.php/v1/'
            - 'public=true'
    condition: selection
falsepositives:
    - Vulnerability scanners
level: high

Convert to SIEM query

high

Potential CVE-2023-25157 Exploitation Attempt

Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer

status test author Nasreddine Bencherchali (Nextron Systems) id c0341543-5ed0-4475-aabc-7eea8c52aa66

panther query

def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "GET",
            "/geoserver/ows" in event.deep_get("cs-uri-query", default=""),
            "CQL_FILTER=" in event.deep_get("cs-uri-query", default=""),
            any(
                [
                    "PropertyIsLike" in event.deep_get("cs-uri-query", default=""),
                    "strEndsWith" in event.deep_get("cs-uri-query", default=""),
                    "strStartsWith" in event.deep_get("cs-uri-query", default=""),
                    "FeatureId" in event.deep_get("cs-uri-query", default=""),
                    "jsonArrayContains" in event.deep_get("cs-uri-query", default=""),
                    "DWithin" in event.deep_get("cs-uri-query", default=""),
                ]
            ),
            any(
                [
                    "+--" in event.deep_get("cs-uri-query", default=""),
                    "+AS+" in event.deep_get("cs-uri-query", default=""),
                    "+OR+" in event.deep_get("cs-uri-query", default=""),
                    "FROM" in event.deep_get("cs-uri-query", default=""),
                    "ORDER+BY" in event.deep_get("cs-uri-query", default=""),
                    "SELECT" in event.deep_get("cs-uri-query", default=""),
                    "sleep%28" in event.deep_get("cs-uri-query", default=""),
                    "substring%28" in event.deep_get("cs-uri-query", default=""),
                    "UNION" in event.deep_get("cs-uri-query", default=""),
                    "WHERE" in event.deep_get("cs-uri-query", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-25157 Exploitation Attempt
id: c0341543-5ed0-4475-aabc-7eea8c52aa66
status: test
description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
references:
    - https://github.com/win3zz/CVE-2023-25157
    - https://twitter.com/parzel2/status/1665726454489915395
    - https://github.com/advisories/GHSA-7g5f-wrx8-5ccf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
    - attack.initial-access
    - cve.2023-25157
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_url:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - '/geoserver/ows'
            - 'CQL_FILTER='
        cs-uri-query|contains:
            # Abusable Filters/Function as reported in the Advisory
            - 'PropertyIsLike'
            - 'strEndsWith'
            - 'strStartsWith'
            - 'FeatureId'
            - 'jsonArrayContains'
            - 'DWithin'
    selection_payload:
        cs-uri-query|contains:
            - '+--'
            - '+AS+'
            - '+OR+'
            - 'FROM'
            - 'ORDER+BY'
            - 'SELECT'
            - 'sleep%28'
            - 'substring%28'
            - 'UNION'
            - 'WHERE'
    condition: all of selection_*
falsepositives:
    - Vulnerability scanners
level: high

Convert to SIEM query

high

Potential CVE-2023-25717 Exploitation Attempt

Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin

status test author Nasreddine Bencherchali (Nextron Systems) id 043c1609-0e32-4462-a6f2-5a0c2da3fafe

panther query

def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "GET",
            "/forms/doLogin" in event.deep_get("cs-uri-query", default=""),
            "login_username" in event.deep_get("cs-uri-query", default=""),
            "password" in event.deep_get("cs-uri-query", default=""),
            any(
                [
                    "$(" in event.deep_get("cs-uri-query", default=""),
                    "%24%28" in event.deep_get("cs-uri-query", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-25717 Exploitation Attempt
id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
status: test
description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
references:
    - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-30
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-25717
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - '/forms/doLogin'
            - 'login_username'
            - 'password'
        cs-uri-query|contains:
            - '$('
            - '%24%28' # URL Encode version of "$("
    condition: selection
falsepositives:
    - Vulnerability scanners
    - Some rare false positives may occur if the password contains the characters "$(". Apply addition indicators such as executed commands to remove FP
level: high

Convert to SIEM query

high

Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader

Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.

status test author Gregory id 9cae055f-e1d2-4f81-b8a5-1986a68cdd84

panther query

def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\FoxitPDFReader.exe"),
            "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
            in event.deep_get("TargetFilename", default=""),
            event.deep_get("TargetFilename", default="").endswith(".hta"),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: test
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
    - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
    - https://www.zerodayinitiative.com/advisories/ZDI-23-491/
    - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023-10-11
tags:
    - attack.persistence
    - attack.t1505.001
    - cve.2023-27363
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\FoxitPDFReader.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution

Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874

status test author Nasreddine Bencherchali (Nextron Systems) id 50dbc08b-60ce-40f1-a6b6-346497e34c88

panther query

def rule(event):
    if all(
        [
            event.deep_get("OriginalFileName", default="")
            in ["Cmd.Exe", "powershell_ise.EXE", "powershell.exe"],
            event.deep_get("Image", default="").endswith("\\wermgr.exe"),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
id: 50dbc08b-60ce-40f1-a6b6-346497e34c88
status: test
description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
tags:
    - attack.execution
    - cve.2023-36874
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'powershell_ise.EXE'
            - 'powershell.exe'
        Image|endswith: '\wermgr.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation

Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.

status test author Nasreddine Bencherchali (Nextron Systems) id ad0960eb-0015-4d16-be13-b3d9f18f1342

panther query

def rule(event):
    if all(
        [
            event.deep_get("TargetFilename", default="").endswith("\\wermgr.exe"),
            not any(
                [
                    ":\\$WINDOWS.~BT\\NewOS\\" in event.deep_get("TargetFilename", default=""),
                    ":\\$WinREAgent\\" in event.deep_get("TargetFilename", default=""),
                    ":\\Windows\\servicing\\LCU\\" in event.deep_get("TargetFilename", default=""),
                    ":\\Windows\\System32\\" in event.deep_get("TargetFilename", default=""),
                    ":\\Windows\\SysWOW64\\" in event.deep_get("TargetFilename", default=""),
                    ":\\Windows\\WinSxS\\" in event.deep_get("TargetFilename", default=""),
                    ":\\WUDownloadCache\\" in event.deep_get("TargetFilename", default=""),
                    ":\\Windows\\SoftwareDistribution\\Download\\"
                    in event.deep_get("TargetFilename", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
id: ad0960eb-0015-4d16-be13-b3d9f18f1342
status: test
description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
modified: 2025-01-13
tags:
    - attack.execution
    - cve.2023-36874
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\wermgr.exe'
    filter_main_locations:
        TargetFilename|contains:
            - ':\$WINDOWS.~BT\NewOS\'
            - ':\$WinREAgent\' # From "wuauclt.exe"
            - ':\Windows\servicing\LCU\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
            - ':\WUDownloadCache\' # Windows Update Download Cache
            - ':\Windows\SoftwareDistribution\Download\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CVE-2023-36884 Exploitation - Share Access

Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884

status test author Nasreddine Bencherchali (Nextron Systems) id 3df95076-9e78-4e63-accb-16699c3b74f8

panther query

import re


def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 5140,
            any(
                [
                    all(
                        [
                            "\\MSHTML_C7\\" in event.deep_get("ShareName", default=""),
                            re.match(
                                r"[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}",
                                event.deep_get("ShareName", default=""),
                            ),
                        ]
                    ),
                    all(
                        [
                            "\\MSHTML_C7\\" in event.deep_get("ShareLocalPath", default=""),
                            re.match(
                                r"[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}",
                                event.deep_get("ShareLocalPath", default=""),
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-36884 Exploitation - Share Access
id: 3df95076-9e78-4e63-accb-16699c3b74f8
status: test
description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection_eid:
        EventID: 5140
    selection_share_name:
        ShareName|contains: '\MSHTML_C7\'
        ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_share_path:
        ShareLocalPath|contains: '\MSHTML_C7\'
        ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection_eid and 1 of selection_share_*
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CVE-2023-36884 Exploitation - URL Marker

Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884

status test author X__Junior id e59f71ff-c042-4f7a-8a82-8f53beea817e

panther query

def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "GET",
            "/MSHTML_C7/" in event.deep_get("c-uri", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2023-36884 Exploitation - URL Marker
id: e59f71ff-c042-4f7a-8a82-8f53beea817e
status: test
description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains: '/MSHTML_C7/'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection

Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

status test author Nasreddine Bencherchali (Nextron Systems) id f130a5f1-73ba-42f0-bf1e-b66a8361cb8f

panther query

import json


def rule(event):
    if any(
        [
            any(
                [
                    "failed to unmarshal session(../" in json.dumps(event.to_dict()),
                    "failed to unmarshal session(./../" in json.dumps(event.to_dict()),
                    "failed to unmarshal session(/.." in json.dumps(event.to_dict()),
                    "failed to unmarshal session(%2E%2E%2F" in json.dumps(event.to_dict()),
                    "failed to unmarshal session(%2F%2E%2E" in json.dumps(event.to_dict()),
                    "failed to unmarshal session(%2E%2F%2E%2E%2F" in json.dumps(event.to_dict()),
                    "failed to unmarshal session(%252E%252E%252F" in json.dumps(event.to_dict()),
                    "failed to unmarshal session(%252F%252E%252E" in json.dumps(event.to_dict()),
                    "failed to unmarshal session(%252E%252F%252E%252E%252F"
                    in json.dumps(event.to_dict()),
                ]
            ),
            all(
                [
                    any(
                        [
                            "{IFS}" in json.dumps(event.to_dict()),
                            "base64" in json.dumps(event.to_dict()),
                            "bash" in json.dumps(event.to_dict()),
                            "curl" in json.dumps(event.to_dict()),
                            "http" in json.dumps(event.to_dict()),
                        ]
                    ),
                    "/opt/panlogs/tmp/device_telemetry/" in json.dumps(event.to_dict()),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
status: test
description: |
    Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
    This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
references:
    - https://security.paloaltonetworks.com/CVE-2024-3400
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
    - https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-18
modified: 2025-11-22
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - cve.2024-3400
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: appliance
    product: paloalto
    service: globalprotect
    definition: 'Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" log files need to be ingested'
detection:
    keywords_generic:
        - 'failed to unmarshal session(../'
        - 'failed to unmarshal session(./../'
        - 'failed to unmarshal session(/..'
        - 'failed to unmarshal session(%2E%2E%2F'
        - 'failed to unmarshal session(%2F%2E%2E'
        - 'failed to unmarshal session(%2E%2F%2E%2E%2F'
        - 'failed to unmarshal session(%252E%252E%252F'
        - 'failed to unmarshal session(%252F%252E%252E'
        - 'failed to unmarshal session(%252E%252F%252E%252E%252F'
    keywords_telemetry_exploit:
        - '{IFS}'
        - 'base64'
        - 'bash'
        - 'curl'
        - 'http'
    keywords_telemetry_path:
        - '/opt/panlogs/tmp/device_telemetry/'
    condition: keywords_generic or (keywords_telemetry_exploit and keywords_telemetry_path)
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI

Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:). An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource. When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash. HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access. The URI can be delivered via a malicious hyperlink, phishing email, or web page.

status test author Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems) id 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d

panther query

def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\SnippingTool.exe"),
            any(
                [
                    "ms-screensketch:edit?&filePath=\\\\"
                    in event.deep_get("CommandLine", default=""),
                    "ms-screensketch:edit?&filePath=%%5C"
                    in event.deep_get("CommandLine", default=""),
                    "ms-screensketch:edit?&filePath=%5C"
                    in event.deep_get("CommandLine", default=""),
                    "ms-screensketch:edit?&filePath=http"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
status: test
description: |
    Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
    An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
    When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
    HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
    The URI can be delivered via a malicious hyperlink, phishing email, or web page.
references:
    - https://x.com/BlackArrowSec/status/2044374743491424508
    - https://x.com/SBousseaden/status/2044417029721997635
author: Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-28
tags:
    - attack.credential-access
    - attack.t1187
    - detection.emerging-threats
    - cve.2026-33829
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\SnippingTool.exe'
        CommandLine|contains:
            # '\\\\'  = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
            - 'ms-screensketch:edit?&filePath=\\\\'
            - 'ms-screensketch:edit?&filePath=%%5C'
            - 'ms-screensketch:edit?&filePath=%5C'
            - 'ms-screensketch:edit?&filePath=http'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml

Convert to SIEM query

high

Potential CVE-2303-36884 URL Request Pattern Traffic

Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884

status test author X__Junior id d9365e39-febd-4a4b-8441-3ca91bb9d333

panther query

import re


def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "GET",
            re.match(
                r"\\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\\?d=[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}",
                event.deep_get("c-uri", default=""),
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CVE-2303-36884 URL Request Pattern Traffic
id: d9365e39-febd-4a4b-8441-3ca91bb9d333
status: test
description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    # Examples:
    #   hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
    #   104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
    selection:
        cs-method: 'GET'
        c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877

Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877

status test author Nasreddine Bencherchali (Nextron Systems) id 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1

panther query

def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "POST",
            "/login/index.php" in event.deep_get("cs-uri-query", default=""),
            "login=" in event.deep_get("cs-uri-query", default=""),
            any(
                [
                    "login=$(" in event.deep_get("cs-uri-query", default=""),
                    "base64" in event.deep_get("cs-uri-query", default=""),
                    "subprocess" in event.deep_get("cs-uri-query", default=""),
                    "socket" in event.deep_get("cs-uri-query", default=""),
                    "${IFS}" in event.deep_get("cs-uri-query", default=""),
                    "cHl0aG9u" in event.deep_get("cs-uri-query", default=""),
                    "B5dGhvb" in event.deep_get("cs-uri-query", default=""),
                    "weXRob2" in event.deep_get("cs-uri-query", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
status: test
description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
references:
    - https://seclists.org/fulldisclosure/2023/Jan/1
    - https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-20
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-44877
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains|all:
            - '/login/index.php'
            - 'login='
        cs-uri-query|contains:
            # TOD: Include other commonly used reverse shells. Examples: https://www.revshells.com/
            - 'login=$('
            # Common keywords related to python reverse shells
            - 'base64'
            - 'subprocess'
            - 'socket'
            - '${IFS}' # Usage of the input field separator to avoid writing spaces
            # B64 Encoded "python" with different offsets
            - 'cHl0aG9u'
            - 'B5dGhvb'
            - 'weXRob2'
    condition: selection
falsepositives:
    - Web vulnerability scanners
level: high

Convert to SIEM query

high

Potential ClickFix Execution Pattern - Registry

Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.

status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id f5fe36cf-f1ec-4c23-903d-09a3110f6bbb

panther query

def rule(event):
    if all(
        [
            "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\"
            in event.deep_get("TargetObject", default=""),
            any(
                [
                    "http://" in event.deep_get("Details", default=""),
                    "https://" in event.deep_get("Details", default=""),
                ]
            ),
            any(
                [
                    any(
                        [
                            "account" in event.deep_get("Details", default=""),
                            "anti-bot" in event.deep_get("Details", default=""),
                            "botcheck" in event.deep_get("Details", default=""),
                            "captcha" in event.deep_get("Details", default=""),
                            "challenge" in event.deep_get("Details", default=""),
                            "confirmation" in event.deep_get("Details", default=""),
                            "fraud" in event.deep_get("Details", default=""),
                            "human" in event.deep_get("Details", default=""),
                            "identification" in event.deep_get("Details", default=""),
                            "identificator" in event.deep_get("Details", default=""),
                            "identity" in event.deep_get("Details", default=""),
                            "robot" in event.deep_get("Details", default=""),
                            "validation" in event.deep_get("Details", default=""),
                            "verification" in event.deep_get("Details", default=""),
                            "verify" in event.deep_get("Details", default=""),
                        ]
                    ),
                    any(
                        [
                            "%comspec%" in event.deep_get("Details", default=""),
                            "bitsadmin" in event.deep_get("Details", default=""),
                            "certutil" in event.deep_get("Details", default=""),
                            "cmd" in event.deep_get("Details", default=""),
                            "cscript" in event.deep_get("Details", default=""),
                            "curl" in event.deep_get("Details", default=""),
                            "finger" in event.deep_get("Details", default=""),
                            "mshta" in event.deep_get("Details", default=""),
                            "powershell" in event.deep_get("Details", default=""),
                            "pwsh" in event.deep_get("Details", default=""),
                            "regsvr32" in event.deep_get("Details", default=""),
                            "rundll32" in event.deep_get("Details", default=""),
                            "schtasks" in event.deep_get("Details", default=""),
                            "wget" in event.deep_get("Details", default=""),
                            "wscript" in event.deep_get("Details", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential ClickFix Execution Pattern - Registry
id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
related:
    - id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
      type: similar
status: experimental
description: |
    Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
    ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
    Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
    such as one-liners that execute remotely hosted malicious files or scripts.
references:
    - https://github.com/JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
    - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
    - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
    - https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-25
modified: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_registry:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
    selection_details:
        Details|contains:
            - 'http://'
            - 'https://'
    selection_susp_pattern:
        - Details|contains:
              # Add more suspicious keywords
              - 'account'
              - 'anti-bot'
              - 'botcheck'
              - 'captcha'
              - 'challenge'
              - 'confirmation'
              - 'fraud'
              - 'human'
              - 'identification'
              - 'identificator'
              - 'identity'
              - 'robot'
              - 'validation'
              - 'verification'
              - 'verify'
        - Details|contains:
              - '%comspec%'
              - 'bitsadmin'
              - 'certutil'
              - 'cmd'
              - 'cscript'
              - 'curl'
              - 'finger'
              - 'mshta'
              - 'powershell'
              - 'pwsh'
              - 'regsvr32'
              - 'rundll32'
              - 'schtasks'
              - 'wget'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Legitimate applications using RunMRU with HTTP links
level: high

Convert to SIEM query

high

Potential CobaltStrike Process Patterns

Detects potential process patterns related to Cobalt Strike beacon activity

status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id f35c5d71-b489-4e22-a115-f003df287317

panther query

def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("CommandLine", default="").endswith("cmd.exe /C whoami"),
                    event.deep_get("ParentImage", default="").startswith("C:\\Temp\\"),
                ]
            ),
            all(
                [
                    any(
                        [
                            event.deep_get("ParentImage", default="").endswith("\\runonce.exe"),
                            event.deep_get("ParentImage", default="").endswith("\\dllhost.exe"),
                        ]
                    ),
                    "cmd.exe /c echo" in event.deep_get("CommandLine", default=""),
                    "> \\\\.\\pipe" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "cmd.exe /C echo" in event.deep_get("ParentCommandLine", default=""),
                    " > \\\\.\\pipe" in event.deep_get("ParentCommandLine", default=""),
                    event.deep_get("CommandLine", default="").endswith(
                        "conhost.exe 0xffffffff -ForceV1"
                    ),
                ]
            ),
            all(
                [
                    event.deep_get("ParentCommandLine", default="").endswith("/C whoami"),
                    event.deep_get("CommandLine", default="").endswith(
                        "conhost.exe 0xffffffff -ForceV1"
                    ),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CobaltStrike Process Patterns
id: f35c5d71-b489-4e22-a115-f003df287317
status: test
description: Detects potential process patterns related to Cobalt Strike beacon activity
references:
    - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-27
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_generic_1:
        CommandLine|endswith: 'cmd.exe /C whoami'
        ParentImage|startswith: 'C:\Temp\'
    selection_generic_2:
        ParentImage|endswith:
            - '\runonce.exe'
            - '\dllhost.exe'
        CommandLine|contains|all:
            - 'cmd.exe /c echo'
            - '> \\\\.\\pipe'
    selection_conhost_1:
        ParentCommandLine|contains|all:
            - 'cmd.exe /C echo'
            - ' > \\\\.\\pipe'
        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
    selection_conhost_2:
        ParentCommandLine|endswith: '/C whoami'
        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CobaltStrike Service Installations - Registry

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.

status test author Wojciech Lesicki id 61a7697c-cb79-42a8-a2ff-5f0cdfae0130

panther query

def rule(event):
    if all(
        [
            any(
                [
                    "\\System\\CurrentControlSet\\Services"
                    in event.deep_get("TargetObject", default=""),
                    all(
                        [
                            "\\System\\ControlSet" in event.deep_get("TargetObject", default=""),
                            "\\Services" in event.deep_get("TargetObject", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    all(
                        [
                            "ADMIN$" in event.deep_get("Details", default=""),
                            ".exe" in event.deep_get("Details", default=""),
                        ]
                    ),
                    all(
                        [
                            "%COMSPEC%" in event.deep_get("Details", default=""),
                            "start" in event.deep_get("Details", default=""),
                            "powershell" in event.deep_get("Details", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
    - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        - TargetObject|contains: '\System\CurrentControlSet\Services'
        - TargetObject|contains|all:
              - '\System\ControlSet'
              - '\Services'
    selection_details:
        - Details|contains|all:
              - 'ADMIN$'
              - '.exe'
        - Details|contains|all:
              - '%COMSPEC%'
              - 'start'
              - 'powershell'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

status test author frack113, Florian Roth (Nextron Systems), Josh Nickels id 584bca0f-3608-4402-80fd-4075ff6072e3

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                    event.deep_get("Image", default="").endswith("\\cscript.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell_ise.exe"),
                    event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                    event.deep_get("Image", default="").endswith("\\wscript.exe"),
                ]
            ),
            event.deep_get("OriginalFileName", default="")
            in [
                "Cmd.EXE",
                "cscript.exe",
                "PowerShell.EXE",
                "PowerShell_ISE.EXE",
                "pwsh.dll",
                "wscript.exe",
            ],
            any(
                [
                    "ˣ" in event.deep_get("CommandLine", default=""),
                    "˪" in event.deep_get("CommandLine", default=""),
                    "ˢ" in event.deep_get("CommandLine", default=""),
                    "∕" in event.deep_get("CommandLine", default=""),
                    "⁄" in event.deep_get("CommandLine", default=""),
                    "―" in event.deep_get("CommandLine", default=""),
                    "—" in event.deep_get("CommandLine", default=""),
                    " " in event.deep_get("CommandLine", default=""),
                    "¯" in event.deep_get("CommandLine", default=""),
                    "®" in event.deep_get("CommandLine", default=""),
                    "¶" in event.deep_get("CommandLine", default=""),
                    "⠀" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
id: 584bca0f-3608-4402-80fd-4075ff6072e3
related:
    - id: e0552b19-5a83-4222-b141-b36184bb8d79
      type: similar
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
      type: similar
    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
      type: obsolete
status: test
description: |
    Detects potential commandline obfuscation using unicode characters.
    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems), Josh Nickels
date: 2024-09-02
modified: 2025-05-30
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        OriginalFileName:
            - 'Cmd.EXE'
            - 'cscript.exe'
            - 'PowerShell.EXE'
            - 'PowerShell_ISE.EXE'
            - 'pwsh.dll'
            - 'wscript.exe'
    selection_special_chars:
        CommandLine|contains:
            # spacing modifier letters that get auto-replaced
            - 'ˣ' # 0x02E3
            - '˪' # 0x02EA
            - 'ˢ' # 0x02E2
            # Forward slash alternatives
            - '∕' # 0x22FF
            - '⁄' # 0x206F
            # Hyphen alternatives
            - '―' # 0x2015
            - '—' # 0x2014
            # Whitespace that don't work as path separator
            - ' ' # 0x00A0
            # Other
            - '¯'
            - '®'
            - '¶'
            # Unicode whitespace characters
            - '⠀' # Braille Pattern Blank (Unicode: U+2800)
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential CommandLine Path Traversal Via Cmd.EXE

Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking

status test author xknow @xknow_infosec, Tim Shelton id 087790e3-3287-436c-bccf-cbd0184a7db1

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("ParentImage", default="").endswith("\\cmd.exe"),
                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                    event.deep_get("OriginalFileName", default="") == "cmd.exe",
                ]
            ),
            any(
                [
                    any(
                        [
                            "/c" in event.deep_get("ParentCommandLine", default=""),
                            "/k" in event.deep_get("ParentCommandLine", default=""),
                            "/r" in event.deep_get("ParentCommandLine", default=""),
                        ]
                    ),
                    any(
                        [
                            "/c" in event.deep_get("CommandLine", default=""),
                            "/k" in event.deep_get("CommandLine", default=""),
                            "/r" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    event.deep_get("ParentCommandLine", default="") == "/../../",
                    "/../../" in event.deep_get("CommandLine", default=""),
                ]
            ),
            not "\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java"
            in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential CommandLine Path Traversal Via Cmd.EXE
id: 087790e3-3287-436c-bccf-cbd0184a7db1
status: test
description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
references:
    - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
    - https://twitter.com/Oddvarmoe/status/1270633613449723905
author: xknow @xknow_infosec, Tim Shelton
date: 2020-06-11
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - ParentImage|endswith: '\cmd.exe'
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'cmd.exe'
    selection_flags:
        - ParentCommandLine|contains:
              - '/c'
              - '/k'
              - '/r'
        - CommandLine|contains:
              - '/c'
              - '/k'
              - '/r'
    selection_path_traversal:
        - ParentCommandLine: '/../../'
        - CommandLine|contains: '/../../'
    filter_java:
        CommandLine|contains: '\Tasktop\keycloak\bin\/../../jre\bin\java'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Java tools are known to produce false-positive when loading libraries
level: high

Convert to SIEM query

high

Potential Compromised 3CXDesktopApp Beaconing Activity - DNS

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

status test author Nasreddine Bencherchali (Nextron Systems) id bd03a0dc-5d93-49eb-b2e8-2dfd268600f8

panther query

def rule(event):
    if any(
        [
            "akamaicontainer.com" in event.deep_get("QueryName", default=""),
            "akamaitechcloudservices.com" in event.deep_get("QueryName", default=""),
            "azuredeploystore.com" in event.deep_get("QueryName", default=""),
            "azureonlinecloud.com" in event.deep_get("QueryName", default=""),
            "azureonlinestorage.com" in event.deep_get("QueryName", default=""),
            "dunamistrd.com" in event.deep_get("QueryName", default=""),
            "glcloudservice.com" in event.deep_get("QueryName", default=""),
            "journalide.org" in event.deep_get("QueryName", default=""),
            "msedgepackageinfo.com" in event.deep_get("QueryName", default=""),
            "msedgeupdate.net" in event.deep_get("QueryName", default=""),
            "msstorageazure.com" in event.deep_get("QueryName", default=""),
            "msstorageboxes.com" in event.deep_get("QueryName", default=""),
            "officeaddons.com" in event.deep_get("QueryName", default=""),
            "officestoragebox.com" in event.deep_get("QueryName", default=""),
            "pbxcloudeservices.com" in event.deep_get("QueryName", default=""),
            "pbxphonenetwork.com" in event.deep_get("QueryName", default=""),
            "pbxsources.com" in event.deep_get("QueryName", default=""),
            "qwepoi123098.com" in event.deep_get("QueryName", default=""),
            "sbmsa.wiki" in event.deep_get("QueryName", default=""),
            "sourceslabs.com" in event.deep_get("QueryName", default=""),
            "visualstudiofactory.com" in event.deep_get("QueryName", default=""),
            "zacharryblogs.com" in event.deep_get("QueryName", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
      type: similar
    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-03-31
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|contains:
            - 'akamaicontainer.com'
            - 'akamaitechcloudservices.com'
            - 'azuredeploystore.com'
            - 'azureonlinecloud.com'
            - 'azureonlinestorage.com'
            - 'dunamistrd.com'
            - 'glcloudservice.com'
            - 'journalide.org'
            - 'msedgepackageinfo.com'
            - 'msedgeupdate.net'
            - 'msstorageazure.com'
            - 'msstorageboxes.com'
            - 'officeaddons.com'
            - 'officestoragebox.com'
            - 'pbxcloudeservices.com'
            - 'pbxphonenetwork.com'
            - 'pbxsources.com'
            - 'qwepoi123098.com'
            - 'sbmsa.wiki'
            - 'sourceslabs.com'
            - 'visualstudiofactory.com'
            - 'zacharryblogs.com'
    condition: selection
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

status test author Nasreddine Bencherchali (Nextron Systems) id 51eecf75-d069-43c7-9ea2-63f75499edd4

panther query

def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\3CXDesktopApp.exe"),
            any(
                [
                    "akamaicontainer.com" in event.deep_get("DestinationHostname", default=""),
                    "akamaitechcloudservices.com"
                    in event.deep_get("DestinationHostname", default=""),
                    "azuredeploystore.com" in event.deep_get("DestinationHostname", default=""),
                    "azureonlinecloud.com" in event.deep_get("DestinationHostname", default=""),
                    "azureonlinestorage.com" in event.deep_get("DestinationHostname", default=""),
                    "dunamistrd.com" in event.deep_get("DestinationHostname", default=""),
                    "glcloudservice.com" in event.deep_get("DestinationHostname", default=""),
                    "journalide.org" in event.deep_get("DestinationHostname", default=""),
                    "msedgepackageinfo.com" in event.deep_get("DestinationHostname", default=""),
                    "msstorageazure.com" in event.deep_get("DestinationHostname", default=""),
                    "msstorageboxes.com" in event.deep_get("DestinationHostname", default=""),
                    "officeaddons.com" in event.deep_get("DestinationHostname", default=""),
                    "officestoragebox.com" in event.deep_get("DestinationHostname", default=""),
                    "pbxcloudeservices.com" in event.deep_get("DestinationHostname", default=""),
                    "pbxphonenetwork.com" in event.deep_get("DestinationHostname", default=""),
                    "pbxsources.com" in event.deep_get("DestinationHostname", default=""),
                    "qwepoi123098.com" in event.deep_get("DestinationHostname", default=""),
                    "sbmsa.wiki" in event.deep_get("DestinationHostname", default=""),
                    "sourceslabs.com" in event.deep_get("DestinationHostname", default=""),
                    "visualstudiofactory.com" in event.deep_get("DestinationHostname", default=""),
                    "zacharryblogs.com" in event.deep_get("DestinationHostname", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
id: 51eecf75-d069-43c7-9ea2-63f75499edd4
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-03-31
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\3CXDesktopApp.exe'
        DestinationHostname|contains:
            - 'akamaicontainer.com'
            - 'akamaitechcloudservices.com'
            - 'azuredeploystore.com'
            - 'azureonlinecloud.com'
            - 'azureonlinestorage.com'
            - 'dunamistrd.com'
            - 'glcloudservice.com'
            - 'journalide.org'
            - 'msedgepackageinfo.com'
            - 'msstorageazure.com'
            - 'msstorageboxes.com'
            - 'officeaddons.com'
            - 'officestoragebox.com'
            - 'pbxcloudeservices.com'
            - 'pbxphonenetwork.com'
            - 'pbxsources.com'
            - 'qwepoi123098.com'
            - 'sbmsa.wiki'
            - 'sourceslabs.com'
            - 'visualstudiofactory.com'
            - 'zacharryblogs.com'
    condition: selection
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

status test author Nasreddine Bencherchali (Nextron Systems) id 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26

panther query

def rule(event):
    if any(
        [
            "akamaicontainer.com" in event.deep_get("cs-host", default=""),
            "akamaitechcloudservices.com" in event.deep_get("cs-host", default=""),
            "azuredeploystore.com" in event.deep_get("cs-host", default=""),
            "azureonlinecloud.com" in event.deep_get("cs-host", default=""),
            "azureonlinestorage.com" in event.deep_get("cs-host", default=""),
            "dunamistrd.com" in event.deep_get("cs-host", default=""),
            "glcloudservice.com" in event.deep_get("cs-host", default=""),
            "journalide.org" in event.deep_get("cs-host", default=""),
            "msedgepackageinfo.com" in event.deep_get("cs-host", default=""),
            "msstorageazure.com" in event.deep_get("cs-host", default=""),
            "msstorageboxes.com" in event.deep_get("cs-host", default=""),
            "officeaddons.com" in event.deep_get("cs-host", default=""),
            "officestoragebox.com" in event.deep_get("cs-host", default=""),
            "pbxcloudeservices.com" in event.deep_get("cs-host", default=""),
            "pbxphonenetwork.com" in event.deep_get("cs-host", default=""),
            "pbxsources.com" in event.deep_get("cs-host", default=""),
            "qwepoi123098.com" in event.deep_get("cs-host", default=""),
            "sbmsa.wiki" in event.deep_get("cs-host", default=""),
            "sourceslabs.com" in event.deep_get("cs-host", default=""),
            "visualstudiofactory.com" in event.deep_get("cs-host", default=""),
            "zacharryblogs.com" in event.deep_get("cs-host", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26
related:
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
      type: similar
    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-05-18
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-host|contains:
            - 'akamaicontainer.com'
            - 'akamaitechcloudservices.com'
            - 'azuredeploystore.com'
            - 'azureonlinecloud.com'
            - 'azureonlinestorage.com'
            - 'dunamistrd.com'
            - 'glcloudservice.com'
            - 'journalide.org'
            - 'msedgepackageinfo.com'
            - 'msstorageazure.com'
            - 'msstorageboxes.com'
            - 'officeaddons.com'
            - 'officestoragebox.com'
            - 'pbxcloudeservices.com'
            - 'pbxphonenetwork.com'
            - 'pbxsources.com'
            - 'qwepoi123098.com'
            - 'sbmsa.wiki'
            - 'sourceslabs.com'
            - 'visualstudiofactory.com'
            - 'zacharryblogs.com'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Compromised 3CXDesktopApp Execution

Detects execution of known compromised version of 3CXDesktopApp

status test author Nasreddine Bencherchali (Nextron Systems) id 93bbde78-dc86-4e73-9ffc-ff8a384ca89c

panther query

def rule(event):
    if any(
        [
            all(
                [
                    any(
                        [
                            event.deep_get("OriginalFileName", default="") == "3CXDesktopApp.exe",
                            event.deep_get("Image", default="").endswith("\\3CXDesktopApp.exe"),
                            event.deep_get("Product", default="") == "3CX Desktop App",
                        ]
                    ),
                    "18.12." in event.deep_get("FileVersion", default=""),
                ]
            ),
            any(
                [
                    "SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC"
                    in event.deep_get("Hashes", default=""),
                    "SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02"
                    in event.deep_get("Hashes", default=""),
                    "SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE"
                    in event.deep_get("Hashes", default=""),
                    "SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859"
                    in event.deep_get("Hashes", default=""),
                    "SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187"
                    in event.deep_get("Hashes", default=""),
                    "SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA"
                    in event.deep_get("Hashes", default=""),
                    "MD5=BB915073385DD16A846DFA318AFA3C19" in event.deep_get("Hashes", default=""),
                    "MD5=08D79E1FFFA244CC0DC61F7D2036ACA9" in event.deep_get("Hashes", default=""),
                    "MD5=4965EDF659753E3C05D800C6C8A23A7A" in event.deep_get("Hashes", default=""),
                    "SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405"
                    in event.deep_get("Hashes", default=""),
                    "SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734"
                    in event.deep_get("Hashes", default=""),
                    "SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203"
                    in event.deep_get("Hashes", default=""),
                    "SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1"
                    in event.deep_get("Hashes", default=""),
                    "SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB"
                    in event.deep_get("Hashes", default=""),
                    "SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5"
                    in event.deep_get("Hashes", default=""),
                    "MD5=9833A4779B69B38E3E51F04E395674C6" in event.deep_get("Hashes", default=""),
                    "MD5=704DB9184700481A56E5100FB56496CE" in event.deep_get("Hashes", default=""),
                    "MD5=8EE6802F085F7A9DF7E0303E65722DC0" in event.deep_get("Hashes", default=""),
                    "SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868"
                    in event.deep_get("Hashes", default=""),
                    "SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983"
                    in event.deep_get("Hashes", default=""),
                    "SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA"
                    in event.deep_get("Hashes", default=""),
                    "SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E"
                    in event.deep_get("Hashes", default=""),
                    "MD5=F3D4144860CA10BA60F7EF4D176CC736" in event.deep_get("Hashes", default=""),
                    "MD5=0EEB1C0133EB4D571178B2D9D14CE3E9" in event.deep_get("Hashes", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Compromised 3CXDesktopApp Execution
id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects execution of known compromised version of 3CXDesktopApp
references:
    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2024-11-23
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            # 3CX Desktop 18.12.407
            - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
            - 'SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
            - 'SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
            - 'SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859'
            - 'SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187'
            - 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
            - 'MD5=BB915073385DD16A846DFA318AFA3C19'
            - 'MD5=08D79E1FFFA244CC0DC61F7D2036ACA9'
            - 'MD5=4965EDF659753E3C05D800C6C8A23A7A'
            # 3CX Desktop 18.12.416
            - 'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
            - 'SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
            - 'SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
            - 'SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
            - 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
            - 'SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
            - 'MD5=9833A4779B69B38E3E51F04E395674C6'
            - 'MD5=704DB9184700481A56E5100FB56496CE'
            - 'MD5=8EE6802F085F7A9DF7E0303E65722DC0'
            # 3CXDesktopApp MSI
            - 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
            - 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
            - 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
            - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
            - 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
            - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
    selection_pe_1:
        - OriginalFileName: '3CXDesktopApp.exe'
        - Image|endswith: '\3CXDesktopApp.exe'
        - Product: '3CX Desktop App'
    selection_pe_2:
        FileVersion|contains: '18.12.'
    condition: all of selection_pe_* or selection_hashes
falsepositives:
    - Legitimate usage of 3CXDesktopApp
level: high

Convert to SIEM query

high

Potential Compromised 3CXDesktopApp ICO C2 File Download

Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository

status test author Nasreddine Bencherchali (Nextron Systems) id 76bc1601-9546-4b75-9419-06e0e8d10651

panther query

def rule(event):
    if all(
        [
            "IconStorages/images/main/icon" in event.deep_get("c-uri", default=""),
            ".ico" in event.deep_get("c-uri", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Compromised 3CXDesktopApp ICO C2 File Download
id: 76bc1601-9546-4b75-9419-06e0e8d10651
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
      type: similar
    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository
references:
    - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
    - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-31
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains|all:
            - 'IconStorages/images/main/icon'
            - '.ico'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Compromised 3CXDesktopApp Update Activity

Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software

status test author Nasreddine Bencherchali (Nextron Systems) id e7581747-1e44-4d4b-85a6-0db0b4a00f2a

panther query

def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\3CXDesktopApp\\app\\update.exe"),
            "--update" in event.deep_get("CommandLine", default=""),
            "http" in event.deep_get("CommandLine", default=""),
            "/electron/update/win32/18.12" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Compromised 3CXDesktopApp Update Activity
id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
      type: similar
    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
      type: similar
status: test
description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
references:
    - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
    - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\3CXDesktopApp\app\update.exe'
        CommandLine|contains|all:
            - '--update'
            - 'http'
            - '/electron/update/win32/18.12'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Conti Ransomware Database Dumping Activity Via SQLCmd

Detects a command used by conti to dump database

status test author frack113 id 2f47f1fd-0901-466e-a770-3b7092834a1b

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\sqlcmd.exe"),
                    any(
                        [
                            "sqlcmd " in event.deep_get("CommandLine", default=""),
                            "sqlcmd.exe" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            " -S localhost " in event.deep_get("CommandLine", default=""),
            any(
                [
                    "sys.sysprocesses" in event.deep_get("CommandLine", default=""),
                    "master.dbo.sysdatabases" in event.deep_get("CommandLine", default=""),
                    "BACKUP DATABASE" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
status: test
description: Detects a command used by conti to dump database
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
author: frack113
date: 2021-08-16
modified: 2023-05-04
tags:
    - attack.collection
    - attack.t1005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        - Image|endswith: '\sqlcmd.exe'
        - CommandLine|contains:
              - 'sqlcmd '
              - 'sqlcmd.exe'
    selection_svr:
        CommandLine|contains: ' -S localhost '
    selection_query:
        CommandLine|contains:
            - 'sys.sysprocesses'
            - 'master.dbo.sysdatabases'
            - 'BACKUP DATABASE'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Credential Dumping Attempt Using New NetworkProvider - CLI

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

status test author Nasreddine Bencherchali (Nextron Systems) id baef1ec6-2ca9-47a3-97cc-4cf2bda10b77

panther query

def rule(event):
    if all(
        [
            "\\System\\CurrentControlSet\\Services\\" in event.deep_get("CommandLine", default=""),
            "\\NetworkProvider" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
    - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-02-02
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Services\'
            - '\NetworkProvider'
    # filter:
    #     CommandLine|contains:
    #         - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
    condition: selection
falsepositives:
    - Other legitimate network providers used and not filtred in this rule
level: high

Convert to SIEM query

high

Potential Credential Dumping Attempt Via PowerShell Remote Thread

Detects remote thread creation by PowerShell processes into "lsass.exe"

status test author oscd.community, Natalia Shornikova id fb656378-f909-47c1-8747-278bf09f4f4f

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("SourceImage", default="").endswith("\\powershell.exe"),
                    event.deep_get("SourceImage", default="").endswith("\\pwsh.exe"),
                ]
            ),
            event.deep_get("TargetImage", default="").endswith("\\lsass.exe"),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
id: fb656378-f909-47c1-8747-278bf09f4f4f
related:
    - id: 3f07b9d1-2082-4c56-9277-613a621983cc
      type: obsolete
    - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
      type: similar
status: test
description: Detects remote thread creation by PowerShell processes into "lsass.exe"
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-12-18
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Credential Dumping Via WER

Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass

status test author @pbssubhash , Nasreddine Bencherchali id 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\Werfault.exe"),
                    event.deep_get("OriginalFileName", default="") == "WerFault.exe",
                ]
            ),
            any(
                [
                    "AUTHORI" in event.deep_get("ParentUser", default=""),
                    "AUTORI" in event.deep_get("ParentUser", default=""),
                ]
            ),
            any(
                [
                    "AUTHORI" in event.deep_get("User", default=""),
                    "AUTORI" in event.deep_get("User", default=""),
                ]
            ),
            " -u -p " in event.deep_get("CommandLine", default=""),
            " -ip " in event.deep_get("CommandLine", default=""),
            " -s " in event.deep_get("CommandLine", default=""),
            not event.deep_get("ParentImage", default="") == "C:\\Windows\\System32\\lsass.exe",
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Credential Dumping Via WER
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: test
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash , Nasreddine Bencherchali'
date: 2022-12-08
modified: 2022-12-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\Werfault.exe'
        - OriginalFileName: 'WerFault.exe'
    selection_cli:
        ParentUser|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
        CommandLine|contains|all:
            # Doc: WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>
            # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
            # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
            # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
            - ' -u -p '
            - ' -ip '
            - ' -s '
    filter_lsass:
        ParentImage: 'C:\Windows\System32\lsass.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
level: high

Convert to SIEM query

high

Potential Crypto Mining Activity

Detects command line parameters or strings often used by crypto miners

status stable author Florian Roth (Nextron Systems) id 66c3b204-9f88-4d0a-a7f7-8a57d521ca55

panther query

def rule(event):
    if all(
        [
            any(
                [
                    " --cpu-priority=" in event.deep_get("CommandLine", default=""),
                    "--donate-level=0" in event.deep_get("CommandLine", default=""),
                    " -o pool." in event.deep_get("CommandLine", default=""),
                    " --nicehash" in event.deep_get("CommandLine", default=""),
                    " --algo=rx/0 " in event.deep_get("CommandLine", default=""),
                    "stratum+tcp://" in event.deep_get("CommandLine", default=""),
                    "stratum+udp://" in event.deep_get("CommandLine", default=""),
                    "LS1kb25hdGUtbGV2ZWw9" in event.deep_get("CommandLine", default=""),
                    "0tZG9uYXRlLWxldmVsP" in event.deep_get("CommandLine", default=""),
                    "tLWRvbmF0ZS1sZXZlbD" in event.deep_get("CommandLine", default=""),
                    "c3RyYXR1bSt0Y3A6Ly" in event.deep_get("CommandLine", default=""),
                    "N0cmF0dW0rdGNwOi8v" in event.deep_get("CommandLine", default=""),
                    "zdHJhdHVtK3RjcDovL" in event.deep_get("CommandLine", default=""),
                    "c3RyYXR1bSt1ZHA6Ly" in event.deep_get("CommandLine", default=""),
                    "N0cmF0dW0rdWRwOi8v" in event.deep_get("CommandLine", default=""),
                    "zdHJhdHVtK3VkcDovL" in event.deep_get("CommandLine", default=""),
                ]
            ),
            not any(
                [
                    " pool.c " in event.deep_get("CommandLine", default=""),
                    " pool.o " in event.deep_get("CommandLine", default=""),
                    "gcc -" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Crypto Mining Activity
id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
status: stable
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2023-02-13
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    filter:
        CommandLine|contains:
            - ' pool.c '
            - ' pool.o '
            - 'gcc -'
    condition: selection and not filter
falsepositives:
    - Legitimate use of crypto miners
    - Some build frameworks
level: high

Convert to SIEM query

high

Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

status test author Swachchhanda Shrawan Poudel id d2451be2-b582-4e15-8701-4196ac180260

