Home/Detection rules/Microsoft Sentinel

Microsoft Sentinel

3,763 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

50 shown of 3,763
Microsoft Sentinel Converted KQL high T1048 ↗
PUA - Restic Backup Tool Execution
Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
Show query 
((CommandLine contains "--password-file" and CommandLine contains "init" and CommandLine contains " -r ") or (CommandLine contains "--use-fs-snapshot" and CommandLine contains "backup" and CommandLine contains " -r ")) or ((CommandLine contains "sftp:" or CommandLine contains "rest:http" or CommandLine contains "s3:s3." or CommandLine contains "s3.http" or CommandLine contains "azure:" or CommandLine contains " gs:" or CommandLine contains "rclone:" or CommandLine contains "swift:" or CommandLine contains " b2:") and (CommandLine contains " init " and CommandLine contains " -r "))
Microsoft Sentinel Converted KQL high T1569.002 ↗
PUA - RunXCmd Execution
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
Show query 
(CommandLine contains " /account=system " or CommandLine contains " /account=ti ") and CommandLine contains "/exec="
Microsoft Sentinel Converted KQL high T1083 ↗
PUA - Seatbelt Execution
Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
Show query 
(Image endswith "\\Seatbelt.exe" or OriginalFileName =~ "Seatbelt.exe" or Description =~ "Seatbelt" or (CommandLine contains " DpapiMasterKeys" or CommandLine contains " InterestingProcesses" or CommandLine contains " InterestingFiles" or CommandLine contains " CertificateThumbprints" or CommandLine contains " ChromiumBookmarks" or CommandLine contains " ChromiumHistory" or CommandLine contains " ChromiumPresence" or CommandLine contains " CloudCredentials" or CommandLine contains " CredEnum" or CommandLine contains " CredGuard" or CommandLine contains " FirefoxHistory" or CommandLine contains " ProcessCreationEvents")) or ((CommandLine contains " -group=misc" or CommandLine contains " -group=remote" or CommandLine contains " -group=chromium" or CommandLine contains " -group=slack" or CommandLine contains " -group=system" or CommandLine contains " -group=user" or CommandLine contains " -group=all") and CommandLine contains " -outputfile=")
Microsoft Sentinel Converted KQL high T1087.002 ↗
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
Detects active directory enumeration activity using known AdFind CLI flags
Show query 
(CommandLine contains "lockoutduration" or CommandLine contains "lockoutthreshold" or CommandLine contains "lockoutobservationwindow" or CommandLine contains "maxpwdage" or CommandLine contains "minpwdage" or CommandLine contains "minpwdlength" or CommandLine contains "pwdhistorylength" or CommandLine contains "pwdproperties") or CommandLine contains "-sc admincountdmp" or CommandLine contains "-sc exchaddresses"
Microsoft Sentinel Converted KQL high T1059 ↗
PUA - Wsudo Suspicious Execution
Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
Show query 
(Image endswith "\\wsudo.exe" or OriginalFileName =~ "wsudo.exe" or Description =~ "Windows sudo utility" or ParentImage endswith "\\wsudo-bridge.exe") or (CommandLine contains "-u System" or CommandLine contains "-uSystem" or CommandLine contains "-u TrustedInstaller" or CommandLine contains "-uTrustedInstaller" or CommandLine contains " --ti ")
Microsoft Sentinel Converted KQL high T1090 ↗
PUA- IOX Tunneling Tool Execution
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
Show query 
Image endswith "\\iox.exe" or (CommandLine contains ".exe fwd -l " or CommandLine contains ".exe fwd -r " or CommandLine contains ".exe proxy -l " or CommandLine contains ".exe proxy -r ") or (Hashes contains "MD5=9DB2D314DD3F704A02051EF5EA210993" or Hashes contains "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD" or Hashes contains "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731")
Microsoft Sentinel Converted KQL high T1098 ↗
Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
Show query 
EventID == 4794
Microsoft Sentinel Converted KQL high T1003.001 ↗
Password Dumper Activity on LSASS
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Show query 
EventID == 4656 and ProcessName endswith "\\lsass.exe" and AccessMask =~ "0x705" and ObjectType =~ "SAM_DOMAIN"
Microsoft Sentinel Converted KQL high T1003.001 ↗
Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Show query 
TargetImage endswith "\\lsass.exe" and StartModule =~ ""
Microsoft Sentinel Converted KQL high T1027 ↗
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Show query 
EventID == 5379 and (TargetName contains "Microsoft_Windows_Shell_ZipFolder:filename" and TargetName contains "\\Temporary Internet Files\\Content.Outlook")
Microsoft Sentinel Converted KQL high T1027 ↗
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Show query 
(EventID == 5379 and TargetName contains "Microsoft_Windows_Shell_ZipFolder:filename") and (TargetName contains "invoice" or TargetName contains "new order" or TargetName contains "rechnung" or TargetName contains "factura" or TargetName contains "delivery" or TargetName contains "purchase" or TargetName contains "order" or TargetName contains "payment")
Microsoft Sentinel Converted KQL high T1110 ↗
Password Spray Activity
Indicates that a password spray attack has been successfully performed.
Show query 
riskEventType =~ "passwordSpray"
Microsoft Sentinel Converted KQL high
Persistence Via Hhctrl.ocx
Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
Show query 
TargetObject contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)" and (not(Details =~ "C:\\Windows\\System32\\hhctrl.ocx"))
Microsoft Sentinel Converted KQL high T1053.005 ↗
Persistence and Execution at Scale via GPO Scheduled Task
Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
Show query 
(EventID == 5136 and (AttributeLDAPDisplayName in~ ("gPCMachineExtensionNames", "gPCUserExtensionNames")) and (AttributeValue contains "CAB54552-DEEA-4691-817E-ED4A4D1AFC72" or AttributeValue contains "AADCED64-746C-4633-A97C-D61349046527")) or (EventID == 5145 and ShareName endswith "\\SYSVOL" and RelativeTargetName endswith "ScheduledTasks.xml" and (AccessList contains "WriteData" or AccessList contains "%%4417"))
Microsoft Sentinel Converted KQL high T1187 ↗
PetitPotam Suspicious Kerberos TGT Request
Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
Show query 
(EventID == 4768 and TargetUserName endswith "$" and CertThumbprint startswith "") and (not((IpAddress =~ "::1" or CertThumbprint =~ "")))
Microsoft Sentinel Converted KQL high T1566 ↗
Phishing Pattern ISO in Archive
Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
Show query 
(ParentImage endswith "\\Winrar.exe" or ParentImage endswith "\\7zFM.exe" or ParentImage endswith "\\peazip.exe") and (Image endswith "\\isoburn.exe" or Image endswith "\\PowerISO.exe" or Image endswith "\\ImgBurn.exe")
Microsoft Sentinel Converted KQL high T1027 ↗
Ping Hex IP
Detects a ping command that uses a hex encoded IP address
Show query 
Image endswith "\\ping.exe" and CommandLine matches regex "0x[a-fA-F0-9]{8}"
Microsoft Sentinel Converted KQL high T1033 ↗
Possible DCSync Attack
Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
Show query 
(EventLog =~ "RPCFW" and EventID == 3 and InterfaceUuid =~ "e3514235-4b06-11d1-ab04-00c04fc2dcd2") and (not((OpNum in~ ("0", "1", "12"))))
Microsoft Sentinel Converted KQL high T1003.002 ↗
Possible Impacket SecretDump Remote Activity
Detect AD credential dumping using impacket secretdump HKTL
Show query 
EventID == 5145 and ShareName =~ "\\\\*\\ADMIN$" and (RelativeTargetName contains "SYSTEM32\\" and RelativeTargetName contains ".tmp")
Microsoft Sentinel Converted KQL high T1003.002 ↗
Possible Impacket SecretDump Remote Activity - Zeek
Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
Show query 
(path contains "\\" and path contains "ADMIN$") and name contains "SYSTEM32\\" and name endswith ".tmp"
Microsoft Sentinel Converted KQL high T1187 ↗
Possible PetitPotam Coerce Authentication Attempt
Detect PetitPotam coerced authentication activity.