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\KeyScrambler.exe"),
                    event.deep_get("Image", default="").endswith("\\KeyScramblerLogon.exe"),
                ]
            ),
            event.deep_get("ImageLoaded", default="").endswith("\\KeyScramblerIE.dll"),
            not any(
                [
                    all(
                        [
                            any(
                                [
                                    "C:\\Program Files (x86)\\KeyScrambler\\"
                                    in event.deep_get("Image", default=""),
                                    "C:\\Program Files\\KeyScrambler\\"
                                    in event.deep_get("Image", default=""),
                                ]
                            ),
                            any(
                                [
                                    "C:\\Program Files (x86)\\KeyScrambler\\"
                                    in event.deep_get("ImageLoaded", default=""),
                                    "C:\\Program Files\\KeyScrambler\\"
                                    in event.deep_get("ImageLoaded", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Signature", default="") == "QFX Software Corporation",
                            event.deep_get("SignatureStatus", default="") == "Valid",
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
id: d2451be2-b582-4e15-8701-4196ac180260
related:
    - id: ca5583e9-8f80-46ac-ab91-7f314d13b984
      type: similar
status: test
description: |
    Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe".
    Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
references:
    - https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html
    - https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/
    - https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
    - https://twitter.com/Max_Mal_/status/1775222576639291859
    - https://twitter.com/DTCERT/status/1712785426895839339
author: Swachchhanda Shrawan Poudel
date: 2024-04-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\KeyScrambler.exe'
            - '\KeyScramblerLogon.exe'
        ImageLoaded|endswith: '\KeyScramblerIE.dll'
    filter_main_legitimate_path:
        Image|contains:
            - 'C:\Program Files (x86)\KeyScrambler\'
            - 'C:\Program Files\KeyScrambler\'
        ImageLoaded|contains:
            - 'C:\Program Files (x86)\KeyScrambler\'
            - 'C:\Program Files\KeyScrambler\'
    filter_main_signature:
        Signature: 'QFX Software Corporation'
        SignatureStatus: 'Valid'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential DLL Sideloading Of Non-Existent DLLs From System Folders

Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.

status test author Nasreddine Bencherchali (Nextron Systems), SBousseaden id 6b98b92b-4f00-4f62-b4fe-4d1920215771

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\axeonoffhelper.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\cdpsgshims.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\oci.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\offdmpsvc.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\shellchromeapi.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\TSMSISrv.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\TSVIPSrv.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\wbem\\wbemcomn.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\WLBSCTRL.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\wow64log.dll"
                    ),
                    event.deep_get("ImageLoaded", default="").endswith(
                        ":\\Windows\\System32\\WptsExtensions.dll"
                    ),
                ]
            ),
            not all(
                [
                    event.deep_get("Signed", default="") == "true",
                    event.deep_get("SignatureStatus", default="") == "Valid",
                    event.deep_get("Signature", default="") == "Microsoft Windows",
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
      type: similar
    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
      type: obsolete
status: test
description: |
    Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
date: 2022-12-09
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            # Add other DLLs
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
    filter_main_ms_signed:
        Signed: 'true'
        SignatureStatus: 'Valid'
        # There could be other signatures (please add when found)
        Signature: 'Microsoft Windows'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential DLL Sideloading Via VMware Xfer

Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL

status test author Nasreddine Bencherchali (Nextron Systems) id 9313dc13-d04c-46d8-af4a-a930cc55d93b

panther query

def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\VMwareXferlogs.exe"),
            event.deep_get("ImageLoaded", default="").endswith("\\glib-2.0.dll"),
            not event.deep_get("ImageLoaded", default="").startswith("C:\\Program Files\\VMware\\"),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential DLL Sideloading Via VMware Xfer
id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
status: test
description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
references:
    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2023-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
        ImageLoaded|endswith: '\glib-2.0.dll'
    filter: # VMware might be installed in another path so update the rule accordingly
        ImageLoaded|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential DLL Sideloading Via comctl32.dll

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

status test author Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) id 6360757a-d460-456c-8b13-74cf0e60cceb

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("ImageLoaded", default="").startswith(
                        "C:\\Windows\\System32\\logonUI.exe.local\\"
                    ),
                    event.deep_get("ImageLoaded", default="").startswith(
                        "C:\\Windows\\System32\\werFault.exe.local\\"
                    ),
                    event.deep_get("ImageLoaded", default="").startswith(
                        "C:\\Windows\\System32\\consent.exe.local\\"
                    ),
                    event.deep_get("ImageLoaded", default="").startswith(
                        "C:\\Windows\\System32\\narrator.exe.local\\"
                    ),
                    event.deep_get("ImageLoaded", default="").startswith(
                        "C:\\windows\\system32\\wermgr.exe.local\\"
                    ),
                ]
            ),
            event.deep_get("ImageLoaded", default="").endswith("\\comctl32.dll"),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential DLL Sideloading Via comctl32.dll
id: 6360757a-d460-456c-8b13-74cf0e60cceb
status: test
description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
references:
    - https://github.com/binderlabs/DirCreate2System
    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\logonUI.exe.local\'
            - 'C:\Windows\System32\werFault.exe.local\'
            - 'C:\Windows\System32\consent.exe.local\'
            - 'C:\Windows\System32\narrator.exe.local\'
            - 'C:\windows\system32\wermgr.exe.local\'
        ImageLoaded|endswith: '\comctl32.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential Data Exfiltration Activity Via CommandLine Tools

Detects the use of various CLI utilities exfiltrating data via web requests

status test author Nasreddine Bencherchali (Nextron Systems) id 7d1aaf3d-4304-425c-b7c3-162055e0b3ab

panther query

import re


def rule(event):
    if all(
        [
            any(
                [
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell_ise.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                                ]
                            ),
                            any(
                                [
                                    "curl " in event.deep_get("CommandLine", default=""),
                                    "Invoke-RestMethod"
                                    in event.deep_get("CommandLine", default=""),
                                    "Invoke-WebRequest"
                                    in event.deep_get("CommandLine", default=""),
                                    "irm " in event.deep_get("CommandLine", default=""),
                                    "iwr " in event.deep_get("CommandLine", default=""),
                                    "wget " in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            " -ur" in event.deep_get("CommandLine", default=""),
                            " -me" in event.deep_get("CommandLine", default=""),
                            " -b" in event.deep_get("CommandLine", default=""),
                            " POST " in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\curl.exe"),
                            "--ur" in event.deep_get("CommandLine", default=""),
                            any(
                                [
                                    " -d " in event.deep_get("CommandLine", default=""),
                                    " --data " in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\wget.exe"),
                            any(
                                [
                                    "--post-data" in event.deep_get("CommandLine", default=""),
                                    "--post-file" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
            any(
                [
                    any(
                        [
                            re.match(r"net\\s+view", event.deep_get("CommandLine", default="")),
                            re.match(r"sc\\s+query", event.deep_get("CommandLine", default="")),
                        ]
                    ),
                    any(
                        [
                            "Get-Content" in event.deep_get("CommandLine", default=""),
                            "GetBytes" in event.deep_get("CommandLine", default=""),
                            "hostname" in event.deep_get("CommandLine", default=""),
                            "ifconfig" in event.deep_get("CommandLine", default=""),
                            "ipconfig" in event.deep_get("CommandLine", default=""),
                            "netstat" in event.deep_get("CommandLine", default=""),
                            "nltest" in event.deep_get("CommandLine", default=""),
                            "qprocess" in event.deep_get("CommandLine", default=""),
                            "systeminfo" in event.deep_get("CommandLine", default=""),
                            "tasklist" in event.deep_get("CommandLine", default=""),
                            "ToBase64String" in event.deep_get("CommandLine", default=""),
                            "whoami" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            "type " in event.deep_get("CommandLine", default=""),
                            " > " in event.deep_get("CommandLine", default=""),
                            " C:\\" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-10-19
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_iwr:
        Image|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
            - 'wget '
        CommandLine|contains|all:
            - ' -ur' # Shortest possible version of the -uri flag
            - ' -me' # Shortest possible version of the -method flag
            - ' -b'
            - ' POST '
    selection_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: '--ur' # Shortest possible version of the --uri flag
    selection_curl_data:
        CommandLine|contains:
            - ' -d ' # Shortest possible version of the --data flag
            - ' --data '
    selection_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains:
            - '--post-data'
            - '--post-file'
    payloads:
        - CommandLine|re:
              - 'net\s+view'
              - 'sc\s+query'
        - CommandLine|contains:
              - 'Get-Content'
              - 'GetBytes'
              - 'hostname'
              - 'ifconfig'
              - 'ipconfig'
              - 'netstat'
              - 'nltest'
              - 'qprocess'
              - 'systeminfo'
              - 'tasklist'
              - 'ToBase64String'
              - 'whoami'
        - CommandLine|contains|all:
              - 'type '
              - ' > '
              - ' C:\'
    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential Data Stealing Via Chromium Headless Debugging

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

status test author Nasreddine Bencherchali (Nextron Systems) id 3e8207c5-fcd2-4ea6-9418-15d45b4890e4

panther query

def rule(event):
    if all(
        [
            "--remote-debugging-" in event.deep_get("CommandLine", default=""),
            "--user-data-dir" in event.deep_get("CommandLine", default=""),
            "--headless" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
      type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1185
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
            - '--user-data-dir'
            - '--headless'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

status test author @Kostastsale, TheDFIRReport id 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259

panther query

def rule(event):
    if any(
        [
            "😀" in event.deep_get("CommandLine", default=""),
            "😃" in event.deep_get("CommandLine", default=""),
            "😄" in event.deep_get("CommandLine", default=""),
            "😁" in event.deep_get("CommandLine", default=""),
            "😆" in event.deep_get("CommandLine", default=""),
            "😅" in event.deep_get("CommandLine", default=""),
            "😂" in event.deep_get("CommandLine", default=""),
            "🤣" in event.deep_get("CommandLine", default=""),
            "🥲" in event.deep_get("CommandLine", default=""),
            "🥹" in event.deep_get("CommandLine", default=""),
            "☺️" in event.deep_get("CommandLine", default=""),
            "😊" in event.deep_get("CommandLine", default=""),
            "😇" in event.deep_get("CommandLine", default=""),
            "🙂" in event.deep_get("CommandLine", default=""),
            "🙃" in event.deep_get("CommandLine", default=""),
            "😉" in event.deep_get("CommandLine", default=""),
            "😌" in event.deep_get("CommandLine", default=""),
            "😍" in event.deep_get("CommandLine", default=""),
            "🥰" in event.deep_get("CommandLine", default=""),
            "😘" in event.deep_get("CommandLine", default=""),
            "😗" in event.deep_get("CommandLine", default=""),
            "😙" in event.deep_get("CommandLine", default=""),
            "😚" in event.deep_get("CommandLine", default=""),
            "😋" in event.deep_get("CommandLine", default=""),
            "😛" in event.deep_get("CommandLine", default=""),
            "😝" in event.deep_get("CommandLine", default=""),
            "😜" in event.deep_get("CommandLine", default=""),
            "🤪" in event.deep_get("CommandLine", default=""),
            "🤨" in event.deep_get("CommandLine", default=""),
            "🧐" in event.deep_get("CommandLine", default=""),
            "🤓" in event.deep_get("CommandLine", default=""),
            "😎" in event.deep_get("CommandLine", default=""),
            "🥸" in event.deep_get("CommandLine", default=""),
            "🤩" in event.deep_get("CommandLine", default=""),
            "🥳" in event.deep_get("CommandLine", default=""),
            "😏" in event.deep_get("CommandLine", default=""),
            "😒" in event.deep_get("CommandLine", default=""),
            "😞" in event.deep_get("CommandLine", default=""),
            "😔" in event.deep_get("CommandLine", default=""),
            "😟" in event.deep_get("CommandLine", default=""),
            "😕" in event.deep_get("CommandLine", default=""),
            "🙁" in event.deep_get("CommandLine", default=""),
            "☹️" in event.deep_get("CommandLine", default=""),
            "😣" in event.deep_get("CommandLine", default=""),
            "😖" in event.deep_get("CommandLine", default=""),
            "😫" in event.deep_get("CommandLine", default=""),
            "😩" in event.deep_get("CommandLine", default=""),
            "🥺" in event.deep_get("CommandLine", default=""),
            "😢" in event.deep_get("CommandLine", default=""),
            "😭" in event.deep_get("CommandLine", default=""),
            "😮‍💨" in event.deep_get("CommandLine", default=""),
            "😤" in event.deep_get("CommandLine", default=""),
            "😠" in event.deep_get("CommandLine", default=""),
            "😡" in event.deep_get("CommandLine", default=""),
            "🤬" in event.deep_get("CommandLine", default=""),
            "🤯" in event.deep_get("CommandLine", default=""),
            "😳" in event.deep_get("CommandLine", default=""),
            "🥵" in event.deep_get("CommandLine", default=""),
            "🥶" in event.deep_get("CommandLine", default=""),
            "😱" in event.deep_get("CommandLine", default=""),
            "😨" in event.deep_get("CommandLine", default=""),
            "😰" in event.deep_get("CommandLine", default=""),
            "😥" in event.deep_get("CommandLine", default=""),
            "😓" in event.deep_get("CommandLine", default=""),
            "🫣" in event.deep_get("CommandLine", default=""),
            "🤗" in event.deep_get("CommandLine", default=""),
            "🫡" in event.deep_get("CommandLine", default=""),
            "🤔" in event.deep_get("CommandLine", default=""),
            "🫢" in event.deep_get("CommandLine", default=""),
            "🤭" in event.deep_get("CommandLine", default=""),
            "🤫" in event.deep_get("CommandLine", default=""),
            "🤥" in event.deep_get("CommandLine", default=""),
            "😶" in event.deep_get("CommandLine", default=""),
            "😶‍🌫️" in event.deep_get("CommandLine", default=""),
            "😐" in event.deep_get("CommandLine", default=""),
            "😑" in event.deep_get("CommandLine", default=""),
            "😬" in event.deep_get("CommandLine", default=""),
            "🫠" in event.deep_get("CommandLine", default=""),
            "🙄" in event.deep_get("CommandLine", default=""),
            "😯" in event.deep_get("CommandLine", default=""),
            "😦" in event.deep_get("CommandLine", default=""),
            "😧" in event.deep_get("CommandLine", default=""),
            "😮" in event.deep_get("CommandLine", default=""),
            "😲" in event.deep_get("CommandLine", default=""),
            "🥱" in event.deep_get("CommandLine", default=""),
            "😴" in event.deep_get("CommandLine", default=""),
            "🤤" in event.deep_get("CommandLine", default=""),
            "😪" in event.deep_get("CommandLine", default=""),
            "😵" in event.deep_get("CommandLine", default=""),
            "😵‍💫" in event.deep_get("CommandLine", default=""),
            "🫥" in event.deep_get("CommandLine", default=""),
            "🤐" in event.deep_get("CommandLine", default=""),
            "🥴" in event.deep_get("CommandLine", default=""),
            "🤢" in event.deep_get("CommandLine", default=""),
            "🤮" in event.deep_get("CommandLine", default=""),
            "🤧" in event.deep_get("CommandLine", default=""),
            "😷" in event.deep_get("CommandLine", default=""),
            "🤒" in event.deep_get("CommandLine", default=""),
            "🤕" in event.deep_get("CommandLine", default=""),
            "🤑" in event.deep_get("CommandLine", default=""),
            "🤠" in event.deep_get("CommandLine", default=""),
            "😈" in event.deep_get("CommandLine", default=""),
            "👿" in event.deep_get("CommandLine", default=""),
            "👹" in event.deep_get("CommandLine", default=""),
            "👺" in event.deep_get("CommandLine", default=""),
            "🤡" in event.deep_get("CommandLine", default=""),
            "💩" in event.deep_get("CommandLine", default=""),
            "👻" in event.deep_get("CommandLine", default=""),
            "💀" in event.deep_get("CommandLine", default=""),
            "☠️" in event.deep_get("CommandLine", default=""),
            "👽" in event.deep_get("CommandLine", default=""),
            "👾" in event.deep_get("CommandLine", default=""),
            "🤖" in event.deep_get("CommandLine", default=""),
            "🎃" in event.deep_get("CommandLine", default=""),
            "😺" in event.deep_get("CommandLine", default=""),
            "😸" in event.deep_get("CommandLine", default=""),
            "😹" in event.deep_get("CommandLine", default=""),
            "😻" in event.deep_get("CommandLine", default=""),
            "😼" in event.deep_get("CommandLine", default=""),
            "😽" in event.deep_get("CommandLine", default=""),
            "🙀" in event.deep_get("CommandLine", default=""),
            "😿" in event.deep_get("CommandLine", default=""),
            "😾" in event.deep_get("CommandLine", default=""),
            "👋" in event.deep_get("CommandLine", default=""),
            "🤚" in event.deep_get("CommandLine", default=""),
            "🖐" in event.deep_get("CommandLine", default=""),
            "✋" in event.deep_get("CommandLine", default=""),
            "🖖" in event.deep_get("CommandLine", default=""),
            "👌" in event.deep_get("CommandLine", default=""),
            "🤌" in event.deep_get("CommandLine", default=""),
            "🤏" in event.deep_get("CommandLine", default=""),
            "✌️" in event.deep_get("CommandLine", default=""),
            "🤞" in event.deep_get("CommandLine", default=""),
            "🫰" in event.deep_get("CommandLine", default=""),
            "🤟" in event.deep_get("CommandLine", default=""),
            "🤘" in event.deep_get("CommandLine", default=""),
            "🤙" in event.deep_get("CommandLine", default=""),
            "🫵" in event.deep_get("CommandLine", default=""),
            "🫱" in event.deep_get("CommandLine", default=""),
            "🫲" in event.deep_get("CommandLine", default=""),
            "🫳" in event.deep_get("CommandLine", default=""),
            "🫴" in event.deep_get("CommandLine", default=""),
            "👈" in event.deep_get("CommandLine", default=""),
            "👉" in event.deep_get("CommandLine", default=""),
            "👆" in event.deep_get("CommandLine", default=""),
            "🖕" in event.deep_get("CommandLine", default=""),
            "👇" in event.deep_get("CommandLine", default=""),
            "☝️" in event.deep_get("CommandLine", default=""),
            "👍" in event.deep_get("CommandLine", default=""),
            "👎" in event.deep_get("CommandLine", default=""),
            "✊" in event.deep_get("CommandLine", default=""),
            "👊" in event.deep_get("CommandLine", default=""),
            "🤛" in event.deep_get("CommandLine", default=""),
            "🤜" in event.deep_get("CommandLine", default=""),
            "👏" in event.deep_get("CommandLine", default=""),
            "🫶" in event.deep_get("CommandLine", default=""),
            "🙌" in event.deep_get("CommandLine", default=""),
            "👐" in event.deep_get("CommandLine", default=""),
            "🤲" in event.deep_get("CommandLine", default=""),
            "🤝" in event.deep_get("CommandLine", default=""),
            "🙏" in event.deep_get("CommandLine", default=""),
            "✍️" in event.deep_get("CommandLine", default=""),
            "💪" in event.deep_get("CommandLine", default=""),
            "🦾" in event.deep_get("CommandLine", default=""),
            "🦵" in event.deep_get("CommandLine", default=""),
            "🦿" in event.deep_get("CommandLine", default=""),
            "🦶" in event.deep_get("CommandLine", default=""),
            "👣" in event.deep_get("CommandLine", default=""),
            "👂" in event.deep_get("CommandLine", default=""),
            "🦻" in event.deep_get("CommandLine", default=""),
            "👃" in event.deep_get("CommandLine", default=""),
            "🫀" in event.deep_get("CommandLine", default=""),
            "🫁" in event.deep_get("CommandLine", default=""),
            "🧠" in event.deep_get("CommandLine", default=""),
            "🦷" in event.deep_get("CommandLine", default=""),
            "🦴" in event.deep_get("CommandLine", default=""),
            "👀" in event.deep_get("CommandLine", default=""),
            "👁" in event.deep_get("CommandLine", default=""),
            "👅" in event.deep_get("CommandLine", default=""),
            "👄" in event.deep_get("CommandLine", default=""),
            "🫦" in event.deep_get("CommandLine", default=""),
            "💋" in event.deep_get("CommandLine", default=""),
            "🩸" in event.deep_get("CommandLine", default=""),
            "👶" in event.deep_get("CommandLine", default=""),
            "👧" in event.deep_get("CommandLine", default=""),
            "🧒" in event.deep_get("CommandLine", default=""),
            "👦" in event.deep_get("CommandLine", default=""),
            "👩" in event.deep_get("CommandLine", default=""),
            "🧑" in event.deep_get("CommandLine", default=""),
            "👨" in event.deep_get("CommandLine", default=""),
            "👩‍🦱" in event.deep_get("CommandLine", default=""),
            "🧑‍🦱" in event.deep_get("CommandLine", default=""),
            "👨‍🦱" in event.deep_get("CommandLine", default=""),
            "👩‍🦰" in event.deep_get("CommandLine", default=""),
            "🧑‍🦰" in event.deep_get("CommandLine", default=""),
            "👨‍🦰" in event.deep_get("CommandLine", default=""),
            "👱‍♀️" in event.deep_get("CommandLine", default=""),
            "👱" in event.deep_get("CommandLine", default=""),
            "👱‍♂️" in event.deep_get("CommandLine", default=""),
            "👩‍🦳" in event.deep_get("CommandLine", default=""),
            "🧑‍🦳" in event.deep_get("CommandLine", default=""),
            "👨‍🦳" in event.deep_get("CommandLine", default=""),
            "👩‍🦲" in event.deep_get("CommandLine", default=""),
            "🧑‍🦲" in event.deep_get("CommandLine", default=""),
            "👨‍🦲" in event.deep_get("CommandLine", default=""),
            "🧔‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔" in event.deep_get("CommandLine", default=""),
            "🧔‍♂️" in event.deep_get("CommandLine", default=""),
            "👵" in event.deep_get("CommandLine", default=""),
            "🧓" in event.deep_get("CommandLine", default=""),
            "👴" in event.deep_get("CommandLine", default=""),
            "👲" in event.deep_get("CommandLine", default=""),
            "👳‍♀️" in event.deep_get("CommandLine", default=""),
            "👳" in event.deep_get("CommandLine", default=""),
            "👳‍♂️" in event.deep_get("CommandLine", default=""),
            "🧕" in event.deep_get("CommandLine", default=""),
            "👮‍♀️" in event.deep_get("CommandLine", default=""),
            "👮" in event.deep_get("CommandLine", default=""),
            "👮‍♂️" in event.deep_get("CommandLine", default=""),
            "👷‍♀️" in event.deep_get("CommandLine", default=""),
            "👷" in event.deep_get("CommandLine", default=""),
            "👷‍♂️" in event.deep_get("CommandLine", default=""),
            "💂‍♀️" in event.deep_get("CommandLine", default=""),
            "💂" in event.deep_get("CommandLine", default=""),
            "💂‍♂️" in event.deep_get("CommandLine", default=""),
            "🕵️‍♀️" in event.deep_get("CommandLine", default=""),
            "🕵️" in event.deep_get("CommandLine", default=""),
            "🕵️‍♂️" in event.deep_get("CommandLine", default=""),
            "👩‍⚕️" in event.deep_get("CommandLine", default=""),
            "🧑‍⚕️" in event.deep_get("CommandLine", default=""),
            "👨‍⚕️" in event.deep_get("CommandLine", default=""),
            "👩‍🌾" in event.deep_get("CommandLine", default=""),
            "🧑‍🌾" in event.deep_get("CommandLine", default=""),
            "👨‍🌾" in event.deep_get("CommandLine", default=""),
            "👩‍🍳" in event.deep_get("CommandLine", default=""),
            "🧑‍🍳" in event.deep_get("CommandLine", default=""),
            "👨‍🍳" in event.deep_get("CommandLine", default=""),
            "👩‍🎓" in event.deep_get("CommandLine", default=""),
            "🧑‍🎓" in event.deep_get("CommandLine", default=""),
            "👨‍🎓" in event.deep_get("CommandLine", default=""),
            "👩‍🎤" in event.deep_get("CommandLine", default=""),
            "🧑‍🎤" in event.deep_get("CommandLine", default=""),
            "👨‍🎤" in event.deep_get("CommandLine", default=""),
            "👩‍🏫" in event.deep_get("CommandLine", default=""),
            "🧑‍🏫" in event.deep_get("CommandLine", default=""),
            "👨‍🏫" in event.deep_get("CommandLine", default=""),
            "👩‍🏭" in event.deep_get("CommandLine", default=""),
            "🧑‍🏭" in event.deep_get("CommandLine", default=""),
            "👨‍🏭" in event.deep_get("CommandLine", default=""),
            "👩‍💻" in event.deep_get("CommandLine", default=""),
            "🧑‍💻" in event.deep_get("CommandLine", default=""),
            "👨‍💻" in event.deep_get("CommandLine", default=""),
            "👩‍💼" in event.deep_get("CommandLine", default=""),
            "🧑‍💼" in event.deep_get("CommandLine", default=""),
            "👨‍💼" in event.deep_get("CommandLine", default=""),
            "👩‍🔧" in event.deep_get("CommandLine", default=""),
            "🧑‍🔧" in event.deep_get("CommandLine", default=""),
            "👨‍🔧" in event.deep_get("CommandLine", default=""),
            "👩‍🔬" in event.deep_get("CommandLine", default=""),
            "🧑‍🔬" in event.deep_get("CommandLine", default=""),
            "👨‍🔬" in event.deep_get("CommandLine", default=""),
            "👩‍🎨" in event.deep_get("CommandLine", default=""),
            "🧑‍🎨" in event.deep_get("CommandLine", default=""),
            "👨‍🎨" in event.deep_get("CommandLine", default=""),
            "👩‍🚒" in event.deep_get("CommandLine", default=""),
            "🧑‍🚒" in event.deep_get("CommandLine", default=""),
            "👨‍🚒" in event.deep_get("CommandLine", default=""),
            "👩‍✈️" in event.deep_get("CommandLine", default=""),
            "🧑‍✈️" in event.deep_get("CommandLine", default=""),
            "👨‍✈️" in event.deep_get("CommandLine", default=""),
            "👩‍🚀" in event.deep_get("CommandLine", default=""),
            "🧑‍🚀" in event.deep_get("CommandLine", default=""),
            "👨‍🚀" in event.deep_get("CommandLine", default=""),
            "👩‍⚖️" in event.deep_get("CommandLine", default=""),
            "🧑‍⚖️" in event.deep_get("CommandLine", default=""),
            "👨‍⚖️" in event.deep_get("CommandLine", default=""),
            "👰‍♀️" in event.deep_get("CommandLine", default=""),
            "👰" in event.deep_get("CommandLine", default=""),
            "👰‍♂️" in event.deep_get("CommandLine", default=""),
            "🤵‍♀️" in event.deep_get("CommandLine", default=""),
            "🤵" in event.deep_get("CommandLine", default=""),
            "🤵‍♂️" in event.deep_get("CommandLine", default=""),
            "👸" in event.deep_get("CommandLine", default=""),
            "🫅" in event.deep_get("CommandLine", default=""),
            "🤴" in event.deep_get("CommandLine", default=""),
            "🥷" in event.deep_get("CommandLine", default=""),
            "🦸‍♀️" in event.deep_get("CommandLine", default=""),
            "🦸" in event.deep_get("CommandLine", default=""),
            "🦸‍♂️" in event.deep_get("CommandLine", default=""),
            "🦹‍♀️" in event.deep_get("CommandLine", default=""),
            "🦹" in event.deep_get("CommandLine", default=""),
            "🦹‍♂️" in event.deep_get("CommandLine", default=""),
            "🤶" in event.deep_get("CommandLine", default=""),
            "🧑‍🎄" in event.deep_get("CommandLine", default=""),
            "🎅" in event.deep_get("CommandLine", default=""),
            "🧙‍♀️" in event.deep_get("CommandLine", default=""),
            "🧙" in event.deep_get("CommandLine", default=""),
            "🧙‍♂️" in event.deep_get("CommandLine", default=""),
            "🧝‍♀️" in event.deep_get("CommandLine", default=""),
            "🧝" in event.deep_get("CommandLine", default=""),
            "🧝‍♂️" in event.deep_get("CommandLine", default=""),
            "🧛‍♀️" in event.deep_get("CommandLine", default=""),
            "🧛" in event.deep_get("CommandLine", default=""),
            "🧛‍♂️" in event.deep_get("CommandLine", default=""),
            "🧟‍♀️" in event.deep_get("CommandLine", default=""),
            "🧟" in event.deep_get("CommandLine", default=""),
            "🧟‍♂️" in event.deep_get("CommandLine", default=""),
            "🧞‍♀️" in event.deep_get("CommandLine", default=""),
            "🧞" in event.deep_get("CommandLine", default=""),
            "🧞‍♂️" in event.deep_get("CommandLine", default=""),
            "🧜‍♀️" in event.deep_get("CommandLine", default=""),
            "🧜" in event.deep_get("CommandLine", default=""),
            "🧜‍♂️" in event.deep_get("CommandLine", default=""),
            "🧚‍♀️" in event.deep_get("CommandLine", default=""),
            "🧚" in event.deep_get("CommandLine", default=""),
            "🧚‍♂️" in event.deep_get("CommandLine", default=""),
            "🧌" in event.deep_get("CommandLine", default=""),
            "👼" in event.deep_get("CommandLine", default=""),
            "🤰" in event.deep_get("CommandLine", default=""),
            "🫄" in event.deep_get("CommandLine", default=""),
            "🫃" in event.deep_get("CommandLine", default=""),
            "🤱" in event.deep_get("CommandLine", default=""),
            "👩‍🍼" in event.deep_get("CommandLine", default=""),
            "🧑‍🍼" in event.deep_get("CommandLine", default=""),
            "👨‍🍼" in event.deep_get("CommandLine", default=""),
            "🙇‍♀️" in event.deep_get("CommandLine", default=""),
            "🙇" in event.deep_get("CommandLine", default=""),
            "🙇‍♂️" in event.deep_get("CommandLine", default=""),
            "💁‍♀️" in event.deep_get("CommandLine", default=""),
            "💁" in event.deep_get("CommandLine", default=""),
            "💁‍♂️" in event.deep_get("CommandLine", default=""),
            "🙅‍♀️" in event.deep_get("CommandLine", default=""),
            "🙅" in event.deep_get("CommandLine", default=""),
            "🙅‍♂️" in event.deep_get("CommandLine", default=""),
            "🙆‍♀️" in event.deep_get("CommandLine", default=""),
            "🙆" in event.deep_get("CommandLine", default=""),
            "🙆‍♂️" in event.deep_get("CommandLine", default=""),
            "🙋‍♀️" in event.deep_get("CommandLine", default=""),
            "🙋" in event.deep_get("CommandLine", default=""),
            "🙋‍♂️" in event.deep_get("CommandLine", default=""),
            "🧏‍♀️" in event.deep_get("CommandLine", default=""),
            "🧏" in event.deep_get("CommandLine", default=""),
            "🧏‍♂️" in event.deep_get("CommandLine", default=""),
            "🤦‍♀️" in event.deep_get("CommandLine", default=""),
            "🤦" in event.deep_get("CommandLine", default=""),
            "🤦‍♂️" in event.deep_get("CommandLine", default=""),
            "🤷‍♀️" in event.deep_get("CommandLine", default=""),
            "🤷" in event.deep_get("CommandLine", default=""),
            "🤷‍♂️" in event.deep_get("CommandLine", default=""),
            "🙎‍♀️" in event.deep_get("CommandLine", default=""),
            "🙎" in event.deep_get("CommandLine", default=""),
            "🙎‍♂️" in event.deep_get("CommandLine", default=""),
            "🙍‍♀️" in event.deep_get("CommandLine", default=""),
            "🙍" in event.deep_get("CommandLine", default=""),
            "🙍‍♂️" in event.deep_get("CommandLine", default=""),
            "💇‍♀️" in event.deep_get("CommandLine", default=""),
            "💇" in event.deep_get("CommandLine", default=""),
            "💇‍♂️" in event.deep_get("CommandLine", default=""),
            "💆‍♀️" in event.deep_get("CommandLine", default=""),
            "💆" in event.deep_get("CommandLine", default=""),
            "💆‍♂️" in event.deep_get("CommandLine", default=""),
            "🧖‍♀️" in event.deep_get("CommandLine", default=""),
            "🧖" in event.deep_get("CommandLine", default=""),
            "🧖‍♂️" in event.deep_get("CommandLine", default=""),
            "💅" in event.deep_get("CommandLine", default=""),
            "💃" in event.deep_get("CommandLine", default=""),
            "🕺" in event.deep_get("CommandLine", default=""),
            "👯‍♀️" in event.deep_get("CommandLine", default=""),
            "👯" in event.deep_get("CommandLine", default=""),
            "👯‍♂️" in event.deep_get("CommandLine", default=""),
            "🕴" in event.deep_get("CommandLine", default=""),
            "👩‍🦽" in event.deep_get("CommandLine", default=""),
            "🧑‍🦽" in event.deep_get("CommandLine", default=""),
            "👨‍🦽" in event.deep_get("CommandLine", default=""),
            "👩‍🦼" in event.deep_get("CommandLine", default=""),
            "🧑‍🦼" in event.deep_get("CommandLine", default=""),
            "👨‍🦼" in event.deep_get("CommandLine", default=""),
            "🚶‍♀️" in event.deep_get("CommandLine", default=""),
            "🚶" in event.deep_get("CommandLine", default=""),
            "🚶‍♂️" in event.deep_get("CommandLine", default=""),
            "👩‍🦯" in event.deep_get("CommandLine", default=""),
            "🧑‍🦯" in event.deep_get("CommandLine", default=""),
            "👨‍🦯" in event.deep_get("CommandLine", default=""),
            "🧎‍♀️" in event.deep_get("CommandLine", default=""),
            "🧎" in event.deep_get("CommandLine", default=""),
            "🧎‍♂️" in event.deep_get("CommandLine", default=""),
            "🏃‍♀️" in event.deep_get("CommandLine", default=""),
            "🏃" in event.deep_get("CommandLine", default=""),
            "🏃‍♂️" in event.deep_get("CommandLine", default=""),
            "🧍‍♀️" in event.deep_get("CommandLine", default=""),
            "🧍" in event.deep_get("CommandLine", default=""),
            "🧍‍♂️" in event.deep_get("CommandLine", default=""),
            "👭" in event.deep_get("CommandLine", default=""),
            "🧑‍🤝‍🧑" in event.deep_get("CommandLine", default=""),
            "👬" in event.deep_get("CommandLine", default=""),
            "👫" in event.deep_get("CommandLine", default=""),
            "👩‍❤️‍👩" in event.deep_get("CommandLine", default=""),
            "💑" in event.deep_get("CommandLine", default=""),
            "👨‍❤️‍👨" in event.deep_get("CommandLine", default=""),
            "👩‍❤️‍👨" in event.deep_get("CommandLine", default=""),
            "👩‍❤️‍💋‍👩" in event.deep_get("CommandLine", default=""),
            "💏" in event.deep_get("CommandLine", default=""),
            "👨‍❤️‍💋‍👨" in event.deep_get("CommandLine", default=""),
            "👩‍❤️‍💋‍👨" in event.deep_get("CommandLine", default=""),
            "👪" in event.deep_get("CommandLine", default=""),
            "👨‍👩‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👩‍👧" in event.deep_get("CommandLine", default=""),
            "👨‍👩‍👧‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👩‍👦‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👩‍👧‍👧" in event.deep_get("CommandLine", default=""),
            "👨‍👨‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👨‍👧" in event.deep_get("CommandLine", default=""),
            "👨‍👨‍👧‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👨‍👦‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👨‍👧‍👧" in event.deep_get("CommandLine", default=""),
            "👩‍👩‍👦" in event.deep_get("CommandLine", default=""),
            "👩‍👩‍👧" in event.deep_get("CommandLine", default=""),
            "👩‍👩‍👧‍👦" in event.deep_get("CommandLine", default=""),
            "👩‍👩‍👦‍👦" in event.deep_get("CommandLine", default=""),
            "👩‍👩‍👧‍👧" in event.deep_get("CommandLine", default=""),
            "👨‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👦‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👧" in event.deep_get("CommandLine", default=""),
            "👨‍👧‍👦" in event.deep_get("CommandLine", default=""),
            "👨‍👧‍👧" in event.deep_get("CommandLine", default=""),
            "👩‍👦" in event.deep_get("CommandLine", default=""),
            "👩‍👦‍👦" in event.deep_get("CommandLine", default=""),
            "👩‍👧" in event.deep_get("CommandLine", default=""),
            "👩‍👧‍👦" in event.deep_get("CommandLine", default=""),
            "👩‍👧‍👧" in event.deep_get("CommandLine", default=""),
            "🗣" in event.deep_get("CommandLine", default=""),
            "👤" in event.deep_get("CommandLine", default=""),
            "👥" in event.deep_get("CommandLine", default=""),
            "🫂" in event.deep_get("CommandLine", default=""),
            "🧳" in event.deep_get("CommandLine", default=""),
            "🌂" in event.deep_get("CommandLine", default=""),
            "☂️" in event.deep_get("CommandLine", default=""),
            "🧵" in event.deep_get("CommandLine", default=""),
            "🪡" in event.deep_get("CommandLine", default=""),
            "🪢" in event.deep_get("CommandLine", default=""),
            "🧶" in event.deep_get("CommandLine", default=""),
            "👓" in event.deep_get("CommandLine", default=""),
            "🕶" in event.deep_get("CommandLine", default=""),
            "🥽" in event.deep_get("CommandLine", default=""),
            "🥼" in event.deep_get("CommandLine", default=""),
            "🦺" in event.deep_get("CommandLine", default=""),
            "👔" in event.deep_get("CommandLine", default=""),
            "👕" in event.deep_get("CommandLine", default=""),
            "👖" in event.deep_get("CommandLine", default=""),
            "🧣" in event.deep_get("CommandLine", default=""),
            "🧤" in event.deep_get("CommandLine", default=""),
            "🧥" in event.deep_get("CommandLine", default=""),
            "🧦" in event.deep_get("CommandLine", default=""),
            "👗" in event.deep_get("CommandLine", default=""),
            "👘" in event.deep_get("CommandLine", default=""),
            "🥻" in event.deep_get("CommandLine", default=""),
            "🩴" in event.deep_get("CommandLine", default=""),
            "🩱" in event.deep_get("CommandLine", default=""),
            "🩲" in event.deep_get("CommandLine", default=""),
            "🩳" in event.deep_get("CommandLine", default=""),
            "👙" in event.deep_get("CommandLine", default=""),
            "👚" in event.deep_get("CommandLine", default=""),
            "👛" in event.deep_get("CommandLine", default=""),
            "👜" in event.deep_get("CommandLine", default=""),
            "👝" in event.deep_get("CommandLine", default=""),
            "🎒" in event.deep_get("CommandLine", default=""),
            "👞" in event.deep_get("CommandLine", default=""),
            "👟" in event.deep_get("CommandLine", default=""),
            "🥾" in event.deep_get("CommandLine", default=""),
            "🥿" in event.deep_get("CommandLine", default=""),
            "👠" in event.deep_get("CommandLine", default=""),
            "👡" in event.deep_get("CommandLine", default=""),
            "🩰" in event.deep_get("CommandLine", default=""),
            "👢" in event.deep_get("CommandLine", default=""),
            "👑" in event.deep_get("CommandLine", default=""),
            "👒" in event.deep_get("CommandLine", default=""),
            "🎩" in event.deep_get("CommandLine", default=""),
            "🎓" in event.deep_get("CommandLine", default=""),
            "🧢" in event.deep_get("CommandLine", default=""),
            "⛑" in event.deep_get("CommandLine", default=""),
            "🪖" in event.deep_get("CommandLine", default=""),
            "💄" in event.deep_get("CommandLine", default=""),
            "💍" in event.deep_get("CommandLine", default=""),
            "💼" in event.deep_get("CommandLine", default=""),
            "👋🏻" in event.deep_get("CommandLine", default=""),
            "🤚🏻" in event.deep_get("CommandLine", default=""),
            "🖐🏻" in event.deep_get("CommandLine", default=""),
            "✋🏻" in event.deep_get("CommandLine", default=""),
            "🖖🏻" in event.deep_get("CommandLine", default=""),
            "👌🏻" in event.deep_get("CommandLine", default=""),
            "🤌🏻" in event.deep_get("CommandLine", default=""),
            "🤏🏻" in event.deep_get("CommandLine", default=""),
            "✌🏻" in event.deep_get("CommandLine", default=""),
            "🤞🏻" in event.deep_get("CommandLine", default=""),
            "🫰🏻" in event.deep_get("CommandLine", default=""),
            "🤟🏻" in event.deep_get("CommandLine", default=""),
            "🤘🏻" in event.deep_get("CommandLine", default=""),
            "🤙🏻" in event.deep_get("CommandLine", default=""),
            "🫵🏻" in event.deep_get("CommandLine", default=""),
            "🫱🏻" in event.deep_get("CommandLine", default=""),
            "🫲🏻" in event.deep_get("CommandLine", default=""),
            "🫳🏻" in event.deep_get("CommandLine", default=""),
            "🫴🏻" in event.deep_get("CommandLine", default=""),
            "👈🏻" in event.deep_get("CommandLine", default=""),
            "👉🏻" in event.deep_get("CommandLine", default=""),
            "👆🏻" in event.deep_get("CommandLine", default=""),
            "🖕🏻" in event.deep_get("CommandLine", default=""),
            "👇🏻" in event.deep_get("CommandLine", default=""),
            "☝🏻" in event.deep_get("CommandLine", default=""),
            "👍🏻" in event.deep_get("CommandLine", default=""),
            "👎🏻" in event.deep_get("CommandLine", default=""),
            "✊🏻" in event.deep_get("CommandLine", default=""),
            "👊🏻" in event.deep_get("CommandLine", default=""),
            "🤛🏻" in event.deep_get("CommandLine", default=""),
            "🤜🏻" in event.deep_get("CommandLine", default=""),
            "👏🏻" in event.deep_get("CommandLine", default=""),
            "🫶🏻" in event.deep_get("CommandLine", default=""),
            "🙌🏻" in event.deep_get("CommandLine", default=""),
            "👐🏻" in event.deep_get("CommandLine", default=""),
            "🤲🏻" in event.deep_get("CommandLine", default=""),
            "🙏🏻" in event.deep_get("CommandLine", default=""),
            "✍🏻" in event.deep_get("CommandLine", default=""),
            "💪🏻" in event.deep_get("CommandLine", default=""),
            "🦵🏻" in event.deep_get("CommandLine", default=""),
            "🦶🏻" in event.deep_get("CommandLine", default=""),
            "👂🏻" in event.deep_get("CommandLine", default=""),
            "🦻🏻" in event.deep_get("CommandLine", default=""),
            "👃🏻" in event.deep_get("CommandLine", default=""),
            "👶🏻" in event.deep_get("CommandLine", default=""),
            "👧🏻" in event.deep_get("CommandLine", default=""),
            "🧒🏻" in event.deep_get("CommandLine", default=""),
            "👦🏻" in event.deep_get("CommandLine", default=""),
            "👩🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏻" in event.deep_get("CommandLine", default=""),
            "👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🦱" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🦱" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🦱" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🦰" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🦰" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🦰" in event.deep_get("CommandLine", default=""),
            "👱🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "👱🏻" in event.deep_get("CommandLine", default=""),
            "👱🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🦳" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🦳" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🦳" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🦲" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🦲" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🦲" in event.deep_get("CommandLine", default=""),
            "🧔🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏻" in event.deep_get("CommandLine", default=""),
            "🧔🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "👵🏻" in event.deep_get("CommandLine", default=""),
            "🧓🏻" in event.deep_get("CommandLine", default=""),
            "👴🏻" in event.deep_get("CommandLine", default=""),
            "👲🏻" in event.deep_get("CommandLine", default=""),
            "👳🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "👳🏻" in event.deep_get("CommandLine", default=""),
            "👳🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧕🏻" in event.deep_get("CommandLine", default=""),
            "👮🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "👮🏻" in event.deep_get("CommandLine", default=""),
            "👮🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "👷🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "👷🏻" in event.deep_get("CommandLine", default=""),
            "👷🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "💂🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "💂🏻" in event.deep_get("CommandLine", default=""),
            "💂🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🕵🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🕵🏻" in event.deep_get("CommandLine", default=""),
            "🕵🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏻‍⚕️" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍⚕️" in event.deep_get("CommandLine", default=""),
            "👨🏻‍⚕️" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🌾" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🌾" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🌾" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🍳" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🍳" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🍳" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🎓" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🎓" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🎓" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🎤" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🎤" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🎤" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🏫" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🏫" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🏫" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🏭" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🏭" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🏭" in event.deep_get("CommandLine", default=""),
            "👩🏻‍💻" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍💻" in event.deep_get("CommandLine", default=""),
            "👨🏻‍💻" in event.deep_get("CommandLine", default=""),
            "👩🏻‍💼" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍💼" in event.deep_get("CommandLine", default=""),
            "👨🏻‍💼" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🔧" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🔧" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🔧" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🔬" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🔬" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🔬" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🎨" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🎨" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🎨" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🚒" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🚒" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🚒" in event.deep_get("CommandLine", default=""),
            "👩🏻‍✈️" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍✈️" in event.deep_get("CommandLine", default=""),
            "👨🏻‍✈️" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🚀" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🚀" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🚀" in event.deep_get("CommandLine", default=""),
            "👩🏻‍⚖️" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍⚖️" in event.deep_get("CommandLine", default=""),
            "👨🏻‍⚖️" in event.deep_get("CommandLine", default=""),
            "👰🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "👰🏻" in event.deep_get("CommandLine", default=""),
            "👰🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🤵🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🤵🏻" in event.deep_get("CommandLine", default=""),
            "🤵🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "👸🏻" in event.deep_get("CommandLine", default=""),
            "🫅🏻" in event.deep_get("CommandLine", default=""),
            "🤴🏻" in event.deep_get("CommandLine", default=""),
            "🥷🏻" in event.deep_get("CommandLine", default=""),
            "🦸🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🦸🏻" in event.deep_get("CommandLine", default=""),
            "🦸🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🦹🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🦹🏻" in event.deep_get("CommandLine", default=""),