Show query 
EventID == 5145 and ShareName startswith "\\\\" and ShareName endswith "\\IPC$" and RelativeTargetName =~ "lsarpc" and SubjectUserName =~ "ANONYMOUS LOGON"
Microsoft Sentinel Converted KQL high T1574.011 ↗
Possible Privilege Escalation via Weak Service Permissions
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
Show query 
(Image endswith "\\sc.exe" and (IntegrityLevel in~ ("Medium", "S-1-16-8192"))) and ((CommandLine contains "config" and CommandLine contains "binPath") or (CommandLine contains "failure" and CommandLine contains "command"))
Microsoft Sentinel Converted KQL high T1556 ↗
Possible Shadow Credentials Added
Detects possible addition of shadow credentials to an active directory object.
Show query 
EventID == 5136 and AttributeLDAPDisplayName =~ "msDS-KeyCredentialLink"
Microsoft Sentinel Converted KQL high T1685 ↗
Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
Show query 
(CommandLine contains "System.Management.Automation.AmsiUtils" and CommandLine contains "amsiInitFailed") or (CommandLine contains "[Ref].Assembly.GetType" and CommandLine contains "SetValue($null,$true)" and CommandLine contains "NonPublic,Static")
Microsoft Sentinel Converted KQL high T1685 ↗
Potential AMSI COM Server Hijacking
Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
Show query 
TargetObject endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" and (not(Details =~ "%windir%\\system32\\amsi.dll"))
Microsoft Sentinel Converted KQL high T1003.001 ↗
Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
Show query 
(Image endswith "\\adplus.exe" or OriginalFileName =~ "Adplus.exe") and (CommandLine contains " -hang " or CommandLine contains " -pn " or CommandLine contains " -pmn " or CommandLine contains " -p " or CommandLine contains " -po " or CommandLine contains " -c " or CommandLine contains " -sc ")
Microsoft Sentinel Converted KQL high T1127 ↗
Potential Arbitrary Code Execution Via Node.EXE
Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
Show query 
(Image endswith "\\node.exe" and (CommandLine contains " -e " or CommandLine contains " --eval ")) and (CommandLine contains ".exec(" and CommandLine contains "net.socket" and CommandLine contains ".connect" and CommandLine contains "child_process")
Microsoft Sentinel Converted KQL high T1202 ↗
Potential Arbitrary Command Execution Using Msdt.EXE
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
Show query 
(Image endswith "\\msdt.exe" or OriginalFileName =~ "msdt.exe") and (CommandLine contains "IT_BrowseForFile=" or (CommandLine contains " PCWDiagnostic" and (CommandLine contains " -af " or CommandLine contains " /af " or CommandLine contains " –af " or CommandLine contains " —af " or CommandLine contains " ―af ")))
Microsoft Sentinel Converted KQL high T1202 ↗
Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
Show query 
((Image endswith "\\EXCEL.EXE" or Image endswith "\\POWERPNT.EXE" or Image endswith "\\WINWORD.exe") or (OriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe"))) and (CommandLine contains "http://" or CommandLine contains "https://")
Microsoft Sentinel Converted KQL high
Potential Attachment Manager Settings Associations Tamper
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
Show query 
TargetObject contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\" and ((TargetObject endswith "\\DefaultFileTypeRisk" and Details =~ "DWORD (0x00006152)") or (TargetObject endswith "\\LowRiskFileTypes" and (Details contains ".zip;" or Details contains ".rar;" or Details contains ".exe;" or Details contains ".bat;" or Details contains ".com;" or Details contains ".cmd;" or Details contains ".reg;" or Details contains ".msi;" or Details contains ".htm;" or Details contains ".html;")))
Microsoft Sentinel Converted KQL high
Potential Attachment Manager Settings Attachments Tamper
Detects tampering with attachment manager settings policies attachments (See reference for more information)
Show query 
TargetObject contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\" and ((TargetObject endswith "\\HideZoneInfoOnProperties" and Details =~ "DWORD (0x00000001)") or (TargetObject endswith "\\SaveZoneInformation" and Details =~ "DWORD (0x00000002)") or (TargetObject endswith "\\ScanWithAntiVirus" and Details =~ "DWORD (0x00000001)"))
Microsoft Sentinel Converted KQL high T1685.001 ↗
Potential AutoLogger Sessions Tampering
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging. The AutoLogger event tracing session records events up that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
Show query 
(TargetObject contains "\\Control\\WMI\\Autologger\\" and ((TargetObject contains "\\EventLog-" or TargetObject contains "\\Defender") and (TargetObject endswith "\\Enabled" or TargetObject endswith "\\Start") and Details =~ "DWORD (0x00000000)")) and (not((Image =~ "C:\\Windows\\system32\\wevtutil.exe" or ((Image startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or Image startswith "C:\\Program Files\\Windows Defender\\" or Image startswith "C:\\Program Files (x86)\\Windows Defender\\") and Image endswith "\\MsMpEng.exe" and (TargetObject contains "\\DefenderApiLogger\\" or TargetObject contains "\\DefenderAuditLogger\\")))))
Microsoft Sentinel Converted KQL high T1140 ↗
Potential Base64 Decoded From Images
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
Show query 
Image endswith "/bash" and (CommandLine contains "tail" and CommandLine contains "-c") and (CommandLine contains "base64" and CommandLine contains "-d" and CommandLine contains ">") and (CommandLine contains ".avif" or CommandLine contains ".gif" or CommandLine contains ".jfif" or CommandLine contains ".jpeg" or CommandLine contains ".jpg" or CommandLine contains ".pjp" or CommandLine contains ".pjpeg" or CommandLine contains ".png" or CommandLine contains ".svg" or CommandLine contains ".webp")
Microsoft Sentinel Converted KQL high T1204.001 ↗
Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.