            "🦹🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🤶🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🎄" in event.deep_get("CommandLine", default=""),
            "🎅🏻" in event.deep_get("CommandLine", default=""),
            "🧙🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧙🏻" in event.deep_get("CommandLine", default=""),
            "🧙🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧝🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧝🏻" in event.deep_get("CommandLine", default=""),
            "🧝🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧛🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧛🏻" in event.deep_get("CommandLine", default=""),
            "🧛🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧜🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧜🏻" in event.deep_get("CommandLine", default=""),
            "🧜🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧚🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧚🏻" in event.deep_get("CommandLine", default=""),
            "🧚🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "👼🏻" in event.deep_get("CommandLine", default=""),
            "🤰🏻" in event.deep_get("CommandLine", default=""),
            "🫄🏻" in event.deep_get("CommandLine", default=""),
            "🫃🏻" in event.deep_get("CommandLine", default=""),
            "🤱🏻" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🍼" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🍼" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🍼" in event.deep_get("CommandLine", default=""),
            "🙇🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🙇🏻" in event.deep_get("CommandLine", default=""),
            "🙇🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "💁🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "💁🏻" in event.deep_get("CommandLine", default=""),
            "💁🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🙅🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🙅🏻" in event.deep_get("CommandLine", default=""),
            "🙅🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🙆🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🙆🏻" in event.deep_get("CommandLine", default=""),
            "🙆🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🙋🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🙋🏻" in event.deep_get("CommandLine", default=""),
            "🙋🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧏🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧏🏻" in event.deep_get("CommandLine", default=""),
            "🧏🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🤦🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🤦🏻" in event.deep_get("CommandLine", default=""),
            "🤦🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🤷🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🤷🏻" in event.deep_get("CommandLine", default=""),
            "🤷🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🙎🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🙎🏻" in event.deep_get("CommandLine", default=""),
            "🙎🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🙍🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🙍🏻" in event.deep_get("CommandLine", default=""),
            "🙍🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "💇🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "💇🏻" in event.deep_get("CommandLine", default=""),
            "💇🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "💆🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "💆🏻" in event.deep_get("CommandLine", default=""),
            "💆🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧖🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧖🏻" in event.deep_get("CommandLine", default=""),
            "🧖🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "💃🏻" in event.deep_get("CommandLine", default=""),
            "🕺🏻" in event.deep_get("CommandLine", default=""),
            "🕴🏻" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🦽" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🦽" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🦽" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🦼" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🦼" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🦼" in event.deep_get("CommandLine", default=""),
            "🚶🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🚶🏻" in event.deep_get("CommandLine", default=""),
            "🚶🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏻‍🦯" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🦯" in event.deep_get("CommandLine", default=""),
            "👨🏻‍🦯" in event.deep_get("CommandLine", default=""),
            "🧎🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧎🏻" in event.deep_get("CommandLine", default=""),
            "🧎🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🏃🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🏃🏻" in event.deep_get("CommandLine", default=""),
            "🏃🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧍🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧍🏻" in event.deep_get("CommandLine", default=""),
            "🧍🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "👭🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍🤝‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "👬🏻" in event.deep_get("CommandLine", default=""),
            "👫🏻" in event.deep_get("CommandLine", default=""),
            "🧗🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧗🏻" in event.deep_get("CommandLine", default=""),
            "🧗🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🏇🏻" in event.deep_get("CommandLine", default=""),
            "🏂🏻" in event.deep_get("CommandLine", default=""),
            "🏌🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🏌🏻" in event.deep_get("CommandLine", default=""),
            "🏌🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🏄🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🏄🏻" in event.deep_get("CommandLine", default=""),
            "🏄🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🚣🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🚣🏻" in event.deep_get("CommandLine", default=""),
            "🚣🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🏊🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🏊🏻" in event.deep_get("CommandLine", default=""),
            "🏊🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "⛹🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "⛹🏻" in event.deep_get("CommandLine", default=""),
            "⛹🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🏋🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🏋🏻" in event.deep_get("CommandLine", default=""),
            "🏋🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🚴🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🚴🏻" in event.deep_get("CommandLine", default=""),
            "🚴🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🚵🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🚵🏻" in event.deep_get("CommandLine", default=""),
            "🚵🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🤸🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🤸🏻" in event.deep_get("CommandLine", default=""),
            "🤸🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🤽🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🤽🏻" in event.deep_get("CommandLine", default=""),
            "🤽🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🤾🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🤾🏻" in event.deep_get("CommandLine", default=""),
            "🤾🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🤹🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🤹🏻" in event.deep_get("CommandLine", default=""),
            "🤹🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧘🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧘🏻" in event.deep_get("CommandLine", default=""),
            "🧘🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🛀🏻" in event.deep_get("CommandLine", default=""),
            "🛌🏻" in event.deep_get("CommandLine", default=""),
            "👋🏼" in event.deep_get("CommandLine", default=""),
            "🤚🏼" in event.deep_get("CommandLine", default=""),
            "🖐🏼" in event.deep_get("CommandLine", default=""),
            "✋🏼" in event.deep_get("CommandLine", default=""),
            "🖖🏼" in event.deep_get("CommandLine", default=""),
            "👌🏼" in event.deep_get("CommandLine", default=""),
            "🤌🏼" in event.deep_get("CommandLine", default=""),
            "🤏🏼" in event.deep_get("CommandLine", default=""),
            "✌🏼" in event.deep_get("CommandLine", default=""),
            "🤞🏼" in event.deep_get("CommandLine", default=""),
            "🫰🏼" in event.deep_get("CommandLine", default=""),
            "🤟🏼" in event.deep_get("CommandLine", default=""),
            "🤘🏼" in event.deep_get("CommandLine", default=""),
            "🤙🏼" in event.deep_get("CommandLine", default=""),
            "🫵🏼" in event.deep_get("CommandLine", default=""),
            "🫱🏼" in event.deep_get("CommandLine", default=""),
            "🫲🏼" in event.deep_get("CommandLine", default=""),
            "🫳🏼" in event.deep_get("CommandLine", default=""),
            "🫴🏼" in event.deep_get("CommandLine", default=""),
            "👈🏼" in event.deep_get("CommandLine", default=""),
            "👉🏼" in event.deep_get("CommandLine", default=""),
            "👆🏼" in event.deep_get("CommandLine", default=""),
            "🖕🏼" in event.deep_get("CommandLine", default=""),
            "👇🏼" in event.deep_get("CommandLine", default=""),
            "☝🏼" in event.deep_get("CommandLine", default=""),
            "👍🏼" in event.deep_get("CommandLine", default=""),
            "👎🏼" in event.deep_get("CommandLine", default=""),
            "✊🏼" in event.deep_get("CommandLine", default=""),
            "👊🏼" in event.deep_get("CommandLine", default=""),
            "🤛🏼" in event.deep_get("CommandLine", default=""),
            "🤜🏼" in event.deep_get("CommandLine", default=""),
            "👏🏼" in event.deep_get("CommandLine", default=""),
            "🫶🏼" in event.deep_get("CommandLine", default=""),
            "🙌🏼" in event.deep_get("CommandLine", default=""),
            "👐🏼" in event.deep_get("CommandLine", default=""),
            "🤲🏼" in event.deep_get("CommandLine", default=""),
            "🙏🏼" in event.deep_get("CommandLine", default=""),
            "✍🏼" in event.deep_get("CommandLine", default=""),
            "💪🏼" in event.deep_get("CommandLine", default=""),
            "🦵🏼" in event.deep_get("CommandLine", default=""),
            "🦶🏼" in event.deep_get("CommandLine", default=""),
            "👂🏼" in event.deep_get("CommandLine", default=""),
            "🦻🏼" in event.deep_get("CommandLine", default=""),
            "👃🏼" in event.deep_get("CommandLine", default=""),
            "👶🏼" in event.deep_get("CommandLine", default=""),
            "👧🏼" in event.deep_get("CommandLine", default=""),
            "🧒🏼" in event.deep_get("CommandLine", default=""),
            "👦🏼" in event.deep_get("CommandLine", default=""),
            "👩🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏼" in event.deep_get("CommandLine", default=""),
            "👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🦱" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🦱" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🦱" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🦰" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🦰" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🦰" in event.deep_get("CommandLine", default=""),
            "👱🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "👱🏼" in event.deep_get("CommandLine", default=""),
            "👱🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🦳" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🦳" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🦳" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🦲" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🦲" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🦲" in event.deep_get("CommandLine", default=""),
            "🧔🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏼" in event.deep_get("CommandLine", default=""),
            "🧔🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "👵🏼" in event.deep_get("CommandLine", default=""),
            "🧓🏼" in event.deep_get("CommandLine", default=""),
            "👴🏼" in event.deep_get("CommandLine", default=""),
            "👲🏼" in event.deep_get("CommandLine", default=""),
            "👳🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "👳🏼" in event.deep_get("CommandLine", default=""),
            "👳🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧕🏼" in event.deep_get("CommandLine", default=""),
            "👮🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "👮🏼" in event.deep_get("CommandLine", default=""),
            "👮🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "👷🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "👷🏼" in event.deep_get("CommandLine", default=""),
            "👷🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "💂🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "💂🏼" in event.deep_get("CommandLine", default=""),
            "💂🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🕵🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🕵🏼" in event.deep_get("CommandLine", default=""),
            "🕵🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏼‍⚕️" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍⚕️" in event.deep_get("CommandLine", default=""),
            "👨🏼‍⚕️" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🌾" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🌾" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🌾" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🍳" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🍳" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🍳" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🎓" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🎓" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🎓" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🎤" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🎤" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🎤" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🏫" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🏫" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🏫" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🏭" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🏭" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🏭" in event.deep_get("CommandLine", default=""),
            "👩🏼‍💻" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍💻" in event.deep_get("CommandLine", default=""),
            "👨🏼‍💻" in event.deep_get("CommandLine", default=""),
            "👩🏼‍💼" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍💼" in event.deep_get("CommandLine", default=""),
            "👨🏼‍💼" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🔧" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🔧" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🔧" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🔬" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🔬" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🔬" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🎨" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🎨" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🎨" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🚒" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🚒" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🚒" in event.deep_get("CommandLine", default=""),
            "👩🏼‍✈️" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍✈️" in event.deep_get("CommandLine", default=""),
            "👨🏼‍✈️" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🚀" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🚀" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🚀" in event.deep_get("CommandLine", default=""),
            "👩🏼‍⚖️" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍⚖️" in event.deep_get("CommandLine", default=""),
            "👨🏼‍⚖️" in event.deep_get("CommandLine", default=""),
            "👰🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "👰🏼" in event.deep_get("CommandLine", default=""),
            "👰🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤵🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🤵🏼" in event.deep_get("CommandLine", default=""),
            "🤵🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "👸🏼" in event.deep_get("CommandLine", default=""),
            "🫅🏼" in event.deep_get("CommandLine", default=""),
            "🤴🏼" in event.deep_get("CommandLine", default=""),
            "🥷🏼" in event.deep_get("CommandLine", default=""),
            "🦸🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🦸🏼" in event.deep_get("CommandLine", default=""),
            "🦸🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🦹🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🦹🏼" in event.deep_get("CommandLine", default=""),
            "🦹🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤶🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🎄" in event.deep_get("CommandLine", default=""),
            "🎅🏼" in event.deep_get("CommandLine", default=""),
            "🧙🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧙🏼" in event.deep_get("CommandLine", default=""),
            "🧙🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧝🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧝🏼" in event.deep_get("CommandLine", default=""),
            "🧝🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧛🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧛🏼" in event.deep_get("CommandLine", default=""),
            "🧛🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧜🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧜🏼" in event.deep_get("CommandLine", default=""),
            "🧜🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧚🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧚🏼" in event.deep_get("CommandLine", default=""),
            "🧚🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "👼🏼" in event.deep_get("CommandLine", default=""),
            "🤰🏼" in event.deep_get("CommandLine", default=""),
            "🫄🏼" in event.deep_get("CommandLine", default=""),
            "🫃🏼" in event.deep_get("CommandLine", default=""),
            "🤱🏼" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🍼" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🍼" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🍼" in event.deep_get("CommandLine", default=""),
            "🙇🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🙇🏼" in event.deep_get("CommandLine", default=""),
            "🙇🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "💁🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "💁🏼" in event.deep_get("CommandLine", default=""),
            "💁🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🙅🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🙅🏼" in event.deep_get("CommandLine", default=""),
            "🙅🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🙆🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🙆🏼" in event.deep_get("CommandLine", default=""),
            "🙆🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🙋🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🙋🏼" in event.deep_get("CommandLine", default=""),
            "🙋🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧏🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧏🏼" in event.deep_get("CommandLine", default=""),
            "🧏🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤦🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🤦🏼" in event.deep_get("CommandLine", default=""),
            "🤦🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤷🏼‍♀️" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
id: 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '😀'
            - '😃'
            - '😄'
            - '😁'
            - '😆'
            - '😅'
            - '😂'
            - '🤣'
            - '🥲'
            - '🥹'
            - '☺️'
            - '😊'
            - '😇'
            - '🙂'
            - '🙃'
            - '😉'
            - '😌'
            - '😍'
            - '🥰'
            - '😘'
            - '😗'
            - '😙'
            - '😚'
            - '😋'
            - '😛'
            - '😝'
            - '😜'
            - '🤪'
            - '🤨'
            - '🧐'
            - '🤓'
            - '😎'
            - '🥸'
            - '🤩'
            - '🥳'
            - '😏'
            - '😒'
            - '😞'
            - '😔'
            - '😟'
            - '😕'
            - '🙁'
            - '☹️'
            - '😣'
            - '😖'
            - '😫'
            - '😩'
            - '🥺'
            - '😢'
            - '😭'
            - '😮‍💨'
            - '😤'
            - '😠'
            - '😡'
            - '🤬'
            - '🤯'
            - '😳'
            - '🥵'
            - '🥶'
            - '😱'
            - '😨'
            - '😰'
            - '😥'
            - '😓'
            - '🫣'
            - '🤗'
            - '🫡'
            - '🤔'
            - '🫢'
            - '🤭'
            - '🤫'
            - '🤥'
            - '😶'
            - '😶‍🌫️'
            - '😐'
            - '😑'
            - '😬'
            - '🫠'
            - '🙄'
            - '😯'
            - '😦'
            - '😧'
            - '😮'
            - '😲'
            - '🥱'
            - '😴'
            - '🤤'
            - '😪'
            - '😵'
            - '😵‍💫'
            - '🫥'
            - '🤐'
            - '🥴'
            - '🤢'
            - '🤮'
            - '🤧'
            - '😷'
            - '🤒'
            - '🤕'
            - '🤑'
            - '🤠'
            - '😈'
            - '👿'
            - '👹'
            - '👺'
            - '🤡'
            - '💩'
            - '👻'
            - '💀'
            - '☠️'
            - '👽'
            - '👾'
            - '🤖'
            - '🎃'
            - '😺'
            - '😸'
            - '😹'
            - '😻'
            - '😼'
            - '😽'
            - '🙀'
            - '😿'
            - '😾'
            - '👋'
            - '🤚'
            - '🖐'
            - '✋'
            - '🖖'
            - '👌'
            - '🤌'
            - '🤏'
            - '✌️'
            - '🤞'
            - '🫰'
            - '🤟'
            - '🤘'
            - '🤙'
            - '🫵'
            - '🫱'
            - '🫲'
            - '🫳'
            - '🫴'
            - '👈'
            - '👉'
            - '👆'
            - '🖕'
            - '👇'
            - '☝️'
            - '👍'
            - '👎'
            - '✊'
            - '👊'
            - '🤛'
            - '🤜'
            - '👏'
            - '🫶'
            - '🙌'
            - '👐'
            - '🤲'
            - '🤝'
            - '🙏'
            - '✍️'
            - '💪'
            - '🦾'
            - '🦵'
            - '🦿'
            - '🦶'
            - '👣'
            - '👂'
            - '🦻'
            - '👃'
            - '🫀'
            - '🫁'
            - '🧠'
            - '🦷'
            - '🦴'
            - '👀'
            - '👁'
            - '👅'
            - '👄'
            - '🫦'
            - '💋'
            - '🩸'
            - '👶'
            - '👧'
            - '🧒'
            - '👦'
            - '👩'
            - '🧑'
            - '👨'
            - '👩‍🦱'
            - '🧑‍🦱'
            - '👨‍🦱'
            - '👩‍🦰'
            - '🧑‍🦰'
            - '👨‍🦰'
            - '👱‍♀️'
            - '👱'
            - '👱‍♂️'
            - '👩‍🦳'
            - '🧑‍🦳'
            - '👨‍🦳'
            - '👩‍🦲'
            - '🧑‍🦲'
            - '👨‍🦲'
            - '🧔‍♀️'
            - '🧔'
            - '🧔‍♂️'
            - '👵'
            - '🧓'
            - '👴'
            - '👲'
            - '👳‍♀️'
            - '👳'
            - '👳‍♂️'
            - '🧕'
            - '👮‍♀️'
            - '👮'
            - '👮‍♂️'
            - '👷‍♀️'
            - '👷'
            - '👷‍♂️'
            - '💂‍♀️'
            - '💂'
            - '💂‍♂️'
            - '🕵️‍♀️'
            - '🕵️'
            - '🕵️‍♂️'
            - '👩‍⚕️'
            - '🧑‍⚕️'
            - '👨‍⚕️'
            - '👩‍🌾'
            - '🧑‍🌾'
            - '👨‍🌾'
            - '👩‍🍳'
            - '🧑‍🍳'
            - '👨‍🍳'
            - '👩‍🎓'
            - '🧑‍🎓'
            - '👨‍🎓'
            - '👩‍🎤'
            - '🧑‍🎤'
            - '👨‍🎤'
            - '👩‍🏫'
            - '🧑‍🏫'
            - '👨‍🏫'
            - '👩‍🏭'
            - '🧑‍🏭'
            - '👨‍🏭'
            - '👩‍💻'
            - '🧑‍💻'
            - '👨‍💻'
            - '👩‍💼'
            - '🧑‍💼'
            - '👨‍💼'
            - '👩‍🔧'
            - '🧑‍🔧'
            - '👨‍🔧'
            - '👩‍🔬'
            - '🧑‍🔬'
            - '👨‍🔬'
            - '👩‍🎨'
            - '🧑‍🎨'
            - '👨‍🎨'
            - '👩‍🚒'
            - '🧑‍🚒'
            - '👨‍🚒'
            - '👩‍✈️'
            - '🧑‍✈️'
            - '👨‍✈️'
            - '👩‍🚀'
            - '🧑‍🚀'
            - '👨‍🚀'
            - '👩‍⚖️'
            - '🧑‍⚖️'
            - '👨‍⚖️'
            - '👰‍♀️'
            - '👰'
            - '👰‍♂️'
            - '🤵‍♀️'
            - '🤵'
            - '🤵‍♂️'
            - '👸'
            - '🫅'
            - '🤴'
            - '🥷'
            - '🦸‍♀️'
            - '🦸'
            - '🦸‍♂️'
            - '🦹‍♀️'
            - '🦹'
            - '🦹‍♂️'
            - '🤶'
            - '🧑‍🎄'
            - '🎅'
            - '🧙‍♀️'
            - '🧙'
            - '🧙‍♂️'
            - '🧝‍♀️'
            - '🧝'
            - '🧝‍♂️'
            - '🧛‍♀️'
            - '🧛'
            - '🧛‍♂️'
            - '🧟‍♀️'
            - '🧟'
            - '🧟‍♂️'
            - '🧞‍♀️'
            - '🧞'
            - '🧞‍♂️'
            - '🧜‍♀️'
            - '🧜'
            - '🧜‍♂️'
            - '🧚‍♀️'
            - '🧚'
            - '🧚‍♂️'
            - '🧌'
            - '👼'
            - '🤰'
            - '🫄'
            - '🫃'
            - '🤱'
            - '👩‍🍼'
            - '🧑‍🍼'
            - '👨‍🍼'
            - '🙇‍♀️'
            - '🙇'
            - '🙇‍♂️'
            - '💁‍♀️'
            - '💁'
            - '💁‍♂️'
            - '🙅‍♀️'
            - '🙅'
            - '🙅‍♂️'
            - '🙆‍♀️'
            - '🙆'
            - '🙆‍♂️'
            - '🙋‍♀️'
            - '🙋'
            - '🙋‍♂️'
            - '🧏‍♀️'
            - '🧏'
            - '🧏‍♂️'
            - '🤦‍♀️'
            - '🤦'
            - '🤦‍♂️'
            - '🤷‍♀️'
            - '🤷'
            - '🤷‍♂️'
            - '🙎‍♀️'
            - '🙎'
            - '🙎‍♂️'
            - '🙍‍♀️'
            - '🙍'
            - '🙍‍♂️'
            - '💇‍♀️'
            - '💇'
            - '💇‍♂️'
            - '💆‍♀️'
            - '💆'
            - '💆‍♂️'
            - '🧖‍♀️'
            - '🧖'
            - '🧖‍♂️'
            - '💅'
            - '💃'
            - '🕺'
            - '👯‍♀️'
            - '👯'
            - '👯‍♂️'
            - '🕴'
            - '👩‍🦽'
            - '🧑‍🦽'
            - '👨‍🦽'
            - '👩‍🦼'
            - '🧑‍🦼'
            - '👨‍🦼'
            - '🚶‍♀️'
            - '🚶'
            - '🚶‍♂️'
            - '👩‍🦯'
            - '🧑‍🦯'
            - '👨‍🦯'
            - '🧎‍♀️'
            - '🧎'
            - '🧎‍♂️'
            - '🏃‍♀️'
            - '🏃'
            - '🏃‍♂️'
            - '🧍‍♀️'
            - '🧍'
            - '🧍‍♂️'
            - '👭'
            - '🧑‍🤝‍🧑'
            - '👬'
            - '👫'
            - '👩‍❤️‍👩'
            - '💑'
            - '👨‍❤️‍👨'
            - '👩‍❤️‍👨'
            - '👩‍❤️‍💋‍👩'
            - '💏'
            - '👨‍❤️‍💋‍👨'
            - '👩‍❤️‍💋‍👨'
            - '👪'
            - '👨‍👩‍👦'
            - '👨‍👩‍👧'
            - '👨‍👩‍👧‍👦'
            - '👨‍👩‍👦‍👦'
            - '👨‍👩‍👧‍👧'
            - '👨‍👨‍👦'
            - '👨‍👨‍👧'
            - '👨‍👨‍👧‍👦'
            - '👨‍👨‍👦‍👦'
            - '👨‍👨‍👧‍👧'
            - '👩‍👩‍👦'
            - '👩‍👩‍👧'
            - '👩‍👩‍👧‍👦'
            - '👩‍👩‍👦‍👦'
            - '👩‍👩‍👧‍👧'
            - '👨‍👦'
            - '👨‍👦‍👦'
            - '👨‍👧'
            - '👨‍👧‍👦'
            - '👨‍👧‍👧'
            - '👩‍👦'
            - '👩‍👦‍👦'
            - '👩‍👧'
            - '👩‍👧‍👦'
            - '👩‍👧‍👧'
            - '🗣'
            - '👤'
            - '👥'
            - '🫂'
            - '🧳'
            - '🌂'
            - '☂️'
            - '🧵'
            - '🪡'
            - '🪢'
            - '🧶'
            - '👓'
            - '🕶'
            - '🥽'
            - '🥼'
            - '🦺'
            - '👔'
            - '👕'
            - '👖'
            - '🧣'
            - '🧤'
            - '🧥'
            - '🧦'
            - '👗'
            - '👘'
            - '🥻'
            - '🩴'
            - '🩱'
            - '🩲'
            - '🩳'
            - '👙'
            - '👚'
            - '👛'
            - '👜'
            - '👝'
            - '🎒'
            - '👞'
            - '👟'
            - '🥾'
            - '🥿'
            - '👠'
            - '👡'
            - '🩰'
            - '👢'
            - '👑'
            - '👒'
            - '🎩'
            - '🎓'
            - '🧢'
            - '⛑'
            - '🪖'
            - '💄'
            - '💍'
            - '💼'
            - '👋🏻'
            - '🤚🏻'
            - '🖐🏻'
            - '✋🏻'
            - '🖖🏻'
            - '👌🏻'
            - '🤌🏻'
            - '🤏🏻'
            - '✌🏻'
            - '🤞🏻'
            - '🫰🏻'
            - '🤟🏻'
            - '🤘🏻'
            - '🤙🏻'
            - '🫵🏻'
            - '🫱🏻'
            - '🫲🏻'
            - '🫳🏻'
            - '🫴🏻'
            - '👈🏻'
            - '👉🏻'
            - '👆🏻'
            - '🖕🏻'
            - '👇🏻'
            - '☝🏻'
            - '👍🏻'
            - '👎🏻'
            - '✊🏻'
            - '👊🏻'
            - '🤛🏻'
            - '🤜🏻'
            - '👏🏻'
            - '🫶🏻'
            - '🙌🏻'
            - '👐🏻'
            - '🤲🏻'
            - '🙏🏻'
            - '✍🏻'
            - '💪🏻'
            - '🦵🏻'
            - '🦶🏻'
            - '👂🏻'
            - '🦻🏻'
            - '👃🏻'
            - '👶🏻'
            - '👧🏻'
            - '🧒🏻'
            - '👦🏻'
            - '👩🏻'
            - '🧑🏻'
            - '👨🏻'
            - '👩🏻‍🦱'
            - '🧑🏻‍🦱'
            - '👨🏻‍🦱'
            - '👩🏻‍🦰'
            - '🧑🏻‍🦰'
            - '👨🏻‍🦰'
            - '👱🏻‍♀️'
            - '👱🏻'
            - '👱🏻‍♂️'
            - '👩🏻‍🦳'
            - '🧑🏻‍🦳'
            - '👨🏻‍🦳'
            - '👩🏻‍🦲'
            - '🧑🏻‍🦲'
            - '👨🏻‍🦲'
            - '🧔🏻‍♀️'
            - '🧔🏻'
            - '🧔🏻‍♂️'
            - '👵🏻'
            - '🧓🏻'
            - '👴🏻'
            - '👲🏻'
            - '👳🏻‍♀️'
            - '👳🏻'
            - '👳🏻‍♂️'
            - '🧕🏻'
            - '👮🏻‍♀️'
            - '👮🏻'
            - '👮🏻‍♂️'
            - '👷🏻‍♀️'
            - '👷🏻'
            - '👷🏻‍♂️'
            - '💂🏻‍♀️'
            - '💂🏻'
            - '💂🏻‍♂️'
            - '🕵🏻‍♀️'
            - '🕵🏻'
            - '🕵🏻‍♂️'
            - '👩🏻‍⚕️'
            - '🧑🏻‍⚕️'
            - '👨🏻‍⚕️'
            - '👩🏻‍🌾'
            - '🧑🏻‍🌾'
            - '👨🏻‍🌾'
            - '👩🏻‍🍳'
            - '🧑🏻‍🍳'
            - '👨🏻‍🍳'
            - '👩🏻‍🎓'
            - '🧑🏻‍🎓'
            - '👨🏻‍🎓'
            - '👩🏻‍🎤'
            - '🧑🏻‍🎤'
            - '👨🏻‍🎤'
            - '👩🏻‍🏫'
            - '🧑🏻‍🏫'
            - '👨🏻‍🏫'
            - '👩🏻‍🏭'
            - '🧑🏻‍🏭'
            - '👨🏻‍🏭'
            - '👩🏻‍💻'
            - '🧑🏻‍💻'
            - '👨🏻‍💻'
            - '👩🏻‍💼'
            - '🧑🏻‍💼'
            - '👨🏻‍💼'
            - '👩🏻‍🔧'
            - '🧑🏻‍🔧'
            - '👨🏻‍🔧'
            - '👩🏻‍🔬'
            - '🧑🏻‍🔬'
            - '👨🏻‍🔬'
            - '👩🏻‍🎨'
            - '🧑🏻‍🎨'
            - '👨🏻‍🎨'
            - '👩🏻‍🚒'
            - '🧑🏻‍🚒'
            - '👨🏻‍🚒'
            - '👩🏻‍✈️'
            - '🧑🏻‍✈️'
            - '👨🏻‍✈️'
            - '👩🏻‍🚀'
            - '🧑🏻‍🚀'
            - '👨🏻‍🚀'
            - '👩🏻‍⚖️'
            - '🧑🏻‍⚖️'
            - '👨🏻‍⚖️'
            - '👰🏻‍♀️'
            - '👰🏻'
            - '👰🏻‍♂️'
            - '🤵🏻‍♀️'
            - '🤵🏻'
            - '🤵🏻‍♂️'
            - '👸🏻'
            - '🫅🏻'
            - '🤴🏻'
            - '🥷🏻'
            - '🦸🏻‍♀️'
            - '🦸🏻'
            - '🦸🏻‍♂️'
            - '🦹🏻‍♀️'
            - '🦹🏻'
            - '🦹🏻‍♂️'
            - '🤶🏻'
            - '🧑🏻‍🎄'
            - '🎅🏻'
            - '🧙🏻‍♀️'
            - '🧙🏻'
            - '🧙🏻‍♂️'
            - '🧝🏻‍♀️'
            - '🧝🏻'
            - '🧝🏻‍♂️'
            - '🧛🏻‍♀️'
            - '🧛🏻'
            - '🧛🏻‍♂️'
            - '🧜🏻‍♀️'
            - '🧜🏻'
            - '🧜🏻‍♂️'
            - '🧚🏻‍♀️'
            - '🧚🏻'
            - '🧚🏻‍♂️'
            - '👼🏻'
            - '🤰🏻'
            - '🫄🏻'
            - '🫃🏻'
            - '🤱🏻'
            - '👩🏻‍🍼'
            - '🧑🏻‍🍼'
            - '👨🏻‍🍼'
            - '🙇🏻‍♀️'
            - '🙇🏻'
            - '🙇🏻‍♂️'
            - '💁🏻‍♀️'
            - '💁🏻'
            - '💁🏻‍♂️'
            - '🙅🏻‍♀️'
            - '🙅🏻'
            - '🙅🏻‍♂️'
            - '🙆🏻‍♀️'
            - '🙆🏻'
            - '🙆🏻‍♂️'
            - '🙋🏻‍♀️'
            - '🙋🏻'
            - '🙋🏻‍♂️'
            - '🧏🏻‍♀️'
            - '🧏🏻'
            - '🧏🏻‍♂️'
            - '🤦🏻‍♀️'
            - '🤦🏻'
            - '🤦🏻‍♂️'
            - '🤷🏻‍♀️'
            - '🤷🏻'
            - '🤷🏻‍♂️'
            - '🙎🏻‍♀️'
            - '🙎🏻'
            - '🙎🏻‍♂️'
            - '🙍🏻‍♀️'
            - '🙍🏻'
            - '🙍🏻‍♂️'
            - '💇🏻‍♀️'
            - '💇🏻'
            - '💇🏻‍♂️'
            - '💆🏻‍♀️'
            - '💆🏻'
            - '💆🏻‍♂️'
            - '🧖🏻‍♀️'
            - '🧖🏻'
            - '🧖🏻‍♂️'
            - '💃🏻'
            - '🕺🏻'
            - '🕴🏻'
            - '👩🏻‍🦽'
            - '🧑🏻‍🦽'
            - '👨🏻‍🦽'
            - '👩🏻‍🦼'
            - '🧑🏻‍🦼'
            - '👨🏻‍🦼'
            - '🚶🏻‍♀️'
            - '🚶🏻'
            - '🚶🏻‍♂️'
            - '👩🏻‍🦯'
            - '🧑🏻‍🦯'
            - '👨🏻‍🦯'
            - '🧎🏻‍♀️'
            - '🧎🏻'
            - '🧎🏻‍♂️'
            - '🏃🏻‍♀️'
            - '🏃🏻'
            - '🏃🏻‍♂️'
            - '🧍🏻‍♀️'
            - '🧍🏻'
            - '🧍🏻‍♂️'
            - '👭🏻'
            - '🧑🏻‍🤝‍🧑🏻'
            - '👬🏻'
            - '👫🏻'
            - '🧗🏻‍♀️'
            - '🧗🏻'
            - '🧗🏻‍♂️'
            - '🏇🏻'
            - '🏂🏻'
            - '🏌🏻‍♀️'
            - '🏌🏻'
            - '🏌🏻‍♂️'
            - '🏄🏻‍♀️'
            - '🏄🏻'
            - '🏄🏻‍♂️'
            - '🚣🏻‍♀️'
            - '🚣🏻'
            - '🚣🏻‍♂️'
            - '🏊🏻‍♀️'
            - '🏊🏻'
            - '🏊🏻‍♂️'
            - '⛹🏻‍♀️'
            - '⛹🏻'
            - '⛹🏻‍♂️'
            - '🏋🏻‍♀️'
            - '🏋🏻'
            - '🏋🏻‍♂️'
            - '🚴🏻‍♀️'
            - '🚴🏻'
            - '🚴🏻‍♂️'
            - '🚵🏻‍♀️'
            - '🚵🏻'
            - '🚵🏻‍♂️'
            - '🤸🏻‍♀️'
            - '🤸🏻'
            - '🤸🏻‍♂️'
            - '🤽🏻‍♀️'
            - '🤽🏻'
            - '🤽🏻‍♂️'
            - '🤾🏻‍♀️'
            - '🤾🏻'
            - '🤾🏻‍♂️'
            - '🤹🏻‍♀️'
            - '🤹🏻'
            - '🤹🏻‍♂️'
            - '🧘🏻‍♀️'
            - '🧘🏻'
            - '🧘🏻‍♂️'
            - '🛀🏻'
            - '🛌🏻'
            - '👋🏼'
            - '🤚🏼'
            - '🖐🏼'
            - '✋🏼'
            - '🖖🏼'
            - '👌🏼'
            - '🤌🏼'
            - '🤏🏼'
            - '✌🏼'
            - '🤞🏼'
            - '🫰🏼'
            - '🤟🏼'
            - '🤘🏼'
            - '🤙🏼'
            - '🫵🏼'
            - '🫱🏼'
            - '🫲🏼'
            - '🫳🏼'
            - '🫴🏼'
            - '👈🏼'
            - '👉🏼'
            - '👆🏼'
            - '🖕🏼'
            - '👇🏼'
            - '☝🏼'
            - '👍🏼'
            - '👎🏼'
            - '✊🏼'
            - '👊🏼'
            - '🤛🏼'
            - '🤜🏼'
            - '👏🏼'
            - '🫶🏼'
            - '🙌🏼'
            - '👐🏼'
            - '🤲🏼'
            - '🙏🏼'
            - '✍🏼'
            - '💪🏼'
            - '🦵🏼'
            - '🦶🏼'
            - '👂🏼'
            - '🦻🏼'
            - '👃🏼'
            - '👶🏼'
            - '👧🏼'
            - '🧒🏼'
            - '👦🏼'
            - '👩🏼'
            - '🧑🏼'
            - '👨🏼'
            - '👩🏼‍🦱'
            - '🧑🏼‍🦱'
            - '👨🏼‍🦱'
            - '👩🏼‍🦰'
            - '🧑🏼‍🦰'
            - '👨🏼‍🦰'
            - '👱🏼‍♀️'
            - '👱🏼'
            - '👱🏼‍♂️'
            - '👩🏼‍🦳'
            - '🧑🏼‍🦳'
            - '👨🏼‍🦳'
            - '👩🏼‍🦲'
            - '🧑🏼‍🦲'
            - '👨🏼‍🦲'
            - '🧔🏼‍♀️'
            - '🧔🏼'
            - '🧔🏼‍♂️'
            - '👵🏼'
            - '🧓🏼'
            - '👴🏼'
            - '👲🏼'
            - '👳🏼‍♀️'
            - '👳🏼'
            - '👳🏼‍♂️'
            - '🧕🏼'
            - '👮🏼‍♀️'
            - '👮🏼'
            - '👮🏼‍♂️'
            - '👷🏼‍♀️'
            - '👷🏼'
            - '👷🏼‍♂️'
            - '💂🏼‍♀️'
            - '💂🏼'
            - '💂🏼‍♂️'
            - '🕵🏼‍♀️'
            - '🕵🏼'
            - '🕵🏼‍♂️'
            - '👩🏼‍⚕️'
            - '🧑🏼‍⚕️'
            - '👨🏼‍⚕️'
            - '👩🏼‍🌾'
            - '🧑🏼‍🌾'
            - '👨🏼‍🌾'
            - '👩🏼‍🍳'
            - '🧑🏼‍🍳'
            - '👨🏼‍🍳'
            - '👩🏼‍🎓'
            - '🧑🏼‍🎓'
            - '👨🏼‍🎓'
            - '👩🏼‍🎤'
            - '🧑🏼‍🎤'
            - '👨🏼‍🎤'
            - '👩🏼‍🏫'
            - '🧑🏼‍🏫'
            - '👨🏼‍🏫'
            - '👩🏼‍🏭'
            - '🧑🏼‍🏭'
            - '👨🏼‍🏭'
            - '👩🏼‍💻'
            - '🧑🏼‍💻'
            - '👨🏼‍💻'
            - '👩🏼‍💼'
            - '🧑🏼‍💼'
            - '👨🏼‍💼'
            - '👩🏼‍🔧'
            - '🧑🏼‍🔧'
            - '👨🏼‍🔧'
            - '👩🏼‍🔬'
            - '🧑🏼‍🔬'
            - '👨🏼‍🔬'
            - '👩🏼‍🎨'
            - '🧑🏼‍🎨'
            - '👨🏼‍🎨'
            - '👩🏼‍🚒'
            - '🧑🏼‍🚒'
            - '👨🏼‍🚒'
            - '👩🏼‍✈️'
            - '🧑🏼‍✈️'
            - '👨🏼‍✈️'
            - '👩🏼‍🚀'
            - '🧑🏼‍🚀'
            - '👨🏼‍🚀'
            - '👩🏼‍⚖️'
            - '🧑🏼‍⚖️'
            - '👨🏼‍⚖️'
            - '👰🏼‍♀️'
            - '👰🏼'
            - '👰🏼‍♂️'
            - '🤵🏼‍♀️'
            - '🤵🏼'
            - '🤵🏼‍♂️'
            - '👸🏼'
            - '🫅🏼'
            - '🤴🏼'
            - '🥷🏼'
            - '🦸🏼‍♀️'
            - '🦸🏼'
            - '🦸🏼‍♂️'
            - '🦹🏼‍♀️'
            - '🦹🏼'
            - '🦹🏼‍♂️'
            - '🤶🏼'
            - '🧑🏼‍🎄'
            - '🎅🏼'
            - '🧙🏼‍♀️'
            - '🧙🏼'
            - '🧙🏼‍♂️'
            - '🧝🏼‍♀️'
            - '🧝🏼'
            - '🧝🏼‍♂️'
            - '🧛🏼‍♀️'
            - '🧛🏼'
            - '🧛🏼‍♂️'
            - '🧜🏼‍♀️'
            - '🧜🏼'
            - '🧜🏼‍♂️'
            - '🧚🏼‍♀️'
            - '🧚🏼'
            - '🧚🏼‍♂️'
            - '👼🏼'
            - '🤰🏼'
            - '🫄🏼'
            - '🫃🏼'
            - '🤱🏼'
            - '👩🏼‍🍼'
            - '🧑🏼‍🍼'
            - '👨🏼‍🍼'
            - '🙇🏼‍♀️'
            - '🙇🏼'
            - '🙇🏼‍♂️'
            - '💁🏼‍♀️'
            - '💁🏼'
            - '💁🏼‍♂️'
            - '🙅🏼‍♀️'
            - '🙅🏼'
            - '🙅🏼‍♂️'
            - '🙆🏼‍♀️'
            - '🙆🏼'
            - '🙆🏼‍♂️'
            - '🙋🏼‍♀️'
            - '🙋🏼'
            - '🙋🏼‍♂️'
            - '🧏🏼‍♀️'
            - '🧏🏼'
            - '🧏🏼‍♂️'
            - '🤦🏼‍♀️'
            - '🤦🏼'
            - '🤦🏼‍♂️'
            - '🤷🏼‍♀️'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

status test author @Kostastsale, TheDFIRReport id c98f2a0d-e1b8-4f76-90d3-359caf88d6b9

panther query

def rule(event):
    if any(
        [
            "🤷🏼" in event.deep_get("CommandLine", default=""),
            "🤷🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🙎🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🙎🏼" in event.deep_get("CommandLine", default=""),
            "🙎🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🙍🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🙍🏼" in event.deep_get("CommandLine", default=""),
            "🙍🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "💇🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "💇🏼" in event.deep_get("CommandLine", default=""),
            "💇🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "💆🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "💆🏼" in event.deep_get("CommandLine", default=""),
            "💆🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧖🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧖🏼" in event.deep_get("CommandLine", default=""),
            "🧖🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "💃🏼" in event.deep_get("CommandLine", default=""),
            "🕺🏼" in event.deep_get("CommandLine", default=""),
            "🕴🏼" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🦽" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🦽" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🦽" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🦼" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🦼" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🦼" in event.deep_get("CommandLine", default=""),
            "🚶🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🚶🏼" in event.deep_get("CommandLine", default=""),
            "🚶🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏼‍🦯" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🦯" in event.deep_get("CommandLine", default=""),
            "👨🏼‍🦯" in event.deep_get("CommandLine", default=""),
            "🧎🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧎🏼" in event.deep_get("CommandLine", default=""),
            "🧎🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🏃🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🏃🏼" in event.deep_get("CommandLine", default=""),
            "🏃🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧍🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧍🏼" in event.deep_get("CommandLine", default=""),
            "🧍🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "👭🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍🤝‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "👬🏼" in event.deep_get("CommandLine", default=""),
            "👫🏼" in event.deep_get("CommandLine", default=""),
            "🧗🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧗🏼" in event.deep_get("CommandLine", default=""),
            "🧗🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🏇🏼" in event.deep_get("CommandLine", default=""),
            "🏂🏼" in event.deep_get("CommandLine", default=""),
            "🏌🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🏌🏼" in event.deep_get("CommandLine", default=""),
            "🏌🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🏄🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🏄🏼" in event.deep_get("CommandLine", default=""),
            "🏄🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🚣🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🚣🏼" in event.deep_get("CommandLine", default=""),
            "🚣🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🏊🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🏊🏼" in event.deep_get("CommandLine", default=""),
            "🏊🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "⛹🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "⛹🏼" in event.deep_get("CommandLine", default=""),
            "⛹🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🏋🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🏋🏼" in event.deep_get("CommandLine", default=""),
            "🏋🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🚴🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🚴🏼" in event.deep_get("CommandLine", default=""),
            "🚴🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🚵🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🚵🏼" in event.deep_get("CommandLine", default=""),
            "🚵🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤸🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🤸🏼" in event.deep_get("CommandLine", default=""),
            "🤸🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤽🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🤽🏼" in event.deep_get("CommandLine", default=""),
            "🤽🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤾🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🤾🏼" in event.deep_get("CommandLine", default=""),
            "🤾🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤹🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🤹🏼" in event.deep_get("CommandLine", default=""),
            "🤹🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧘🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧘🏼" in event.deep_get("CommandLine", default=""),
            "🧘🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🛀🏼" in event.deep_get("CommandLine", default=""),
            "🛌🏼" in event.deep_get("CommandLine", default=""),
            "👋🏽" in event.deep_get("CommandLine", default=""),
            "🤚🏽" in event.deep_get("CommandLine", default=""),
            "🖐🏽" in event.deep_get("CommandLine", default=""),
            "✋🏽" in event.deep_get("CommandLine", default=""),
            "🖖🏽" in event.deep_get("CommandLine", default=""),
            "👌🏽" in event.deep_get("CommandLine", default=""),
            "🤌🏽" in event.deep_get("CommandLine", default=""),
            "🤏🏽" in event.deep_get("CommandLine", default=""),
            "✌🏽" in event.deep_get("CommandLine", default=""),
            "🤞🏽" in event.deep_get("CommandLine", default=""),
            "🫰🏽" in event.deep_get("CommandLine", default=""),
            "🤟🏽" in event.deep_get("CommandLine", default=""),
            "🤘🏽" in event.deep_get("CommandLine", default=""),
            "🤙🏽" in event.deep_get("CommandLine", default=""),
            "🫵🏽" in event.deep_get("CommandLine", default=""),
            "🫱🏽" in event.deep_get("CommandLine", default=""),
            "🫲🏽" in event.deep_get("CommandLine", default=""),
            "🫳🏽" in event.deep_get("CommandLine", default=""),
            "🫴🏽" in event.deep_get("CommandLine", default=""),
            "👈🏽" in event.deep_get("CommandLine", default=""),
            "👉🏽" in event.deep_get("CommandLine", default=""),
            "👆🏽" in event.deep_get("CommandLine", default=""),
            "🖕🏽" in event.deep_get("CommandLine", default=""),
            "👇🏽" in event.deep_get("CommandLine", default=""),
            "☝🏽" in event.deep_get("CommandLine", default=""),
            "👍🏽" in event.deep_get("CommandLine", default=""),
            "👎🏽" in event.deep_get("CommandLine", default=""),
            "✊🏽" in event.deep_get("CommandLine", default=""),
            "👊🏽" in event.deep_get("CommandLine", default=""),
            "🤛🏽" in event.deep_get("CommandLine", default=""),
            "🤜🏽" in event.deep_get("CommandLine", default=""),
            "👏🏽" in event.deep_get("CommandLine", default=""),
            "🫶🏽" in event.deep_get("CommandLine", default=""),
            "🙌🏽" in event.deep_get("CommandLine", default=""),
            "👐🏽" in event.deep_get("CommandLine", default=""),
            "🤲🏽" in event.deep_get("CommandLine", default=""),
            "🙏🏽" in event.deep_get("CommandLine", default=""),
            "✍🏽" in event.deep_get("CommandLine", default=""),
            "💪🏽" in event.deep_get("CommandLine", default=""),
            "🦵🏽" in event.deep_get("CommandLine", default=""),
            "🦶🏽" in event.deep_get("CommandLine", default=""),
            "👂🏽" in event.deep_get("CommandLine", default=""),
            "🦻🏽" in event.deep_get("CommandLine", default=""),
            "👃🏽" in event.deep_get("CommandLine", default=""),
            "👶🏽" in event.deep_get("CommandLine", default=""),
            "👧🏽" in event.deep_get("CommandLine", default=""),
            "🧒🏽" in event.deep_get("CommandLine", default=""),
            "👦🏽" in event.deep_get("CommandLine", default=""),
            "👩🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏽" in event.deep_get("CommandLine", default=""),
            "👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🦱" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🦱" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🦱" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🦰" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🦰" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🦰" in event.deep_get("CommandLine", default=""),
            "👱🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "👱🏽" in event.deep_get("CommandLine", default=""),
            "👱🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🦳" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🦳" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🦳" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🦲" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🦲" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🦲" in event.deep_get("CommandLine", default=""),
            "🧔🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏽" in event.deep_get("CommandLine", default=""),
            "🧔🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "👵🏽" in event.deep_get("CommandLine", default=""),
            "🧓🏽" in event.deep_get("CommandLine", default=""),
            "👴🏽" in event.deep_get("CommandLine", default=""),
            "👲🏽" in event.deep_get("CommandLine", default=""),
            "👳🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "👳🏽" in event.deep_get("CommandLine", default=""),
            "👳🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧕🏽" in event.deep_get("CommandLine", default=""),
            "👮🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "👮🏽" in event.deep_get("CommandLine", default=""),
            "👮🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "👷🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "👷🏽" in event.deep_get("CommandLine", default=""),
            "👷🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "💂🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "💂🏽" in event.deep_get("CommandLine", default=""),
            "💂🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🕵🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🕵🏽" in event.deep_get("CommandLine", default=""),
            "🕵🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏽‍⚕️" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍⚕️" in event.deep_get("CommandLine", default=""),
            "👨🏽‍⚕️" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🌾" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🌾" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🌾" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🍳" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🍳" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🍳" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🎓" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🎓" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🎓" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🎤" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🎤" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🎤" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🏫" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🏫" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🏫" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🏭" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🏭" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🏭" in event.deep_get("CommandLine", default=""),
            "👩🏽‍💻" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍💻" in event.deep_get("CommandLine", default=""),
            "👨🏽‍💻" in event.deep_get("CommandLine", default=""),
            "👩🏽‍💼" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍💼" in event.deep_get("CommandLine", default=""),
            "👨🏽‍💼" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🔧" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🔧" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🔧" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🔬" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🔬" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🔬" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🎨" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🎨" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🎨" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🚒" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🚒" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🚒" in event.deep_get("CommandLine", default=""),
            "👩🏽‍✈️" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍✈️" in event.deep_get("CommandLine", default=""),
            "👨🏽‍✈️" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🚀" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🚀" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🚀" in event.deep_get("CommandLine", default=""),
            "👩🏽‍⚖️" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍⚖️" in event.deep_get("CommandLine", default=""),
            "👨🏽‍⚖️" in event.deep_get("CommandLine", default=""),
            "👰🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "👰🏽" in event.deep_get("CommandLine", default=""),
            "👰🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🤵🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🤵🏽" in event.deep_get("CommandLine", default=""),
            "🤵🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "👸🏽" in event.deep_get("CommandLine", default=""),
            "🫅🏽" in event.deep_get("CommandLine", default=""),
            "🤴🏽" in event.deep_get("CommandLine", default=""),
            "🥷🏽" in event.deep_get("CommandLine", default=""),
            "🦸🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🦸🏽" in event.deep_get("CommandLine", default=""),
            "🦸🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🦹🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🦹🏽" in event.deep_get("CommandLine", default=""),
            "🦹🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🤶🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🎄" in event.deep_get("CommandLine", default=""),
            "🎅🏽" in event.deep_get("CommandLine", default=""),
            "🧙🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧙🏽" in event.deep_get("CommandLine", default=""),
            "🧙🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧝🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧝🏽" in event.deep_get("CommandLine", default=""),
            "🧝🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧛🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧛🏽" in event.deep_get("CommandLine", default=""),
            "🧛🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧜🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧜🏽" in event.deep_get("CommandLine", default=""),
            "🧜🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧚🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧚🏽" in event.deep_get("CommandLine", default=""),
            "🧚🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "👼🏽" in event.deep_get("CommandLine", default=""),
            "🤰🏽" in event.deep_get("CommandLine", default=""),
            "🫄🏽" in event.deep_get("CommandLine", default=""),
            "🫃🏽" in event.deep_get("CommandLine", default=""),
            "🤱🏽" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🍼" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🍼" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🍼" in event.deep_get("CommandLine", default=""),
            "🙇🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🙇🏽" in event.deep_get("CommandLine", default=""),
            "🙇🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "💁🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "💁🏽" in event.deep_get("CommandLine", default=""),
            "💁🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🙅🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🙅🏽" in event.deep_get("CommandLine", default=""),
            "🙅🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🙆🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🙆🏽" in event.deep_get("CommandLine", default=""),
            "🙆🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🙋🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🙋🏽" in event.deep_get("CommandLine", default=""),
            "🙋🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧏🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧏🏽" in event.deep_get("CommandLine", default=""),
            "🧏🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🤦🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🤦🏽" in event.deep_get("CommandLine", default=""),
            "🤦🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🤷🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🤷🏽" in event.deep_get("CommandLine", default=""),
            "🤷🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🙎🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🙎🏽" in event.deep_get("CommandLine", default=""),
            "🙎🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🙍🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🙍🏽" in event.deep_get("CommandLine", default=""),
            "🙍🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "💇🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "💇🏽" in event.deep_get("CommandLine", default=""),
            "💇🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "💆🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "💆🏽" in event.deep_get("CommandLine", default=""),
            "💆🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧖🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧖🏽" in event.deep_get("CommandLine", default=""),
            "🧖🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "💃🏽" in event.deep_get("CommandLine", default=""),
            "🕺🏽" in event.deep_get("CommandLine", default=""),
            "🕴🏽" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🦽" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🦽" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🦽" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🦼" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🦼" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🦼" in event.deep_get("CommandLine", default=""),
            "🚶🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🚶🏽" in event.deep_get("CommandLine", default=""),
            "🚶🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏽‍🦯" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🦯" in event.deep_get("CommandLine", default=""),
            "👨🏽‍🦯" in event.deep_get("CommandLine", default=""),
            "🧎🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧎🏽" in event.deep_get("CommandLine", default=""),
            "🧎🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🏃🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🏃🏽" in event.deep_get("CommandLine", default=""),
            "🏃🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧍🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧍🏽" in event.deep_get("CommandLine", default=""),
            "🧍🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "👭🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍🤝‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "👬🏽" in event.deep_get("CommandLine", default=""),
            "👫🏽" in event.deep_get("CommandLine", default=""),
            "🧗🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧗🏽" in event.deep_get("CommandLine", default=""),
            "🧗🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🏇🏽" in event.deep_get("CommandLine", default=""),
            "🏂🏽" in event.deep_get("CommandLine", default=""),
            "🏌🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🏌🏽" in event.deep_get("CommandLine", default=""),
            "🏌🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🏄🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🏄🏽" in event.deep_get("CommandLine", default=""),
            "🏄🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🚣🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🚣🏽" in event.deep_get("CommandLine", default=""),
            "🚣🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🏊🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🏊🏽" in event.deep_get("CommandLine", default=""),
            "🏊🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "⛹🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "⛹🏽" in event.deep_get("CommandLine", default=""),
            "⛹🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🏋🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🏋🏽" in event.deep_get("CommandLine", default=""),
            "🏋🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🚴🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🚴🏽" in event.deep_get("CommandLine", default=""),
            "🚴🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🚵🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🚵🏽" in event.deep_get("CommandLine", default=""),
            "🚵🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🤸🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🤸🏽" in event.deep_get("CommandLine", default=""),
            "🤸🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🤽🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🤽🏽" in event.deep_get("CommandLine", default=""),
            "🤽🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🤾🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🤾🏽" in event.deep_get("CommandLine", default=""),
            "🤾🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🤹🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🤹🏽" in event.deep_get("CommandLine", default=""),
            "🤹🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧘🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧘🏽" in event.deep_get("CommandLine", default=""),
            "🧘🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🛀🏽" in event.deep_get("CommandLine", default=""),
            "🛌🏽" in event.deep_get("CommandLine", default=""),
            "👋🏾" in event.deep_get("CommandLine", default=""),
            "🤚🏾" in event.deep_get("CommandLine", default=""),
            "🖐🏾" in event.deep_get("CommandLine", default=""),
            "✋🏾" in event.deep_get("CommandLine", default=""),
            "🖖🏾" in event.deep_get("CommandLine", default=""),
            "👌🏾" in event.deep_get("CommandLine", default=""),
            "🤌🏾" in event.deep_get("CommandLine", default=""),
            "🤏🏾" in event.deep_get("CommandLine", default=""),
            "✌🏾" in event.deep_get("CommandLine", default=""),
            "🤞🏾" in event.deep_get("CommandLine", default=""),
            "🫰🏾" in event.deep_get("CommandLine", default=""),
            "🤟🏾" in event.deep_get("CommandLine", default=""),
            "🤘🏾" in event.deep_get("CommandLine", default=""),
            "🤙🏾" in event.deep_get("CommandLine", default=""),
            "🫵🏾" in event.deep_get("CommandLine", default=""),
            "🫱🏾" in event.deep_get("CommandLine", default=""),
            "🫲🏾" in event.deep_get("CommandLine", default=""),
            "🫳🏾" in event.deep_get("CommandLine", default=""),
            "🫴🏾" in event.deep_get("CommandLine", default=""),
            "👈🏾" in event.deep_get("CommandLine", default=""),
            "👉🏾" in event.deep_get("CommandLine", default=""),
            "👆🏾" in event.deep_get("CommandLine", default=""),
            "🖕🏾" in event.deep_get("CommandLine", default=""),
            "👇🏾" in event.deep_get("CommandLine", default=""),
            "☝🏾" in event.deep_get("CommandLine", default=""),
            "👍🏾" in event.deep_get("CommandLine", default=""),
            "👎🏾" in event.deep_get("CommandLine", default=""),
            "✊🏾" in event.deep_get("CommandLine", default=""),
            "👊🏾" in event.deep_get("CommandLine", default=""),
            "🤛🏾" in event.deep_get("CommandLine", default=""),
            "🤜🏾" in event.deep_get("CommandLine", default=""),
            "👏🏾" in event.deep_get("CommandLine", default=""),
            "🫶🏾" in event.deep_get("CommandLine", default=""),
            "🙌🏾" in event.deep_get("CommandLine", default=""),
            "👐🏾" in event.deep_get("CommandLine", default=""),
            "🤲🏾" in event.deep_get("CommandLine", default=""),
            "🙏🏾" in event.deep_get("CommandLine", default=""),
            "✍🏾" in event.deep_get("CommandLine", default=""),
            "💪🏾" in event.deep_get("CommandLine", default=""),
            "🦵🏾" in event.deep_get("CommandLine", default=""),
            "🦶🏾" in event.deep_get("CommandLine", default=""),
            "👂🏾" in event.deep_get("CommandLine", default=""),
            "🦻🏾" in event.deep_get("CommandLine", default=""),
            "👃🏾" in event.deep_get("CommandLine", default=""),
            "👶🏾" in event.deep_get("CommandLine", default=""),
            "👧🏾" in event.deep_get("CommandLine", default=""),
            "🧒🏾" in event.deep_get("CommandLine", default=""),
            "👦🏾" in event.deep_get("CommandLine", default=""),
            "👩🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏾" in event.deep_get("CommandLine", default=""),
            "👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🦱" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🦱" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🦱" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🦰" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🦰" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🦰" in event.deep_get("CommandLine", default=""),
            "👱🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "👱🏾" in event.deep_get("CommandLine", default=""),
            "👱🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🦳" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🦳" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🦳" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🦲" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🦲" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🦲" in event.deep_get("CommandLine", default=""),
            "🧔🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏾" in event.deep_get("CommandLine", default=""),
            "🧔🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "👵🏾" in event.deep_get("CommandLine", default=""),
            "🧓🏾" in event.deep_get("CommandLine", default=""),
            "👴🏾" in event.deep_get("CommandLine", default=""),
            "👲🏾" in event.deep_get("CommandLine", default=""),
            "👳🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "👳🏾" in event.deep_get("CommandLine", default=""),
            "👳🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧕🏾" in event.deep_get("CommandLine", default=""),
            "👮🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "👮🏾" in event.deep_get("CommandLine", default=""),
            "👮🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "👷🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "👷🏾" in event.deep_get("CommandLine", default=""),
            "👷🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "💂🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "💂🏾" in event.deep_get("CommandLine", default=""),
            "💂🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🕵🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🕵🏾" in event.deep_get("CommandLine", default=""),
            "🕵🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏾‍⚕️" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍⚕️" in event.deep_get("CommandLine", default=""),
            "👨🏾‍⚕️" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🌾" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🌾" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🌾" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🍳" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🍳" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🍳" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🎓" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🎓" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🎓" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🎤" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🎤" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🎤" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🏫" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🏫" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🏫" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🏭" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🏭" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🏭" in event.deep_get("CommandLine", default=""),
            "👩🏾‍💻" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍💻" in event.deep_get("CommandLine", default=""),
            "👨🏾‍💻" in event.deep_get("CommandLine", default=""),
            "👩🏾‍💼" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍💼" in event.deep_get("CommandLine", default=""),
            "👨🏾‍💼" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🔧" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🔧" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🔧" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🔬" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🔬" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🔬" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🎨" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🎨" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🎨" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🚒" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🚒" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🚒" in event.deep_get("CommandLine", default=""),
            "👩🏾‍✈️" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍✈️" in event.deep_get("CommandLine", default=""),
            "👨🏾‍✈️" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🚀" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🚀" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🚀" in event.deep_get("CommandLine", default=""),
            "👩🏾‍⚖️" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍⚖️" in event.deep_get("CommandLine", default=""),
            "👨🏾‍⚖️" in event.deep_get("CommandLine", default=""),
            "👰🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "👰🏾" in event.deep_get("CommandLine", default=""),
            "👰🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🤵🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🤵🏾" in event.deep_get("CommandLine", default=""),
            "🤵🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "👸🏾" in event.deep_get("CommandLine", default=""),
            "🫅🏾" in event.deep_get("CommandLine", default=""),
            "🤴🏾" in event.deep_get("CommandLine", default=""),
            "🥷🏾" in event.deep_get("CommandLine", default=""),
            "🦸🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🦸🏾" in event.deep_get("CommandLine", default=""),
            "🦸🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🦹🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🦹🏾" in event.deep_get("CommandLine", default=""),
            "🦹🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🤶🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🎄" in event.deep_get("CommandLine", default=""),
            "🎅🏾" in event.deep_get("CommandLine", default=""),
            "🧙🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧙🏾" in event.deep_get("CommandLine", default=""),
            "🧙🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧝🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧝🏾" in event.deep_get("CommandLine", default=""),
            "🧝🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧛🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧛🏾" in event.deep_get("CommandLine", default=""),
            "🧛🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧜🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧜🏾" in event.deep_get("CommandLine", default=""),
            "🧜🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧚🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧚🏾" in event.deep_get("CommandLine", default=""),
            "🧚🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "👼🏾" in event.deep_get("CommandLine", default=""),
            "🤰🏾" in event.deep_get("CommandLine", default=""),
            "🫄🏾" in event.deep_get("CommandLine", default=""),
            "🫃🏾" in event.deep_get("CommandLine", default=""),
            "🤱🏾" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🍼" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🍼" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🍼" in event.deep_get("CommandLine", default=""),
            "🙇🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🙇🏾" in event.deep_get("CommandLine", default=""),
            "🙇🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "💁🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "💁🏾" in event.deep_get("CommandLine", default=""),
            "💁🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🙅🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🙅🏾" in event.deep_get("CommandLine", default=""),
            "🙅🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🙆🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🙆🏾" in event.deep_get("CommandLine", default=""),
            "🙆🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🙋🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🙋🏾" in event.deep_get("CommandLine", default=""),
            "🙋🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧏🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧏🏾" in event.deep_get("CommandLine", default=""),
            "🧏🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🤦🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🤦🏾" in event.deep_get("CommandLine", default=""),
            "🤦🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🤷🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🤷🏾" in event.deep_get("CommandLine", default=""),
            "🤷🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🙎🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🙎🏾" in event.deep_get("CommandLine", default=""),
            "🙎🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🙍🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🙍🏾" in event.deep_get("CommandLine", default=""),
            "🙍🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "💇🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "💇🏾" in event.deep_get("CommandLine", default=""),
            "💇🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "💆🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "💆🏾" in event.deep_get("CommandLine", default=""),
            "💆🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧖🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧖🏾" in event.deep_get("CommandLine", default=""),
            "🧖🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "💃🏾" in event.deep_get("CommandLine", default=""),
            "🕺🏾" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🦽" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🦽" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🦽" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🦼" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🦼" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🦼" in event.deep_get("CommandLine", default=""),
            "🚶🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🚶🏾" in event.deep_get("CommandLine", default=""),
            "🚶🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏾‍🦯" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🦯" in event.deep_get("CommandLine", default=""),
            "👨🏾‍🦯" in event.deep_get("CommandLine", default=""),
            "🧎🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧎🏾" in event.deep_get("CommandLine", default=""),
            "🧎🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🏃🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🏃🏾" in event.deep_get("CommandLine", default=""),
            "🏃🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧍🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧍🏾" in event.deep_get("CommandLine", default=""),
            "🧍🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "👭🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍🤝‍🧑🏾" in event.deep_get("CommandLine", default=""),
            "👬🏾" in event.deep_get("CommandLine", default=""),
            "👫🏾" in event.deep_get("CommandLine", default=""),
            "🧗🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧗🏾" in event.deep_get("CommandLine", default=""),
            "🧗🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🏇🏾" in event.deep_get("CommandLine", default=""),
            "🏂🏾" in event.deep_get("CommandLine", default=""),
            "🏌🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🏌🏾" in event.deep_get("CommandLine", default=""),
            "🏌🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🏄🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🏄🏾" in event.deep_get("CommandLine", default=""),
            "🏄🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🚣🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🚣🏾" in event.deep_get("CommandLine", default=""),
            "🚣🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🏊🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🏊🏾" in event.deep_get("CommandLine", default=""),
            "🏊🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "⛹🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "⛹🏾" in event.deep_get("CommandLine", default=""),
            "⛹🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🏋🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🏋🏾" in event.deep_get("CommandLine", default=""),
            "🏋🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🚴🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🚴🏾" in event.deep_get("CommandLine", default=""),
            "🚴🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🚵🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🚵🏾" in event.deep_get("CommandLine", default=""),
            "🚵🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🤸🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🤸🏾" in event.deep_get("CommandLine", default=""),
            "🤸🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🤽🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🤽🏾" in event.deep_get("CommandLine", default=""),
            "🤽🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🤾🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🤾🏾" in event.deep_get("CommandLine", default=""),
            "🤾🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🤹🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🤹🏾" in event.deep_get("CommandLine", default=""),
            "🤹🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧘🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧘🏾" in event.deep_get("CommandLine", default=""),
            "🧘🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🛀🏾" in event.deep_get("CommandLine", default=""),
            "🛌🏾" in event.deep_get("CommandLine", default=""),
            "👋🏿" in event.deep_get("CommandLine", default=""),
            "🤚🏿" in event.deep_get("CommandLine", default=""),
            "🖐🏿" in event.deep_get("CommandLine", default=""),
            "✋🏿" in event.deep_get("CommandLine", default=""),
            "🖖🏿" in event.deep_get("CommandLine", default=""),
            "👌🏿" in event.deep_get("CommandLine", default=""),
            "🤌🏿" in event.deep_get("CommandLine", default=""),
            "🤏🏿" in event.deep_get("CommandLine", default=""),
            "✌🏿" in event.deep_get("CommandLine", default=""),
            "🤞🏿" in event.deep_get("CommandLine", default=""),
            "🫰🏿" in event.deep_get("CommandLine", default=""),
            "🤟🏿" in event.deep_get("CommandLine", default=""),
            "🤘🏿" in event.deep_get("CommandLine", default=""),
            "🤙🏿" in event.deep_get("CommandLine", default=""),
            "🫵🏿" in event.deep_get("CommandLine", default=""),
            "🫱🏿" in event.deep_get("CommandLine", default=""),
            "🫲🏿" in event.deep_get("CommandLine", default=""),
            "🫳🏿" in event.deep_get("CommandLine", default=""),
            "🫴🏿" in event.deep_get("CommandLine", default=""),
            "👈🏿" in event.deep_get("CommandLine", default=""),
            "👉🏿" in event.deep_get("CommandLine", default=""),
            "👆🏿" in event.deep_get("CommandLine", default=""),
            "🖕🏿" in event.deep_get("CommandLine", default=""),
            "👇🏿" in event.deep_get("CommandLine", default=""),
            "☝🏿" in event.deep_get("CommandLine", default=""),
            "👍🏿" in event.deep_get("CommandLine", default=""),
            "👎🏿" in event.deep_get("CommandLine", default=""),
            "✊🏿" in event.deep_get("CommandLine", default=""),
            "👊🏿" in event.deep_get("CommandLine", default=""),
            "🤛🏿" in event.deep_get("CommandLine", default=""),
            "🤜🏿" in event.deep_get("CommandLine", default=""),
            "👏🏿" in event.deep_get("CommandLine", default=""),
            "🫶🏿" in event.deep_get("CommandLine", default=""),
            "🙌🏿" in event.deep_get("CommandLine", default=""),
            "👐🏿" in event.deep_get("CommandLine", default=""),
            "🤲🏿" in event.deep_get("CommandLine", default=""),
            "🙏🏿" in event.deep_get("CommandLine", default=""),
            "✍🏿" in event.deep_get("CommandLine", default=""),
            "🤳🏿" in event.deep_get("CommandLine", default=""),
            "💪🏿" in event.deep_get("CommandLine", default=""),
            "🦵🏿" in event.deep_get("CommandLine", default=""),
            "🦶🏿" in event.deep_get("CommandLine", default=""),
            "👂🏿" in event.deep_get("CommandLine", default=""),
            "🦻🏿" in event.deep_get("CommandLine", default=""),
            "👃🏿" in event.deep_get("CommandLine", default=""),
            "👶🏿" in event.deep_get("CommandLine", default=""),
            "👧🏿" in event.deep_get("CommandLine", default=""),
            "🧒🏿" in event.deep_get("CommandLine", default=""),
            "👦🏿" in event.deep_get("CommandLine", default=""),
            "👩🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏿" in event.deep_get("CommandLine", default=""),
            "👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🦱" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🦱" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🦱" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🦰" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🦰" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🦰" in event.deep_get("CommandLine", default=""),
            "👱🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "👱🏿" in event.deep_get("CommandLine", default=""),
            "👱🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🦳" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🦳" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🦳" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🦲" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🦲" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🦲" in event.deep_get("CommandLine", default=""),
            "🧔🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏿" in event.deep_get("CommandLine", default=""),
            "🧔🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "👵🏿" in event.deep_get("CommandLine", default=""),
            "🧓🏿" in event.deep_get("CommandLine", default=""),
            "👴🏿" in event.deep_get("CommandLine", default=""),
            "👲🏿" in event.deep_get("CommandLine", default=""),
            "👳🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "👳🏿" in event.deep_get("CommandLine", default=""),
            "👳🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧕🏿" in event.deep_get("CommandLine", default=""),
            "👮🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "👮🏿" in event.deep_get("CommandLine", default=""),
            "👮🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "👷🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "👷🏿" in event.deep_get("CommandLine", default=""),
            "👷🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "💂🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "💂🏿" in event.deep_get("CommandLine", default=""),
            "💂🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🕵🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🕵🏿" in event.deep_get("CommandLine", default=""),
            "🕵🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏿‍⚕️" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍⚕️" in event.deep_get("CommandLine", default=""),
            "👨🏿‍⚕️" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🌾" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🌾" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🌾" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🍳" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🍳" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🍳" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🎓" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🎓" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🎓" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🎤" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🎤" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🎤" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🏫" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🏫" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🏫" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🏭" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🏭" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🏭" in event.deep_get("CommandLine", default=""),
            "👩🏿‍💻" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍💻" in event.deep_get("CommandLine", default=""),
            "👨🏿‍💻" in event.deep_get("CommandLine", default=""),
            "👩🏿‍💼" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍💼" in event.deep_get("CommandLine", default=""),
            "👨🏿‍💼" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🔧" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🔧" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🔧" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🔬" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🔬" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🔬" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🎨" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🎨" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🎨" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🚒" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🚒" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🚒" in event.deep_get("CommandLine", default=""),
            "👩🏿‍✈️" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍✈️" in event.deep_get("CommandLine", default=""),
            "👨🏿‍✈️" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🚀" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🚀" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🚀" in event.deep_get("CommandLine", default=""),
            "👩🏿‍⚖️" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍⚖️" in event.deep_get("CommandLine", default=""),
            "👨🏿‍⚖️" in event.deep_get("CommandLine", default=""),
            "👰🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "👰🏿" in event.deep_get("CommandLine", default=""),
            "👰🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🤵🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🤵🏿" in event.deep_get("CommandLine", default=""),
            "🤵🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "👸🏿" in event.deep_get("CommandLine", default=""),
            "🫅🏿" in event.deep_get("CommandLine", default=""),
            "🤴🏿" in event.deep_get("CommandLine", default=""),
            "🥷🏿" in event.deep_get("CommandLine", default=""),
            "🦸🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🦸🏿" in event.deep_get("CommandLine", default=""),
            "🦸🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🦹🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🦹🏿" in event.deep_get("CommandLine", default=""),
            "🦹🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🤶🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🎄" in event.deep_get("CommandLine", default=""),
            "🎅🏿" in event.deep_get("CommandLine", default=""),
            "🧙🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧙🏿" in event.deep_get("CommandLine", default=""),
            "🧙🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧝🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧝🏿" in event.deep_get("CommandLine", default=""),
            "🧝🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧛🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧛🏿" in event.deep_get("CommandLine", default=""),
            "🧛🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧜🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧜🏿" in event.deep_get("CommandLine", default=""),
            "🧜🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧚🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧚🏿" in event.deep_get("CommandLine", default=""),
            "🧚🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "👼🏿" in event.deep_get("CommandLine", default=""),
            "🤰🏿" in event.deep_get("CommandLine", default=""),
            "🫄🏿" in event.deep_get("CommandLine", default=""),
            "🫃🏿" in event.deep_get("CommandLine", default=""),
            "🤱🏿" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🍼" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🍼" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🍼" in event.deep_get("CommandLine", default=""),
            "🙇🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🙇🏿" in event.deep_get("CommandLine", default=""),
            "🙇🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "💁🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "💁🏿" in event.deep_get("CommandLine", default=""),
            "💁🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🙅🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🙅🏿" in event.deep_get("CommandLine", default=""),
            "🙅🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🙆🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🙆🏿" in event.deep_get("CommandLine", default=""),
            "🙆🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🙋🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🙋🏿" in event.deep_get("CommandLine", default=""),
            "🙋🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧏🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧏🏿" in event.deep_get("CommandLine", default=""),
            "🧏🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🤦🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🤦🏿" in event.deep_get("CommandLine", default=""),
            "🤦🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🤷🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🤷🏿" in event.deep_get("CommandLine", default=""),
            "🤷🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🙎🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🙎🏿" in event.deep_get("CommandLine", default=""),
            "🙎🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🙍🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🙍🏿" in event.deep_get("CommandLine", default=""),
            "🙍🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "💇🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "💇🏿" in event.deep_get("CommandLine", default=""),
            "💇🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "💆🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "💆🏿" in event.deep_get("CommandLine", default=""),
            "💆🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧖🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧖🏿" in event.deep_get("CommandLine", default=""),
            "🧖🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "💃🏿" in event.deep_get("CommandLine", default=""),
            "🕺🏿" in event.deep_get("CommandLine", default=""),
            "🕴🏿" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🦽" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🦽" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🦽" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🦼" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🦼" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🦼" in event.deep_get("CommandLine", default=""),
            "🚶🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🚶🏿" in event.deep_get("CommandLine", default=""),
            "🚶🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "👩🏿‍🦯" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🦯" in event.deep_get("CommandLine", default=""),
            "👨🏿‍🦯" in event.deep_get("CommandLine", default=""),
            "🧎🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧎🏿" in event.deep_get("CommandLine", default=""),
            "🧎🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🏃🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🏃🏿" in event.deep_get("CommandLine", default=""),
            "🏃🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧍🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧍🏿" in event.deep_get("CommandLine", default=""),
            "🧍🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "👭🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍🤝‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "👬🏿" in event.deep_get("CommandLine", default=""),
            "👫🏿" in event.deep_get("CommandLine", default=""),
            "🧗🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧗🏿" in event.deep_get("CommandLine", default=""),
            "🧗🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🏇🏿" in event.deep_get("CommandLine", default=""),
            "🏂🏿" in event.deep_get("CommandLine", default=""),
            "🏌🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🏌🏿" in event.deep_get("CommandLine", default=""),
            "🏌🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🏄🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🏄🏿" in event.deep_get("CommandLine", default=""),
            "🏄🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🚣🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🚣🏿" in event.deep_get("CommandLine", default=""),
            "🚣🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🏊🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🏊🏿" in event.deep_get("CommandLine", default=""),
            "🏊🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "⛹🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "⛹🏿" in event.deep_get("CommandLine", default=""),
            "⛹🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🏋🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🏋🏿" in event.deep_get("CommandLine", default=""),
            "🏋🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🚴🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🚴🏿" in event.deep_get("CommandLine", default=""),
            "🚴🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🚵🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🚵🏿" in event.deep_get("CommandLine", default=""),
            "🚵🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🤸🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🤸🏿" in event.deep_get("CommandLine", default=""),
            "🤸🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🤽🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🤽🏿" in event.deep_get("CommandLine", default=""),
            "🤽🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🤾🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🤾🏿" in event.deep_get("CommandLine", default=""),
            "🤾🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🤹🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🤹🏿" in event.deep_get("CommandLine", default=""),
            "🤹🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🧘🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧘🏿" in event.deep_get("CommandLine", default=""),
            "🧘🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "🛀🏿" in event.deep_get("CommandLine", default=""),
            "🛌🏿" in event.deep_get("CommandLine", default=""),
            "🐶" in event.deep_get("CommandLine", default=""),
            "🐱" in event.deep_get("CommandLine", default=""),
            "🐭" in event.deep_get("CommandLine", default=""),
            "🐹" in event.deep_get("CommandLine", default=""),
            "🐰" in event.deep_get("CommandLine", default=""),
            "🦊" in event.deep_get("CommandLine", default=""),
            "🐻" in event.deep_get("CommandLine", default=""),
            "🐼" in event.deep_get("CommandLine", default=""),
            "🐻‍❄️" in event.deep_get("CommandLine", default=""),
            "🐨" in event.deep_get("CommandLine", default=""),
            "🐯" in event.deep_get("CommandLine", default=""),
            "🦁" in event.deep_get("CommandLine", default=""),
            "🐮" in event.deep_get("CommandLine", default=""),
            "🐷" in event.deep_get("CommandLine", default=""),
            "🐽" in event.deep_get("CommandLine", default=""),
            "🐸" in event.deep_get("CommandLine", default=""),
            "🐵" in event.deep_get("CommandLine", default=""),
            "🙈" in event.deep_get("CommandLine", default=""),
            "🙉" in event.deep_get("CommandLine", default=""),
            "🙊" in event.deep_get("CommandLine", default=""),
            "🐒" in event.deep_get("CommandLine", default=""),
            "🐔" in event.deep_get("CommandLine", default=""),
            "🐧" in event.deep_get("CommandLine", default=""),
            "🐦" in event.deep_get("CommandLine", default=""),
            "🐤" in event.deep_get("CommandLine", default=""),
            "🐣" in event.deep_get("CommandLine", default=""),
            "🐥" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
id: c98f2a0d-e1b8-4f76-90d3-359caf88d6b9
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '🤷🏼'
            - '🤷🏼‍♂️'
            - '🙎🏼‍♀️'
            - '🙎🏼'
            - '🙎🏼‍♂️'
            - '🙍🏼‍♀️'
            - '🙍🏼'
            - '🙍🏼‍♂️'
            - '💇🏼‍♀️'
            - '💇🏼'
            - '💇🏼‍♂️'
            - '💆🏼‍♀️'
            - '💆🏼'
            - '💆🏼‍♂️'
            - '🧖🏼‍♀️'
            - '🧖🏼'
            - '🧖🏼‍♂️'
            - '💃🏼'
            - '🕺🏼'
            - '🕴🏼'
            - '👩🏼‍🦽'
            - '🧑🏼‍🦽'
            - '👨🏼‍🦽'
            - '👩🏼‍🦼'
            - '🧑🏼‍🦼'
            - '👨🏼‍🦼'
            - '🚶🏼‍♀️'
            - '🚶🏼'
            - '🚶🏼‍♂️'
            - '👩🏼‍🦯'
            - '🧑🏼‍🦯'
            - '👨🏼‍🦯'
            - '🧎🏼‍♀️'
            - '🧎🏼'
            - '🧎🏼‍♂️'
            - '🏃🏼‍♀️'
            - '🏃🏼'
            - '🏃🏼‍♂️'
            - '🧍🏼‍♀️'
            - '🧍🏼'
            - '🧍🏼‍♂️'
            - '👭🏼'
            - '🧑🏼‍🤝‍🧑🏼'
            - '👬🏼'
            - '👫🏼'
            - '🧗🏼‍♀️'
            - '🧗🏼'
            - '🧗🏼‍♂️'
            - '🏇🏼'
            - '🏂🏼'
            - '🏌🏼‍♀️'
            - '🏌🏼'
            - '🏌🏼‍♂️'
            - '🏄🏼‍♀️'
            - '🏄🏼'
            - '🏄🏼‍♂️'
            - '🚣🏼‍♀️'
            - '🚣🏼'
            - '🚣🏼‍♂️'
            - '🏊🏼‍♀️'
            - '🏊🏼'
            - '🏊🏼‍♂️'
            - '⛹🏼‍♀️'
            - '⛹🏼'
            - '⛹🏼‍♂️'
            - '🏋🏼‍♀️'
            - '🏋🏼'
            - '🏋🏼‍♂️'
            - '🚴🏼‍♀️'
            - '🚴🏼'
            - '🚴🏼‍♂️'
            - '🚵🏼‍♀️'
            - '🚵🏼'
            - '🚵🏼‍♂️'
            - '🤸🏼‍♀️'
            - '🤸🏼'
            - '🤸🏼‍♂️'
            - '🤽🏼‍♀️'
            - '🤽🏼'
            - '🤽🏼‍♂️'
            - '🤾🏼‍♀️'
            - '🤾🏼'
            - '🤾🏼‍♂️'
            - '🤹🏼‍♀️'
            - '🤹🏼'
            - '🤹🏼‍♂️'
            - '🧘🏼‍♀️'
            - '🧘🏼'
            - '🧘🏼‍♂️'
            - '🛀🏼'
            - '🛌🏼'
            - '👋🏽'
            - '🤚🏽'
            - '🖐🏽'
            - '✋🏽'
            - '🖖🏽'
            - '👌🏽'
            - '🤌🏽'
            - '🤏🏽'
            - '✌🏽'
            - '🤞🏽'
            - '🫰🏽'
            - '🤟🏽'
            - '🤘🏽'
            - '🤙🏽'
            - '🫵🏽'
            - '🫱🏽'
            - '🫲🏽'
            - '🫳🏽'
            - '🫴🏽'
            - '👈🏽'
            - '👉🏽'
            - '👆🏽'
            - '🖕🏽'
            - '👇🏽'
            - '☝🏽'
            - '👍🏽'
            - '👎🏽'
            - '✊🏽'
            - '👊🏽'
            - '🤛🏽'
            - '🤜🏽'
            - '👏🏽'
            - '🫶🏽'
            - '🙌🏽'
            - '👐🏽'
            - '🤲🏽'
            - '🙏🏽'
            - '✍🏽'
            - '💪🏽'
            - '🦵🏽'
            - '🦶🏽'
            - '👂🏽'
            - '🦻🏽'
            - '👃🏽'
            - '👶🏽'
            - '👧🏽'
            - '🧒🏽'
            - '👦🏽'
            - '👩🏽'
            - '🧑🏽'
            - '👨🏽'
            - '👩🏽‍🦱'
            - '🧑🏽‍🦱'
            - '👨🏽‍🦱'
            - '👩🏽‍🦰'
            - '🧑🏽‍🦰'
            - '👨🏽‍🦰'
            - '👱🏽‍♀️'
            - '👱🏽'
            - '👱🏽‍♂️'
            - '👩🏽‍🦳'
            - '🧑🏽‍🦳'
            - '👨🏽‍🦳'
            - '👩🏽‍🦲'
            - '🧑🏽‍🦲'
            - '👨🏽‍🦲'
            - '🧔🏽‍♀️'
            - '🧔🏽'
            - '🧔🏽‍♂️'
            - '👵🏽'
            - '🧓🏽'
            - '👴🏽'
            - '👲🏽'
            - '👳🏽‍♀️'
            - '👳🏽'
            - '👳🏽‍♂️'
            - '🧕🏽'
            - '👮🏽‍♀️'
            - '👮🏽'
            - '👮🏽‍♂️'
            - '👷🏽‍♀️'
            - '👷🏽'
            - '👷🏽‍♂️'
            - '💂🏽‍♀️'
            - '💂🏽'
            - '💂🏽‍♂️'
            - '🕵🏽‍♀️'
            - '🕵🏽'
            - '🕵🏽‍♂️'
            - '👩🏽‍⚕️'
            - '🧑🏽‍⚕️'
            - '👨🏽‍⚕️'
            - '👩🏽‍🌾'
            - '🧑🏽‍🌾'
            - '👨🏽‍🌾'
            - '👩🏽‍🍳'
            - '🧑🏽‍🍳'
            - '👨🏽‍🍳'
            - '👩🏽‍🎓'
            - '🧑🏽‍🎓'
            - '👨🏽‍🎓'
            - '👩🏽‍🎤'
            - '🧑🏽‍🎤'
            - '👨🏽‍🎤'
            - '👩🏽‍🏫'
            - '🧑🏽‍🏫'
            - '👨🏽‍🏫'
            - '👩🏽‍🏭'
            - '🧑🏽‍🏭'
            - '👨🏽‍🏭'
            - '👩🏽‍💻'
            - '🧑🏽‍💻'
            - '👨🏽‍💻'
            - '👩🏽‍💼'
            - '🧑🏽‍💼'
            - '👨🏽‍💼'
            - '👩🏽‍🔧'
            - '🧑🏽‍🔧'
            - '👨🏽‍🔧'
            - '👩🏽‍🔬'
            - '🧑🏽‍🔬'
            - '👨🏽‍🔬'
            - '👩🏽‍🎨'
            - '🧑🏽‍🎨'
            - '👨🏽‍🎨'
            - '👩🏽‍🚒'
            - '🧑🏽‍🚒'
            - '👨🏽‍🚒'
            - '👩🏽‍✈️'
            - '🧑🏽‍✈️'
            - '👨🏽‍✈️'
            - '👩🏽‍🚀'
            - '🧑🏽‍🚀'
            - '👨🏽‍🚀'
            - '👩🏽‍⚖️'
            - '🧑🏽‍⚖️'
            - '👨🏽‍⚖️'
            - '👰🏽‍♀️'
            - '👰🏽'
            - '👰🏽‍♂️'
            - '🤵🏽‍♀️'
            - '🤵🏽'
            - '🤵🏽‍♂️'
            - '👸🏽'
            - '🫅🏽'
            - '🤴🏽'
            - '🥷🏽'
            - '🦸🏽‍♀️'
            - '🦸🏽'
            - '🦸🏽‍♂️'
            - '🦹🏽‍♀️'
            - '🦹🏽'
            - '🦹🏽‍♂️'
            - '🤶🏽'
            - '🧑🏽‍🎄'
            - '🎅🏽'
            - '🧙🏽‍♀️'
            - '🧙🏽'
            - '🧙🏽‍♂️'
            - '🧝🏽‍♀️'
            - '🧝🏽'
            - '🧝🏽‍♂️'
            - '🧛🏽‍♀️'
            - '🧛🏽'
            - '🧛🏽‍♂️'
            - '🧜🏽‍♀️'
            - '🧜🏽'
            - '🧜🏽‍♂️'
            - '🧚🏽‍♀️'
            - '🧚🏽'
            - '🧚🏽‍♂️'
            - '👼🏽'
            - '🤰🏽'
            - '🫄🏽'
            - '🫃🏽'
            - '🤱🏽'
            - '👩🏽‍🍼'
            - '🧑🏽‍🍼'
            - '👨🏽‍🍼'
            - '🙇🏽‍♀️'
            - '🙇🏽'
            - '🙇🏽‍♂️'
            - '💁🏽‍♀️'
            - '💁🏽'
            - '💁🏽‍♂️'
            - '🙅🏽‍♀️'
            - '🙅🏽'
            - '🙅🏽‍♂️'
            - '🙆🏽‍♀️'
            - '🙆🏽'
            - '🙆🏽‍♂️'
            - '🙋🏽‍♀️'
            - '🙋🏽'
            - '🙋🏽‍♂️'
            - '🧏🏽‍♀️'
            - '🧏🏽'
            - '🧏🏽‍♂️'
            - '🤦🏽‍♀️'
            - '🤦🏽'
            - '🤦🏽‍♂️'
            - '🤷🏽‍♀️'
            - '🤷🏽'
            - '🤷🏽‍♂️'
            - '🙎🏽‍♀️'
            - '🙎🏽'
            - '🙎🏽‍♂️'
            - '🙍🏽‍♀️'
            - '🙍🏽'
            - '🙍🏽‍♂️'
            - '💇🏽‍♀️'
            - '💇🏽'
            - '💇🏽‍♂️'
            - '💆🏽‍♀️'
            - '💆🏽'
            - '💆🏽‍♂️'
            - '🧖🏽‍♀️'
            - '🧖🏽'
            - '🧖🏽‍♂️'
            - '💃🏽'
            - '🕺🏽'
            - '🕴🏽'
            - '👩🏽‍🦽'
            - '🧑🏽‍🦽'
            - '👨🏽‍🦽'
            - '👩🏽‍🦼'
            - '🧑🏽‍🦼'
            - '👨🏽‍🦼'
            - '🚶🏽‍♀️'
            - '🚶🏽'
            - '🚶🏽‍♂️'
            - '👩🏽‍🦯'
            - '🧑🏽‍🦯'
            - '👨🏽‍🦯'
            - '🧎🏽‍♀️'
            - '🧎🏽'
            - '🧎🏽‍♂️'
            - '🏃🏽‍♀️'
            - '🏃🏽'
            - '🏃🏽‍♂️'
            - '🧍🏽‍♀️'
            - '🧍🏽'
            - '🧍🏽‍♂️'
            - '👭🏽'
            - '🧑🏽‍🤝‍🧑🏽'
            - '👬🏽'
            - '👫🏽'
            - '🧗🏽‍♀️'
            - '🧗🏽'
            - '🧗🏽‍♂️'
            - '🏇🏽'
            - '🏂🏽'
            - '🏌🏽‍♀️'
            - '🏌🏽'
            - '🏌🏽‍♂️'
            - '🏄🏽‍♀️'
            - '🏄🏽'
            - '🏄🏽‍♂️'
            - '🚣🏽‍♀️'
            - '🚣🏽'
            - '🚣🏽‍♂️'
            - '🏊🏽‍♀️'
            - '🏊🏽'
            - '🏊🏽‍♂️'
            - '⛹🏽‍♀️'
            - '⛹🏽'
            - '⛹🏽‍♂️'
            - '🏋🏽‍♀️'
            - '🏋🏽'
            - '🏋🏽‍♂️'
            - '🚴🏽‍♀️'
            - '🚴🏽'
            - '🚴🏽‍♂️'
            - '🚵🏽‍♀️'
            - '🚵🏽'
            - '🚵🏽‍♂️'
            - '🤸🏽‍♀️'
            - '🤸🏽'
            - '🤸🏽‍♂️'
            - '🤽🏽‍♀️'
            - '🤽🏽'
            - '🤽🏽‍♂️'
            - '🤾🏽‍♀️'
            - '🤾🏽'
            - '🤾🏽‍♂️'
            - '🤹🏽‍♀️'
            - '🤹🏽'
            - '🤹🏽‍♂️'
            - '🧘🏽‍♀️'
            - '🧘🏽'
            - '🧘🏽‍♂️'
            - '🛀🏽'
            - '🛌🏽'
            - '👋🏾'
            - '🤚🏾'
            - '🖐🏾'
            - '✋🏾'
            - '🖖🏾'
            - '👌🏾'
            - '🤌🏾'
            - '🤏🏾'
            - '✌🏾'
            - '🤞🏾'
            - '🫰🏾'
            - '🤟🏾'
            - '🤘🏾'
            - '🤙🏾'
            - '🫵🏾'
            - '🫱🏾'
            - '🫲🏾'
            - '🫳🏾'
            - '🫴🏾'
            - '👈🏾'
            - '👉🏾'
            - '👆🏾'
            - '🖕🏾'
            - '👇🏾'
            - '☝🏾'
            - '👍🏾'
            - '👎🏾'
            - '✊🏾'
            - '👊🏾'
            - '🤛🏾'
            - '🤜🏾'
            - '👏🏾'
            - '🫶🏾'
            - '🙌🏾'
            - '👐🏾'
            - '🤲🏾'
            - '🙏🏾'
            - '✍🏾'
            - '💪🏾'
            - '🦵🏾'
            - '🦶🏾'
            - '👂🏾'
            - '🦻🏾'
            - '👃🏾'
            - '👶🏾'
            - '👧🏾'
            - '🧒🏾'
            - '👦🏾'
            - '👩🏾'
            - '🧑🏾'
            - '👨🏾'
            - '👩🏾‍🦱'
            - '🧑🏾‍🦱'
            - '👨🏾‍🦱'
            - '👩🏾‍🦰'
            - '🧑🏾‍🦰'
            - '👨🏾‍🦰'
            - '👱🏾‍♀️'
            - '👱🏾'
            - '👱🏾‍♂️'
            - '👩🏾‍🦳'
            - '🧑🏾‍🦳'
            - '👨🏾‍🦳'
            - '👩🏾‍🦲'
            - '🧑🏾‍🦲'
            - '👨🏾‍🦲'
            - '🧔🏾‍♀️'
            - '🧔🏾'
            - '🧔🏾‍♂️'
            - '👵🏾'
            - '🧓🏾'
            - '👴🏾'
            - '👲🏾'
            - '👳🏾‍♀️'
            - '👳🏾'
            - '👳🏾‍♂️'
            - '🧕🏾'
            - '👮🏾‍♀️'
            - '👮🏾'
            - '👮🏾‍♂️'
            - '👷🏾‍♀️'
            - '👷🏾'
            - '👷🏾‍♂️'
            - '💂🏾‍♀️'
            - '💂🏾'
            - '💂🏾‍♂️'
            - '🕵🏾‍♀️'
            - '🕵🏾'
            - '🕵🏾‍♂️'
            - '👩🏾‍⚕️'
            - '🧑🏾‍⚕️'
            - '👨🏾‍⚕️'
            - '👩🏾‍🌾'
            - '🧑🏾‍🌾'
            - '👨🏾‍🌾'
            - '👩🏾‍🍳'
            - '🧑🏾‍🍳'
            - '👨🏾‍🍳'
            - '👩🏾‍🎓'
            - '🧑🏾‍🎓'
            - '👨🏾‍🎓'
            - '👩🏾‍🎤'
            - '🧑🏾‍🎤'
            - '👨🏾‍🎤'
            - '👩🏾‍🏫'
            - '🧑🏾‍🏫'
            - '👨🏾‍🏫'
            - '👩🏾‍🏭'
            - '🧑🏾‍🏭'
            - '👨🏾‍🏭'
            - '👩🏾‍💻'
            - '🧑🏾‍💻'
            - '👨🏾‍💻'
            - '👩🏾‍💼'
            - '🧑🏾‍💼'
            - '👨🏾‍💼'
            - '👩🏾‍🔧'
            - '🧑🏾‍🔧'
            - '👨🏾‍🔧'
            - '👩🏾‍🔬'
            - '🧑🏾‍🔬'
            - '👨🏾‍🔬'
            - '👩🏾‍🎨'
            - '🧑🏾‍🎨'
            - '👨🏾‍🎨'
            - '👩🏾‍🚒'
            - '🧑🏾‍🚒'
            - '👨🏾‍🚒'
            - '👩🏾‍✈️'
            - '🧑🏾‍✈️'
            - '👨🏾‍✈️'
            - '👩🏾‍🚀'
            - '🧑🏾‍🚀'
            - '👨🏾‍🚀'
            - '👩🏾‍⚖️'
            - '🧑🏾‍⚖️'
            - '👨🏾‍⚖️'
            - '👰🏾‍♀️'
            - '👰🏾'
            - '👰🏾‍♂️'
            - '🤵🏾‍♀️'
            - '🤵🏾'
            - '🤵🏾‍♂️'
            - '👸🏾'
            - '🫅🏾'
            - '🤴🏾'
            - '🥷🏾'
            - '🦸🏾‍♀️'
            - '🦸🏾'
            - '🦸🏾‍♂️'
            - '🦹🏾‍♀️'
            - '🦹🏾'
            - '🦹🏾‍♂️'
            - '🤶🏾'
            - '🧑🏾‍🎄'
            - '🎅🏾'
            - '🧙🏾‍♀️'
            - '🧙🏾'
            - '🧙🏾‍♂️'
            - '🧝🏾‍♀️'
            - '🧝🏾'
            - '🧝🏾‍♂️'
            - '🧛🏾‍♀️'
            - '🧛🏾'
            - '🧛🏾‍♂️'
            - '🧜🏾‍♀️'
            - '🧜🏾'
            - '🧜🏾‍♂️'
            - '🧚🏾‍♀️'
            - '🧚🏾'
            - '🧚🏾‍♂️'
            - '👼🏾'
            - '🤰🏾'
            - '🫄🏾'
            - '🫃🏾'
            - '🤱🏾'
            - '👩🏾‍🍼'
            - '🧑🏾‍🍼'
            - '👨🏾‍🍼'
            - '🙇🏾‍♀️'
            - '🙇🏾'
            - '🙇🏾‍♂️'
            - '💁🏾‍♀️'
            - '💁🏾'
            - '💁🏾‍♂️'
            - '🙅🏾‍♀️'
            - '🙅🏾'
            - '🙅🏾‍♂️'
            - '🙆🏾‍♀️'
            - '🙆🏾'
            - '🙆🏾‍♂️'
            - '🙋🏾‍♀️'
            - '🙋🏾'
            - '🙋🏾‍♂️'
            - '🧏🏾‍♀️'
            - '🧏🏾'
            - '🧏🏾‍♂️'
            - '🤦🏾‍♀️'
            - '🤦🏾'
            - '🤦🏾‍♂️'
            - '🤷🏾‍♀️'
            - '🤷🏾'
            - '🤷🏾‍♂️'
            - '🙎🏾‍♀️'
            - '🙎🏾'
            - '🙎🏾‍♂️'
            - '🙍🏾‍♀️'
            - '🙍🏾'
            - '🙍🏾‍♂️'
            - '💇🏾‍♀️'
            - '💇🏾'
            - '💇🏾‍♂️'
            - '💆🏾‍♀️'
            - '💆🏾'
            - '💆🏾‍♂️'
            - '🧖🏾‍♀️'
            - '🧖🏾'
            - '🧖🏾‍♂️'
            - '💃🏾'
            - '🕺🏾'
            - '👩🏾‍🦽'
            - '🧑🏾‍🦽'
            - '👨🏾‍🦽'
            - '👩🏾‍🦼'
            - '🧑🏾‍🦼'
            - '👨🏾‍🦼'
            - '🚶🏾‍♀️'
            - '🚶🏾'
            - '🚶🏾‍♂️'
            - '👩🏾‍🦯'
            - '🧑🏾‍🦯'
            - '👨🏾‍🦯'
            - '🧎🏾‍♀️'
            - '🧎🏾'
            - '🧎🏾‍♂️'
            - '🏃🏾‍♀️'
            - '🏃🏾'
            - '🏃🏾‍♂️'
            - '🧍🏾‍♀️'
            - '🧍🏾'
            - '🧍🏾‍♂️'
            - '👭🏾'
            - '🧑🏾‍🤝‍🧑🏾'
            - '👬🏾'
            - '👫🏾'
            - '🧗🏾‍♀️'
            - '🧗🏾'
            - '🧗🏾‍♂️'
            - '🏇🏾'
            - '🏂🏾'
            - '🏌🏾‍♀️'
            - '🏌🏾'
            - '🏌🏾‍♂️'
            - '🏄🏾‍♀️'
            - '🏄🏾'
            - '🏄🏾‍♂️'
            - '🚣🏾‍♀️'
            - '🚣🏾'
            - '🚣🏾‍♂️'
            - '🏊🏾‍♀️'
            - '🏊🏾'
            - '🏊🏾‍♂️'
            - '⛹🏾‍♀️'
            - '⛹🏾'
            - '⛹🏾‍♂️'
            - '🏋🏾‍♀️'
            - '🏋🏾'
            - '🏋🏾‍♂️'
            - '🚴🏾‍♀️'
            - '🚴🏾'
            - '🚴🏾‍♂️'
            - '🚵🏾‍♀️'
            - '🚵🏾'
            - '🚵🏾‍♂️'
            - '🤸🏾‍♀️'
            - '🤸🏾'
            - '🤸🏾‍♂️'
            - '🤽🏾‍♀️'
            - '🤽🏾'
            - '🤽🏾‍♂️'
            - '🤾🏾‍♀️'
            - '🤾🏾'
            - '🤾🏾‍♂️'
            - '🤹🏾‍♀️'
            - '🤹🏾'
            - '🤹🏾‍♂️'
            - '🧘🏾‍♀️'
            - '🧘🏾'
            - '🧘🏾‍♂️'
            - '🛀🏾'
            - '🛌🏾'
            - '👋🏿'
            - '🤚🏿'
            - '🖐🏿'
            - '✋🏿'
            - '🖖🏿'
            - '👌🏿'
            - '🤌🏿'
            - '🤏🏿'
            - '✌🏿'
            - '🤞🏿'
            - '🫰🏿'
            - '🤟🏿'
            - '🤘🏿'
            - '🤙🏿'
            - '🫵🏿'
            - '🫱🏿'
            - '🫲🏿'
            - '🫳🏿'
            - '🫴🏿'
            - '👈🏿'
            - '👉🏿'
            - '👆🏿'
            - '🖕🏿'
            - '👇🏿'
            - '☝🏿'
            - '👍🏿'
            - '👎🏿'
            - '✊🏿'
            - '👊🏿'
            - '🤛🏿'
            - '🤜🏿'
            - '👏🏿'
            - '🫶🏿'
            - '🙌🏿'
            - '👐🏿'
            - '🤲🏿'
            - '🙏🏿'
            - '✍🏿'
            - '🤳🏿'
            - '💪🏿'
            - '🦵🏿'
            - '🦶🏿'
            - '👂🏿'
            - '🦻🏿'
            - '👃🏿'
            - '👶🏿'
            - '👧🏿'
            - '🧒🏿'
            - '👦🏿'
            - '👩🏿'
            - '🧑🏿'
            - '👨🏿'
            - '👩🏿‍🦱'
            - '🧑🏿‍🦱'
            - '👨🏿‍🦱'
            - '👩🏿‍🦰'
            - '🧑🏿‍🦰'
            - '👨🏿‍🦰'
            - '👱🏿‍♀️'
            - '👱🏿'
            - '👱🏿‍♂️'
            - '👩🏿‍🦳'
            - '🧑🏿‍🦳'
            - '👨🏿‍🦳'
            - '👩🏿‍🦲'
            - '🧑🏿‍🦲'
            - '👨🏿‍🦲'
            - '🧔🏿‍♀️'
            - '🧔🏿'
            - '🧔🏿‍♂️'
            - '👵🏿'
            - '🧓🏿'
            - '👴🏿'
            - '👲🏿'
            - '👳🏿‍♀️'
            - '👳🏿'
            - '👳🏿‍♂️'
            - '🧕🏿'
            - '👮🏿‍♀️'
            - '👮🏿'
            - '👮🏿‍♂️'
            - '👷🏿‍♀️'
            - '👷🏿'
            - '👷🏿‍♂️'
            - '💂🏿‍♀️'
            - '💂🏿'
            - '💂🏿‍♂️'
            - '🕵🏿‍♀️'
            - '🕵🏿'
            - '🕵🏿‍♂️'
            - '👩🏿‍⚕️'
            - '🧑🏿‍⚕️'
            - '👨🏿‍⚕️'
            - '👩🏿‍🌾'
            - '🧑🏿‍🌾'
            - '👨🏿‍🌾'
            - '👩🏿‍🍳'
            - '🧑🏿‍🍳'
            - '👨🏿‍🍳'
            - '👩🏿‍🎓'
            - '🧑🏿‍🎓'
            - '👨🏿‍🎓'
            - '👩🏿‍🎤'
            - '🧑🏿‍🎤'
            - '👨🏿‍🎤'
            - '👩🏿‍🏫'
            - '🧑🏿‍🏫'
            - '👨🏿‍🏫'
            - '👩🏿‍🏭'
            - '🧑🏿‍🏭'
            - '👨🏿‍🏭'
            - '👩🏿‍💻'
            - '🧑🏿‍💻'
            - '👨🏿‍💻'
            - '👩🏿‍💼'
            - '🧑🏿‍💼'
            - '👨🏿‍💼'
            - '👩🏿‍🔧'
            - '🧑🏿‍🔧'
            - '👨🏿‍🔧'
            - '👩🏿‍🔬'
            - '🧑🏿‍🔬'
            - '👨🏿‍🔬'
            - '👩🏿‍🎨'
            - '🧑🏿‍🎨'
            - '👨🏿‍🎨'
            - '👩🏿‍🚒'
            - '🧑🏿‍🚒'
            - '👨🏿‍🚒'
            - '👩🏿‍✈️'
            - '🧑🏿‍✈️'
            - '👨🏿‍✈️'
            - '👩🏿‍🚀'
            - '🧑🏿‍🚀'
            - '👨🏿‍🚀'
            - '👩🏿‍⚖️'
            - '🧑🏿‍⚖️'
            - '👨🏿‍⚖️'
            - '👰🏿‍♀️'
            - '👰🏿'
            - '👰🏿‍♂️'
            - '🤵🏿‍♀️'
            - '🤵🏿'
            - '🤵🏿‍♂️'
            - '👸🏿'
            - '🫅🏿'
            - '🤴🏿'
            - '🥷🏿'
            - '🦸🏿‍♀️'
            - '🦸🏿'
            - '🦸🏿‍♂️'
            - '🦹🏿‍♀️'
            - '🦹🏿'
            - '🦹🏿‍♂️'
            - '🤶🏿'
            - '🧑🏿‍🎄'
            - '🎅🏿'
            - '🧙🏿‍♀️'
            - '🧙🏿'
            - '🧙🏿‍♂️'
            - '🧝🏿‍♀️'
            - '🧝🏿'
            - '🧝🏿‍♂️'
            - '🧛🏿‍♀️'
            - '🧛🏿'
            - '🧛🏿‍♂️'
            - '🧜🏿‍♀️'
            - '🧜🏿'
            - '🧜🏿‍♂️'
            - '🧚🏿‍♀️'
            - '🧚🏿'
            - '🧚🏿‍♂️'
            - '👼🏿'
            - '🤰🏿'
            - '🫄🏿'
            - '🫃🏿'
            - '🤱🏿'
            - '👩🏿‍🍼'
            - '🧑🏿‍🍼'
            - '👨🏿‍🍼'
            - '🙇🏿‍♀️'
            - '🙇🏿'
            - '🙇🏿‍♂️'
            - '💁🏿‍♀️'
            - '💁🏿'
            - '💁🏿‍♂️'
            - '🙅🏿‍♀️'
            - '🙅🏿'
            - '🙅🏿‍♂️'
            - '🙆🏿‍♀️'
            - '🙆🏿'
            - '🙆🏿‍♂️'
            - '🙋🏿‍♀️'
            - '🙋🏿'
            - '🙋🏿‍♂️'
            - '🧏🏿‍♀️'
            - '🧏🏿'
            - '🧏🏿‍♂️'
            - '🤦🏿‍♀️'
            - '🤦🏿'
            - '🤦🏿‍♂️'
            - '🤷🏿‍♀️'
            - '🤷🏿'
            - '🤷🏿‍♂️'
            - '🙎🏿‍♀️'
            - '🙎🏿'
            - '🙎🏿‍♂️'
            - '🙍🏿‍♀️'
            - '🙍🏿'
            - '🙍🏿‍♂️'
            - '💇🏿‍♀️'
            - '💇🏿'
            - '💇🏿‍♂️'
            - '💆🏿‍♀️'
            - '💆🏿'
            - '💆🏿‍♂️'
            - '🧖🏿‍♀️'
            - '🧖🏿'
            - '🧖🏿‍♂️'
            - '💃🏿'
            - '🕺🏿'
            - '🕴🏿'
            - '👩🏿‍🦽'
            - '🧑🏿‍🦽'
            - '👨🏿‍🦽'
            - '👩🏿‍🦼'
            - '🧑🏿‍🦼'
            - '👨🏿‍🦼'
            - '🚶🏿‍♀️'
            - '🚶🏿'
            - '🚶🏿‍♂️'
            - '👩🏿‍🦯'
            - '🧑🏿‍🦯'
            - '👨🏿‍🦯'
            - '🧎🏿‍♀️'
            - '🧎🏿'
            - '🧎🏿‍♂️'
            - '🏃🏿‍♀️'
            - '🏃🏿'
            - '🏃🏿‍♂️'
            - '🧍🏿‍♀️'
            - '🧍🏿'
            - '🧍🏿‍♂️'
            - '👭🏿'
            - '🧑🏿‍🤝‍🧑🏿'
            - '👬🏿'
            - '👫🏿'
            - '🧗🏿‍♀️'
            - '🧗🏿'
            - '🧗🏿‍♂️'
            - '🏇🏿'
            - '🏂🏿'
            - '🏌🏿‍♀️'
            - '🏌🏿'
            - '🏌🏿‍♂️'
            - '🏄🏿‍♀️'
            - '🏄🏿'
            - '🏄🏿‍♂️'
            - '🚣🏿‍♀️'
            - '🚣🏿'
            - '🚣🏿‍♂️'
            - '🏊🏿‍♀️'
            - '🏊🏿'
            - '🏊🏿‍♂️'
            - '⛹🏿‍♀️'
            - '⛹🏿'
            - '⛹🏿‍♂️'
            - '🏋🏿‍♀️'
            - '🏋🏿'
            - '🏋🏿‍♂️'
            - '🚴🏿‍♀️'
            - '🚴🏿'
            - '🚴🏿‍♂️'
            - '🚵🏿‍♀️'
            - '🚵🏿'
            - '🚵🏿‍♂️'
            - '🤸🏿‍♀️'
            - '🤸🏿'
            - '🤸🏿‍♂️'
            - '🤽🏿‍♀️'
            - '🤽🏿'
            - '🤽🏿‍♂️'
            - '🤾🏿‍♀️'
            - '🤾🏿'
            - '🤾🏿‍♂️'
            - '🤹🏿‍♀️'
            - '🤹🏿'
            - '🤹🏿‍♂️'
            - '🧘🏿‍♀️'
            - '🧘🏿'
            - '🧘🏿‍♂️'
            - '🛀🏿'
            - '🛌🏿'
            - '🐶'
            - '🐱'
            - '🐭'
            - '🐹'
            - '🐰'
            - '🦊'
            - '🐻'
            - '🐼'
            - '🐻‍❄️'
            - '🐨'
            - '🐯'
            - '🦁'
            - '🐮'
            - '🐷'
            - '🐽'
            - '🐸'
            - '🐵'
            - '🙈'
            - '🙉'
            - '🙊'
            - '🐒'
            - '🐔'
            - '🐧'
            - '🐦'
            - '🐤'
            - '🐣'
            - '🐥'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