Show query 
TargetObject contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\" and (Details contains "http://" or Details contains "https://") and ((Details contains "account" or Details contains "anti-bot" or Details contains "botcheck" or Details contains "captcha" or Details contains "challenge" or Details contains "confirmation" or Details contains "fraud" or Details contains "human" or Details contains "identification" or Details contains "identificator" or Details contains "identity" or Details contains "robot" or Details contains "validation" or Details contains "verification" or Details contains "verify") or (Details contains "%comspec%" or Details contains "bitsadmin" or Details contains "certutil" or Details contains "cmd" or Details contains "cscript" or Details contains "curl" or Details contains "finger" or Details contains "mshta" or Details contains "powershell" or Details contains "pwsh" or Details contains "regsvr32" or Details contains "rundll32" or Details contains "schtasks" or Details contains "wget" or Details contains "wscript"))
Microsoft Sentinel Converted KQL high T1059 ↗
Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
Show query 
(CommandLine endswith "cmd.exe /C whoami" and ParentImage startswith "C:\\Temp\\") or ((ParentImage endswith "\\runonce.exe" or ParentImage endswith "\\dllhost.exe") and (CommandLine contains "cmd.exe /c echo" and CommandLine contains "> \\\\.\\pipe")) or ((ParentCommandLine contains "cmd.exe /C echo" and ParentCommandLine contains " > \\\\.\\pipe") and CommandLine endswith "conhost.exe 0xffffffff -ForceV1") or (ParentCommandLine endswith "/C whoami" and CommandLine endswith "conhost.exe 0xffffffff -ForceV1")
Microsoft Sentinel Converted KQL high T1021.002 ↗
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
Show query 
(TargetObject contains "\\System\\CurrentControlSet\\Services" or (TargetObject contains "\\System\\ControlSet" and TargetObject contains "\\Services")) and ((Details contains "ADMIN$" and Details contains ".exe") or (Details contains "%COMSPEC%" and Details contains "start" and Details contains "powershell"))
Microsoft Sentinel Converted KQL high T1027 ↗
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Show query 
((Image endswith "\\cmd.exe" or Image endswith "\\cscript.exe" or Image endswith "\\powershell.exe" or Image endswith "\\powershell_ise.exe" or Image endswith "\\pwsh.exe" or Image endswith "\\wscript.exe") and (OriginalFileName in~ ("Cmd.EXE", "cscript.exe", "PowerShell.EXE", "PowerShell_ISE.EXE", "pwsh.dll", "wscript.exe"))) and (CommandLine contains "ˣ" or CommandLine contains "˪" or CommandLine contains "ˢ" or CommandLine contains "∕" or CommandLine contains "⁄" or CommandLine contains "―" or CommandLine contains "—" or CommandLine contains " " or CommandLine contains "¯" or CommandLine contains "®" or CommandLine contains "¶" or CommandLine contains "⠀")
Microsoft Sentinel Converted KQL high T1059.003 ↗
Potential CommandLine Path Traversal Via Cmd.EXE
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Show query 
((ParentImage endswith "\\cmd.exe" or Image endswith "\\cmd.exe" or OriginalFileName =~ "cmd.exe") and ((ParentCommandLine contains "/c" or ParentCommandLine contains "/k" or ParentCommandLine contains "/r") or (CommandLine contains "/c" or CommandLine contains "/k" or CommandLine contains "/r")) and (ParentCommandLine =~ "/../../" or CommandLine contains "/../../")) and (not(CommandLine contains "\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java"))
Microsoft Sentinel Converted KQL high T1003 ↗
Potential Credential Dumping Attempt Using New NetworkProvider - CLI
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Show query 
CommandLine contains "\\System\\CurrentControlSet\\Services\\" and CommandLine contains "\\NetworkProvider"
Microsoft Sentinel Converted KQL high T1003.001 ↗
Potential Credential Dumping Attempt Via PowerShell Remote Thread
Detects remote thread creation by PowerShell processes into "lsass.exe"
Show query 
(SourceImage endswith "\\powershell.exe" or SourceImage endswith "\\pwsh.exe") and TargetImage endswith "\\lsass.exe"
Microsoft Sentinel Converted KQL high T1003.001 ↗
Potential Credential Dumping Via WER
Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
Show query 
((Image endswith "\\Werfault.exe" or OriginalFileName =~ "WerFault.exe") and ((ParentUser contains "AUTHORI" or ParentUser contains "AUTORI") and (User contains "AUTHORI" or User contains "AUTORI") and (CommandLine contains " -u -p " and CommandLine contains " -ip " and CommandLine contains " -s "))) and (not(ParentImage =~ "C:\\Windows\\System32\\lsass.exe"))
Microsoft Sentinel Converted KQL high T1496 ↗
Potential Crypto Mining Activity
Detects command line parameters or strings often used by crypto miners
Show query 
(CommandLine contains " --cpu-priority=" or CommandLine contains "--donate-level=0" or CommandLine contains " -o pool." or CommandLine contains " --nicehash" or CommandLine contains " --algo=rx/0 " or CommandLine contains "stratum+tcp://" or CommandLine contains "stratum+udp://" or CommandLine contains "LS1kb25hdGUtbGV2ZWw9" or CommandLine contains "0tZG9uYXRlLWxldmVsP" or CommandLine contains "tLWRvbmF0ZS1sZXZlbD" or CommandLine contains "c3RyYXR1bSt0Y3A6Ly" or CommandLine contains "N0cmF0dW0rdGNwOi8v" or CommandLine contains "zdHJhdHVtK3RjcDovL" or CommandLine contains "c3RyYXR1bSt1ZHA6Ly" or CommandLine contains "N0cmF0dW0rdWRwOi8v" or CommandLine contains "zdHJhdHVtK3VkcDovL") and (not((CommandLine contains " pool.c " or CommandLine contains " pool.o " or CommandLine contains "gcc -")))
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
Show query 
((Image endswith "\\KeyScrambler.exe" or Image endswith "\\KeyScramblerLogon.exe") and ImageLoaded endswith "\\KeyScramblerIE.dll") and (not((((Image contains "C:\\Program Files (x86)\\KeyScrambler\\" or Image contains "C:\\Program Files\\KeyScrambler\\") and (ImageLoaded contains "C:\\Program Files (x86)\\KeyScrambler\\" or ImageLoaded contains "C:\\Program Files\\KeyScrambler\\")) or (Signature =~ "QFX Software Corporation" and SignatureStatus =~ "Valid"))))