status test author @Kostastsale, TheDFIRReport id f9578658-9e71-4711-b634-3f9b50cd3c06

panther query

def rule(event):
    if any(
        [
            "🦆" in event.deep_get("CommandLine", default=""),
            "🦅" in event.deep_get("CommandLine", default=""),
            "🦉" in event.deep_get("CommandLine", default=""),
            "🦇" in event.deep_get("CommandLine", default=""),
            "🐺" in event.deep_get("CommandLine", default=""),
            "🐗" in event.deep_get("CommandLine", default=""),
            "🐴" in event.deep_get("CommandLine", default=""),
            "🦄" in event.deep_get("CommandLine", default=""),
            "🐝" in event.deep_get("CommandLine", default=""),
            "🪱" in event.deep_get("CommandLine", default=""),
            "🐛" in event.deep_get("CommandLine", default=""),
            "🦋" in event.deep_get("CommandLine", default=""),
            "🐌" in event.deep_get("CommandLine", default=""),
            "🐞" in event.deep_get("CommandLine", default=""),
            "🐜" in event.deep_get("CommandLine", default=""),
            "🪰" in event.deep_get("CommandLine", default=""),
            "🪲" in event.deep_get("CommandLine", default=""),
            "🪳" in event.deep_get("CommandLine", default=""),
            "🦟" in event.deep_get("CommandLine", default=""),
            "🦗" in event.deep_get("CommandLine", default=""),
            "🕷" in event.deep_get("CommandLine", default=""),
            "🕸" in event.deep_get("CommandLine", default=""),
            "🦂" in event.deep_get("CommandLine", default=""),
            "🐢" in event.deep_get("CommandLine", default=""),
            "🐍" in event.deep_get("CommandLine", default=""),
            "🦎" in event.deep_get("CommandLine", default=""),
            "🦖" in event.deep_get("CommandLine", default=""),
            "🦕" in event.deep_get("CommandLine", default=""),
            "🐙" in event.deep_get("CommandLine", default=""),
            "🦑" in event.deep_get("CommandLine", default=""),
            "🦐" in event.deep_get("CommandLine", default=""),
            "🦞" in event.deep_get("CommandLine", default=""),
            "🦀" in event.deep_get("CommandLine", default=""),
            "🪸" in event.deep_get("CommandLine", default=""),
            "🐡" in event.deep_get("CommandLine", default=""),
            "🐠" in event.deep_get("CommandLine", default=""),
            "🐟" in event.deep_get("CommandLine", default=""),
            "🐬" in event.deep_get("CommandLine", default=""),
            "🐳" in event.deep_get("CommandLine", default=""),
            "🐋" in event.deep_get("CommandLine", default=""),
            "🦈" in event.deep_get("CommandLine", default=""),
            "🐊" in event.deep_get("CommandLine", default=""),
            "🐅" in event.deep_get("CommandLine", default=""),
            "🐆" in event.deep_get("CommandLine", default=""),
            "🦓" in event.deep_get("CommandLine", default=""),
            "🦍" in event.deep_get("CommandLine", default=""),
            "🦧" in event.deep_get("CommandLine", default=""),
            "🦣" in event.deep_get("CommandLine", default=""),
            "🐘" in event.deep_get("CommandLine", default=""),
            "🦛" in event.deep_get("CommandLine", default=""),
            "🦏" in event.deep_get("CommandLine", default=""),
            "🐪" in event.deep_get("CommandLine", default=""),
            "🐫" in event.deep_get("CommandLine", default=""),
            "🦒" in event.deep_get("CommandLine", default=""),
            "🦘" in event.deep_get("CommandLine", default=""),
            "🦬" in event.deep_get("CommandLine", default=""),
            "🐃" in event.deep_get("CommandLine", default=""),
            "🐂" in event.deep_get("CommandLine", default=""),
            "🐄" in event.deep_get("CommandLine", default=""),
            "🐎" in event.deep_get("CommandLine", default=""),
            "🐖" in event.deep_get("CommandLine", default=""),
            "🐏" in event.deep_get("CommandLine", default=""),
            "🐑" in event.deep_get("CommandLine", default=""),
            "🦙" in event.deep_get("CommandLine", default=""),
            "🐐" in event.deep_get("CommandLine", default=""),
            "🦌" in event.deep_get("CommandLine", default=""),
            "🐕" in event.deep_get("CommandLine", default=""),
            "🐩" in event.deep_get("CommandLine", default=""),
            "🦮" in event.deep_get("CommandLine", default=""),
            "🐕‍🦺" in event.deep_get("CommandLine", default=""),
            "🐈" in event.deep_get("CommandLine", default=""),
            "🐈‍⬛" in event.deep_get("CommandLine", default=""),
            "🪶" in event.deep_get("CommandLine", default=""),
            "🐓" in event.deep_get("CommandLine", default=""),
            "🦃" in event.deep_get("CommandLine", default=""),
            "🦤" in event.deep_get("CommandLine", default=""),
            "🦚" in event.deep_get("CommandLine", default=""),
            "🦜" in event.deep_get("CommandLine", default=""),
            "🦢" in event.deep_get("CommandLine", default=""),
            "🦩" in event.deep_get("CommandLine", default=""),
            "🕊" in event.deep_get("CommandLine", default=""),
            "🐇" in event.deep_get("CommandLine", default=""),
            "🦝" in event.deep_get("CommandLine", default=""),
            "🦨" in event.deep_get("CommandLine", default=""),
            "🦡" in event.deep_get("CommandLine", default=""),
            "🦫" in event.deep_get("CommandLine", default=""),
            "🦦" in event.deep_get("CommandLine", default=""),
            "🦥" in event.deep_get("CommandLine", default=""),
            "🐁" in event.deep_get("CommandLine", default=""),
            "🐀" in event.deep_get("CommandLine", default=""),
            "🐿" in event.deep_get("CommandLine", default=""),
            "🦔" in event.deep_get("CommandLine", default=""),
            "🐾" in event.deep_get("CommandLine", default=""),
            "🐉" in event.deep_get("CommandLine", default=""),
            "🐲" in event.deep_get("CommandLine", default=""),
            "🌵" in event.deep_get("CommandLine", default=""),
            "🎄" in event.deep_get("CommandLine", default=""),
            "🌲" in event.deep_get("CommandLine", default=""),
            "🌳" in event.deep_get("CommandLine", default=""),
            "🌴" in event.deep_get("CommandLine", default=""),
            "🪹" in event.deep_get("CommandLine", default=""),
            "🪺" in event.deep_get("CommandLine", default=""),
            "🪵" in event.deep_get("CommandLine", default=""),
            "🌱" in event.deep_get("CommandLine", default=""),
            "🌿" in event.deep_get("CommandLine", default=""),
            "☘️" in event.deep_get("CommandLine", default=""),
            "🍀" in event.deep_get("CommandLine", default=""),
            "🎍" in event.deep_get("CommandLine", default=""),
            "🪴" in event.deep_get("CommandLine", default=""),
            "🎋" in event.deep_get("CommandLine", default=""),
            "🍃" in event.deep_get("CommandLine", default=""),
            "🍂" in event.deep_get("CommandLine", default=""),
            "🍁" in event.deep_get("CommandLine", default=""),
            "🍄" in event.deep_get("CommandLine", default=""),
            "🐚" in event.deep_get("CommandLine", default=""),
            "🪨" in event.deep_get("CommandLine", default=""),
            "🌾" in event.deep_get("CommandLine", default=""),
            "💐" in event.deep_get("CommandLine", default=""),
            "🌷" in event.deep_get("CommandLine", default=""),
            "🪷" in event.deep_get("CommandLine", default=""),
            "🌹" in event.deep_get("CommandLine", default=""),
            "🥀" in event.deep_get("CommandLine", default=""),
            "🌺" in event.deep_get("CommandLine", default=""),
            "🌸" in event.deep_get("CommandLine", default=""),
            "🌼" in event.deep_get("CommandLine", default=""),
            "🌻" in event.deep_get("CommandLine", default=""),
            "🌞" in event.deep_get("CommandLine", default=""),
            "🌝" in event.deep_get("CommandLine", default=""),
            "🌛" in event.deep_get("CommandLine", default=""),
            "🌜" in event.deep_get("CommandLine", default=""),
            "🌚" in event.deep_get("CommandLine", default=""),
            "🌕" in event.deep_get("CommandLine", default=""),
            "🌖" in event.deep_get("CommandLine", default=""),
            "🌗" in event.deep_get("CommandLine", default=""),
            "🌘" in event.deep_get("CommandLine", default=""),
            "🌑" in event.deep_get("CommandLine", default=""),
            "🌒" in event.deep_get("CommandLine", default=""),
            "🌓" in event.deep_get("CommandLine", default=""),
            "🌔" in event.deep_get("CommandLine", default=""),
            "🌙" in event.deep_get("CommandLine", default=""),
            "🌎" in event.deep_get("CommandLine", default=""),
            "🌍" in event.deep_get("CommandLine", default=""),
            "🌏" in event.deep_get("CommandLine", default=""),
            "🪐" in event.deep_get("CommandLine", default=""),
            "💫" in event.deep_get("CommandLine", default=""),
            "⭐️" in event.deep_get("CommandLine", default=""),
            "🌟" in event.deep_get("CommandLine", default=""),
            "✨" in event.deep_get("CommandLine", default=""),
            "⚡️" in event.deep_get("CommandLine", default=""),
            "☄️" in event.deep_get("CommandLine", default=""),
            "💥" in event.deep_get("CommandLine", default=""),
            "🔥" in event.deep_get("CommandLine", default=""),
            "🌪" in event.deep_get("CommandLine", default=""),
            "🌈" in event.deep_get("CommandLine", default=""),
            "☀️" in event.deep_get("CommandLine", default=""),
            "🌤" in event.deep_get("CommandLine", default=""),
            "⛅️" in event.deep_get("CommandLine", default=""),
            "🌥" in event.deep_get("CommandLine", default=""),
            "☁️" in event.deep_get("CommandLine", default=""),
            "🌦" in event.deep_get("CommandLine", default=""),
            "🌧" in event.deep_get("CommandLine", default=""),
            "⛈" in event.deep_get("CommandLine", default=""),
            "🌩" in event.deep_get("CommandLine", default=""),
            "🌨" in event.deep_get("CommandLine", default=""),
            "❄️" in event.deep_get("CommandLine", default=""),
            "☃️" in event.deep_get("CommandLine", default=""),
            "⛄️" in event.deep_get("CommandLine", default=""),
            "🌬" in event.deep_get("CommandLine", default=""),
            "💨" in event.deep_get("CommandLine", default=""),
            "💧" in event.deep_get("CommandLine", default=""),
            "💦" in event.deep_get("CommandLine", default=""),
            "🫧" in event.deep_get("CommandLine", default=""),
            "☔️" in event.deep_get("CommandLine", default=""),
            "☂️" in event.deep_get("CommandLine", default=""),
            "🌊" in event.deep_get("CommandLine", default=""),
            "🌫🍏" in event.deep_get("CommandLine", default=""),
            "🍎" in event.deep_get("CommandLine", default=""),
            "🍐" in event.deep_get("CommandLine", default=""),
            "🍊" in event.deep_get("CommandLine", default=""),
            "🍋" in event.deep_get("CommandLine", default=""),
            "🍌" in event.deep_get("CommandLine", default=""),
            "🍉" in event.deep_get("CommandLine", default=""),
            "🍇" in event.deep_get("CommandLine", default=""),
            "🍓" in event.deep_get("CommandLine", default=""),
            "🫐" in event.deep_get("CommandLine", default=""),
            "🍈" in event.deep_get("CommandLine", default=""),
            "🍒" in event.deep_get("CommandLine", default=""),
            "🍑" in event.deep_get("CommandLine", default=""),
            "🥭" in event.deep_get("CommandLine", default=""),
            "🍍" in event.deep_get("CommandLine", default=""),
            "🥥" in event.deep_get("CommandLine", default=""),
            "🥝" in event.deep_get("CommandLine", default=""),
            "🍅" in event.deep_get("CommandLine", default=""),
            "🍆" in event.deep_get("CommandLine", default=""),
            "🥑" in event.deep_get("CommandLine", default=""),
            "🥦" in event.deep_get("CommandLine", default=""),
            "🥬" in event.deep_get("CommandLine", default=""),
            "🥒" in event.deep_get("CommandLine", default=""),
            "🌶" in event.deep_get("CommandLine", default=""),
            "🫑" in event.deep_get("CommandLine", default=""),
            "🌽" in event.deep_get("CommandLine", default=""),
            "🥕" in event.deep_get("CommandLine", default=""),
            "🫒" in event.deep_get("CommandLine", default=""),
            "🧄" in event.deep_get("CommandLine", default=""),
            "🧅" in event.deep_get("CommandLine", default=""),
            "🥔" in event.deep_get("CommandLine", default=""),
            "🍠" in event.deep_get("CommandLine", default=""),
            "🫘" in event.deep_get("CommandLine", default=""),
            "🥐" in event.deep_get("CommandLine", default=""),
            "🥯" in event.deep_get("CommandLine", default=""),
            "🍞" in event.deep_get("CommandLine", default=""),
            "🥖" in event.deep_get("CommandLine", default=""),
            "🥨" in event.deep_get("CommandLine", default=""),
            "🧀" in event.deep_get("CommandLine", default=""),
            "🥚" in event.deep_get("CommandLine", default=""),
            "🍳" in event.deep_get("CommandLine", default=""),
            "🧈" in event.deep_get("CommandLine", default=""),
            "🥞" in event.deep_get("CommandLine", default=""),
            "🧇" in event.deep_get("CommandLine", default=""),
            "🥓" in event.deep_get("CommandLine", default=""),
            "🥩" in event.deep_get("CommandLine", default=""),
            "🍗" in event.deep_get("CommandLine", default=""),
            "🍖" in event.deep_get("CommandLine", default=""),
            "🦴" in event.deep_get("CommandLine", default=""),
            "🌭" in event.deep_get("CommandLine", default=""),
            "🍔" in event.deep_get("CommandLine", default=""),
            "🍟" in event.deep_get("CommandLine", default=""),
            "🍕" in event.deep_get("CommandLine", default=""),
            "🫓" in event.deep_get("CommandLine", default=""),
            "🥪" in event.deep_get("CommandLine", default=""),
            "🥙" in event.deep_get("CommandLine", default=""),
            "🧆" in event.deep_get("CommandLine", default=""),
            "🌮" in event.deep_get("CommandLine", default=""),
            "🌯" in event.deep_get("CommandLine", default=""),
            "🫔" in event.deep_get("CommandLine", default=""),
            "🥗" in event.deep_get("CommandLine", default=""),
            "🥘" in event.deep_get("CommandLine", default=""),
            "🫕" in event.deep_get("CommandLine", default=""),
            "🥫" in event.deep_get("CommandLine", default=""),
            "🍝" in event.deep_get("CommandLine", default=""),
            "🍜" in event.deep_get("CommandLine", default=""),
            "🍲" in event.deep_get("CommandLine", default=""),
            "🍛" in event.deep_get("CommandLine", default=""),
            "🍣" in event.deep_get("CommandLine", default=""),
            "🍱" in event.deep_get("CommandLine", default=""),
            "🥟" in event.deep_get("CommandLine", default=""),
            "🦪" in event.deep_get("CommandLine", default=""),
            "🍤" in event.deep_get("CommandLine", default=""),
            "🍙" in event.deep_get("CommandLine", default=""),
            "🍚" in event.deep_get("CommandLine", default=""),
            "🍘" in event.deep_get("CommandLine", default=""),
            "🍥" in event.deep_get("CommandLine", default=""),
            "🥠" in event.deep_get("CommandLine", default=""),
            "🥮" in event.deep_get("CommandLine", default=""),
            "🍢" in event.deep_get("CommandLine", default=""),
            "🍡" in event.deep_get("CommandLine", default=""),
            "🍧" in event.deep_get("CommandLine", default=""),
            "🍨" in event.deep_get("CommandLine", default=""),
            "🍦" in event.deep_get("CommandLine", default=""),
            "🥧" in event.deep_get("CommandLine", default=""),
            "🧁" in event.deep_get("CommandLine", default=""),
            "🍰" in event.deep_get("CommandLine", default=""),
            "🎂" in event.deep_get("CommandLine", default=""),
            "🍮" in event.deep_get("CommandLine", default=""),
            "🍭" in event.deep_get("CommandLine", default=""),
            "🍬" in event.deep_get("CommandLine", default=""),
            "🍫" in event.deep_get("CommandLine", default=""),
            "🍿" in event.deep_get("CommandLine", default=""),
            "🍩" in event.deep_get("CommandLine", default=""),
            "🍪" in event.deep_get("CommandLine", default=""),
            "🌰" in event.deep_get("CommandLine", default=""),
            "🥜" in event.deep_get("CommandLine", default=""),
            "🍯" in event.deep_get("CommandLine", default=""),
            "🥛" in event.deep_get("CommandLine", default=""),
            "🍼" in event.deep_get("CommandLine", default=""),
            "🫖" in event.deep_get("CommandLine", default=""),
            "☕️" in event.deep_get("CommandLine", default=""),
            "🍵" in event.deep_get("CommandLine", default=""),
            "🧃" in event.deep_get("CommandLine", default=""),
            "🥤" in event.deep_get("CommandLine", default=""),
            "🧋" in event.deep_get("CommandLine", default=""),
            "🫙" in event.deep_get("CommandLine", default=""),
            "🍶" in event.deep_get("CommandLine", default=""),
            "🍺" in event.deep_get("CommandLine", default=""),
            "🍻" in event.deep_get("CommandLine", default=""),
            "🥂" in event.deep_get("CommandLine", default=""),
            "🍷" in event.deep_get("CommandLine", default=""),
            "🫗" in event.deep_get("CommandLine", default=""),
            "🥃" in event.deep_get("CommandLine", default=""),
            "🍸" in event.deep_get("CommandLine", default=""),
            "🍹" in event.deep_get("CommandLine", default=""),
            "🧉" in event.deep_get("CommandLine", default=""),
            "🍾" in event.deep_get("CommandLine", default=""),
            "🧊" in event.deep_get("CommandLine", default=""),
            "🥄" in event.deep_get("CommandLine", default=""),
            "🍴" in event.deep_get("CommandLine", default=""),
            "🍽" in event.deep_get("CommandLine", default=""),
            "🥣" in event.deep_get("CommandLine", default=""),
            "🥡" in event.deep_get("CommandLine", default=""),
            "🥢" in event.deep_get("CommandLine", default=""),
            "🧂" in event.deep_get("CommandLine", default=""),
            "⚽️" in event.deep_get("CommandLine", default=""),
            "🏀" in event.deep_get("CommandLine", default=""),
            "🏈" in event.deep_get("CommandLine", default=""),
            "⚾️" in event.deep_get("CommandLine", default=""),
            "🥎" in event.deep_get("CommandLine", default=""),
            "🎾" in event.deep_get("CommandLine", default=""),
            "🏐" in event.deep_get("CommandLine", default=""),
            "🏉" in event.deep_get("CommandLine", default=""),
            "🥏" in event.deep_get("CommandLine", default=""),
            "🎱" in event.deep_get("CommandLine", default=""),
            "🪀" in event.deep_get("CommandLine", default=""),
            "🏓" in event.deep_get("CommandLine", default=""),
            "🏸" in event.deep_get("CommandLine", default=""),
            "🏒" in event.deep_get("CommandLine", default=""),
            "🏑" in event.deep_get("CommandLine", default=""),
            "🥍" in event.deep_get("CommandLine", default=""),
            "🏏" in event.deep_get("CommandLine", default=""),
            "🪃" in event.deep_get("CommandLine", default=""),
            "🥅" in event.deep_get("CommandLine", default=""),
            "⛳️" in event.deep_get("CommandLine", default=""),
            "🪁" in event.deep_get("CommandLine", default=""),
            "🏹" in event.deep_get("CommandLine", default=""),
            "🎣" in event.deep_get("CommandLine", default=""),
            "🤿" in event.deep_get("CommandLine", default=""),
            "🥊" in event.deep_get("CommandLine", default=""),
            "🥋" in event.deep_get("CommandLine", default=""),
            "🎽" in event.deep_get("CommandLine", default=""),
            "🛹" in event.deep_get("CommandLine", default=""),
            "🛼" in event.deep_get("CommandLine", default=""),
            "🛷" in event.deep_get("CommandLine", default=""),
            "⛸" in event.deep_get("CommandLine", default=""),
            "🥌" in event.deep_get("CommandLine", default=""),
            "🎿" in event.deep_get("CommandLine", default=""),
            "⛷" in event.deep_get("CommandLine", default=""),
            "🏂" in event.deep_get("CommandLine", default=""),
            "🪂" in event.deep_get("CommandLine", default=""),
            "🏋️‍♀️" in event.deep_get("CommandLine", default=""),
            "🏋️" in event.deep_get("CommandLine", default=""),
            "🏋️‍♂️" in event.deep_get("CommandLine", default=""),
            "🤼‍♀️" in event.deep_get("CommandLine", default=""),
            "🤼" in event.deep_get("CommandLine", default=""),
            "🤼‍♂️" in event.deep_get("CommandLine", default=""),
            "🤸‍♀️" in event.deep_get("CommandLine", default=""),
            "🤸" in event.deep_get("CommandLine", default=""),
            "🤸‍♂️" in event.deep_get("CommandLine", default=""),
            "⛹️‍♀️" in event.deep_get("CommandLine", default=""),
            "⛹️" in event.deep_get("CommandLine", default=""),
            "⛹️‍♂️" in event.deep_get("CommandLine", default=""),
            "🤺" in event.deep_get("CommandLine", default=""),
            "🤾‍♀️" in event.deep_get("CommandLine", default=""),
            "🤾" in event.deep_get("CommandLine", default=""),
            "🤾‍♂️" in event.deep_get("CommandLine", default=""),
            "🏌️‍♀️" in event.deep_get("CommandLine", default=""),
            "🏌️" in event.deep_get("CommandLine", default=""),
            "🏌️‍♂️" in event.deep_get("CommandLine", default=""),
            "🏇" in event.deep_get("CommandLine", default=""),
            "🧘‍♀️" in event.deep_get("CommandLine", default=""),
            "🧘" in event.deep_get("CommandLine", default=""),
            "🧘‍♂️" in event.deep_get("CommandLine", default=""),
            "🏄‍♀️" in event.deep_get("CommandLine", default=""),
            "🏄" in event.deep_get("CommandLine", default=""),
            "🏄‍♂️" in event.deep_get("CommandLine", default=""),
            "🏊‍♀️" in event.deep_get("CommandLine", default=""),
            "🏊" in event.deep_get("CommandLine", default=""),
            "🏊‍♂️" in event.deep_get("CommandLine", default=""),
            "🤽‍♀️" in event.deep_get("CommandLine", default=""),
            "🤽" in event.deep_get("CommandLine", default=""),
            "🤽‍♂️" in event.deep_get("CommandLine", default=""),
            "🚣‍♀️" in event.deep_get("CommandLine", default=""),
            "🚣" in event.deep_get("CommandLine", default=""),
            "🚣‍♂️" in event.deep_get("CommandLine", default=""),
            "🧗‍♀️" in event.deep_get("CommandLine", default=""),
            "🧗" in event.deep_get("CommandLine", default=""),
            "🧗‍♂️" in event.deep_get("CommandLine", default=""),
            "🚵‍♀️" in event.deep_get("CommandLine", default=""),
            "🚵" in event.deep_get("CommandLine", default=""),
            "🚵‍♂️" in event.deep_get("CommandLine", default=""),
            "🚴‍♀️" in event.deep_get("CommandLine", default=""),
            "🚴" in event.deep_get("CommandLine", default=""),
            "🚴‍♂️" in event.deep_get("CommandLine", default=""),
            "🏆" in event.deep_get("CommandLine", default=""),
            "🥇" in event.deep_get("CommandLine", default=""),
            "🥈" in event.deep_get("CommandLine", default=""),
            "🥉" in event.deep_get("CommandLine", default=""),
            "🏅" in event.deep_get("CommandLine", default=""),
            "🎖" in event.deep_get("CommandLine", default=""),
            "🏵" in event.deep_get("CommandLine", default=""),
            "🎗" in event.deep_get("CommandLine", default=""),
            "🎫" in event.deep_get("CommandLine", default=""),
            "🎟" in event.deep_get("CommandLine", default=""),
            "🎪" in event.deep_get("CommandLine", default=""),
            "🤹" in event.deep_get("CommandLine", default=""),
            "🤹‍♂️" in event.deep_get("CommandLine", default=""),
            "🤹‍♀️" in event.deep_get("CommandLine", default=""),
            "🎭" in event.deep_get("CommandLine", default=""),
            "🩰" in event.deep_get("CommandLine", default=""),
            "🎨" in event.deep_get("CommandLine", default=""),
            "🎬" in event.deep_get("CommandLine", default=""),
            "🎤" in event.deep_get("CommandLine", default=""),
            "🎧" in event.deep_get("CommandLine", default=""),
            "🎼" in event.deep_get("CommandLine", default=""),
            "🎹" in event.deep_get("CommandLine", default=""),
            "🥁" in event.deep_get("CommandLine", default=""),
            "🪘" in event.deep_get("CommandLine", default=""),
            "🎷" in event.deep_get("CommandLine", default=""),
            "🎺" in event.deep_get("CommandLine", default=""),
            "🪗" in event.deep_get("CommandLine", default=""),
            "🎸" in event.deep_get("CommandLine", default=""),
            "🪕" in event.deep_get("CommandLine", default=""),
            "🎻" in event.deep_get("CommandLine", default=""),
            "🎲" in event.deep_get("CommandLine", default=""),
            "♟" in event.deep_get("CommandLine", default=""),
            "🎯" in event.deep_get("CommandLine", default=""),
            "🎳" in event.deep_get("CommandLine", default=""),
            "🎮" in event.deep_get("CommandLine", default=""),
            "🎰" in event.deep_get("CommandLine", default=""),
            "🧩" in event.deep_get("CommandLine", default=""),
            "🚗" in event.deep_get("CommandLine", default=""),
            "🚕" in event.deep_get("CommandLine", default=""),
            "🚙" in event.deep_get("CommandLine", default=""),
            "🚌" in event.deep_get("CommandLine", default=""),
            "🚎" in event.deep_get("CommandLine", default=""),
            "🏎" in event.deep_get("CommandLine", default=""),
            "🚓" in event.deep_get("CommandLine", default=""),
            "🚑" in event.deep_get("CommandLine", default=""),
            "🚒" in event.deep_get("CommandLine", default=""),
            "🚐" in event.deep_get("CommandLine", default=""),
            "🛻" in event.deep_get("CommandLine", default=""),
            "🚚" in event.deep_get("CommandLine", default=""),
            "🚛" in event.deep_get("CommandLine", default=""),
            "🚜" in event.deep_get("CommandLine", default=""),
            "🦯" in event.deep_get("CommandLine", default=""),
            "🦽" in event.deep_get("CommandLine", default=""),
            "🦼" in event.deep_get("CommandLine", default=""),
            "🛴" in event.deep_get("CommandLine", default=""),
            "🚲" in event.deep_get("CommandLine", default=""),
            "🛵" in event.deep_get("CommandLine", default=""),
            "🏍" in event.deep_get("CommandLine", default=""),
            "🛺" in event.deep_get("CommandLine", default=""),
            "🚨" in event.deep_get("CommandLine", default=""),
            "🚔" in event.deep_get("CommandLine", default=""),
            "🚍" in event.deep_get("CommandLine", default=""),
            "🚘" in event.deep_get("CommandLine", default=""),
            "🚖" in event.deep_get("CommandLine", default=""),
            "🛞" in event.deep_get("CommandLine", default=""),
            "🚡" in event.deep_get("CommandLine", default=""),
            "🚠" in event.deep_get("CommandLine", default=""),
            "🚟" in event.deep_get("CommandLine", default=""),
            "🚃" in event.deep_get("CommandLine", default=""),
            "🚋" in event.deep_get("CommandLine", default=""),
            "🚞" in event.deep_get("CommandLine", default=""),
            "🚝" in event.deep_get("CommandLine", default=""),
            "🚄" in event.deep_get("CommandLine", default=""),
            "🚅" in event.deep_get("CommandLine", default=""),
            "🚈" in event.deep_get("CommandLine", default=""),
            "🚂" in event.deep_get("CommandLine", default=""),
            "🚆" in event.deep_get("CommandLine", default=""),
            "🚇" in event.deep_get("CommandLine", default=""),
            "🚊" in event.deep_get("CommandLine", default=""),
            "🚉" in event.deep_get("CommandLine", default=""),
            "✈️" in event.deep_get("CommandLine", default=""),
            "🛫" in event.deep_get("CommandLine", default=""),
            "🛬" in event.deep_get("CommandLine", default=""),
            "🛩" in event.deep_get("CommandLine", default=""),
            "💺" in event.deep_get("CommandLine", default=""),
            "🛰" in event.deep_get("CommandLine", default=""),
            "🚀" in event.deep_get("CommandLine", default=""),
            "🛸" in event.deep_get("CommandLine", default=""),
            "🚁" in event.deep_get("CommandLine", default=""),
            "🛶" in event.deep_get("CommandLine", default=""),
            "⛵️" in event.deep_get("CommandLine", default=""),
            "🚤" in event.deep_get("CommandLine", default=""),
            "🛥" in event.deep_get("CommandLine", default=""),
            "🛳" in event.deep_get("CommandLine", default=""),
            "⛴" in event.deep_get("CommandLine", default=""),
            "🚢" in event.deep_get("CommandLine", default=""),
            "⚓️" in event.deep_get("CommandLine", default=""),
            "🛟" in event.deep_get("CommandLine", default=""),
            "🪝" in event.deep_get("CommandLine", default=""),
            "⛽️" in event.deep_get("CommandLine", default=""),
            "🚧" in event.deep_get("CommandLine", default=""),
            "🚦" in event.deep_get("CommandLine", default=""),
            "🚥" in event.deep_get("CommandLine", default=""),
            "🚏" in event.deep_get("CommandLine", default=""),
            "🗺" in event.deep_get("CommandLine", default=""),
            "🗿" in event.deep_get("CommandLine", default=""),
            "🗽" in event.deep_get("CommandLine", default=""),
            "🗼" in event.deep_get("CommandLine", default=""),
            "🏰" in event.deep_get("CommandLine", default=""),
            "🏯" in event.deep_get("CommandLine", default=""),
            "🏟" in event.deep_get("CommandLine", default=""),
            "🎡" in event.deep_get("CommandLine", default=""),
            "🎢" in event.deep_get("CommandLine", default=""),
            "🛝" in event.deep_get("CommandLine", default=""),
            "🎠" in event.deep_get("CommandLine", default=""),
            "⛲️" in event.deep_get("CommandLine", default=""),
            "⛱" in event.deep_get("CommandLine", default=""),
            "🏖" in event.deep_get("CommandLine", default=""),
            "🏝" in event.deep_get("CommandLine", default=""),
            "🏜" in event.deep_get("CommandLine", default=""),
            "🌋" in event.deep_get("CommandLine", default=""),
            "⛰" in event.deep_get("CommandLine", default=""),
            "🏔" in event.deep_get("CommandLine", default=""),
            "🗻" in event.deep_get("CommandLine", default=""),
            "🏕" in event.deep_get("CommandLine", default=""),
            "⛺️" in event.deep_get("CommandLine", default=""),
            "🛖" in event.deep_get("CommandLine", default=""),
            "🏠" in event.deep_get("CommandLine", default=""),
            "🏡" in event.deep_get("CommandLine", default=""),
            "🏘" in event.deep_get("CommandLine", default=""),
            "🏚" in event.deep_get("CommandLine", default=""),
            "🏗" in event.deep_get("CommandLine", default=""),
            "🏭" in event.deep_get("CommandLine", default=""),
            "🏢" in event.deep_get("CommandLine", default=""),
            "🏬" in event.deep_get("CommandLine", default=""),
            "🏣" in event.deep_get("CommandLine", default=""),
            "🏤" in event.deep_get("CommandLine", default=""),
            "🏥" in event.deep_get("CommandLine", default=""),
            "🏦" in event.deep_get("CommandLine", default=""),
            "🏨" in event.deep_get("CommandLine", default=""),
            "🏪" in event.deep_get("CommandLine", default=""),
            "🏫" in event.deep_get("CommandLine", default=""),
            "🏩" in event.deep_get("CommandLine", default=""),
            "💒" in event.deep_get("CommandLine", default=""),
            "🏛" in event.deep_get("CommandLine", default=""),
            "⛪️" in event.deep_get("CommandLine", default=""),
            "🕌" in event.deep_get("CommandLine", default=""),
            "🕍" in event.deep_get("CommandLine", default=""),
            "🛕" in event.deep_get("CommandLine", default=""),
            "🕋" in event.deep_get("CommandLine", default=""),
            "⛩" in event.deep_get("CommandLine", default=""),
            "🛤" in event.deep_get("CommandLine", default=""),
            "🛣" in event.deep_get("CommandLine", default=""),
            "🗾" in event.deep_get("CommandLine", default=""),
            "🎑" in event.deep_get("CommandLine", default=""),
            "🏞" in event.deep_get("CommandLine", default=""),
            "🌅" in event.deep_get("CommandLine", default=""),
            "🌄" in event.deep_get("CommandLine", default=""),
            "🌠" in event.deep_get("CommandLine", default=""),
            "🎇" in event.deep_get("CommandLine", default=""),
            "🎆" in event.deep_get("CommandLine", default=""),
            "🌇" in event.deep_get("CommandLine", default=""),
            "🌆" in event.deep_get("CommandLine", default=""),
            "🏙" in event.deep_get("CommandLine", default=""),
            "🌃" in event.deep_get("CommandLine", default=""),
            "🌌" in event.deep_get("CommandLine", default=""),
            "🌉" in event.deep_get("CommandLine", default=""),
            "🌁" in event.deep_get("CommandLine", default=""),
            "⌚️" in event.deep_get("CommandLine", default=""),
            "📱" in event.deep_get("CommandLine", default=""),
            "📲" in event.deep_get("CommandLine", default=""),
            "💻" in event.deep_get("CommandLine", default=""),
            "⌨️" in event.deep_get("CommandLine", default=""),
            "🖥" in event.deep_get("CommandLine", default=""),
            "🖨" in event.deep_get("CommandLine", default=""),
            "🖱" in event.deep_get("CommandLine", default=""),
            "🖲" in event.deep_get("CommandLine", default=""),
            "🕹" in event.deep_get("CommandLine", default=""),
            "🗜" in event.deep_get("CommandLine", default=""),
            "💽" in event.deep_get("CommandLine", default=""),
            "💾" in event.deep_get("CommandLine", default=""),
            "💿" in event.deep_get("CommandLine", default=""),
            "📀" in event.deep_get("CommandLine", default=""),
            "📼" in event.deep_get("CommandLine", default=""),
            "📷" in event.deep_get("CommandLine", default=""),
            "📸" in event.deep_get("CommandLine", default=""),
            "📹" in event.deep_get("CommandLine", default=""),
            "🎥" in event.deep_get("CommandLine", default=""),
            "📽" in event.deep_get("CommandLine", default=""),
            "🎞" in event.deep_get("CommandLine", default=""),
            "📞" in event.deep_get("CommandLine", default=""),
            "☎️" in event.deep_get("CommandLine", default=""),
            "📟" in event.deep_get("CommandLine", default=""),
            "📠" in event.deep_get("CommandLine", default=""),
            "📺" in event.deep_get("CommandLine", default=""),
            "📻" in event.deep_get("CommandLine", default=""),
            "🎙" in event.deep_get("CommandLine", default=""),
            "🎚" in event.deep_get("CommandLine", default=""),
            "🎛" in event.deep_get("CommandLine", default=""),
            "🧭" in event.deep_get("CommandLine", default=""),
            "⏱" in event.deep_get("CommandLine", default=""),
            "⏲" in event.deep_get("CommandLine", default=""),
            "⏰" in event.deep_get("CommandLine", default=""),
            "🕰" in event.deep_get("CommandLine", default=""),
            "⌛️" in event.deep_get("CommandLine", default=""),
            "⏳" in event.deep_get("CommandLine", default=""),
            "📡" in event.deep_get("CommandLine", default=""),
            "🔋" in event.deep_get("CommandLine", default=""),
            "🪫" in event.deep_get("CommandLine", default=""),
            "🔌" in event.deep_get("CommandLine", default=""),
            "💡" in event.deep_get("CommandLine", default=""),
            "🔦" in event.deep_get("CommandLine", default=""),
            "🕯" in event.deep_get("CommandLine", default=""),
            "🪔" in event.deep_get("CommandLine", default=""),
            "🧯" in event.deep_get("CommandLine", default=""),
            "🛢" in event.deep_get("CommandLine", default=""),
            "💸" in event.deep_get("CommandLine", default=""),
            "💵" in event.deep_get("CommandLine", default=""),
            "💴" in event.deep_get("CommandLine", default=""),
            "💶" in event.deep_get("CommandLine", default=""),
            "💷" in event.deep_get("CommandLine", default=""),
            "🪙" in event.deep_get("CommandLine", default=""),
            "💰" in event.deep_get("CommandLine", default=""),
            "💳" in event.deep_get("CommandLine", default=""),
            "💎" in event.deep_get("CommandLine", default=""),
            "⚖️" in event.deep_get("CommandLine", default=""),
            "🪜" in event.deep_get("CommandLine", default=""),
            "🧰" in event.deep_get("CommandLine", default=""),
            "🪛" in event.deep_get("CommandLine", default=""),
            "🔧" in event.deep_get("CommandLine", default=""),
            "🔨" in event.deep_get("CommandLine", default=""),
            "⚒" in event.deep_get("CommandLine", default=""),
            "🛠" in event.deep_get("CommandLine", default=""),
            "⛏" in event.deep_get("CommandLine", default=""),
            "🪚" in event.deep_get("CommandLine", default=""),
            "🔩" in event.deep_get("CommandLine", default=""),
            "⚙️" in event.deep_get("CommandLine", default=""),
            "🪤" in event.deep_get("CommandLine", default=""),
            "🧱" in event.deep_get("CommandLine", default=""),
            "⛓" in event.deep_get("CommandLine", default=""),
            "🧲" in event.deep_get("CommandLine", default=""),
            "🔫" in event.deep_get("CommandLine", default=""),
            "💣" in event.deep_get("CommandLine", default=""),
            "🧨" in event.deep_get("CommandLine", default=""),
            "🪓" in event.deep_get("CommandLine", default=""),
            "🔪" in event.deep_get("CommandLine", default=""),
            "🗡" in event.deep_get("CommandLine", default=""),
            "⚔️" in event.deep_get("CommandLine", default=""),
            "🛡" in event.deep_get("CommandLine", default=""),
            "🚬" in event.deep_get("CommandLine", default=""),
            "⚰️" in event.deep_get("CommandLine", default=""),
            "🪦" in event.deep_get("CommandLine", default=""),
            "⚱️" in event.deep_get("CommandLine", default=""),
            "🏺" in event.deep_get("CommandLine", default=""),
            "🔮" in event.deep_get("CommandLine", default=""),
            "📿" in event.deep_get("CommandLine", default=""),
            "🧿" in event.deep_get("CommandLine", default=""),
            "🪬" in event.deep_get("CommandLine", default=""),
            "💈" in event.deep_get("CommandLine", default=""),
            "⚗️" in event.deep_get("CommandLine", default=""),
            "🔭" in event.deep_get("CommandLine", default=""),
            "🔬" in event.deep_get("CommandLine", default=""),
            "🕳" in event.deep_get("CommandLine", default=""),
            "🩹" in event.deep_get("CommandLine", default=""),
            "🩺" in event.deep_get("CommandLine", default=""),
            "🩻" in event.deep_get("CommandLine", default=""),