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Show query 
(ImageLoaded endswith ":\\Windows\\System32\\axeonoffhelper.dll" or ImageLoaded endswith ":\\Windows\\System32\\cdpsgshims.dll" or ImageLoaded endswith ":\\Windows\\System32\\oci.dll" or ImageLoaded endswith ":\\Windows\\System32\\offdmpsvc.dll" or ImageLoaded endswith ":\\Windows\\System32\\shellchromeapi.dll" or ImageLoaded endswith ":\\Windows\\System32\\TSMSISrv.dll" or ImageLoaded endswith ":\\Windows\\System32\\TSVIPSrv.dll" or ImageLoaded endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or ImageLoaded endswith ":\\Windows\\System32\\WLBSCTRL.dll" or ImageLoaded endswith ":\\Windows\\System32\\wow64log.dll" or ImageLoaded endswith ":\\Windows\\System32\\WptsExtensions.dll") and (not((Signed =~ "true" and SignatureStatus =~ "Valid" and Signature =~ "Microsoft Windows")))
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential DLL Sideloading Via VMware Xfer
Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
Show query 
(Image endswith "\\VMwareXferlogs.exe" and ImageLoaded endswith "\\glib-2.0.dll") and (not(ImageLoaded startswith "C:\\Program Files\\VMware\\"))
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
Show query 
(ImageLoaded startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or ImageLoaded startswith "C:\\Windows\\System32\\werFault.exe.local\\" or ImageLoaded startswith "C:\\Windows\\System32\\consent.exe.local\\" or ImageLoaded startswith "C:\\Windows\\System32\\narrator.exe.local\\" or ImageLoaded startswith "C:\\windows\\system32\\wermgr.exe.local\\") and ImageLoaded endswith "\\comctl32.dll"
Microsoft Sentinel Converted KQL high T1059.001 ↗
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
Show query 
(((Image endswith "\\powershell_ise.exe" or Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe" or Image endswith "\\cmd.exe") and (CommandLine contains "curl " or CommandLine contains "Invoke-RestMethod" or CommandLine contains "Invoke-WebRequest" or CommandLine contains "irm " or CommandLine contains "iwr " or CommandLine contains "wget ") and (CommandLine contains " -ur" and CommandLine contains " -me" and CommandLine contains " -b" and CommandLine contains " POST ")) or ((Image endswith "\\curl.exe" and CommandLine contains "--ur") and (CommandLine contains " -d " or CommandLine contains " --data ")) or (Image endswith "\\wget.exe" and (CommandLine contains "--post-data" or CommandLine contains "--post-file"))) and ((CommandLine matches regex "net\\s+view" or CommandLine matches regex "sc\\s+query") or (CommandLine contains "Get-Content" or CommandLine contains "GetBytes" or CommandLine contains "hostname" or CommandLine contains "ifconfig" or CommandLine contains "ipconfig" or CommandLine contains "netstat" or CommandLine contains "nltest" or CommandLine contains "qprocess" or CommandLine contains "systeminfo" or CommandLine contains "tasklist" or CommandLine contains "ToBase64String" or CommandLine contains "whoami") or (CommandLine contains "type " and CommandLine contains " > " and CommandLine contains " C:\\"))
Microsoft Sentinel Converted KQL high T1185 ↗
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Show query 
CommandLine contains "--remote-debugging-" and CommandLine contains "--user-data-dir" and CommandLine contains "--headless"
Microsoft Sentinel Converted KQL high
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Show query 
CommandLine contains "😀" or CommandLine contains "😃" or CommandLine contains "😄" or CommandLine contains "😁" or CommandLine contains "😆" or CommandLine contains "😅" or CommandLine contains "😂" or CommandLine contains "🤣" or CommandLine contains "🥲" or CommandLine contains "🥹" or CommandLine contains "☺️" or CommandLine contains "😊" or CommandLine contains "😇" or CommandLine contains "🙂" or CommandLine contains "🙃" or CommandLine contains "😉" or CommandLine contains "😌" or CommandLine contains "😍" or CommandLine contains "🥰" or CommandLine contains "😘" or CommandLine contains "😗" or CommandLine contains "😙" or CommandLine contains "😚" or CommandLine contains "😋" or CommandLine contains "😛" or CommandLine contains "😝" or CommandLine contains "😜" or CommandLine contains "🤪" or CommandLine contains "🤨" or CommandLine contains "🧐" or CommandLine contains "🤓" or CommandLine contains "😎" or CommandLine contains "🥸" or CommandLine contains "🤩" or CommandLine contains "🥳" or CommandLine contains "😏" or CommandLine contains "😒" or CommandLine contains "😞" or CommandLine contains "😔" or CommandLine contains "😟" or CommandLine contains "😕" or CommandLine contains "🙁" or CommandLine contains "☹️" or CommandLine contains "😣" or CommandLine contains "😖" or CommandLine contains "😫" or CommandLine contains "😩" or CommandLine contains "🥺" or CommandLine contains "😢" or CommandLine contains "😭" or CommandLine contains "😮‍💨" or CommandLine contains "😤" or CommandLine contains "😠" or CommandLine contains "😡" or CommandLine contains "🤬" or CommandLine contains "🤯" or CommandLine contains "😳" or CommandLine contains "🥵" or CommandLine contains "🥶" or CommandLine contains "😱" or CommandLine contains "😨" or CommandLine contains "😰" or CommandLine contains "😥" or CommandLine contains "😓" or CommandLine contains "🫣" or CommandLine contains "🤗" or CommandLine contains "🫡" or CommandLine contains "🤔" or CommandLine contains "🫢" or CommandLine contains "🤭" or CommandLine contains "🤫" or CommandLine contains "🤥" or CommandLine contains "😶" or CommandLine contains "😶‍🌫️" or CommandLine contains "😐" or CommandLine contains "😑" or CommandLine contains "😬" or CommandLine contains "🫠" or CommandLine contains "🙄" or CommandLine contains "😯" or CommandLine contains "😦" or CommandLine contains "😧" or CommandLine contains "😮" or CommandLine contains "😲" or CommandLine contains "🥱" or CommandLine contains "😴" or CommandLine contains "🤤" or CommandLine contains "😪" or CommandLine contains "😵" or CommandLine contains "😵‍💫" or CommandLine contains "🫥" or CommandLine contains "🤐" or CommandLine contains "🥴" or CommandLine contains "🤢" or CommandLine contains "🤮" or CommandLine contains "🤧" or CommandLine contains "😷" or CommandLine contains "🤒" or CommandLine contains "🤕" or CommandLine contains "🤑" or CommandLine contains "🤠" or CommandLine contains "😈" or CommandLine contains "👿" or CommandLine contains "👹" or CommandLine contains "👺" or CommandLine contains "🤡" or CommandLine contains "💩" or CommandLine contains "👻" or CommandLine contains "💀" or CommandLine contains "☠️" or CommandLine contains "👽" or CommandLine contains "👾" or CommandLine contains "🤖" or CommandLine contains "🎃" or CommandLine contains "😺" or CommandLine contains "😸" or CommandLine contains "😹" or CommandLine contains "😻" or CommandLine contains "😼" or CommandLine contains "😽" or CommandLine contains "🙀" or CommandLine contains "😿" or CommandLine contains "😾" or CommandLine contains "👋" or CommandLine contains "🤚" or CommandLine contains "🖐" or CommandLine contains "✋" or CommandLine contains "🖖" or CommandLine contains "👌" or CommandLine contains "🤌" or CommandLine contains "🤏" or CommandLine contains "✌️" or CommandLine contains "🤞" or CommandLine contains "🫰" or CommandLine contains "🤟" or CommandLine contains "🤘" or CommandLine contains "🤙" or CommandLine contains "🫵" or CommandLine contains "🫱" or CommandLine contains "🫲" or CommandLine contains "🫳" or CommandLine contains "🫴" or CommandLine contains "👈" or CommandLine contains "👉" or CommandLine contains "👆" or CommandLine contains "🖕" or CommandLine contains "👇" or CommandLine contains "☝️" or CommandLine contains "👍" or CommandLine contains "👎" or CommandLine contains "✊" or CommandLine contains "👊" or CommandLine contains "🤛" or CommandLine contains "🤜" or CommandLine contains "👏" or CommandLine contains "🫶" or CommandLine contains "🙌" or CommandLine contains "👐" or CommandLine contains "🤲" or CommandLine contains "🤝" or CommandLine contains "🙏" or CommandLine contains "✍️" or CommandLine contains "💪" or CommandLine contains "🦾" or CommandLine contains "🦵" or CommandLine contains "🦿" or CommandLine contains "🦶" or CommandLine contains "👣" or CommandLine contains "👂" or CommandLine contains "🦻" or CommandLine contains "👃" or CommandLine contains "🫀" or CommandLine contains "🫁" or CommandLine contains "🧠" or CommandLine contains "🦷" or CommandLine contains "🦴" or CommandLine contains "👀" or CommandLine contains "👁" or CommandLine contains "👅" or CommandLine contains "👄" or CommandLine contains "🫦" or CommandLine contains "💋" or CommandLine contains "🩸" or CommandLine contains "👶" or CommandLine contains "👧" or CommandLine contains "🧒" or CommandLine contains "👦" or CommandLine contains "👩" or CommandLine contains "🧑" or CommandLine contains "👨" or CommandLine contains "👩‍🦱" or CommandLine contains "🧑‍🦱" or CommandLine contains "👨‍🦱" or CommandLine contains "👩‍🦰" or CommandLine contains "🧑‍🦰" or CommandLine contains "👨‍🦰" or CommandLine contains "👱‍♀️" or CommandLine contains "👱" or CommandLine contains "👱‍♂️" or CommandLine contains "👩‍🦳" or CommandLine contains "🧑‍🦳" or CommandLine contains "👨‍🦳" or CommandLine contains "👩‍🦲" or CommandLine contains "🧑‍🦲" or CommandLine contains "👨‍🦲" or CommandLine contains "🧔‍♀️" or CommandLine contains "🧔" or CommandLine contains "🧔‍♂️" or CommandLine contains "👵" or CommandLine contains "🧓" or CommandLine contains "👴" or CommandLine contains "👲" or CommandLine contains "👳‍♀️" or CommandLine contains "👳" or CommandLine contains "👳‍♂️" or CommandLine contains "🧕" or CommandLine contains "👮‍♀️" or CommandLine contains "👮" or CommandLine contains "👮‍♂️" or CommandLine contains "👷‍♀️" or CommandLine contains "👷" or CommandLine contains "👷‍♂️" or CommandLine contains "💂‍♀️" or CommandLine contains "💂" or CommandLine contains "💂‍♂️" or CommandLine contains "🕵️‍♀️" or CommandLine contains "🕵️" or CommandLine contains "🕵️‍♂️" or CommandLine contains "👩‍⚕️" or CommandLine contains "🧑‍⚕️" or CommandLine contains "👨‍⚕️" or CommandLine contains "👩‍🌾" or CommandLine contains "🧑‍🌾" or CommandLine contains "👨‍🌾" or CommandLine contains "👩‍🍳" or CommandLine contains "🧑‍🍳" or CommandLine contains "👨‍🍳" or CommandLine contains "👩‍🎓" or CommandLine contains "🧑‍🎓" or CommandLine contains "👨‍🎓" or CommandLine contains "👩‍🎤" or CommandLine contains "🧑‍🎤" or CommandLine contains "👨‍🎤" or CommandLine contains "👩‍🏫" or CommandLine contains "🧑‍🏫" or CommandLine contains "👨‍🏫" or CommandLine contains "👩‍🏭" or CommandLine contains "🧑‍🏭" or CommandLine contains "👨‍🏭" or CommandLine contains "👩‍💻" or CommandLine contains "🧑‍💻" or CommandLine contains "👨‍💻" or CommandLine contains "👩‍💼" or CommandLine contains "🧑‍💼" or CommandLine contains "👨‍💼" or CommandLine contains "👩‍🔧" or CommandLine contains "🧑‍🔧" or CommandLine contains "👨‍🔧" or CommandLine contains "👩‍🔬" or CommandLine contains "🧑‍🔬" or CommandLine contains "👨‍🔬" or CommandLine contains "👩‍🎨" or CommandLine contains "🧑‍🎨" or CommandLine contains "👨‍🎨" or CommandLine contains "👩‍🚒" or CommandLine contains "🧑‍🚒" or CommandLine contains "👨‍🚒" or CommandLine contains "👩‍✈️" or CommandLine contains "🧑‍✈️" or CommandLine contains "👨‍✈️" or CommandLine contains "👩‍🚀" or CommandLine contains "🧑‍🚀" or CommandLine contains "👨‍🚀" or CommandLine contains "👩‍⚖️" or CommandLine contains "🧑‍⚖️" or CommandLine contains "👨‍⚖️" or CommandLine contains "👰‍♀️" or CommandLine contains "👰" or CommandLine contains "👰‍♂️" or CommandLine contains "🤵‍♀️" or CommandLine contains "🤵" or CommandLine contains "🤵‍♂️" or CommandLine contains "👸" or CommandLine contains "🫅" or CommandLine contains "🤴" or CommandLine contains "🥷" or CommandLine contains "🦸‍♀️" or CommandLine contains "🦸" or CommandLine contains "🦸‍♂️" or