            "🩼" in event.deep_get("CommandLine", default=""),
            "💊" in event.deep_get("CommandLine", default=""),
            "💉" in event.deep_get("CommandLine", default=""),
            "🩸" in event.deep_get("CommandLine", default=""),
            "🧬" in event.deep_get("CommandLine", default=""),
            "🦠" in event.deep_get("CommandLine", default=""),
            "🧫" in event.deep_get("CommandLine", default=""),
            "🧪" in event.deep_get("CommandLine", default=""),
            "🌡" in event.deep_get("CommandLine", default=""),
            "🧹" in event.deep_get("CommandLine", default=""),
            "🪠" in event.deep_get("CommandLine", default=""),
            "🧺" in event.deep_get("CommandLine", default=""),
            "🧻" in event.deep_get("CommandLine", default=""),
            "🚽" in event.deep_get("CommandLine", default=""),
            "🚰" in event.deep_get("CommandLine", default=""),
            "🚿" in event.deep_get("CommandLine", default=""),
            "🛁" in event.deep_get("CommandLine", default=""),
            "🛀" in event.deep_get("CommandLine", default=""),
            "🧼" in event.deep_get("CommandLine", default=""),
            "🪥" in event.deep_get("CommandLine", default=""),
            "🪒" in event.deep_get("CommandLine", default=""),
            "🧽" in event.deep_get("CommandLine", default=""),
            "🪣" in event.deep_get("CommandLine", default=""),
            "🧴" in event.deep_get("CommandLine", default=""),
            "🛎" in event.deep_get("CommandLine", default=""),
            "🔑" in event.deep_get("CommandLine", default=""),
            "🗝" in event.deep_get("CommandLine", default=""),
            "🚪" in event.deep_get("CommandLine", default=""),
            "🪑" in event.deep_get("CommandLine", default=""),
            "🛋" in event.deep_get("CommandLine", default=""),
            "🛏" in event.deep_get("CommandLine", default=""),
            "🛌" in event.deep_get("CommandLine", default=""),
            "🧸" in event.deep_get("CommandLine", default=""),
            "🪆" in event.deep_get("CommandLine", default=""),
            "🖼" in event.deep_get("CommandLine", default=""),
            "🪞" in event.deep_get("CommandLine", default=""),
            "🪟" in event.deep_get("CommandLine", default=""),
            "🛍" in event.deep_get("CommandLine", default=""),
            "🛒" in event.deep_get("CommandLine", default=""),
            "🎁" in event.deep_get("CommandLine", default=""),
            "🎈" in event.deep_get("CommandLine", default=""),
            "🎏" in event.deep_get("CommandLine", default=""),
            "🎀" in event.deep_get("CommandLine", default=""),
            "🪄" in event.deep_get("CommandLine", default=""),
            "🪅" in event.deep_get("CommandLine", default=""),
            "🎊" in event.deep_get("CommandLine", default=""),
            "🎉" in event.deep_get("CommandLine", default=""),
            "🪩" in event.deep_get("CommandLine", default=""),
            "🎎" in event.deep_get("CommandLine", default=""),
            "🏮" in event.deep_get("CommandLine", default=""),
            "🎐" in event.deep_get("CommandLine", default=""),
            "🧧" in event.deep_get("CommandLine", default=""),
            "✉️" in event.deep_get("CommandLine", default=""),
            "📩" in event.deep_get("CommandLine", default=""),
            "📨" in event.deep_get("CommandLine", default=""),
            "📧" in event.deep_get("CommandLine", default=""),
            "💌" in event.deep_get("CommandLine", default=""),
            "📥" in event.deep_get("CommandLine", default=""),
            "📤" in event.deep_get("CommandLine", default=""),
            "📦" in event.deep_get("CommandLine", default=""),
            "🏷" in event.deep_get("CommandLine", default=""),
            "🪧" in event.deep_get("CommandLine", default=""),
            "📪" in event.deep_get("CommandLine", default=""),
            "📫" in event.deep_get("CommandLine", default=""),
            "📬" in event.deep_get("CommandLine", default=""),
            "📭" in event.deep_get("CommandLine", default=""),
            "📮" in event.deep_get("CommandLine", default=""),
            "📯" in event.deep_get("CommandLine", default=""),
            "📜" in event.deep_get("CommandLine", default=""),
            "📃" in event.deep_get("CommandLine", default=""),
            "📄" in event.deep_get("CommandLine", default=""),
            "📑" in event.deep_get("CommandLine", default=""),
            "🧾" in event.deep_get("CommandLine", default=""),
            "📊" in event.deep_get("CommandLine", default=""),
            "📈" in event.deep_get("CommandLine", default=""),
            "📉" in event.deep_get("CommandLine", default=""),
            "🗒" in event.deep_get("CommandLine", default=""),
            "🗓" in event.deep_get("CommandLine", default=""),
            "📆" in event.deep_get("CommandLine", default=""),
            "📅" in event.deep_get("CommandLine", default=""),
            "🗑" in event.deep_get("CommandLine", default=""),
            "🪪" in event.deep_get("CommandLine", default=""),
            "📇" in event.deep_get("CommandLine", default=""),
            "🗃" in event.deep_get("CommandLine", default=""),
            "🗳" in event.deep_get("CommandLine", default=""),
            "🗄" in event.deep_get("CommandLine", default=""),
            "📋" in event.deep_get("CommandLine", default=""),
            "📁" in event.deep_get("CommandLine", default=""),
            "📂" in event.deep_get("CommandLine", default=""),
            "🗂" in event.deep_get("CommandLine", default=""),
            "🗞" in event.deep_get("CommandLine", default=""),
            "📰" in event.deep_get("CommandLine", default=""),
            "📓" in event.deep_get("CommandLine", default=""),
            "📔" in event.deep_get("CommandLine", default=""),
            "📒" in event.deep_get("CommandLine", default=""),
            "📕" in event.deep_get("CommandLine", default=""),
            "📗" in event.deep_get("CommandLine", default=""),
            "📘" in event.deep_get("CommandLine", default=""),
            "📙" in event.deep_get("CommandLine", default=""),
            "📚" in event.deep_get("CommandLine", default=""),
            "📖" in event.deep_get("CommandLine", default=""),
            "🔖" in event.deep_get("CommandLine", default=""),
            "🧷" in event.deep_get("CommandLine", default=""),
            "🔗" in event.deep_get("CommandLine", default=""),
            "📎" in event.deep_get("CommandLine", default=""),
            "🖇" in event.deep_get("CommandLine", default=""),
            "📐" in event.deep_get("CommandLine", default=""),
            "📏" in event.deep_get("CommandLine", default=""),
            "🧮" in event.deep_get("CommandLine", default=""),
            "📌" in event.deep_get("CommandLine", default=""),
            "📍" in event.deep_get("CommandLine", default=""),
            "✂️" in event.deep_get("CommandLine", default=""),
            "🖊" in event.deep_get("CommandLine", default=""),
            "🖋" in event.deep_get("CommandLine", default=""),
            "✒️" in event.deep_get("CommandLine", default=""),
            "🖌" in event.deep_get("CommandLine", default=""),
            "🖍" in event.deep_get("CommandLine", default=""),
            "📝" in event.deep_get("CommandLine", default=""),
            "✏️" in event.deep_get("CommandLine", default=""),
            "🔍" in event.deep_get("CommandLine", default=""),
            "🔎" in event.deep_get("CommandLine", default=""),
            "🔏" in event.deep_get("CommandLine", default=""),
            "🔐" in event.deep_get("CommandLine", default=""),
            "🔒" in event.deep_get("CommandLine", default=""),
            "🔓❤️" in event.deep_get("CommandLine", default=""),
            "🧡" in event.deep_get("CommandLine", default=""),
            "💛" in event.deep_get("CommandLine", default=""),
            "💚" in event.deep_get("CommandLine", default=""),
            "💙" in event.deep_get("CommandLine", default=""),
            "💜" in event.deep_get("CommandLine", default=""),
            "🖤" in event.deep_get("CommandLine", default=""),
            "🤍" in event.deep_get("CommandLine", default=""),
            "🤎" in event.deep_get("CommandLine", default=""),
            "❤️‍🔥" in event.deep_get("CommandLine", default=""),
            "❤️‍🩹" in event.deep_get("CommandLine", default=""),
            "💔" in event.deep_get("CommandLine", default=""),
            "❣️" in event.deep_get("CommandLine", default=""),
            "💕" in event.deep_get("CommandLine", default=""),
            "💞" in event.deep_get("CommandLine", default=""),
            "💓" in event.deep_get("CommandLine", default=""),
            "💗" in event.deep_get("CommandLine", default=""),
            "💖" in event.deep_get("CommandLine", default=""),
            "💘" in event.deep_get("CommandLine", default=""),
            "💝" in event.deep_get("CommandLine", default=""),
            "💟" in event.deep_get("CommandLine", default=""),
            "☮️" in event.deep_get("CommandLine", default=""),
            "✝️" in event.deep_get("CommandLine", default=""),
            "☪️" in event.deep_get("CommandLine", default=""),
            "🕉" in event.deep_get("CommandLine", default=""),
            "☸️" in event.deep_get("CommandLine", default=""),
            "✡️" in event.deep_get("CommandLine", default=""),
            "🔯" in event.deep_get("CommandLine", default=""),
            "🕎" in event.deep_get("CommandLine", default=""),
            "☯️" in event.deep_get("CommandLine", default=""),
            "☦️" in event.deep_get("CommandLine", default=""),
            "🛐" in event.deep_get("CommandLine", default=""),
            "⛎" in event.deep_get("CommandLine", default=""),
            "♈️" in event.deep_get("CommandLine", default=""),
            "♉️" in event.deep_get("CommandLine", default=""),
            "♊️" in event.deep_get("CommandLine", default=""),
            "♋️" in event.deep_get("CommandLine", default=""),
            "♌️" in event.deep_get("CommandLine", default=""),
            "♍️" in event.deep_get("CommandLine", default=""),
            "♎️" in event.deep_get("CommandLine", default=""),
            "♏️" in event.deep_get("CommandLine", default=""),
            "♐️" in event.deep_get("CommandLine", default=""),
            "♑️" in event.deep_get("CommandLine", default=""),
            "♒️" in event.deep_get("CommandLine", default=""),
            "♓️" in event.deep_get("CommandLine", default=""),
            "🆔" in event.deep_get("CommandLine", default=""),
            "⚛️" in event.deep_get("CommandLine", default=""),
            "🉑" in event.deep_get("CommandLine", default=""),
            "☢️" in event.deep_get("CommandLine", default=""),
            "☣️" in event.deep_get("CommandLine", default=""),
            "📴" in event.deep_get("CommandLine", default=""),
            "📳" in event.deep_get("CommandLine", default=""),
            "🈶" in event.deep_get("CommandLine", default=""),
            "🈚️" in event.deep_get("CommandLine", default=""),
            "🈸" in event.deep_get("CommandLine", default=""),
            "🈺" in event.deep_get("CommandLine", default=""),
            "🈷️" in event.deep_get("CommandLine", default=""),
            "✴️" in event.deep_get("CommandLine", default=""),
            "🆚" in event.deep_get("CommandLine", default=""),
            "💮" in event.deep_get("CommandLine", default=""),
            "🉐" in event.deep_get("CommandLine", default=""),
            "㊙️" in event.deep_get("CommandLine", default=""),
            "㊗️" in event.deep_get("CommandLine", default=""),
            "🈴" in event.deep_get("CommandLine", default=""),
            "🈵" in event.deep_get("CommandLine", default=""),
            "🈹" in event.deep_get("CommandLine", default=""),
            "🈲" in event.deep_get("CommandLine", default=""),
            "🅰️" in event.deep_get("CommandLine", default=""),
            "🅱️" in event.deep_get("CommandLine", default=""),
            "🆎" in event.deep_get("CommandLine", default=""),
            "🆑" in event.deep_get("CommandLine", default=""),
            "🅾️" in event.deep_get("CommandLine", default=""),
            "🆘" in event.deep_get("CommandLine", default=""),
            "❌" in event.deep_get("CommandLine", default=""),
            "⭕️" in event.deep_get("CommandLine", default=""),
            "🛑" in event.deep_get("CommandLine", default=""),
            "⛔️" in event.deep_get("CommandLine", default=""),
            "📛" in event.deep_get("CommandLine", default=""),
            "🚫" in event.deep_get("CommandLine", default=""),
            "💯" in event.deep_get("CommandLine", default=""),
            "💢" in event.deep_get("CommandLine", default=""),
            "♨️" in event.deep_get("CommandLine", default=""),
            "🚷" in event.deep_get("CommandLine", default=""),
            "🚯" in event.deep_get("CommandLine", default=""),
            "🚳" in event.deep_get("CommandLine", default=""),
            "🚱" in event.deep_get("CommandLine", default=""),
            "🔞" in event.deep_get("CommandLine", default=""),
            "📵" in event.deep_get("CommandLine", default=""),
            "🚭" in event.deep_get("CommandLine", default=""),
            "❗️" in event.deep_get("CommandLine", default=""),
            "❕" in event.deep_get("CommandLine", default=""),
            "❓" in event.deep_get("CommandLine", default=""),
            "❔" in event.deep_get("CommandLine", default=""),
            "‼️" in event.deep_get("CommandLine", default=""),
            "⁉️" in event.deep_get("CommandLine", default=""),
            "🔅" in event.deep_get("CommandLine", default=""),
            "🔆" in event.deep_get("CommandLine", default=""),
            "〽️" in event.deep_get("CommandLine", default=""),
            "⚠️" in event.deep_get("CommandLine", default=""),
            "🚸" in event.deep_get("CommandLine", default=""),
            "🔱" in event.deep_get("CommandLine", default=""),
            "⚜️" in event.deep_get("CommandLine", default=""),
            "🔰" in event.deep_get("CommandLine", default=""),
            "♻️" in event.deep_get("CommandLine", default=""),
            "✅" in event.deep_get("CommandLine", default=""),
            "🈯️" in event.deep_get("CommandLine", default=""),
            "💹" in event.deep_get("CommandLine", default=""),
            "❇️" in event.deep_get("CommandLine", default=""),
            "✳️" in event.deep_get("CommandLine", default=""),
            "❎" in event.deep_get("CommandLine", default=""),
            "🌐" in event.deep_get("CommandLine", default=""),
            "💠" in event.deep_get("CommandLine", default=""),
            "Ⓜ️" in event.deep_get("CommandLine", default=""),
            "🌀" in event.deep_get("CommandLine", default=""),
            "💤" in event.deep_get("CommandLine", default=""),
            "🏧" in event.deep_get("CommandLine", default=""),
            "🚾" in event.deep_get("CommandLine", default=""),
            "♿️" in event.deep_get("CommandLine", default=""),
            "🅿️" in event.deep_get("CommandLine", default=""),
            "🛗" in event.deep_get("CommandLine", default=""),
            "🈳" in event.deep_get("CommandLine", default=""),
            "🈂️" in event.deep_get("CommandLine", default=""),
            "🛂" in event.deep_get("CommandLine", default=""),
            "🛃" in event.deep_get("CommandLine", default=""),
            "🛄" in event.deep_get("CommandLine", default=""),
            "🛅" in event.deep_get("CommandLine", default=""),
            "🚹" in event.deep_get("CommandLine", default=""),
            "🚺" in event.deep_get("CommandLine", default=""),
            "🚼" in event.deep_get("CommandLine", default=""),
            "⚧" in event.deep_get("CommandLine", default=""),
            "🚻" in event.deep_get("CommandLine", default=""),
            "🚮" in event.deep_get("CommandLine", default=""),
            "🎦" in event.deep_get("CommandLine", default=""),
            "📶" in event.deep_get("CommandLine", default=""),
            "🈁" in event.deep_get("CommandLine", default=""),
            "🔣" in event.deep_get("CommandLine", default=""),
            "ℹ️" in event.deep_get("CommandLine", default=""),
            "🔤" in event.deep_get("CommandLine", default=""),
            "🔡" in event.deep_get("CommandLine", default=""),
            "🔠" in event.deep_get("CommandLine", default=""),
            "🆖" in event.deep_get("CommandLine", default=""),
            "🆗" in event.deep_get("CommandLine", default=""),
            "🆙" in event.deep_get("CommandLine", default=""),
            "🆒" in event.deep_get("CommandLine", default=""),
            "🆕" in event.deep_get("CommandLine", default=""),
            "🆓" in event.deep_get("CommandLine", default=""),
            "0️⃣" in event.deep_get("CommandLine", default=""),
            "1️⃣" in event.deep_get("CommandLine", default=""),
            "2️⃣" in event.deep_get("CommandLine", default=""),
            "3️⃣" in event.deep_get("CommandLine", default=""),
            "4️⃣" in event.deep_get("CommandLine", default=""),
            "5️⃣" in event.deep_get("CommandLine", default=""),
            "6️⃣" in event.deep_get("CommandLine", default=""),
            "7️⃣" in event.deep_get("CommandLine", default=""),
            "8️⃣" in event.deep_get("CommandLine", default=""),
            "9️⃣" in event.deep_get("CommandLine", default=""),
            "🔟" in event.deep_get("CommandLine", default=""),
            "🔢" in event.deep_get("CommandLine", default=""),
            "#️⃣" in event.deep_get("CommandLine", default=""),
            "️⃣" in event.deep_get("CommandLine", default=""),
            "⏏️" in event.deep_get("CommandLine", default=""),
            "▶️" in event.deep_get("CommandLine", default=""),
            "⏸" in event.deep_get("CommandLine", default=""),
            "⏯" in event.deep_get("CommandLine", default=""),
            "⏹" in event.deep_get("CommandLine", default=""),
            "⏺" in event.deep_get("CommandLine", default=""),
            "⏭" in event.deep_get("CommandLine", default=""),
            "⏮" in event.deep_get("CommandLine", default=""),
            "⏩" in event.deep_get("CommandLine", default=""),
            "⏪" in event.deep_get("CommandLine", default=""),
            "⏫" in event.deep_get("CommandLine", default=""),
            "⏬" in event.deep_get("CommandLine", default=""),
            "◀️" in event.deep_get("CommandLine", default=""),
            "🔼" in event.deep_get("CommandLine", default=""),
            "🔽" in event.deep_get("CommandLine", default=""),
            "➡️" in event.deep_get("CommandLine", default=""),
            "⬅️" in event.deep_get("CommandLine", default=""),
            "⬆️" in event.deep_get("CommandLine", default=""),
            "⬇️" in event.deep_get("CommandLine", default=""),
            "↗️" in event.deep_get("CommandLine", default=""),
            "↘️" in event.deep_get("CommandLine", default=""),
            "↙️" in event.deep_get("CommandLine", default=""),
            "↖️" in event.deep_get("CommandLine", default=""),
            "↕️" in event.deep_get("CommandLine", default=""),
            "↔️" in event.deep_get("CommandLine", default=""),
            "↪️" in event.deep_get("CommandLine", default=""),
            "↩️" in event.deep_get("CommandLine", default=""),
            "⤴️" in event.deep_get("CommandLine", default=""),
            "⤵️" in event.deep_get("CommandLine", default=""),
            "🔀" in event.deep_get("CommandLine", default=""),
            "🔁" in event.deep_get("CommandLine", default=""),
            "🔂" in event.deep_get("CommandLine", default=""),
            "🔄" in event.deep_get("CommandLine", default=""),
            "🔃" in event.deep_get("CommandLine", default=""),
            "🎵" in event.deep_get("CommandLine", default=""),
            "🎶" in event.deep_get("CommandLine", default=""),
            "➕" in event.deep_get("CommandLine", default=""),
            "➖" in event.deep_get("CommandLine", default=""),
            "➗" in event.deep_get("CommandLine", default=""),
            "✖️" in event.deep_get("CommandLine", default=""),
            "🟰" in event.deep_get("CommandLine", default=""),
            "♾" in event.deep_get("CommandLine", default=""),
            "💲" in event.deep_get("CommandLine", default=""),
            "💱" in event.deep_get("CommandLine", default=""),
            "™️" in event.deep_get("CommandLine", default=""),
            "©️" in event.deep_get("CommandLine", default=""),
            "®️" in event.deep_get("CommandLine", default=""),
            "〰️" in event.deep_get("CommandLine", default=""),
            "➰" in event.deep_get("CommandLine", default=""),
            "➿" in event.deep_get("CommandLine", default=""),
            "🔚" in event.deep_get("CommandLine", default=""),
            "🔙" in event.deep_get("CommandLine", default=""),
            "🔛" in event.deep_get("CommandLine", default=""),
            "🔝" in event.deep_get("CommandLine", default=""),
            "🔜" in event.deep_get("CommandLine", default=""),
            "✔️" in event.deep_get("CommandLine", default=""),
            "☑️" in event.deep_get("CommandLine", default=""),
            "🔘" in event.deep_get("CommandLine", default=""),
            "🔴" in event.deep_get("CommandLine", default=""),
            "🟠" in event.deep_get("CommandLine", default=""),
            "🟡" in event.deep_get("CommandLine", default=""),
            "🟢" in event.deep_get("CommandLine", default=""),
            "🔵" in event.deep_get("CommandLine", default=""),
            "🟣" in event.deep_get("CommandLine", default=""),
            "⚫️" in event.deep_get("CommandLine", default=""),
            "⚪️" in event.deep_get("CommandLine", default=""),
            "🟤" in event.deep_get("CommandLine", default=""),
            "🔺" in event.deep_get("CommandLine", default=""),
            "🔻" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
id: f9578658-9e71-4711-b634-3f9b50cd3c06
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '🦆'
            - '🦅'
            - '🦉'
            - '🦇'
            - '🐺'
            - '🐗'
            - '🐴'
            - '🦄'
            - '🐝'
            - '🪱'
            - '🐛'
            - '🦋'
            - '🐌'
            - '🐞'
            - '🐜'
            - '🪰'
            - '🪲'
            - '🪳'
            - '🦟'
            - '🦗'
            - '🕷'
            - '🕸'
            - '🦂'
            - '🐢'
            - '🐍'
            - '🦎'
            - '🦖'
            - '🦕'
            - '🐙'
            - '🦑'
            - '🦐'
            - '🦞'
            - '🦀'
            - '🪸'
            - '🐡'
            - '🐠'
            - '🐟'
            - '🐬'
            - '🐳'
            - '🐋'
            - '🦈'
            - '🐊'
            - '🐅'
            - '🐆'
            - '🦓'
            - '🦍'
            - '🦧'
            - '🦣'
            - '🐘'
            - '🦛'
            - '🦏'
            - '🐪'
            - '🐫'
            - '🦒'
            - '🦘'
            - '🦬'
            - '🐃'
            - '🐂'
            - '🐄'
            - '🐎'
            - '🐖'
            - '🐏'
            - '🐑'
            - '🦙'
            - '🐐'
            - '🦌'
            - '🐕'
            - '🐩'
            - '🦮'
            - '🐕‍🦺'
            - '🐈'
            - '🐈‍⬛'
            - '🪶'
            - '🐓'
            - '🦃'
            - '🦤'
            - '🦚'
            - '🦜'
            - '🦢'
            - '🦩'
            - '🕊'
            - '🐇'
            - '🦝'
            - '🦨'
            - '🦡'
            - '🦫'
            - '🦦'
            - '🦥'
            - '🐁'
            - '🐀'
            - '🐿'
            - '🦔'
            - '🐾'
            - '🐉'
            - '🐲'
            - '🌵'
            - '🎄'
            - '🌲'
            - '🌳'
            - '🌴'
            - '🪹'
            - '🪺'
            - '🪵'
            - '🌱'
            - '🌿'
            - '☘️'
            - '🍀'
            - '🎍'
            - '🪴'
            - '🎋'
            - '🍃'
            - '🍂'
            - '🍁'
            - '🍄'
            - '🐚'
            - '🪨'
            - '🌾'
            - '💐'
            - '🌷'
            - '🪷'
            - '🌹'
            - '🥀'
            - '🌺'
            - '🌸'
            - '🌼'
            - '🌻'
            - '🌞'
            - '🌝'
            - '🌛'
            - '🌜'
            - '🌚'
            - '🌕'
            - '🌖'
            - '🌗'
            - '🌘'
            - '🌑'
            - '🌒'
            - '🌓'
            - '🌔'
            - '🌙'
            - '🌎'
            - '🌍'
            - '🌏'
            - '🪐'
            - '💫'
            - '⭐️'
            - '🌟'
            - '✨'
            - '⚡️'
            - '☄️'
            - '💥'
            - '🔥'
            - '🌪'
            - '🌈'
            - '☀️'
            - '🌤'
            - '⛅️'
            - '🌥'
            - '☁️'
            - '🌦'
            - '🌧'
            - '⛈'
            - '🌩'
            - '🌨'
            - '❄️'
            - '☃️'
            - '⛄️'
            - '🌬'
            - '💨'
            - '💧'
            - '💦'
            - '🫧'
            - '☔️'
            - '☂️'
            - '🌊'
            - '🌫🍏'
            - '🍎'
            - '🍐'
            - '🍊'
            - '🍋'
            - '🍌'
            - '🍉'
            - '🍇'
            - '🍓'
            - '🫐'
            - '🍈'
            - '🍒'
            - '🍑'
            - '🥭'
            - '🍍'
            - '🥥'
            - '🥝'
            - '🍅'
            - '🍆'
            - '🥑'
            - '🥦'
            - '🥬'
            - '🥒'
            - '🌶'
            - '🫑'
            - '🌽'
            - '🥕'
            - '🫒'
            - '🧄'
            - '🧅'
            - '🥔'
            - '🍠'
            - '🫘'
            - '🥐'
            - '🥯'
            - '🍞'
            - '🥖'
            - '🥨'
            - '🧀'
            - '🥚'
            - '🍳'
            - '🧈'
            - '🥞'
            - '🧇'
            - '🥓'
            - '🥩'
            - '🍗'
            - '🍖'
            - '🦴'
            - '🌭'
            - '🍔'
            - '🍟'
            - '🍕'
            - '🫓'
            - '🥪'
            - '🥙'
            - '🧆'
            - '🌮'
            - '🌯'
            - '🫔'
            - '🥗'
            - '🥘'
            - '🫕'
            - '🥫'
            - '🍝'
            - '🍜'
            - '🍲'
            - '🍛'
            - '🍣'
            - '🍱'
            - '🥟'
            - '🦪'
            - '🍤'
            - '🍙'
            - '🍚'
            - '🍘'
            - '🍥'
            - '🥠'
            - '🥮'
            - '🍢'
            - '🍡'
            - '🍧'
            - '🍨'
            - '🍦'
            - '🥧'
            - '🧁'
            - '🍰'
            - '🎂'
            - '🍮'
            - '🍭'
            - '🍬'
            - '🍫'
            - '🍿'
            - '🍩'
            - '🍪'
            - '🌰'
            - '🥜'
            - '🍯'
            - '🥛'
            - '🍼'
            - '🫖'
            - '☕️'
            - '🍵'
            - '🧃'
            - '🥤'
            - '🧋'
            - '🫙'
            - '🍶'
            - '🍺'
            - '🍻'
            - '🥂'
            - '🍷'
            - '🫗'
            - '🥃'
            - '🍸'
            - '🍹'
            - '🧉'
            - '🍾'
            - '🧊'
            - '🥄'
            - '🍴'
            - '🍽'
            - '🥣'
            - '🥡'
            - '🥢'
            - '🧂'
            - '⚽️'
            - '🏀'
            - '🏈'
            - '⚾️'
            - '🥎'
            - '🎾'
            - '🏐'
            - '🏉'
            - '🥏'
            - '🎱'
            - '🪀'
            - '🏓'
            - '🏸'
            - '🏒'
            - '🏑'
            - '🥍'
            - '🏏'
            - '🪃'
            - '🥅'
            - '⛳️'
            - '🪁'
            - '🏹'
            - '🎣'
            - '🤿'
            - '🥊'
            - '🥋'
            - '🎽'
            - '🛹'
            - '🛼'
            - '🛷'
            - '⛸'
            - '🥌'
            - '🎿'
            - '⛷'
            - '🏂'
            - '🪂'
            - '🏋️‍♀️'
            - '🏋️'
            - '🏋️‍♂️'
            - '🤼‍♀️'
            - '🤼'
            - '🤼‍♂️'
            - '🤸‍♀️'
            - '🤸'
            - '🤸‍♂️'
            - '⛹️‍♀️'
            - '⛹️'
            - '⛹️‍♂️'
            - '🤺'
            - '🤾‍♀️'
            - '🤾'
            - '🤾‍♂️'
            - '🏌️‍♀️'
            - '🏌️'
            - '🏌️‍♂️'
            - '🏇'
            - '🧘‍♀️'
            - '🧘'
            - '🧘‍♂️'
            - '🏄‍♀️'
            - '🏄'
            - '🏄‍♂️'
            - '🏊‍♀️'
            - '🏊'
            - '🏊‍♂️'
            - '🤽‍♀️'
            - '🤽'
            - '🤽‍♂️'
            - '🚣‍♀️'
            - '🚣'
            - '🚣‍♂️'
            - '🧗‍♀️'
            - '🧗'
            - '🧗‍♂️'
            - '🚵‍♀️'
            - '🚵'
            - '🚵‍♂️'
            - '🚴‍♀️'
            - '🚴'
            - '🚴‍♂️'
            - '🏆'
            - '🥇'
            - '🥈'
            - '🥉'
            - '🏅'
            - '🎖'
            - '🏵'
            - '🎗'
            - '🎫'
            - '🎟'
            - '🎪'
            - '🤹'
            - '🤹‍♂️'
            - '🤹‍♀️'
            - '🎭'
            - '🩰'
            - '🎨'
            - '🎬'
            - '🎤'
            - '🎧'
            - '🎼'
            - '🎹'
            - '🥁'
            - '🪘'
            - '🎷'
            - '🎺'
            - '🪗'
            - '🎸'
            - '🪕'
            - '🎻'
            - '🎲'
            - '♟'
            - '🎯'
            - '🎳'
            - '🎮'
            - '🎰'
            - '🧩'
            - '🚗'
            - '🚕'
            - '🚙'
            - '🚌'
            - '🚎'
            - '🏎'
            - '🚓'
            - '🚑'
            - '🚒'
            - '🚐'
            - '🛻'
            - '🚚'
            - '🚛'
            - '🚜'
            - '🦯'
            - '🦽'
            - '🦼'
            - '🛴'
            - '🚲'
            - '🛵'
            - '🏍'
            - '🛺'
            - '🚨'
            - '🚔'
            - '🚍'
            - '🚘'
            - '🚖'
            - '🛞'
            - '🚡'
            - '🚠'
            - '🚟'
            - '🚃'
            - '🚋'
            - '🚞'
            - '🚝'
            - '🚄'
            - '🚅'
            - '🚈'
            - '🚂'
            - '🚆'
            - '🚇'
            - '🚊'
            - '🚉'
            - '✈️'
            - '🛫'
            - '🛬'
            - '🛩'
            - '💺'
            - '🛰'
            - '🚀'
            - '🛸'
            - '🚁'
            - '🛶'
            - '⛵️'
            - '🚤'
            - '🛥'
            - '🛳'
            - '⛴'
            - '🚢'
            - '⚓️'
            - '🛟'
            - '🪝'
            - '⛽️'
            - '🚧'
            - '🚦'
            - '🚥'
            - '🚏'
            - '🗺'
            - '🗿'
            - '🗽'
            - '🗼'
            - '🏰'
            - '🏯'
            - '🏟'
            - '🎡'
            - '🎢'
            - '🛝'
            - '🎠'
            - '⛲️'
            - '⛱'
            - '🏖'
            - '🏝'
            - '🏜'
            - '🌋'
            - '⛰'
            - '🏔'
            - '🗻'
            - '🏕'
            - '⛺️'
            - '🛖'
            - '🏠'
            - '🏡'
            - '🏘'
            - '🏚'
            - '🏗'
            - '🏭'
            - '🏢'
            - '🏬'
            - '🏣'
            - '🏤'
            - '🏥'
            - '🏦'
            - '🏨'
            - '🏪'
            - '🏫'
            - '🏩'
            - '💒'
            - '🏛'
            - '⛪️'
            - '🕌'
            - '🕍'
            - '🛕'
            - '🕋'
            - '⛩'
            - '🛤'
            - '🛣'
            - '🗾'
            - '🎑'
            - '🏞'
            - '🌅'
            - '🌄'
            - '🌠'
            - '🎇'
            - '🎆'
            - '🌇'
            - '🌆'
            - '🏙'
            - '🌃'
            - '🌌'
            - '🌉'
            - '🌁'
            - '⌚️'
            - '📱'
            - '📲'
            - '💻'
            - '⌨️'
            - '🖥'
            - '🖨'
            - '🖱'
            - '🖲'
            - '🕹'
            - '🗜'
            - '💽'
            - '💾'
            - '💿'
            - '📀'
            - '📼'
            - '📷'
            - '📸'
            - '📹'
            - '🎥'
            - '📽'
            - '🎞'
            - '📞'
            - '☎️'
            - '📟'
            - '📠'
            - '📺'
            - '📻'
            - '🎙'
            - '🎚'
            - '🎛'
            - '🧭'
            - '⏱'
            - '⏲'
            - '⏰'
            - '🕰'
            - '⌛️'
            - '⏳'
            - '📡'
            - '🔋'
            - '🪫'
            - '🔌'
            - '💡'
            - '🔦'
            - '🕯'
            - '🪔'
            - '🧯'
            - '🛢'
            - '💸'
            - '💵'
            - '💴'
            - '💶'
            - '💷'
            - '🪙'
            - '💰'
            - '💳'
            - '💎'
            - '⚖️'
            - '🪜'
            - '🧰'
            - '🪛'
            - '🔧'
            - '🔨'
            - '⚒'
            - '🛠'
            - '⛏'
            - '🪚'
            - '🔩'
            - '⚙️'
            - '🪤'
            - '🧱'
            - '⛓'
            - '🧲'
            - '🔫'
            - '💣'
            - '🧨'
            - '🪓'
            - '🔪'
            - '🗡'
            - '⚔️'
            - '🛡'
            - '🚬'
            - '⚰️'
            - '🪦'
            - '⚱️'
            - '🏺'
            - '🔮'
            - '📿'
            - '🧿'
            - '🪬'
            - '💈'
            - '⚗️'
            - '🔭'
            - '🔬'
            - '🕳'
            - '🩹'
            - '🩺'
            - '🩻'
            - '🩼'
            - '💊'
            - '💉'
            - '🩸'
            - '🧬'
            - '🦠'
            - '🧫'
            - '🧪'
            - '🌡'
            - '🧹'
            - '🪠'
            - '🧺'
            - '🧻'
            - '🚽'
            - '🚰'
            - '🚿'
            - '🛁'
            - '🛀'
            - '🧼'
            - '🪥'
            - '🪒'
            - '🧽'
            - '🪣'
            - '🧴'
            - '🛎'
            - '🔑'
            - '🗝'
            - '🚪'
            - '🪑'
            - '🛋'
            - '🛏'
            - '🛌'
            - '🧸'
            - '🪆'
            - '🖼'
            - '🪞'
            - '🪟'
            - '🛍'
            - '🛒'
            - '🎁'
            - '🎈'
            - '🎏'
            - '🎀'
            - '🪄'
            - '🪅'
            - '🎊'
            - '🎉'
            - '🪩'
            - '🎎'
            - '🏮'
            - '🎐'
            - '🧧'
            - '✉️'
            - '📩'
            - '📨'
            - '📧'
            - '💌'
            - '📥'
            - '📤'
            - '📦'
            - '🏷'
            - '🪧'
            - '📪'
            - '📫'
            - '📬'
            - '📭'
            - '📮'
            - '📯'
            - '📜'
            - '📃'
            - '📄'
            - '📑'
            - '🧾'
            - '📊'
            - '📈'
            - '📉'
            - '🗒'
            - '🗓'
            - '📆'
            - '📅'
            - '🗑'
            - '🪪'
            - '📇'
            - '🗃'
            - '🗳'
            - '🗄'
            - '📋'
            - '📁'
            - '📂'
            - '🗂'
            - '🗞'
            - '📰'
            - '📓'
            - '📔'
            - '📒'
            - '📕'
            - '📗'
            - '📘'
            - '📙'
            - '📚'
            - '📖'
            - '🔖'
            - '🧷'
            - '🔗'
            - '📎'
            - '🖇'
            - '📐'
            - '📏'
            - '🧮'
            - '📌'
            - '📍'
            - '✂️'
            - '🖊'
            - '🖋'
            - '✒️'
            - '🖌'
            - '🖍'
            - '📝'
            - '✏️'
            - '🔍'
            - '🔎'
            - '🔏'
            - '🔐'
            - '🔒'
            - '🔓❤️'
            - '🧡'
            - '💛'
            - '💚'
            - '💙'
            - '💜'
            - '🖤'
            - '🤍'
            - '🤎'
            - '❤️‍🔥'
            - '❤️‍🩹'
            - '💔'
            - '❣️'
            - '💕'
            - '💞'
            - '💓'
            - '💗'
            - '💖'
            - '💘'
            - '💝'
            - '💟'
            - '☮️'
            - '✝️'
            - '☪️'
            - '🕉'
            - '☸️'
            - '✡️'
            - '🔯'
            - '🕎'
            - '☯️'
            - '☦️'
            - '🛐'
            - '⛎'
            - '♈️'
            - '♉️'
            - '♊️'
            - '♋️'
            - '♌️'
            - '♍️'
            - '♎️'
            - '♏️'
            - '♐️'
            - '♑️'
            - '♒️'
            - '♓️'
            - '🆔'
            - '⚛️'
            - '🉑'
            - '☢️'
            - '☣️'
            - '📴'
            - '📳'
            - '🈶'
            - '🈚️'
            - '🈸'
            - '🈺'
            - '🈷️'
            - '✴️'
            - '🆚'
            - '💮'
            - '🉐'
            - '㊙️'
            - '㊗️'
            - '🈴'
            - '🈵'
            - '🈹'
            - '🈲'
            - '🅰️'
            - '🅱️'
            - '🆎'
            - '🆑'
            - '🅾️'
            - '🆘'
            - '❌'
            - '⭕️'
            - '🛑'
            - '⛔️'
            - '📛'
            - '🚫'
            - '💯'
            - '💢'
            - '♨️'
            - '🚷'
            - '🚯'
            - '🚳'
            - '🚱'
            - '🔞'
            - '📵'
            - '🚭'
            - '❗️'
            - '❕'
            - '❓'
            - '❔'
            - '‼️'
            - '⁉️'
            - '🔅'
            - '🔆'
            - '〽️'
            - '⚠️'
            - '🚸'
            - '🔱'
            - '⚜️'
            - '🔰'
            - '♻️'
            - '✅'
            - '🈯️'
            - '💹'
            - '❇️'
            - '✳️'
            - '❎'
            - '🌐'
            - '💠'
            - 'Ⓜ️'
            - '🌀'
            - '💤'
            - '🏧'
            - '🚾'
            - '♿️'
            - '🅿️'
            - '🛗'
            - '🈳'
            - '🈂️'
            - '🛂'
            - '🛃'
            - '🛄'
            - '🛅'
            - '🚹'
            - '🚺'
            - '🚼'
            - '⚧'
            - '🚻'
            - '🚮'
            - '🎦'
            - '📶'
            - '🈁'
            - '🔣'
            - 'ℹ️'
            - '🔤'
            - '🔡'
            - '🔠'
            - '🆖'
            - '🆗'
            - '🆙'
            - '🆒'
            - '🆕'
            - '🆓'
            - '0️⃣'
            - '1️⃣'
            - '2️⃣'
            - '3️⃣'
            - '4️⃣'
            - '5️⃣'
            - '6️⃣'
            - '7️⃣'
            - '8️⃣'
            - '9️⃣'
            - '🔟'
            - '🔢'
            - '#️⃣'
            - '*️⃣'
            - '⏏️'
            - '▶️'
            - '⏸'
            - '⏯'
            - '⏹'
            - '⏺'
            - '⏭'
            - '⏮'
            - '⏩'
            - '⏪'
            - '⏫'
            - '⏬'
            - '◀️'
            - '🔼'
            - '🔽'
            - '➡️'
            - '⬅️'
            - '⬆️'
            - '⬇️'
            - '↗️'
            - '↘️'
            - '↙️'
            - '↖️'
            - '↕️'
            - '↔️'
            - '↪️'
            - '↩️'
            - '⤴️'
            - '⤵️'
            - '🔀'
            - '🔁'
            - '🔂'
            - '🔄'
            - '🔃'
            - '🎵'
            - '🎶'
            - '➕'
            - '➖'
            - '➗'
            - '✖️'
            - '🟰'
            - '♾'
            - '💲'
            - '💱'
            - '™️'
            - '©️'
            - '®️'
            - '〰️'
            - '➰'
            - '➿'
            - '🔚'
            - '🔙'
            - '🔛'
            - '🔝'
            - '🔜'
            - '✔️'
            - '☑️'
            - '🔘'
            - '🔴'
            - '🟠'
            - '🟡'
            - '🟢'
            - '🔵'
            - '🟣'
            - '⚫️'
            - '⚪️'
            - '🟤'
            - '🔺'
            - '🔻'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