CommandLine contains "🦹‍♀️" or CommandLine contains "🦹" or CommandLine contains "🦹‍♂️" or CommandLine contains "🤶" or CommandLine contains "🧑‍🎄" or CommandLine contains "🎅" or CommandLine contains "🧙‍♀️" or CommandLine contains "🧙" or CommandLine contains "🧙‍♂️" or CommandLine contains "🧝‍♀️" or CommandLine contains "🧝" or CommandLine contains "🧝‍♂️" or CommandLine contains "🧛‍♀️" or CommandLine contains "🧛" or CommandLine contains "🧛‍♂️" or CommandLine contains "🧟‍♀️" or CommandLine contains "🧟" or CommandLine contains "🧟‍♂️" or CommandLine contains "🧞‍♀️" or CommandLine contains "🧞" or CommandLine contains "🧞‍♂️" or CommandLine contains "🧜‍♀️" or CommandLine contains "🧜" or CommandLine contains "🧜‍♂️" or CommandLine contains "🧚‍♀️" or CommandLine contains "🧚" or CommandLine contains "🧚‍♂️" or CommandLine contains "🧌" or CommandLine contains "👼" or CommandLine contains "🤰" or CommandLine contains "🫄" or CommandLine contains "🫃" or CommandLine contains "🤱" or CommandLine contains "👩‍🍼" or CommandLine contains "🧑‍🍼" or CommandLine contains "👨‍🍼" or CommandLine contains "🙇‍♀️" or CommandLine contains "🙇" or CommandLine contains "🙇‍♂️" or CommandLine contains "💁‍♀️" or CommandLine contains "💁" or CommandLine contains "💁‍♂️" or CommandLine contains "🙅‍♀️" or CommandLine contains "🙅" or CommandLine contains "🙅‍♂️" or CommandLine contains "🙆‍♀️" or CommandLine contains "🙆" or CommandLine contains "🙆‍♂️" or CommandLine contains "🙋‍♀️" or CommandLine contains "🙋" or CommandLine contains "🙋‍♂️" or CommandLine contains "🧏‍♀️" or CommandLine contains "🧏" or CommandLine contains "🧏‍♂️" or CommandLine contains "🤦‍♀️" or CommandLine contains "🤦" or CommandLine contains "🤦‍♂️" or CommandLine contains "🤷‍♀️" or CommandLine contains "🤷" or CommandLine contains "🤷‍♂️" or CommandLine contains "🙎‍♀️" or CommandLine contains "🙎" or CommandLine contains "🙎‍♂️" or CommandLine contains "🙍‍♀️" or CommandLine contains "🙍" or CommandLine contains "🙍‍♂️" or CommandLine contains "💇‍♀️" or CommandLine contains "💇" or CommandLine contains "💇‍♂️" or CommandLine contains "💆‍♀️" or CommandLine contains "💆" or CommandLine contains "💆‍♂️" or CommandLine contains "🧖‍♀️" or CommandLine contains "🧖" or CommandLine contains "🧖‍♂️" or CommandLine contains "💅" or CommandLine contains "💃" or CommandLine contains "🕺" or CommandLine contains "👯‍♀️" or CommandLine contains "👯" or CommandLine contains "👯‍♂️" or CommandLine contains "🕴" or CommandLine contains "👩‍🦽" or CommandLine contains "🧑‍🦽" or CommandLine contains "👨‍🦽" or CommandLine contains "👩‍🦼" or CommandLine contains "🧑‍🦼" or CommandLine contains "👨‍🦼" or CommandLine contains "🚶‍♀️" or CommandLine contains "🚶" or CommandLine contains "🚶‍♂️" or CommandLine contains "👩‍🦯" or CommandLine contains "🧑‍🦯" or CommandLine contains "👨‍🦯" or CommandLine contains "🧎‍♀️" or CommandLine contains "🧎" or CommandLine contains "🧎‍♂️" or CommandLine contains "🏃‍♀️" or CommandLine contains "🏃" or CommandLine contains "🏃‍♂️" or CommandLine contains "🧍‍♀️" or CommandLine contains "🧍" or CommandLine contains "🧍‍♂️" or CommandLine contains "👭" or CommandLine contains "🧑‍🤝‍🧑" or CommandLine contains "👬" or CommandLine contains "👫" or CommandLine contains "👩‍❤️‍👩" or CommandLine contains "💑" or CommandLine contains "👨‍❤️‍👨" or CommandLine contains "👩‍❤️‍👨" or CommandLine contains "👩‍❤️‍💋‍👩" or CommandLine contains "💏" or CommandLine contains "👨‍❤️‍💋‍👨" or CommandLine contains "👩‍❤️‍💋‍👨" or CommandLine contains "👪" or CommandLine contains "👨‍👩‍👦" or CommandLine contains "👨‍👩‍👧" or CommandLine contains "👨‍👩‍👧‍👦" or CommandLine contains "👨‍👩‍👦‍👦" or CommandLine contains "👨‍👩‍👧‍👧" or CommandLine contains "👨‍👨‍👦" or CommandLine contains "👨‍👨‍👧" or CommandLine contains "👨‍👨‍👧‍👦" or CommandLine contains "👨‍👨‍👦‍👦" or CommandLine contains "👨‍👨‍👧‍👧" or CommandLine contains "👩‍👩‍👦" or CommandLine contains "👩‍👩‍👧" or CommandLine contains "👩‍👩‍👧‍👦" or CommandLine contains "👩‍👩‍👦‍👦" or CommandLine contains "👩‍👩‍👧‍👧" or CommandLine contains "👨‍👦" or CommandLine contains "👨‍👦‍👦" or CommandLine contains "👨‍👧" or CommandLine contains "👨‍👧‍👦" or CommandLine contains "👨‍👧‍👧" or CommandLine contains "👩‍👦" or CommandLine contains "👩‍👦‍👦" or CommandLine contains "👩‍👧" or CommandLine contains "👩‍👧‍👦" or CommandLine contains "👩‍👧‍👧" or CommandLine contains "🗣" or CommandLine contains "👤" or CommandLine contains "👥" or CommandLine contains "🫂" or CommandLine contains "🧳" or CommandLine contains "🌂" or CommandLine contains "☂️" or CommandLine contains "🧵" or CommandLine contains "🪡" or CommandLine contains "🪢" or CommandLine contains "🧶" or CommandLine contains "👓" or CommandLine contains "🕶" or CommandLine contains "🥽" or CommandLine contains "🥼" or CommandLine contains "🦺" or CommandLine contains "👔" or CommandLine contains "👕" or CommandLine contains "👖" or CommandLine contains "🧣" or CommandLine contains "🧤" or CommandLine contains "🧥" or CommandLine contains "🧦" or CommandLine contains "👗" or CommandLine contains "👘" or CommandLine contains "🥻" or CommandLine contains "🩴" or CommandLine contains "🩱" or CommandLine contains "🩲" or CommandLine contains "🩳" or CommandLine contains "👙" or CommandLine contains "👚" or CommandLine contains "👛" or CommandLine contains "👜" or CommandLine contains "👝" or CommandLine contains "🎒" or CommandLine contains "👞" or CommandLine contains "👟" or CommandLine contains "🥾" or CommandLine contains "🥿" or CommandLine contains "👠" or CommandLine contains "👡" or CommandLine contains "🩰" or CommandLine contains "👢" or CommandLine contains "👑" or CommandLine contains "👒" or CommandLine contains "🎩" or CommandLine contains "🎓" or CommandLine contains "🧢" or CommandLine contains "⛑" or CommandLine contains "🪖" or CommandLine contains "💄" or CommandLine contains "💍" or CommandLine contains "💼" or CommandLine contains "👋🏻" or CommandLine contains "🤚🏻" or CommandLine contains "🖐🏻" or CommandLine contains "✋🏻" or CommandLine contains "🖖🏻" or CommandLine contains "👌🏻" or CommandLine contains "🤌🏻" or CommandLine contains "🤏🏻" or CommandLine contains "✌🏻" or CommandLine contains "🤞🏻" or CommandLine contains "🫰🏻" or CommandLine contains "🤟🏻" or CommandLine contains "🤘🏻" or CommandLine contains "🤙🏻" or CommandLine contains "🫵🏻" or CommandLine contains "🫱🏻" or CommandLine contains "🫲🏻" or CommandLine contains "🫳🏻" or CommandLine contains "🫴🏻" or CommandLine contains "👈🏻" or CommandLine contains "👉🏻" or CommandLine contains "👆🏻" or CommandLine contains "🖕🏻" or CommandLine contains "👇🏻" or CommandLine contains "☝🏻" or CommandLine contains "👍🏻" or CommandLine contains "👎🏻" or CommandLine contains "✊🏻" or CommandLine contains "👊🏻" or CommandLine contains "🤛🏻" or CommandLine contains "🤜🏻" or CommandLine contains "👏🏻" or CommandLine contains "🫶🏻" or CommandLine contains "🙌🏻" or CommandLine contains "👐🏻" or CommandLine contains "🤲🏻" or CommandLine contains "🙏🏻" or CommandLine contains "✍🏻" or CommandLine contains "💪🏻" or CommandLine contains "🦵🏻" or CommandLine contains "🦶🏻" or CommandLine contains "👂🏻" or CommandLine contains "🦻🏻" or CommandLine contains "👃🏻" or CommandLine contains "👶🏻" or CommandLine contains "👧🏻" or CommandLine contains "🧒🏻" or CommandLine contains "👦🏻" or CommandLine contains "👩🏻" or CommandLine contains "🧑🏻" or CommandLine contains "👨🏻" or CommandLine contains "👩🏻‍🦱" or CommandLine contains "🧑🏻‍🦱" or CommandLine contains "👨🏻‍🦱" or CommandLine contains "👩🏻‍🦰" or CommandLine contains "🧑🏻‍🦰" or CommandLine contains "👨🏻‍🦰" or CommandLine contains "👱🏻‍♀️" or CommandLine contains "👱🏻" or CommandLine contains "👱🏻‍♂️" or CommandLine contains "👩🏻‍🦳" or CommandLine contains "🧑🏻‍🦳" or CommandLine contains "👨🏻‍🦳" or CommandLine contains "👩🏻‍🦲" or CommandLine contains "🧑🏻‍🦲" or CommandLine contains "👨🏻‍🦲" or CommandLine contains "🧔🏻‍♀️" or CommandLine contains "🧔🏻" or CommandLine contains "🧔🏻‍♂️" or CommandLine contains "👵🏻" or CommandLine contains "🧓🏻" or CommandLine contains "👴🏻" or CommandLine contains "👲🏻" or CommandLine contains "👳🏻‍♀️" or CommandLine contains "👳🏻" or CommandLine contains "👳🏻‍♂️" or CommandLine contains "🧕🏻" or CommandLine contains "👮🏻‍♀️" or CommandLine contains "👮🏻" or CommandLine contains "👮🏻‍♂️" or CommandLine contains "👷🏻‍♀️" or CommandLine contains "👷🏻" or CommandLine contains "👷🏻‍♂️" or CommandLine contains "💂🏻‍♀️" or CommandLine contains "💂🏻" or CommandLine contains "💂🏻‍♂️" or CommandLine contains "🕵🏻‍♀️" or CommandLine contains "🕵🏻" or CommandLine contains "🕵🏻‍♂️" or CommandLine contains "👩🏻‍⚕️" or CommandLine contains "🧑🏻‍⚕️" or CommandLine contains "👨🏻‍⚕️" or CommandLine contains "👩🏻‍🌾" or CommandLine contains "🧑🏻‍🌾" or CommandLine contains "👨🏻‍🌾" or CommandLine contains "👩🏻‍🍳" or CommandLine contains "🧑🏻‍🍳" or CommandLine contains "👨🏻‍🍳" or CommandLine contains "👩🏻‍🎓" or CommandLine contains "🧑🏻‍🎓" or CommandLine contains "👨🏻‍🎓" or CommandLine contains "👩🏻‍🎤" or CommandLine contains "🧑🏻‍🎤" or CommandLine contains "👨🏻‍🎤" or CommandLine contains "👩🏻‍🏫" or CommandLine contains "🧑🏻‍🏫" or CommandLine contains "👨🏻‍🏫" or CommandLine contains "👩🏻‍🏭" or CommandLine contains "🧑🏻‍🏭" or CommandLine contains "👨🏻‍🏭" or CommandLine contains "👩🏻‍💻" or CommandLine contains "🧑🏻‍💻" or CommandLine contains "👨🏻‍💻" or CommandLine contains "👩🏻‍💼" or CommandLine contains "🧑🏻‍💼" or CommandLine contains "👨🏻‍💼" or CommandLine contains "👩🏻‍🔧" or CommandLine contains "🧑🏻‍🔧" or CommandLine contains "👨🏻‍🔧" or CommandLine contains "👩🏻‍🔬" or CommandLine contains "🧑🏻‍🔬" or CommandLine contains "👨🏻‍🔬" or CommandLine contains "👩🏻‍🎨" or CommandLine contains "🧑🏻‍🎨" or CommandLine contains "👨🏻‍🎨" or CommandLine contains "👩🏻‍🚒" or CommandLine contains "🧑🏻‍🚒" or CommandLine contains "👨🏻‍🚒" or CommandLine contains "👩🏻‍✈️" or CommandLine contains "🧑🏻‍✈️" or CommandLine contains "👨🏻‍✈️" or CommandLine contains "👩🏻‍🚀" or CommandLine contains "🧑🏻‍🚀" or CommandLine contains "👨🏻‍🚀" or CommandLine contains "👩🏻‍⚖️" or CommandLine contains "🧑🏻‍⚖️" or CommandLine contains "👨🏻‍⚖️" or CommandLine contains "👰🏻‍♀️" or CommandLine contains "👰🏻" or CommandLine contains "👰🏻‍♂️" or CommandLine contains "🤵🏻‍♀️" or CommandLine contains "🤵🏻" or CommandLine contains "🤵🏻‍♂️" or CommandLine contains "👸🏻" or CommandLine contains "🫅🏻" or CommandLine contains "🤴🏻" or CommandLine contains "🥷🏻" or CommandLine contains "🦸🏻‍♀️" or CommandLine contains "🦸🏻" or CommandLine contains "🦸🏻‍♂️" or CommandLine contains "🦹🏻‍♀️" or CommandLine contains "🦹🏻" or CommandLine contains "🦹🏻‍♂️" or CommandLine contains "🤶🏻" or CommandLine contains "🧑🏻‍🎄" or CommandLine contains "🎅🏻" or CommandLine contains "🧙🏻‍♀️" or CommandLine contains "🧙🏻" or CommandLine contains "🧙🏻‍♂️" or CommandLine contains "🧝🏻‍♀️" or CommandLine contains "🧝🏻" or CommandLine contains "🧝🏻‍♂️" or CommandLine contains "🧛🏻‍♀️" or CommandLine contains "🧛🏻" or CommandLine contains "🧛🏻‍♂️" or CommandLine contains "🧜🏻‍♀️" or CommandLine contains "🧜🏻" or CommandLine contains "🧜🏻‍♂️" or CommandLine contains "🧚🏻‍♀️" or CommandLine contains "🧚🏻" or CommandLine contains "🧚🏻‍♂️" or CommandLine contains "👼🏻" or CommandLine contains "🤰🏻" or CommandLine contains "🫄🏻" or CommandLine contains "🫃🏻" or CommandLine contains "🤱🏻" or CommandLine contains "👩🏻‍🍼" or CommandLine contains "🧑🏻‍🍼" or CommandLine contains "👨🏻‍🍼" or CommandLine contains "🙇🏻‍♀️" or CommandLine contains "🙇🏻" or CommandLine contains "🙇🏻‍♂️" or CommandLine contains "💁🏻‍♀️" or CommandLine contains "💁🏻" or CommandLine contains "💁🏻‍♂️" or CommandLine contains "🙅🏻‍♀️" or CommandLine contains "🙅🏻" or CommandLine contains "🙅🏻‍♂️" or CommandLine contains "🙆🏻‍♀️" or CommandLine contains "🙆🏻" or CommandLine contains "🙆🏻‍♂️" or CommandLine contains "🙋🏻‍♀️" or CommandLine contains "🙋🏻" or CommandLine contains "🙋🏻‍♂️" or CommandLine contains "🧏🏻‍♀️" or CommandLine contains "🧏🏻" or CommandLine contains "🧏🏻‍♂️" or CommandLine contains "🤦🏻‍♀️" or CommandLine contains "🤦🏻" or CommandLine contains "🤦🏻‍♂️" or CommandLine contains "🤷🏻‍♀️" or CommandLine