status test author @Kostastsale, TheDFIRReport id 225274c4-8dd1-40db-9e09-71dff4f6fb3c

panther query

def rule(event):
    if any(
        [
            "🔸" in event.deep_get("CommandLine", default=""),
            "🔹" in event.deep_get("CommandLine", default=""),
            "🔶" in event.deep_get("CommandLine", default=""),
            "🔷" in event.deep_get("CommandLine", default=""),
            "🔳" in event.deep_get("CommandLine", default=""),
            "🔲" in event.deep_get("CommandLine", default=""),
            "▪️" in event.deep_get("CommandLine", default=""),
            "▫️" in event.deep_get("CommandLine", default=""),
            "◾️" in event.deep_get("CommandLine", default=""),
            "◽️" in event.deep_get("CommandLine", default=""),
            "◼️" in event.deep_get("CommandLine", default=""),
            "◻️" in event.deep_get("CommandLine", default=""),
            "🟥" in event.deep_get("CommandLine", default=""),
            "🟧" in event.deep_get("CommandLine", default=""),
            "🟨" in event.deep_get("CommandLine", default=""),
            "🟩" in event.deep_get("CommandLine", default=""),
            "🟦" in event.deep_get("CommandLine", default=""),
            "🟪" in event.deep_get("CommandLine", default=""),
            "⬛️" in event.deep_get("CommandLine", default=""),
            "⬜️" in event.deep_get("CommandLine", default=""),
            "🟫" in event.deep_get("CommandLine", default=""),
            "🔈" in event.deep_get("CommandLine", default=""),
            "🔇" in event.deep_get("CommandLine", default=""),
            "🔉" in event.deep_get("CommandLine", default=""),
            "🔊" in event.deep_get("CommandLine", default=""),
            "🔔" in event.deep_get("CommandLine", default=""),
            "🔕" in event.deep_get("CommandLine", default=""),
            "📣" in event.deep_get("CommandLine", default=""),
            "📢" in event.deep_get("CommandLine", default=""),
            "👁‍🗨" in event.deep_get("CommandLine", default=""),
            "💬" in event.deep_get("CommandLine", default=""),
            "💭" in event.deep_get("CommandLine", default=""),
            "🗯" in event.deep_get("CommandLine", default=""),
            "♠️" in event.deep_get("CommandLine", default=""),
            "♣️" in event.deep_get("CommandLine", default=""),
            "♥️" in event.deep_get("CommandLine", default=""),
            "♦️" in event.deep_get("CommandLine", default=""),
            "🃏" in event.deep_get("CommandLine", default=""),
            "🎴" in event.deep_get("CommandLine", default=""),
            "🀄️" in event.deep_get("CommandLine", default=""),
            "🕐" in event.deep_get("CommandLine", default=""),
            "🕑" in event.deep_get("CommandLine", default=""),
            "🕒" in event.deep_get("CommandLine", default=""),
            "🕓" in event.deep_get("CommandLine", default=""),
            "🕔" in event.deep_get("CommandLine", default=""),
            "🕕" in event.deep_get("CommandLine", default=""),
            "🕖" in event.deep_get("CommandLine", default=""),
            "🕗" in event.deep_get("CommandLine", default=""),
            "🕘" in event.deep_get("CommandLine", default=""),
            "🕙" in event.deep_get("CommandLine", default=""),
            "🕚" in event.deep_get("CommandLine", default=""),
            "🕛" in event.deep_get("CommandLine", default=""),
            "🕜" in event.deep_get("CommandLine", default=""),
            "🕝" in event.deep_get("CommandLine", default=""),
            "🕞" in event.deep_get("CommandLine", default=""),
            "🕟" in event.deep_get("CommandLine", default=""),
            "🕠" in event.deep_get("CommandLine", default=""),
            "🕡" in event.deep_get("CommandLine", default=""),
            "🕢" in event.deep_get("CommandLine", default=""),
            "🕣" in event.deep_get("CommandLine", default=""),
            "🕤" in event.deep_get("CommandLine", default=""),
            "🕥" in event.deep_get("CommandLine", default=""),
            "🕦" in event.deep_get("CommandLine", default=""),
            "🕧✢" in event.deep_get("CommandLine", default=""),
            "✣" in event.deep_get("CommandLine", default=""),
            "✤" in event.deep_get("CommandLine", default=""),
            "✥" in event.deep_get("CommandLine", default=""),
            "✦" in event.deep_get("CommandLine", default=""),
            "✧" in event.deep_get("CommandLine", default=""),
            "★" in event.deep_get("CommandLine", default=""),
            "☆" in event.deep_get("CommandLine", default=""),
            "✯" in event.deep_get("CommandLine", default=""),
            "✡︎" in event.deep_get("CommandLine", default=""),
            "✩" in event.deep_get("CommandLine", default=""),
            "✪" in event.deep_get("CommandLine", default=""),
            "✫" in event.deep_get("CommandLine", default=""),
            "✬" in event.deep_get("CommandLine", default=""),
            "✭" in event.deep_get("CommandLine", default=""),
            "✮" in event.deep_get("CommandLine", default=""),
            "✶" in event.deep_get("CommandLine", default=""),
            "✷" in event.deep_get("CommandLine", default=""),
            "✵" in event.deep_get("CommandLine", default=""),
            "✸" in event.deep_get("CommandLine", default=""),
            "✹" in event.deep_get("CommandLine", default=""),
            "→" in event.deep_get("CommandLine", default=""),
            "⇒" in event.deep_get("CommandLine", default=""),
            "⟹" in event.deep_get("CommandLine", default=""),
            "⇨" in event.deep_get("CommandLine", default=""),
            "⇾" in event.deep_get("CommandLine", default=""),
            "➾" in event.deep_get("CommandLine", default=""),
            "⇢" in event.deep_get("CommandLine", default=""),
            "☛" in event.deep_get("CommandLine", default=""),
            "☞" in event.deep_get("CommandLine", default=""),
            "➔" in event.deep_get("CommandLine", default=""),
            "➜" in event.deep_get("CommandLine", default=""),
            "➙" in event.deep_get("CommandLine", default=""),
            "➛" in event.deep_get("CommandLine", default=""),
            "➝" in event.deep_get("CommandLine", default=""),
            "➞" in event.deep_get("CommandLine", default=""),
            "♠︎" in event.deep_get("CommandLine", default=""),
            "♣︎" in event.deep_get("CommandLine", default=""),
            "♥︎" in event.deep_get("CommandLine", default=""),
            "♦︎" in event.deep_get("CommandLine", default=""),
            "♤" in event.deep_get("CommandLine", default=""),
            "♧" in event.deep_get("CommandLine", default=""),
            "♡" in event.deep_get("CommandLine", default=""),
            "♢" in event.deep_get("CommandLine", default=""),
            "♚" in event.deep_get("CommandLine", default=""),
            "♛" in event.deep_get("CommandLine", default=""),
            "♜" in event.deep_get("CommandLine", default=""),
            "♝" in event.deep_get("CommandLine", default=""),
            "♞" in event.deep_get("CommandLine", default=""),
            "♟" in event.deep_get("CommandLine", default=""),
            "♔" in event.deep_get("CommandLine", default=""),
            "♕" in event.deep_get("CommandLine", default=""),
            "♖" in event.deep_get("CommandLine", default=""),
            "♗" in event.deep_get("CommandLine", default=""),
            "♘" in event.deep_get("CommandLine", default=""),
            "♙" in event.deep_get("CommandLine", default=""),
            "⚀" in event.deep_get("CommandLine", default=""),
            "⚁" in event.deep_get("CommandLine", default=""),
            "⚂" in event.deep_get("CommandLine", default=""),
            "⚃" in event.deep_get("CommandLine", default=""),
            "⚄" in event.deep_get("CommandLine", default=""),
            "⚅" in event.deep_get("CommandLine", default=""),
            "🂠" in event.deep_get("CommandLine", default=""),
            "⚈" in event.deep_get("CommandLine", default=""),
            "⚉" in event.deep_get("CommandLine", default=""),
            "⚆" in event.deep_get("CommandLine", default=""),
            "⚇" in event.deep_get("CommandLine", default=""),
            "𓀀" in event.deep_get("CommandLine", default=""),
            "𓀁" in event.deep_get("CommandLine", default=""),
            "𓀂" in event.deep_get("CommandLine", default=""),
            "𓀃" in event.deep_get("CommandLine", default=""),
            "𓀄" in event.deep_get("CommandLine", default=""),
            "𓀅" in event.deep_get("CommandLine", default=""),
            "𓀆" in event.deep_get("CommandLine", default=""),
            "𓀇" in event.deep_get("CommandLine", default=""),
            "𓀈" in event.deep_get("CommandLine", default=""),
            "𓀉" in event.deep_get("CommandLine", default=""),
            "𓀊" in event.deep_get("CommandLine", default=""),
            "𓀋" in event.deep_get("CommandLine", default=""),
            "𓀌" in event.deep_get("CommandLine", default=""),
            "𓀍" in event.deep_get("CommandLine", default=""),
            "𓀎" in event.deep_get("CommandLine", default=""),
            "𓀏" in event.deep_get("CommandLine", default=""),
            "𓀐" in event.deep_get("CommandLine", default=""),
            "𓀑" in event.deep_get("CommandLine", default=""),
            "𓀒" in event.deep_get("CommandLine", default=""),
            "𓀓" in event.deep_get("CommandLine", default=""),
            "𓀔" in event.deep_get("CommandLine", default=""),
            "𓀕" in event.deep_get("CommandLine", default=""),
            "𓀖" in event.deep_get("CommandLine", default=""),
            "𓀗" in event.deep_get("CommandLine", default=""),
            "𓀘" in event.deep_get("CommandLine", default=""),
            "𓀙" in event.deep_get("CommandLine", default=""),
            "𓀚" in event.deep_get("CommandLine", default=""),
            "𓀛" in event.deep_get("CommandLine", default=""),
            "𓀜" in event.deep_get("CommandLine", default=""),
            "𓀝🏳️" in event.deep_get("CommandLine", default=""),
            "🏴" in event.deep_get("CommandLine", default=""),
            "🏁" in event.deep_get("CommandLine", default=""),
            "🚩" in event.deep_get("CommandLine", default=""),
            "🏳️‍🌈" in event.deep_get("CommandLine", default=""),
            "🏳️‍⚧️" in event.deep_get("CommandLine", default=""),
            "🏴‍☠️" in event.deep_get("CommandLine", default=""),
            "🇦🇫" in event.deep_get("CommandLine", default=""),
            "🇦🇽" in event.deep_get("CommandLine", default=""),
            "🇦🇱" in event.deep_get("CommandLine", default=""),
            "🇩🇿" in event.deep_get("CommandLine", default=""),
            "🇦🇸" in event.deep_get("CommandLine", default=""),
            "🇦🇩" in event.deep_get("CommandLine", default=""),
            "🇦🇴" in event.deep_get("CommandLine", default=""),
            "🇦🇮" in event.deep_get("CommandLine", default=""),
            "🇦🇶" in event.deep_get("CommandLine", default=""),
            "🇦🇬" in event.deep_get("CommandLine", default=""),
            "🇦🇷" in event.deep_get("CommandLine", default=""),
            "🇦🇲" in event.deep_get("CommandLine", default=""),
            "🇦🇼" in event.deep_get("CommandLine", default=""),
            "🇦🇺" in event.deep_get("CommandLine", default=""),
            "🇦🇹" in event.deep_get("CommandLine", default=""),
            "🇦🇿" in event.deep_get("CommandLine", default=""),
            "🇧🇸" in event.deep_get("CommandLine", default=""),
            "🇧🇭" in event.deep_get("CommandLine", default=""),
            "🇧🇩" in event.deep_get("CommandLine", default=""),
            "🇧🇧" in event.deep_get("CommandLine", default=""),
            "🇧🇾" in event.deep_get("CommandLine", default=""),
            "🇧🇪" in event.deep_get("CommandLine", default=""),
            "🇧🇿" in event.deep_get("CommandLine", default=""),
            "🇧🇯" in event.deep_get("CommandLine", default=""),
            "🇧🇲" in event.deep_get("CommandLine", default=""),
            "🇧🇹" in event.deep_get("CommandLine", default=""),
            "🇧🇴" in event.deep_get("CommandLine", default=""),
            "🇧🇦" in event.deep_get("CommandLine", default=""),
            "🇧🇼" in event.deep_get("CommandLine", default=""),
            "🇧🇷" in event.deep_get("CommandLine", default=""),
            "🇮🇴" in event.deep_get("CommandLine", default=""),
            "🇻🇬" in event.deep_get("CommandLine", default=""),
            "🇧🇳" in event.deep_get("CommandLine", default=""),
            "🇧🇬" in event.deep_get("CommandLine", default=""),
            "🇧🇫" in event.deep_get("CommandLine", default=""),
            "🇧🇮" in event.deep_get("CommandLine", default=""),
            "🇰🇭" in event.deep_get("CommandLine", default=""),
            "🇨🇲" in event.deep_get("CommandLine", default=""),
            "🇨🇦" in event.deep_get("CommandLine", default=""),
            "🇮🇨" in event.deep_get("CommandLine", default=""),
            "🇨🇻" in event.deep_get("CommandLine", default=""),
            "🇧🇶" in event.deep_get("CommandLine", default=""),
            "🇰🇾" in event.deep_get("CommandLine", default=""),
            "🇨🇫" in event.deep_get("CommandLine", default=""),
            "🇹🇩" in event.deep_get("CommandLine", default=""),
            "🇨🇱" in event.deep_get("CommandLine", default=""),
            "🇨🇳" in event.deep_get("CommandLine", default=""),
            "🇨🇽" in event.deep_get("CommandLine", default=""),
            "🇨🇨" in event.deep_get("CommandLine", default=""),
            "🇨🇴" in event.deep_get("CommandLine", default=""),
            "🇰🇲" in event.deep_get("CommandLine", default=""),
            "🇨🇬" in event.deep_get("CommandLine", default=""),
            "🇨🇩" in event.deep_get("CommandLine", default=""),
            "🇨🇰" in event.deep_get("CommandLine", default=""),
            "🇨🇷" in event.deep_get("CommandLine", default=""),
            "🇨🇮" in event.deep_get("CommandLine", default=""),
            "🇭🇷" in event.deep_get("CommandLine", default=""),
            "🇨🇺" in event.deep_get("CommandLine", default=""),
            "🇨🇼" in event.deep_get("CommandLine", default=""),
            "🇨🇾" in event.deep_get("CommandLine", default=""),
            "🇨🇿" in event.deep_get("CommandLine", default=""),
            "🇩🇰" in event.deep_get("CommandLine", default=""),
            "🇩🇯" in event.deep_get("CommandLine", default=""),
            "🇩🇲" in event.deep_get("CommandLine", default=""),
            "🇩🇴" in event.deep_get("CommandLine", default=""),
            "🇪🇨" in event.deep_get("CommandLine", default=""),
            "🇪🇬" in event.deep_get("CommandLine", default=""),
            "🇸🇻" in event.deep_get("CommandLine", default=""),
            "🇬🇶" in event.deep_get("CommandLine", default=""),
            "🇪🇷" in event.deep_get("CommandLine", default=""),
            "🇪🇪" in event.deep_get("CommandLine", default=""),
            "🇪🇹" in event.deep_get("CommandLine", default=""),
            "🇪🇺" in event.deep_get("CommandLine", default=""),
            "🇫🇰" in event.deep_get("CommandLine", default=""),
            "🇫🇴" in event.deep_get("CommandLine", default=""),
            "🇫🇯" in event.deep_get("CommandLine", default=""),
            "🇫🇮" in event.deep_get("CommandLine", default=""),
            "🇫🇷" in event.deep_get("CommandLine", default=""),
            "🇬🇫" in event.deep_get("CommandLine", default=""),
            "🇵🇫" in event.deep_get("CommandLine", default=""),
            "🇹🇫" in event.deep_get("CommandLine", default=""),
            "🇬🇦" in event.deep_get("CommandLine", default=""),
            "🇬🇲" in event.deep_get("CommandLine", default=""),
            "🇬🇪" in event.deep_get("CommandLine", default=""),
            "🇩🇪" in event.deep_get("CommandLine", default=""),
            "🇬🇭" in event.deep_get("CommandLine", default=""),
            "🇬🇮" in event.deep_get("CommandLine", default=""),
            "🇬🇷" in event.deep_get("CommandLine", default=""),
            "🇬🇱" in event.deep_get("CommandLine", default=""),
            "🇬🇩" in event.deep_get("CommandLine", default=""),
            "🇬🇵" in event.deep_get("CommandLine", default=""),
            "🇬🇺" in event.deep_get("CommandLine", default=""),
            "🇬🇹" in event.deep_get("CommandLine", default=""),
            "🇬🇬" in event.deep_get("CommandLine", default=""),
            "🇬🇳" in event.deep_get("CommandLine", default=""),
            "🇬🇼" in event.deep_get("CommandLine", default=""),
            "🇬🇾" in event.deep_get("CommandLine", default=""),
            "🇭🇹" in event.deep_get("CommandLine", default=""),
            "🇭🇳" in event.deep_get("CommandLine", default=""),
            "🇭🇰" in event.deep_get("CommandLine", default=""),
            "🇭🇺" in event.deep_get("CommandLine", default=""),
            "🇮🇸" in event.deep_get("CommandLine", default=""),
            "🇮🇳" in event.deep_get("CommandLine", default=""),
            "🇮🇩" in event.deep_get("CommandLine", default=""),
            "🇮🇷" in event.deep_get("CommandLine", default=""),
            "🇮🇶" in event.deep_get("CommandLine", default=""),
            "🇮🇪" in event.deep_get("CommandLine", default=""),
            "🇮🇲" in event.deep_get("CommandLine", default=""),
            "🇮🇱" in event.deep_get("CommandLine", default=""),
            "🇮🇹" in event.deep_get("CommandLine", default=""),
            "🇯🇲" in event.deep_get("CommandLine", default=""),
            "🇯🇵" in event.deep_get("CommandLine", default=""),
            "🎌" in event.deep_get("CommandLine", default=""),
            "🇯🇪" in event.deep_get("CommandLine", default=""),
            "🇯🇴" in event.deep_get("CommandLine", default=""),
            "🇰🇿" in event.deep_get("CommandLine", default=""),
            "🇰🇪" in event.deep_get("CommandLine", default=""),
            "🇰🇮" in event.deep_get("CommandLine", default=""),
            "🇽🇰" in event.deep_get("CommandLine", default=""),
            "🇰🇼" in event.deep_get("CommandLine", default=""),
            "🇰🇬" in event.deep_get("CommandLine", default=""),
            "🇱🇦" in event.deep_get("CommandLine", default=""),
            "🇱🇻" in event.deep_get("CommandLine", default=""),
            "🇱🇧" in event.deep_get("CommandLine", default=""),
            "🇱🇸" in event.deep_get("CommandLine", default=""),
            "🇱🇷" in event.deep_get("CommandLine", default=""),
            "🇱🇾" in event.deep_get("CommandLine", default=""),
            "🇱🇮" in event.deep_get("CommandLine", default=""),
            "🇱🇹" in event.deep_get("CommandLine", default=""),
            "🇱🇺" in event.deep_get("CommandLine", default=""),
            "🇲🇴" in event.deep_get("CommandLine", default=""),
            "🇲🇰" in event.deep_get("CommandLine", default=""),
            "🇲🇬" in event.deep_get("CommandLine", default=""),
            "🇲🇼" in event.deep_get("CommandLine", default=""),
            "🇲🇾" in event.deep_get("CommandLine", default=""),
            "🇲🇻" in event.deep_get("CommandLine", default=""),
            "🇲🇱" in event.deep_get("CommandLine", default=""),
            "🇲🇹" in event.deep_get("CommandLine", default=""),
            "🇲🇭" in event.deep_get("CommandLine", default=""),
            "🇲🇶" in event.deep_get("CommandLine", default=""),
            "🇲🇷" in event.deep_get("CommandLine", default=""),
            "🇲🇺" in event.deep_get("CommandLine", default=""),
            "🇾🇹" in event.deep_get("CommandLine", default=""),
            "🇲🇽" in event.deep_get("CommandLine", default=""),
            "🇫🇲" in event.deep_get("CommandLine", default=""),
            "🇲🇩" in event.deep_get("CommandLine", default=""),
            "🇲🇨" in event.deep_get("CommandLine", default=""),
            "🇲🇳" in event.deep_get("CommandLine", default=""),
            "🇲🇪" in event.deep_get("CommandLine", default=""),
            "🇲🇸" in event.deep_get("CommandLine", default=""),
            "🇲🇦" in event.deep_get("CommandLine", default=""),
            "🇲🇿" in event.deep_get("CommandLine", default=""),
            "🇲🇲" in event.deep_get("CommandLine", default=""),
            "🇳🇦" in event.deep_get("CommandLine", default=""),
            "🇳🇷" in event.deep_get("CommandLine", default=""),
            "🇳🇵" in event.deep_get("CommandLine", default=""),
            "🇳🇱" in event.deep_get("CommandLine", default=""),
            "🇳🇨" in event.deep_get("CommandLine", default=""),
            "🇳🇿" in event.deep_get("CommandLine", default=""),
            "🇳🇮" in event.deep_get("CommandLine", default=""),
            "🇳🇪" in event.deep_get("CommandLine", default=""),
            "🇳🇬" in event.deep_get("CommandLine", default=""),
            "🇳🇺" in event.deep_get("CommandLine", default=""),
            "🇳🇫" in event.deep_get("CommandLine", default=""),
            "🇰🇵" in event.deep_get("CommandLine", default=""),
            "🇲🇵" in event.deep_get("CommandLine", default=""),
            "🇳🇴" in event.deep_get("CommandLine", default=""),
            "🇴🇲" in event.deep_get("CommandLine", default=""),
            "🇵🇰" in event.deep_get("CommandLine", default=""),
            "🇵🇼" in event.deep_get("CommandLine", default=""),
            "🇵🇸" in event.deep_get("CommandLine", default=""),
            "🇵🇦" in event.deep_get("CommandLine", default=""),
            "🇵🇬" in event.deep_get("CommandLine", default=""),
            "🇵🇾" in event.deep_get("CommandLine", default=""),
            "🇵🇪" in event.deep_get("CommandLine", default=""),
            "🇵🇭" in event.deep_get("CommandLine", default=""),
            "🇵🇳" in event.deep_get("CommandLine", default=""),
            "🇵🇱" in event.deep_get("CommandLine", default=""),
            "🇵🇹" in event.deep_get("CommandLine", default=""),
            "🇵🇷" in event.deep_get("CommandLine", default=""),
            "🇶🇦" in event.deep_get("CommandLine", default=""),
            "🇷🇪" in event.deep_get("CommandLine", default=""),
            "🇷🇴" in event.deep_get("CommandLine", default=""),
            "🇷🇺" in event.deep_get("CommandLine", default=""),
            "🇷🇼" in event.deep_get("CommandLine", default=""),
            "🇼🇸" in event.deep_get("CommandLine", default=""),
            "🇸🇲" in event.deep_get("CommandLine", default=""),
            "🇸🇦" in event.deep_get("CommandLine", default=""),
            "🇸🇳" in event.deep_get("CommandLine", default=""),
            "🇷🇸" in event.deep_get("CommandLine", default=""),
            "🇸🇨" in event.deep_get("CommandLine", default=""),
            "🇸🇱" in event.deep_get("CommandLine", default=""),
            "🇸🇬" in event.deep_get("CommandLine", default=""),
            "🇸🇽" in event.deep_get("CommandLine", default=""),
            "🇸🇰" in event.deep_get("CommandLine", default=""),
            "🇸🇮" in event.deep_get("CommandLine", default=""),
            "🇬🇸" in event.deep_get("CommandLine", default=""),
            "🇸🇧" in event.deep_get("CommandLine", default=""),
            "🇸🇴" in event.deep_get("CommandLine", default=""),
            "🇿🇦" in event.deep_get("CommandLine", default=""),
            "🇰🇷" in event.deep_get("CommandLine", default=""),
            "🇸🇸" in event.deep_get("CommandLine", default=""),
            "🇪🇸" in event.deep_get("CommandLine", default=""),
            "🇱🇰" in event.deep_get("CommandLine", default=""),
            "🇧🇱" in event.deep_get("CommandLine", default=""),
            "🇸🇭" in event.deep_get("CommandLine", default=""),
            "🇰🇳" in event.deep_get("CommandLine", default=""),
            "🇱🇨" in event.deep_get("CommandLine", default=""),
            "🇵🇲" in event.deep_get("CommandLine", default=""),
            "🇻🇨" in event.deep_get("CommandLine", default=""),
            "🇸🇩" in event.deep_get("CommandLine", default=""),
            "🇸🇷" in event.deep_get("CommandLine", default=""),
            "🇸🇿" in event.deep_get("CommandLine", default=""),
            "🇸🇪" in event.deep_get("CommandLine", default=""),
            "🇨🇭" in event.deep_get("CommandLine", default=""),
            "🇸🇾" in event.deep_get("CommandLine", default=""),
            "🇹🇼" in event.deep_get("CommandLine", default=""),
            "🇹🇯" in event.deep_get("CommandLine", default=""),
            "🇹🇿" in event.deep_get("CommandLine", default=""),
            "🇹🇭" in event.deep_get("CommandLine", default=""),
            "🇹🇱" in event.deep_get("CommandLine", default=""),
            "🇹🇬" in event.deep_get("CommandLine", default=""),
            "🇹🇰" in event.deep_get("CommandLine", default=""),
            "🇹🇴" in event.deep_get("CommandLine", default=""),
            "🇹🇹" in event.deep_get("CommandLine", default=""),
            "🇹🇳" in event.deep_get("CommandLine", default=""),
            "🇹🇷" in event.deep_get("CommandLine", default=""),
            "🇹🇲" in event.deep_get("CommandLine", default=""),
            "🇹🇨" in event.deep_get("CommandLine", default=""),
            "🇹🇻" in event.deep_get("CommandLine", default=""),
            "🇻🇮" in event.deep_get("CommandLine", default=""),
            "🇺🇬" in event.deep_get("CommandLine", default=""),
            "🇺🇦" in event.deep_get("CommandLine", default=""),
            "🇦🇪" in event.deep_get("CommandLine", default=""),
            "🇬🇧" in event.deep_get("CommandLine", default=""),
            "🏴󠁧󠁢󠁥󠁮󠁧󠁿" in event.deep_get("CommandLine", default=""),
            "🏴󠁧󠁢󠁳󠁣󠁴󠁿" in event.deep_get("CommandLine", default=""),
            "🏴󠁧󠁢󠁷󠁬󠁳󠁿" in event.deep_get("CommandLine", default=""),
            "🇺🇳" in event.deep_get("CommandLine", default=""),
            "🇺🇸" in event.deep_get("CommandLine", default=""),
            "🇺🇾" in event.deep_get("CommandLine", default=""),
            "🇺🇿" in event.deep_get("CommandLine", default=""),
            "🇻🇺" in event.deep_get("CommandLine", default=""),
            "🇻🇦" in event.deep_get("CommandLine", default=""),
            "🇻🇪" in event.deep_get("CommandLine", default=""),
            "🇻🇳" in event.deep_get("CommandLine", default=""),
            "🇼🇫" in event.deep_get("CommandLine", default=""),
            "🇪🇭" in event.deep_get("CommandLine", default=""),
            "🇾🇪" in event.deep_get("CommandLine", default=""),
            "🇿🇲" in event.deep_get("CommandLine", default=""),
            "🇿🇼🫠" in event.deep_get("CommandLine", default=""),
            "🫢" in event.deep_get("CommandLine", default=""),
            "🫣" in event.deep_get("CommandLine", default=""),
            "🫡" in event.deep_get("CommandLine", default=""),
            "🫥" in event.deep_get("CommandLine", default=""),
            "🫤" in event.deep_get("CommandLine", default=""),
            "🥹" in event.deep_get("CommandLine", default=""),
            "🫱" in event.deep_get("CommandLine", default=""),
            "🫱🏻" in event.deep_get("CommandLine", default=""),
            "🫱🏼" in event.deep_get("CommandLine", default=""),
            "🫱🏽" in event.deep_get("CommandLine", default=""),
            "🫱🏾" in event.deep_get("CommandLine", default=""),
            "🫱🏿" in event.deep_get("CommandLine", default=""),
            "🫲" in event.deep_get("CommandLine", default=""),
            "🫲🏻" in event.deep_get("CommandLine", default=""),
            "🫲🏼" in event.deep_get("CommandLine", default=""),
            "🫲🏽" in event.deep_get("CommandLine", default=""),
            "🫲🏾" in event.deep_get("CommandLine", default=""),
            "🫲🏿" in event.deep_get("CommandLine", default=""),
            "🫳" in event.deep_get("CommandLine", default=""),
            "🫳🏻" in event.deep_get("CommandLine", default=""),
            "🫳🏼" in event.deep_get("CommandLine", default=""),
            "🫳🏽" in event.deep_get("CommandLine", default=""),
            "🫳🏾" in event.deep_get("CommandLine", default=""),
            "🫳🏿" in event.deep_get("CommandLine", default=""),
            "🫴" in event.deep_get("CommandLine", default=""),
            "🫴🏻" in event.deep_get("CommandLine", default=""),
            "🫴🏼" in event.deep_get("CommandLine", default=""),
            "🫴🏽" in event.deep_get("CommandLine", default=""),
            "🫴🏾" in event.deep_get("CommandLine", default=""),
            "🫴🏿" in event.deep_get("CommandLine", default=""),
            "🫰" in event.deep_get("CommandLine", default=""),
            "🫰🏻" in event.deep_get("CommandLine", default=""),
            "🫰🏼" in event.deep_get("CommandLine", default=""),
            "🫰🏽" in event.deep_get("CommandLine", default=""),
            "🫰🏾" in event.deep_get("CommandLine", default=""),
            "🫰🏿" in event.deep_get("CommandLine", default=""),
            "🫵" in event.deep_get("CommandLine", default=""),
            "🫵🏻" in event.deep_get("CommandLine", default=""),
            "🫵🏼" in event.deep_get("CommandLine", default=""),
            "🫵🏽" in event.deep_get("CommandLine", default=""),
            "🫵🏾" in event.deep_get("CommandLine", default=""),
            "🫵🏿" in event.deep_get("CommandLine", default=""),
            "🫶" in event.deep_get("CommandLine", default=""),
            "🫶🏻" in event.deep_get("CommandLine", default=""),
            "🫶🏼" in event.deep_get("CommandLine", default=""),
            "🫶🏽" in event.deep_get("CommandLine", default=""),
            "🫶🏾" in event.deep_get("CommandLine", default=""),
            "🫶🏿" in event.deep_get("CommandLine", default=""),
            "🤝🏻" in event.deep_get("CommandLine", default=""),
            "🤝🏼" in event.deep_get("CommandLine", default=""),
            "🤝🏽" in event.deep_get("CommandLine", default=""),
            "🤝🏾" in event.deep_get("CommandLine", default=""),
            "🤝🏿" in event.deep_get("CommandLine", default=""),
            "🫱🏻‍🫲🏼" in event.deep_get("CommandLine", default=""),
            "🫱🏻‍🫲🏽" in event.deep_get("CommandLine", default=""),
            "🫱🏻‍🫲🏾" in event.deep_get("CommandLine", default=""),
            "🫱🏻‍🫲🏿" in event.deep_get("CommandLine", default=""),
            "🫱🏼‍🫲🏻" in event.deep_get("CommandLine", default=""),
            "🫱🏼‍🫲🏽" in event.deep_get("CommandLine", default=""),
            "🫱🏼‍🫲🏾" in event.deep_get("CommandLine", default=""),
            "🫱🏼‍🫲🏿" in event.deep_get("CommandLine", default=""),
            "🫱🏽‍🫲🏻" in event.deep_get("CommandLine", default=""),
            "🫱🏽‍🫲🏼" in event.deep_get("CommandLine", default=""),
            "🫱🏽‍🫲🏾" in event.deep_get("CommandLine", default=""),
            "🫱🏽‍🫲🏿" in event.deep_get("CommandLine", default=""),
            "🫱🏾‍🫲🏻" in event.deep_get("CommandLine", default=""),
            "🫱🏾‍🫲🏼" in event.deep_get("CommandLine", default=""),
            "🫱🏾‍🫲🏽" in event.deep_get("CommandLine", default=""),
            "🫱🏾‍🫲🏿" in event.deep_get("CommandLine", default=""),
            "🫱🏿‍🫲🏻" in event.deep_get("CommandLine", default=""),
            "🫱🏿‍🫲🏼" in event.deep_get("CommandLine", default=""),
            "🫱🏿‍🫲🏽" in event.deep_get("CommandLine", default=""),
            "🫱🏿‍🫲🏾" in event.deep_get("CommandLine", default=""),
            "🫦" in event.deep_get("CommandLine", default=""),
            "🫅" in event.deep_get("CommandLine", default=""),
            "🫅🏻" in event.deep_get("CommandLine", default=""),
            "🫅🏼" in event.deep_get("CommandLine", default=""),
            "🫅🏽" in event.deep_get("CommandLine", default=""),
            "🫅🏾" in event.deep_get("CommandLine", default=""),
            "🫅🏿" in event.deep_get("CommandLine", default=""),
            "🫃" in event.deep_get("CommandLine", default=""),
            "🫃🏻" in event.deep_get("CommandLine", default=""),
            "🫃🏼" in event.deep_get("CommandLine", default=""),
            "🫃🏽" in event.deep_get("CommandLine", default=""),
            "🫃🏾" in event.deep_get("CommandLine", default=""),
            "🫃🏿" in event.deep_get("CommandLine", default=""),
            "🫄" in event.deep_get("CommandLine", default=""),
            "🫄🏻" in event.deep_get("CommandLine", default=""),
            "🫄🏼" in event.deep_get("CommandLine", default=""),
            "🫄🏽" in event.deep_get("CommandLine", default=""),
            "🫄🏾" in event.deep_get("CommandLine", default=""),
            "🫄🏿" in event.deep_get("CommandLine", default=""),
            "🧌" in event.deep_get("CommandLine", default=""),
            "🪸" in event.deep_get("CommandLine", default=""),
            "🪷" in event.deep_get("CommandLine", default=""),
            "🪹" in event.deep_get("CommandLine", default=""),
            "🪺" in event.deep_get("CommandLine", default=""),
            "🫘" in event.deep_get("CommandLine", default=""),
            "🫗" in event.deep_get("CommandLine", default=""),
            "🫙" in event.deep_get("CommandLine", default=""),
            "🛝" in event.deep_get("CommandLine", default=""),
            "🛞" in event.deep_get("CommandLine", default=""),
            "🛟" in event.deep_get("CommandLine", default=""),
            "🪬" in event.deep_get("CommandLine", default=""),
            "🪩" in event.deep_get("CommandLine", default=""),
            "🪫" in event.deep_get("CommandLine", default=""),
            "🩼" in event.deep_get("CommandLine", default=""),
            "🩻" in event.deep_get("CommandLine", default=""),
            "🫧" in event.deep_get("CommandLine", default=""),
            "🪪" in event.deep_get("CommandLine", default=""),
            "🟰" in event.deep_get("CommandLine", default=""),
            "😮‍💨" in event.deep_get("CommandLine", default=""),
            "😵‍💫" in event.deep_get("CommandLine", default=""),
            "😶‍🌫️" in event.deep_get("CommandLine", default=""),
            "❤️‍🔥" in event.deep_get("CommandLine", default=""),
            "❤️‍🩹" in event.deep_get("CommandLine", default=""),
            "🧔‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏻‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏼‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏽‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏾‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔🏿‍♀️" in event.deep_get("CommandLine", default=""),
            "🧔‍♂️" in event.deep_get("CommandLine", default=""),
            "🧔🏻‍♂️" in event.deep_get("CommandLine", default=""),
            "🧔🏼‍♂️" in event.deep_get("CommandLine", default=""),
            "🧔🏽‍♂️" in event.deep_get("CommandLine", default=""),
            "🧔🏾‍♂️" in event.deep_get("CommandLine", default=""),
            "🧔🏿‍♂️" in event.deep_get("CommandLine", default=""),
            "💑🏻" in event.deep_get("CommandLine", default=""),
            "💑🏼" in event.deep_get("CommandLine", default=""),
            "💑🏽" in event.deep_get("CommandLine", default=""),
            "💑🏾" in event.deep_get("CommandLine", default=""),
            "💑🏿" in event.deep_get("CommandLine", default=""),
            "💏🏻" in event.deep_get("CommandLine", default=""),
            "💏🏼" in event.deep_get("CommandLine", default=""),
            "💏🏽" in event.deep_get("CommandLine", default=""),
            "💏🏾" in event.deep_get("CommandLine", default=""),
            "💏🏿" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍👩🏿" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍👩🏿" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍👩🏿" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍👩🏿" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍👩🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍❤️‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍❤️‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍❤️‍🧑🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍❤️‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍❤️‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍❤️‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍❤️‍🧑🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍❤️‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍❤️‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍❤️‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍❤️‍🧑🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍❤️‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍❤️‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍❤️‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍❤️‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍❤️‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍❤️‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍❤️‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍❤️‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍❤️‍🧑🏾" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏻‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏼‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏽‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏾‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👨🏿‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏻‍❤️‍💋‍👩🏿" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏼‍❤️‍💋‍👩🏿" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏽‍❤️‍💋‍👩🏿" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏾‍❤️‍💋‍👩🏿" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👨🏻" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👨🏼" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👨🏽" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👨🏾" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👨🏿" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👩🏻" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👩🏼" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👩🏽" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👩🏾" in event.deep_get("CommandLine", default=""),
            "👩🏿‍❤️‍💋‍👩🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍❤️‍💋‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍❤️‍💋‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍❤️‍💋‍🧑🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏻‍❤️‍💋‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍❤️‍💋‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍❤️‍💋‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍❤️‍💋‍🧑🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏼‍❤️‍💋‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍❤️‍💋‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍❤️‍💋‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍❤️‍💋‍🧑🏾" in event.deep_get("CommandLine", default=""),
            "🧑🏽‍❤️‍💋‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍❤️‍💋‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍❤️‍💋‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍❤️‍💋‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏾‍❤️‍💋‍🧑🏿" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍❤️‍💋‍🧑🏻" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍❤️‍💋‍🧑🏼" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍❤️‍💋‍🧑🏽" in event.deep_get("CommandLine", default=""),
            "🧑🏿‍❤️‍💋‍🧑🏾" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
id: 225274c4-8dd1-40db-9e09-71dff4f6fb3c
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '🔸'
            - '🔹'
            - '🔶'
            - '🔷'
            - '🔳'
            - '🔲'
            - '▪️'
            - '▫️'
            - '◾️'
            - '◽️'
            - '◼️'
            - '◻️'
            - '🟥'
            - '🟧'
            - '🟨'
            - '🟩'
            - '🟦'
            - '🟪'
            - '⬛️'
            - '⬜️'
            - '🟫'
            - '🔈'
            - '🔇'
            - '🔉'
            - '🔊'
            - '🔔'
            - '🔕'
            - '📣'
            - '📢'
            - '👁‍🗨'
            - '💬'
            - '💭'
            - '🗯'
            - '♠️'
            - '♣️'
            - '♥️'
            - '♦️'
            - '🃏'
            - '🎴'
            - '🀄️'
            - '🕐'
            - '🕑'
            - '🕒'
            - '🕓'
            - '🕔'
            - '🕕'
            - '🕖'
            - '🕗'
            - '🕘'
            - '🕙'
            - '🕚'
            - '🕛'
            - '🕜'
            - '🕝'
            - '🕞'
            - '🕟'
            - '🕠'
            - '🕡'
            - '🕢'
            - '🕣'
            - '🕤'
            - '🕥'
            - '🕦'
            - '🕧✢'
            - '✣'
            - '✤'
            - '✥'
            - '✦'
            - '✧'
            - '★'
            - '☆'
            - '✯'
            - '✡︎'
            - '✩'
            - '✪'
            - '✫'
            - '✬'
            - '✭'
            - '✮'
            - '✶'
            - '✷'
            - '✵'
            - '✸'
            - '✹'
            - '→'
            - '⇒'
            - '⟹'
            - '⇨'
            - '⇾'
            - '➾'
            - '⇢'
            - '☛'
            - '☞'
            - '➔'
            - '➜'
            - '➙'
            - '➛'
            - '➝'
            - '➞'
            - '♠︎'
            - '♣︎'
            - '♥︎'
            - '♦︎'
            - '♤'
            - '♧'
            - '♡'
            - '♢'
            - '♚'
            - '♛'
            - '♜'
            - '♝'
            - '♞'
            - '♟'
            - '♔'
            - '♕'
            - '♖'
            - '♗'
            - '♘'
            - '♙'
            - '⚀'
            - '⚁'
            - '⚂'
            - '⚃'
            - '⚄'
            - '⚅'
            - '🂠'
            - '⚈'
            - '⚉'
            - '⚆'
            - '⚇'
            - '𓀀'
            - '𓀁'
            - '𓀂'
            - '𓀃'
            - '𓀄'
            - '𓀅'
            - '𓀆'
            - '𓀇'
            - '𓀈'
            - '𓀉'
            - '𓀊'
            - '𓀋'
            - '𓀌'
            - '𓀍'
            - '𓀎'
            - '𓀏'
            - '𓀐'
            - '𓀑'
            - '𓀒'
            - '𓀓'
            - '𓀔'
            - '𓀕'
            - '𓀖'
            - '𓀗'
            - '𓀘'
            - '𓀙'
            - '𓀚'
            - '𓀛'
            - '𓀜'
            - '𓀝🏳️'
            - '🏴'
            - '🏁'
            - '🚩'
            - '🏳️‍🌈'
            - '🏳️‍⚧️'
            - '🏴‍☠️'
            - '🇦🇫'
            - '🇦🇽'
            - '🇦🇱'
            - '🇩🇿'
            - '🇦🇸'
            - '🇦🇩'
            - '🇦🇴'
            - '🇦🇮'
            - '🇦🇶'
            - '🇦🇬'
            - '🇦🇷'
            - '🇦🇲'
            - '🇦🇼'
            - '🇦🇺'
            - '🇦🇹'
            - '🇦🇿'
            - '🇧🇸'
            - '🇧🇭'
            - '🇧🇩'
            - '🇧🇧'
            - '🇧🇾'
            - '🇧🇪'
            - '🇧🇿'
            - '🇧🇯'
            - '🇧🇲'
            - '🇧🇹'
            - '🇧🇴'
            - '🇧🇦'
            - '🇧🇼'
            - '🇧🇷'
            - '🇮🇴'
            - '🇻🇬'
            - '🇧🇳'
            - '🇧🇬'
            - '🇧🇫'
            - '🇧🇮'
            - '🇰🇭'
            - '🇨🇲'
            - '🇨🇦'
            - '🇮🇨'
            - '🇨🇻'
            - '🇧🇶'
            - '🇰🇾'
            - '🇨🇫'
            - '🇹🇩'
            - '🇨🇱'
            - '🇨🇳'
            - '🇨🇽'
            - '🇨🇨'
            - '🇨🇴'
            - '🇰🇲'
            - '🇨🇬'
            - '🇨🇩'
            - '🇨🇰'
            - '🇨🇷'
            - '🇨🇮'
            - '🇭🇷'
            - '🇨🇺'
            - '🇨🇼'
            - '🇨🇾'
            - '🇨🇿'
            - '🇩🇰'
            - '🇩🇯'
            - '🇩🇲'
            - '🇩🇴'
            - '🇪🇨'
            - '🇪🇬'
            - '🇸🇻'
            - '🇬🇶'
            - '🇪🇷'
            - '🇪🇪'
            - '🇪🇹'
            - '🇪🇺'
            - '🇫🇰'
            - '🇫🇴'
            - '🇫🇯'
            - '🇫🇮'
            - '🇫🇷'
            - '🇬🇫'
            - '🇵🇫'
            - '🇹🇫'
            - '🇬🇦'
            - '🇬🇲'
            - '🇬🇪'
            - '🇩🇪'
            - '🇬🇭'
            - '🇬🇮'
            - '🇬🇷'
            - '🇬🇱'
            - '🇬🇩'
            - '🇬🇵'
            - '🇬🇺'
            - '🇬🇹'
            - '🇬🇬'
            - '🇬🇳'
            - '🇬🇼'
            - '🇬🇾'
            - '🇭🇹'
            - '🇭🇳'
            - '🇭🇰'
            - '🇭🇺'
            - '🇮🇸'
            - '🇮🇳'
            - '🇮🇩'
            - '🇮🇷'
            - '🇮🇶'
            - '🇮🇪'
            - '🇮🇲'
            - '🇮🇱'
            - '🇮🇹'
            - '🇯🇲'
            - '🇯🇵'
            - '🎌'
            - '🇯🇪'
            - '🇯🇴'
            - '🇰🇿'
            - '🇰🇪'
            - '🇰🇮'
            - '🇽🇰'
            - '🇰🇼'
            - '🇰🇬'
            - '🇱🇦'
            - '🇱🇻'
            - '🇱🇧'
            - '🇱🇸'
            - '🇱🇷'
            - '🇱🇾'
            - '🇱🇮'
            - '🇱🇹'
            - '🇱🇺'
            - '🇲🇴'
            - '🇲🇰'
            - '🇲🇬'
            - '🇲🇼'
            - '🇲🇾'
            - '🇲🇻'
            - '🇲🇱'
            - '🇲🇹'
            - '🇲🇭'
            - '🇲🇶'
            - '🇲🇷'
            - '🇲🇺'
            - '🇾🇹'
            - '🇲🇽'
            - '🇫🇲'
            - '🇲🇩'
            - '🇲🇨'
            - '🇲🇳'
            - '🇲🇪'
            - '🇲🇸'
            - '🇲🇦'
            - '🇲🇿'
            - '🇲🇲'
            - '🇳🇦'
            - '🇳🇷'
            - '🇳🇵'
            - '🇳🇱'
            - '🇳🇨'
            - '🇳🇿'
            - '🇳🇮'
            - '🇳🇪'
            - '🇳🇬'
            - '🇳🇺'
            - '🇳🇫'
            - '🇰🇵'
            - '🇲🇵'
            - '🇳🇴'
            - '🇴🇲'
            - '🇵🇰'
            - '🇵🇼'
            - '🇵🇸'
            - '🇵🇦'
            - '🇵🇬'
            - '🇵🇾'
            - '🇵🇪'
            - '🇵🇭'
            - '🇵🇳'
            - '🇵🇱'
            - '🇵🇹'
            - '🇵🇷'
            - '🇶🇦'
            - '🇷🇪'
            - '🇷🇴'
            - '🇷🇺'
            - '🇷🇼'
            - '🇼🇸'
            - '🇸🇲'
            - '🇸🇦'
            - '🇸🇳'
            - '🇷🇸'
            - '🇸🇨'
            - '🇸🇱'
            - '🇸🇬'
            - '🇸🇽'
            - '🇸🇰'
            - '🇸🇮'
            - '🇬🇸'
            - '🇸🇧'
            - '🇸🇴'
            - '🇿🇦'
            - '🇰🇷'
            - '🇸🇸'
            - '🇪🇸'
            - '🇱🇰'
            - '🇧🇱'
            - '🇸🇭'
            - '🇰🇳'
            - '🇱🇨'
            - '🇵🇲'
            - '🇻🇨'
            - '🇸🇩'
            - '🇸🇷'
            - '🇸🇿'
            - '🇸🇪'
            - '🇨🇭'
            - '🇸🇾'
            - '🇹🇼'
            - '🇹🇯'
            - '🇹🇿'
            - '🇹🇭'
            - '🇹🇱'
            - '🇹🇬'
            - '🇹🇰'
            - '🇹🇴'
            - '🇹🇹'
            - '🇹🇳'
            - '🇹🇷'
            - '🇹🇲'
            - '🇹🇨'
            - '🇹🇻'
            - '🇻🇮'
            - '🇺🇬'
            - '🇺🇦'
            - '🇦🇪'
            - '🇬🇧'
            - '🏴󠁧󠁢󠁥󠁮󠁧󠁿'
            - '🏴󠁧󠁢󠁳󠁣󠁴󠁿'
            - '🏴󠁧󠁢󠁷󠁬󠁳󠁿'
            - '🇺🇳'
            - '🇺🇸'
            - '🇺🇾'
            - '🇺🇿'
            - '🇻🇺'
            - '🇻🇦'
            - '🇻🇪'
            - '🇻🇳'
            - '🇼🇫'
            - '🇪🇭'
            - '🇾🇪'
            - '🇿🇲'
            - '🇿🇼🫠'
            - '🫢'
            - '🫣'
            - '🫡'
            - '🫥'
            - '🫤'
            - '🥹'
            - '🫱'
            - '🫱🏻'
            - '🫱🏼'
            - '🫱🏽'
            - '🫱🏾'
            - '🫱🏿'
            - '🫲'
            - '🫲🏻'
            - '🫲🏼'
            - '🫲🏽'
            - '🫲🏾'
            - '🫲🏿'
            - '🫳'
            - '🫳🏻'
            - '🫳🏼'
            - '🫳🏽'
            - '🫳🏾'
            - '🫳🏿'
            - '🫴'
            - '🫴🏻'
            - '🫴🏼'
            - '🫴🏽'
            - '🫴🏾'
            - '🫴🏿'
            - '🫰'
            - '🫰🏻'
            - '🫰🏼'
            - '🫰🏽'
            - '🫰🏾'
            - '🫰🏿'
            - '🫵'
            - '🫵🏻'
            - '🫵🏼'
            - '🫵🏽'
            - '🫵🏾'
            - '🫵🏿'
            - '🫶'
            - '🫶🏻'
            - '🫶🏼'
            - '🫶🏽'
            - '🫶🏾'
            - '🫶🏿'
            - '🤝🏻'
            - '🤝🏼'
            - '🤝🏽'
            - '🤝🏾'
            - '🤝🏿'
            - '🫱🏻‍🫲🏼'
            - '🫱🏻‍🫲🏽'
            - '🫱🏻‍🫲🏾'
            - '🫱🏻‍🫲🏿'
            - '🫱🏼‍🫲🏻'
            - '🫱🏼‍🫲🏽'
            - '🫱🏼‍🫲🏾'
            - '🫱🏼‍🫲🏿'
            - '🫱🏽‍🫲🏻'
            - '🫱🏽‍🫲🏼'
            - '🫱🏽‍🫲🏾'
            - '🫱🏽‍🫲🏿'
            - '🫱🏾‍🫲🏻'
            - '🫱🏾‍🫲🏼'
            - '🫱🏾‍🫲🏽'
            - '🫱🏾‍🫲🏿'
            - '🫱🏿‍🫲🏻'
            - '🫱🏿‍🫲🏼'
            - '🫱🏿‍🫲🏽'
            - '🫱🏿‍🫲🏾'
            - '🫦'
            - '🫅'
            - '🫅🏻'
            - '🫅🏼'
            - '🫅🏽'
            - '🫅🏾'
            - '🫅🏿'
            - '🫃'
            - '🫃🏻'
            - '🫃🏼'
            - '🫃🏽'
            - '🫃🏾'
            - '🫃🏿'
            - '🫄'
            - '🫄🏻'
            - '🫄🏼'
            - '🫄🏽'
            - '🫄🏾'
            - '🫄🏿'
            - '🧌'
            - '🪸'
            - '🪷'
            - '🪹'
            - '🪺'
            - '🫘'
            - '🫗'
            - '🫙'
            - '🛝'
            - '🛞'
            - '🛟'
            - '🪬'
            - '🪩'
            - '🪫'
            - '🩼'
            - '🩻'
            - '🫧'
            - '🪪'
            - '🟰'
            - '😮‍💨'
            - '😵‍💫'
            - '😶‍🌫️'
            - '❤️‍🔥'
            - '❤️‍🩹'
            - '🧔‍♀️'
            - '🧔🏻‍♀️'
            - '🧔🏼‍♀️'
            - '🧔🏽‍♀️'
            - '🧔🏾‍♀️'
            - '🧔🏿‍♀️'
            - '🧔‍♂️'
            - '🧔🏻‍♂️'
            - '🧔🏼‍♂️'
            - '🧔🏽‍♂️'
            - '🧔🏾‍♂️'
            - '🧔🏿‍♂️'
            - '💑🏻'
            - '💑🏼'
            - '💑🏽'
            - '💑🏾'
            - '💑🏿'
            - '💏🏻'
            - '💏🏼'
            - '💏🏽'
            - '💏🏾'
            - '💏🏿'
            - '👨🏻‍❤️‍👨🏻'
            - '👨🏻‍❤️‍👨🏼'
            - '👨🏻‍❤️‍👨🏽'
            - '👨🏻‍❤️‍👨🏾'
            - '👨🏻‍❤️‍👨🏿'
            - '👨🏼‍❤️‍👨🏻'
            - '👨🏼‍❤️‍👨🏼'
            - '👨🏼‍❤️‍👨🏽'
            - '👨🏼‍❤️‍👨🏾'
            - '👨🏼‍❤️‍👨🏿'
            - '👨🏽‍❤️‍👨🏻'
            - '👨🏽‍❤️‍👨🏼'
            - '👨🏽‍❤️‍👨🏽'
            - '👨🏽‍❤️‍👨🏾'
            - '👨🏽‍❤️‍👨🏿'
            - '👨🏾‍❤️‍👨🏻'
            - '👨🏾‍❤️‍👨🏼'
            - '👨🏾‍❤️‍👨🏽'
            - '👨🏾‍❤️‍👨🏾'
            - '👨🏾‍❤️‍👨🏿'
            - '👨🏿‍❤️‍👨🏻'
            - '👨🏿‍❤️‍👨🏼'
            - '👨🏿‍❤️‍👨🏽'
            - '👨🏿‍❤️‍👨🏾'
            - '👨🏿‍❤️‍👨🏿'
            - '👩🏻‍❤️‍👨🏻'
            - '👩🏻‍❤️‍👨🏼'
            - '👩🏻‍❤️‍👨🏽'
            - '👩🏻‍❤️‍👨🏾'
            - '👩🏻‍❤️‍👨🏿'
            - '👩🏻‍❤️‍👩🏻'
            - '👩🏻‍❤️‍👩🏼'
            - '👩🏻‍❤️‍👩🏽'
            - '👩🏻‍❤️‍👩🏾'
            - '👩🏻‍❤️‍👩🏿'
            - '👩🏼‍❤️‍👨🏻'
            - '👩🏼‍❤️‍👨🏼'
            - '👩🏼‍❤️‍👨🏽'
            - '👩🏼‍❤️‍👨🏾'
            - '👩🏼‍❤️‍👨🏿'
            - '👩🏼‍❤️‍👩🏻'
            - '👩🏼‍❤️‍👩🏼'
            - '👩🏼‍❤️‍👩🏽'
            - '👩🏼‍❤️‍👩🏾'
            - '👩🏼‍❤️‍👩🏿'
            - '👩🏽‍❤️‍👨🏻'
            - '👩🏽‍❤️‍👨🏼'
            - '👩🏽‍❤️‍👨🏽'
            - '👩🏽‍❤️‍👨🏾'
            - '👩🏽‍❤️‍👨🏿'
            - '👩🏽‍❤️‍👩🏻'
            - '👩🏽‍❤️‍👩🏼'
            - '👩🏽‍❤️‍👩🏽'
            - '👩🏽‍❤️‍👩🏾'
            - '👩🏽‍❤️‍👩🏿'
            - '👩🏾‍❤️‍👨🏻'
            - '👩🏾‍❤️‍👨🏼'
            - '👩🏾‍❤️‍👨🏽'
            - '👩🏾‍❤️‍👨🏾'
            - '👩🏾‍❤️‍👨🏿'
            - '👩🏾‍❤️‍👩🏻'
            - '👩🏾‍❤️‍👩🏼'
            - '👩🏾‍❤️‍👩🏽'
            - '👩🏾‍❤️‍👩🏾'
            - '👩🏾‍❤️‍👩🏿'
            - '👩🏿‍❤️‍👨🏻'
            - '👩🏿‍❤️‍👨🏼'
            - '👩🏿‍❤️‍👨🏽'
            - '👩🏿‍❤️‍👨🏾'
            - '👩🏿‍❤️‍👨🏿'
            - '👩🏿‍❤️‍👩🏻'
            - '👩🏿‍❤️‍👩🏼'
            - '👩🏿‍❤️‍👩🏽'
            - '👩🏿‍❤️‍👩🏾'
            - '👩🏿‍❤️‍👩🏿'
            - '🧑🏻‍❤️‍🧑🏼'
            - '🧑🏻‍❤️‍🧑🏽'
            - '🧑🏻‍❤️‍🧑🏾'
            - '🧑🏻‍❤️‍🧑🏿'
            - '🧑🏼‍❤️‍🧑🏻'
            - '🧑🏼‍❤️‍🧑🏽'
            - '🧑🏼‍❤️‍🧑🏾'
            - '🧑🏼‍❤️‍🧑🏿'
            - '🧑🏽‍❤️‍🧑🏻'
            - '🧑🏽‍❤️‍🧑🏼'
            - '🧑🏽‍❤️‍🧑🏾'
            - '🧑🏽‍❤️‍🧑🏿'
            - '🧑🏾‍❤️‍🧑🏻'
            - '🧑🏾‍❤️‍🧑🏼'
            - '🧑🏾‍❤️‍🧑🏽'
            - '🧑🏾‍❤️‍🧑🏿'
            - '🧑🏿‍❤️‍🧑🏻'
            - '🧑🏿‍❤️‍🧑🏼'
            - '🧑🏿‍❤️‍🧑🏽'
            - '🧑🏿‍❤️‍🧑🏾'
            - '👨🏻‍❤️‍💋‍👨🏻'
            - '👨🏻‍❤️‍💋‍👨🏼'
            - '👨🏻‍❤️‍💋‍👨🏽'
            - '👨🏻‍❤️‍💋‍👨🏾'
            - '👨🏻‍❤️‍💋‍👨🏿'
            - '👨🏼‍❤️‍💋‍👨🏻'
            - '👨🏼‍❤️‍💋‍👨🏼'
            - '👨🏼‍❤️‍💋‍👨🏽'
            - '👨🏼‍❤️‍💋‍👨🏾'
            - '👨🏼‍❤️‍💋‍👨🏿'
            - '👨🏽‍❤️‍💋‍👨🏻'
            - '👨🏽‍❤️‍💋‍👨🏼'
            - '👨🏽‍❤️‍💋‍👨🏽'
            - '👨🏽‍❤️‍💋‍👨🏾'
            - '👨🏽‍❤️‍💋‍👨🏿'
            - '👨🏾‍❤️‍💋‍👨🏻'
            - '👨🏾‍❤️‍💋‍👨🏼'
            - '👨🏾‍❤️‍💋‍👨🏽'
            - '👨🏾‍❤️‍💋‍👨🏾'
            - '👨🏾‍❤️‍💋‍👨🏿'
            - '👨🏿‍❤️‍💋‍👨🏻'
            - '👨🏿‍❤️‍💋‍👨🏼'
            - '👨🏿‍❤️‍💋‍👨🏽'
            - '👨🏿‍❤️‍💋‍👨🏾'
            - '👨🏿‍❤️‍💋‍👨🏿'
            - '👩🏻‍❤️‍💋‍👨🏻'
            - '👩🏻‍❤️‍💋‍👨🏼'
            - '👩🏻‍❤️‍💋‍👨🏽'
            - '👩🏻‍❤️‍💋‍👨🏾'
            - '👩🏻‍❤️‍💋‍👨🏿'
            - '👩🏻‍❤️‍💋‍👩🏻'
            - '👩🏻‍❤️‍💋‍👩🏼'
            - '👩🏻‍❤️‍💋‍👩🏽'
            - '👩🏻‍❤️‍💋‍👩🏾'
            - '👩🏻‍❤️‍💋‍👩🏿'
            - '👩🏼‍❤️‍💋‍👨🏻'
            - '👩🏼‍❤️‍💋‍👨🏼'
            - '👩🏼‍❤️‍💋‍👨🏽'
            - '👩🏼‍❤️‍💋‍👨🏾'
            - '👩🏼‍❤️‍💋‍👨🏿'
            - '👩🏼‍❤️‍💋‍👩🏻'
            - '👩🏼‍❤️‍💋‍👩🏼'
            - '👩🏼‍❤️‍💋‍👩🏽'
            - '👩🏼‍❤️‍💋‍👩🏾'
            - '👩🏼‍❤️‍💋‍👩🏿'
            - '👩🏽‍❤️‍💋‍👨🏻'
            - '👩🏽‍❤️‍💋‍👨🏼'
            - '👩🏽‍❤️‍💋‍👨🏽'
            - '👩🏽‍❤️‍💋‍👨🏾'
            - '👩🏽‍❤️‍💋‍👨🏿'
            - '👩🏽‍❤️‍💋‍👩🏻'
            - '👩🏽‍❤️‍💋‍👩🏼'
            - '👩🏽‍❤️‍💋‍👩🏽'
            - '👩🏽‍❤️‍💋‍👩🏾'
            - '👩🏽‍❤️‍💋‍👩🏿'
            - '👩🏾‍❤️‍💋‍👨🏻'
            - '👩🏾‍❤️‍💋‍👨🏼'
            - '👩🏾‍❤️‍💋‍👨🏽'
            - '👩🏾‍❤️‍💋‍👨🏾'
            - '👩🏾‍❤️‍💋‍👨🏿'
            - '👩🏾‍❤️‍💋‍👩🏻'
            - '👩🏾‍❤️‍💋‍👩🏼'
            - '👩🏾‍❤️‍💋‍👩🏽'
            - '👩🏾‍❤️‍💋‍👩🏾'
            - '👩🏾‍❤️‍💋‍👩🏿'
            - '👩🏿‍❤️‍💋‍👨🏻'
            - '👩🏿‍❤️‍💋‍👨🏼'
            - '👩🏿‍❤️‍💋‍👨🏽'
            - '👩🏿‍❤️‍💋‍👨🏾'
            - '👩🏿‍❤️‍💋‍👨🏿'
            - '👩🏿‍❤️‍💋‍👩🏻'
            - '👩🏿‍❤️‍💋‍👩🏼'
            - '👩🏿‍❤️‍💋‍👩🏽'
            - '👩🏿‍❤️‍💋‍👩🏾'
            - '👩🏿‍❤️‍💋‍👩🏿'
            - '🧑🏻‍❤️‍💋‍🧑🏼'
            - '🧑🏻‍❤️‍💋‍🧑🏽'
            - '🧑🏻‍❤️‍💋‍🧑🏾'
            - '🧑🏻‍❤️‍💋‍🧑🏿'
            - '🧑🏼‍❤️‍💋‍🧑🏻'
            - '🧑🏼‍❤️‍💋‍🧑🏽'
            - '🧑🏼‍❤️‍💋‍🧑🏾'
            - '🧑🏼‍❤️‍💋‍🧑🏿'
            - '🧑🏽‍❤️‍💋‍🧑🏻'
            - '🧑🏽‍❤️‍💋‍🧑🏼'
            - '🧑🏽‍❤️‍💋‍🧑🏾'
            - '🧑🏽‍❤️‍💋‍🧑🏿'
            - '🧑🏾‍❤️‍💋‍🧑🏻'
            - '🧑🏾‍❤️‍💋‍🧑🏼'
            - '🧑🏾‍❤️‍💋‍🧑🏽'
            - '🧑🏾‍❤️‍💋‍🧑🏿'
            - '🧑🏿‍❤️‍💋‍🧑🏻'
            - '🧑🏿‍❤️‍💋‍🧑🏼'
            - '🧑🏿‍❤️‍💋‍🧑🏽'
            - '🧑🏿‍❤️‍💋‍🧑🏾'
    condition: selection
falsepositives:
    - Unknown
level: high

Convert to SIEM query

high

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

status test author Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113 id 0ba1da6d-b6ce-4366-828c-18826c9de23e

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Description", default="") == "Execute processes remotely",
                    event.deep_get("Product", default="") == "Sysinternals PsExec",
                    any(
                        [
                            event.deep_get("Description", default="").startswith(
                                "Windows PowerShell"
                            ),
                            event.deep_get("Description", default="").startswith("pwsh"),
                        ]
                    ),
                    event.deep_get("OriginalFileName", default="")
                    in [
                        "certutil.exe",
                        "cmstp.exe",
                        "cscript.exe",
                        "IE4UINIT.EXE",
                        "finger.exe",
                        "mshta.exe",
                        "msiexec.exe",
                        "msxsl.exe",
                        "powershell_ise.exe",
                        "powershell.exe",
                        "psexec.c",
                        "psexec.exe",
                        "psexesvc.exe",
                        "pwsh.dll",
                        "reg.exe",
                        "regsvr32.exe",
                        "rundll32.exe",
                        "WerMgr",
                        "wmic.exe",
                        "wscript.exe",
                    ],
                ]
            ),
            not any(
                [
                    event.deep_get("Image", default="").endswith("\\certutil.exe"),
                    event.deep_get("Image", default="").endswith("\\cmstp.exe"),
                    event.deep_get("Image", default="").endswith("\\cscript.exe"),
                    event.deep_get("Image", default="").endswith("\\ie4uinit.exe"),
                    event.deep_get("Image", default="").endswith("\\finger.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\msiexec.exe"),
                    event.deep_get("Image", default="").endswith("\\msxsl.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell_ise.exe"),
                    event.deep_get("Image", default="").endswith("\\powershell.exe"),
                    event.deep_get("Image", default="").endswith("\\psexec.exe"),
                    event.deep_get("Image", default="").endswith("\\psexec64.exe"),
                    event.deep_get("Image", default="").endswith("\\PSEXESVC.exe"),
                    event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                    event.deep_get("Image", default="").endswith("\\reg.exe"),
                    event.deep_get("Image", default="").endswith("\\regsvr32.exe"),
                    event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                    event.deep_get("Image", default="").endswith("\\wermgr.exe"),
                    event.deep_get("Image", default="").endswith("\\wmic.exe"),
                    event.deep_get("Image", default="").endswith("\\wscript.exe"),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
related:
    - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
      type: similar
    - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
      type: derived
    - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
      type: obsolete
    - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
      type: obsolete
    - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
      type: obsolete
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
    - https://twitter.com/christophetd/status/1164506034720952320
    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
    - https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
date: 2019-06-15
modified: 2026-02-12
tags:
    - attack.stealth
    - attack.t1036.003
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Execute processes remotely'
        - Product: 'Sysinternals PsExec'
        - Description|startswith:
              - 'Windows PowerShell'
              - 'pwsh'
        - OriginalFileName:
              - 'certutil.exe'
              - 'cmstp.exe'
              - 'cscript.exe'
              - 'IE4UINIT.EXE'
              - 'finger.exe'
              - 'mshta.exe'
              - 'msiexec.exe'
              - 'msxsl.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'psexec.c'        # old versions of psexec (2016 seen)
              - 'psexec.exe'
              - 'psexesvc.exe'
              - 'pwsh.dll'
              - 'reg.exe'
              - 'regsvr32.exe'
              - 'rundll32.exe'
              - 'WerMgr'
              - 'wmic.exe'
              - 'wscript.exe'
    filter:
        Image|endswith:
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\ie4uinit.exe'
            - '\finger.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\PSEXESVC.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wermgr.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
    - PsExec installed via Windows Store doesn't contain original filename field (False negative)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml

Convert to SIEM query

high

Potential Defense Evasion Via Right-to-Left Override

Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.

status test author Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux id ad691d92-15f2-4181-9aa4-723c74f9ddc3

panther query

def rule(event):
    if any(
        [
            "\\u202e" in event.deep_get("CommandLine", default=""),
            "[U+202E]" in event.deep_get("CommandLine", default=""),
            "‮" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Defense Evasion Via Right-to-Left Override
id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
related:
    - id: e0552b19-5a83-4222-b141-b36184bb8d79
      type: derived
    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
      type: derived
status: test
description: |
    Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
    This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://unicode-explorer.com/c/202E
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
date: 2023-02-15
modified: 2026-03-20
tags:
    - attack.stealth
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '\u202e'  # Unicode RTLO character
            - '[U+202E]'
            # Real char U+202E copied/pasted below
            - '‮'
    condition: selection
falsepositives:
    - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml

Convert to SIEM query

high

Potential Devil Bait Malware Reconnaissance

Detects specific process behavior observed with Devil Bait samples

status test author Nasreddine Bencherchali (Nextron Systems), NCSC (Idea) id e8954be4-b2b8-4961-be18-da1a5bda709c

panther query

import re


def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\wscript.exe"),
            event.deep_get("Image", default="").endswith("\\cmd.exe"),
            ">>%APPDATA%\\Microsoft\\" in event.deep_get("CommandLine", default=""),
            any(
                [
                    event.deep_get("CommandLine", default="").endswith(".xml"),
                    event.deep_get("CommandLine", default="").endswith(".txt"),
                ]
            ),
            any(
                [
                    re.match(r"ipconfig\\s+/all", event.deep_get("CommandLine", default="")),
                    any(
                        [
                            "dir" in event.deep_get("CommandLine", default=""),
                            "systeminfo" in event.deep_get("CommandLine", default=""),
                            "tasklist" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Devil Bait Malware Reconnaissance
id: e8954be4-b2b8-4961-be18-da1a5bda709c
related:
    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
      type: derived
status: test
description: Detects specific process behavior observed with Devil Bait samples
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
    - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
date: 2023-05-15
modified: 2025-10-19
tags:
    - attack.stealth
    - attack.t1218
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_redirect:
        ParentImage|endswith: '\wscript.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '>>%APPDATA%\Microsoft\'
        CommandLine|endswith:
            - '.xml'
            - '.txt'
    selection_recon_cmd:
        - CommandLine|re: 'ipconfig\s+/all'
        - CommandLine|contains:
              # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
              # If you find samples using other commands please add them
              - 'dir'
              - 'systeminfo'
              - 'tasklist'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential Devil Bait Related Indicator

Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC

status test author Nasreddine Bencherchali (Nextron Systems) id 93d5f1b4-36df-45ed-8680-f66f242b8415

panther query

def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\schtasks.exe"),
                    event.deep_get("Image", default="").endswith("\\wscript.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                ]
            ),
            "\\AppData\\Roaming\\Microsoft\\" in event.deep_get("TargetFilename", default=""),
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(".txt"),
                    event.deep_get("TargetFilename", default="").endswith(".xml"),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\schtasks.exe'
            - '\wscript.exe'
            - '\mshta.exe'
        # Example folders used by the samples include:
        #   - %AppData%\Microsoft\Network\
        #   - %AppData%\Microsoft\Office\
        TargetFilename|contains: '\AppData\Roaming\Microsoft\'
        TargetFilename|endswith:
            - '.txt'
            - '.xml'
    condition: selection
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential EACore.DLL Sideloading

Detects potential DLL sideloading of "EACore.dll"

status test author X__Junior (Nextron Systems) id edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5

panther query

def rule(event):
    if all(
        [
            event.deep_get("ImageLoaded", default="").endswith("\\EACore.dll"),
            not all(
                [
                    "C:\\Program Files\\Electronic Arts\\EA Desktop\\"
                    in event.deep_get("Image", default=""),
                    "\\EACoreServer.exe" in event.deep_get("Image", default=""),
                    event.deep_get("ImageLoaded", default="").startswith(
                        "C:\\Program Files\\Electronic Arts\\EA Desktop\\"
                    ),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: test
description: Detects potential DLL sideloading of "EACore.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\EACore.dll'
    filter_main_legit_path:
        Image|contains|all:
            - 'C:\Program Files\Electronic Arts\EA Desktop\'
            - '\EACoreServer.exe'
        ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential Edputil.DLL Sideloading

Detects potential DLL sideloading of "edputil.dll"

status test author X__Junior (Nextron Systems) id e4903324-1a10-4ed3-981b-f6fe3be3a2c2

panther query

def rule(event):
    if all(
        [
            event.deep_get("ImageLoaded", default="").endswith("\\edputil.dll"),
            not any(
                [
                    event.deep_get("ImageLoaded", default="").startswith("C:\\Windows\\System32\\"),
                    event.deep_get("ImageLoaded", default="").startswith("C:\\Windows\\SysWOW64\\"),
                    event.deep_get("ImageLoaded", default="").startswith("C\\Windows\\WinSxS\\"),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Edputil.DLL Sideloading
id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
status: test
description: Detects potential DLL sideloading of "edputil.dll"
references:
    - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\edputil.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential Emotet Activity

Detects all Emotet like process executions that are not covered by the more generic rules

status stable author Florian Roth (Nextron Systems) id d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18

panther query

import re


def rule(event):
    if all(
        [
            any(
                [
                    re.match(r"^.* -e.* PAA.*$", event.deep_get("CommandLine", default="")),
                    "JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ"
                    in event.deep_get("CommandLine", default=""),
                    "QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA"
                    in event.deep_get("CommandLine", default=""),
                    "kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA"
                    in event.deep_get("CommandLine", default=""),
                    "IgAoACcAKgAnACkAOwAkA" in event.deep_get("CommandLine", default=""),
                    "IAKAAnACoAJwApADsAJA" in event.deep_get("CommandLine", default=""),
                    "iACgAJwAqACcAKQA7ACQA" in event.deep_get("CommandLine", default=""),
                    "JABGAGwAeAByAGgAYwBmAGQ" in event.deep_get("CommandLine", default=""),
                    "PQAkAGUAbgB2ADoAdABlAG0AcAArACgA" in event.deep_get("CommandLine", default=""),
                    "0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA" in event.deep_get("CommandLine", default=""),
                    "9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA" in event.deep_get("CommandLine", default=""),
                ]
            ),
            not any(
                [
                    "fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ"
                    in event.deep_get("CommandLine", default=""),
                    "wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA"
                    in event.deep_get("CommandLine", default=""),
                    "8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential Emotet Activity
id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
status: stable
description: Detects all Emotet like process executions that are not covered by the more generic rules
references:
    - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
    - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
    - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
    - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
author: Florian Roth (Nextron Systems)
date: 2019-09-30
modified: 2023-02-04
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -e* PAA'
            - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile
            - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile
            - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile
            - 'IgAoACcAKgAnACkAOwAkA' # "('*');$
            - 'IAKAAnACoAJwApADsAJA' # "('*');$
            - 'iACgAJwAqACcAKQA7ACQA' # "('*');$
            - 'JABGAGwAeAByAGgAYwBmAGQ'
            - 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA' # =$env:temp+(
            - '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA' # =$env:temp+(
            - '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA' # =$env:temp+(
    filter:
        CommandLine|contains:
            - 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ'
            - 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA'
            - '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential EmpireMonkey Activity

Detects potential EmpireMonkey APT activity

status test author Markus Neis, Nasreddine Bencherchali (Nextron Systems) id 10152a7b-b566-438f-a33c-390b607d1c8d

panther query

def rule(event):
    if all(
        [
            "/e:jscript" in event.deep_get("CommandLine", default=""),
            "\\Local\\Temp\\Errors.bat" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential EmpireMonkey Activity
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: test
description: Detects potential EmpireMonkey APT activity
references:
    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
    - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2019-04-02
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.t1218.010
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '/e:jscript' # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
            - '\Local\Temp\Errors.bat'
    condition: selection
falsepositives:
    - Unlikely
level: high

Convert to SIEM query

high

Potential EventLog File Location Tampering

Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting

status test author D3F7A5105 id 0cb8d736-995d-4ce7-a31e-1e8d452a1459

panther query

def rule(event):
    if all(
        [
            "\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\"
            in event.deep_get("TargetObject", default=""),
            event.deep_get("TargetObject", default="").endswith("\\File"),
            not "\\System32\\Winevt\\Logs\\" in event.deep_get("Details", default=""),
        ]
    ):
        return True
    return False

view Sigma YAML

title: Potential EventLog File Location Tampering
id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
status: test
description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\File'
    filter:
        Details|contains: '\System32\Winevt\Logs\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

Convert to SIEM query

Showing 1001-1050 of 3,750

Prev 21 Next