contains "🤷🏻" or CommandLine contains "🤷🏻‍♂️" or CommandLine contains "🙎🏻‍♀️" or CommandLine contains "🙎🏻" or CommandLine contains "🙎🏻‍♂️" or CommandLine contains "🙍🏻‍♀️" or CommandLine contains "🙍🏻" or CommandLine contains "🙍🏻‍♂️" or CommandLine contains "💇🏻‍♀️" or CommandLine contains "💇🏻" or CommandLine contains "💇🏻‍♂️" or CommandLine contains "💆🏻‍♀️" or CommandLine contains "💆🏻" or CommandLine contains "💆🏻‍♂️" or CommandLine contains "🧖🏻‍♀️" or CommandLine contains "🧖🏻" or CommandLine contains "🧖🏻‍♂️" or CommandLine contains "💃🏻" or CommandLine contains "🕺🏻" or CommandLine contains "🕴🏻" or CommandLine contains "👩🏻‍🦽" or CommandLine contains "🧑🏻‍🦽" or CommandLine contains "👨🏻‍🦽" or CommandLine contains "👩🏻‍🦼" or CommandLine contains "🧑🏻‍🦼" or CommandLine contains "👨🏻‍🦼" or CommandLine contains "🚶🏻‍♀️" or CommandLine contains "🚶🏻" or CommandLine contains "🚶🏻‍♂️" or CommandLine contains "👩🏻‍🦯" or CommandLine contains "🧑🏻‍🦯" or CommandLine contains "👨🏻‍🦯" or CommandLine contains "🧎🏻‍♀️" or CommandLine contains "🧎🏻" or CommandLine contains "🧎🏻‍♂️" or CommandLine contains "🏃🏻‍♀️" or CommandLine contains "🏃🏻" or CommandLine contains "🏃🏻‍♂️" or CommandLine contains "🧍🏻‍♀️" or CommandLine contains "🧍🏻" or CommandLine contains "🧍🏻‍♂️" or CommandLine contains "👭🏻" or CommandLine contains "🧑🏻‍🤝‍🧑🏻" or CommandLine contains "👬🏻" or CommandLine contains "👫🏻" or CommandLine contains "🧗🏻‍♀️" or CommandLine contains "🧗🏻" or CommandLine contains "🧗🏻‍♂️" or CommandLine contains "🏇🏻" or CommandLine contains "🏂🏻" or CommandLine contains "🏌🏻‍♀️" or CommandLine contains "🏌🏻" or CommandLine contains "🏌🏻‍♂️" or CommandLine contains "🏄🏻‍♀️" or CommandLine contains "🏄🏻" or CommandLine contains "🏄🏻‍♂️" or CommandLine contains "🚣🏻‍♀️" or CommandLine contains "🚣🏻" or CommandLine contains "🚣🏻‍♂️" or CommandLine contains "🏊🏻‍♀️" or CommandLine contains "🏊🏻" or CommandLine contains "🏊🏻‍♂️" or CommandLine contains "⛹🏻‍♀️" or CommandLine contains "⛹🏻" or CommandLine contains "⛹🏻‍♂️" or CommandLine contains "🏋🏻‍♀️" or CommandLine contains "🏋🏻" or CommandLine contains "🏋🏻‍♂️" or CommandLine contains "🚴🏻‍♀️" or CommandLine contains "🚴🏻" or CommandLine contains "🚴🏻‍♂️" or CommandLine contains "🚵🏻‍♀️" or CommandLine contains "🚵🏻" or CommandLine contains "🚵🏻‍♂️" or CommandLine contains "🤸🏻‍♀️" or CommandLine contains "🤸🏻" or CommandLine contains "🤸🏻‍♂️" or CommandLine contains "🤽🏻‍♀️" or CommandLine contains "🤽🏻" or CommandLine contains "🤽🏻‍♂️" or CommandLine contains "🤾🏻‍♀️" or CommandLine contains "🤾🏻" or CommandLine contains "🤾🏻‍♂️" or CommandLine contains "🤹🏻‍♀️" or CommandLine contains "🤹🏻" or CommandLine contains "🤹🏻‍♂️" or CommandLine contains "🧘🏻‍♀️" or CommandLine contains "🧘🏻" or CommandLine contains "🧘🏻‍♂️" or CommandLine contains "🛀🏻" or CommandLine contains "🛌🏻" or CommandLine contains "👋🏼" or CommandLine contains "🤚🏼" or CommandLine contains "🖐🏼" or CommandLine contains "✋🏼" or CommandLine contains "🖖🏼" or CommandLine contains "👌🏼" or CommandLine contains "🤌🏼" or CommandLine contains "🤏🏼" or CommandLine contains "✌🏼" or CommandLine contains "🤞🏼" or CommandLine contains "🫰🏼" or CommandLine contains "🤟🏼" or CommandLine contains "🤘🏼" or CommandLine contains "🤙🏼" or CommandLine contains "🫵🏼" or CommandLine contains "🫱🏼" or CommandLine contains "🫲🏼" or CommandLine contains "🫳🏼" or CommandLine contains "🫴🏼" or CommandLine contains "👈🏼" or CommandLine contains "👉🏼" or CommandLine contains "👆🏼" or CommandLine contains "🖕🏼" or CommandLine contains "👇🏼" or CommandLine contains "☝🏼" or CommandLine contains "👍🏼" or CommandLine contains "👎🏼" or CommandLine contains "✊🏼" or CommandLine contains "👊🏼" or CommandLine contains "🤛🏼" or CommandLine contains "🤜🏼" or CommandLine contains "👏🏼" or CommandLine contains "🫶🏼" or CommandLine contains "🙌🏼" or CommandLine contains "👐🏼" or CommandLine contains "🤲🏼" or CommandLine contains "🙏🏼" or CommandLine contains "✍🏼" or CommandLine contains "💪🏼" or CommandLine contains "🦵🏼" or CommandLine contains "🦶🏼" or CommandLine contains "👂🏼" or CommandLine contains "🦻🏼" or CommandLine contains "👃🏼" or CommandLine contains "👶🏼" or CommandLine contains "👧🏼" or CommandLine contains "🧒🏼" or CommandLine contains "👦🏼" or CommandLine contains "👩🏼" or CommandLine contains "🧑🏼" or CommandLine contains "👨🏼" or CommandLine contains "👩🏼‍🦱" or CommandLine contains "🧑🏼‍🦱" or CommandLine contains "👨🏼‍🦱" or CommandLine contains "👩🏼‍🦰" or CommandLine contains "🧑🏼‍🦰" or CommandLine contains "👨🏼‍🦰" or CommandLine contains "👱🏼‍♀️" or CommandLine contains "👱🏼" or CommandLine contains "👱🏼‍♂️" or CommandLine contains "👩🏼‍🦳" or CommandLine contains "🧑🏼‍🦳" or CommandLine contains "👨🏼‍🦳" or CommandLine contains "👩🏼‍🦲" or CommandLine contains "🧑🏼‍🦲" or CommandLine contains "👨🏼‍🦲" or CommandLine contains "🧔🏼‍♀️" or CommandLine contains "🧔🏼" or CommandLine contains "🧔🏼‍♂️" or CommandLine contains "👵🏼" or CommandLine contains "🧓🏼" or CommandLine contains "👴🏼" or CommandLine contains "👲🏼" or CommandLine contains "👳🏼‍♀️" or CommandLine contains "👳🏼" or CommandLine contains "👳🏼‍♂️" or CommandLine contains "🧕🏼" or CommandLine contains "👮🏼‍♀️" or CommandLine contains "👮🏼" or CommandLine contains "👮🏼‍♂️" or CommandLine contains "👷🏼‍♀️" or CommandLine contains "👷🏼" or CommandLine contains "👷🏼‍♂️" or CommandLine contains "💂🏼‍♀️" or CommandLine contains "💂🏼" or CommandLine contains "💂🏼‍♂️" or CommandLine contains "🕵🏼‍♀️" or CommandLine contains "🕵🏼" or CommandLine contains "🕵🏼‍♂️" or CommandLine contains "👩🏼‍⚕️" or CommandLine contains "🧑🏼‍⚕️" or CommandLine contains "👨🏼‍⚕️" or CommandLine contains "👩🏼‍🌾" or CommandLine contains "🧑🏼‍🌾" or CommandLine contains "👨🏼‍🌾" or CommandLine contains "👩🏼‍🍳" or CommandLine contains "🧑🏼‍🍳" or CommandLine contains "👨🏼‍🍳" or CommandLine contains "👩🏼‍🎓" or CommandLine contains "🧑🏼‍🎓" or CommandLine contains "👨🏼‍🎓" or CommandLine contains "👩🏼‍🎤" or CommandLine contains "🧑🏼‍🎤" or CommandLine contains "👨🏼‍🎤" or CommandLine contains "👩🏼‍🏫" or CommandLine contains "🧑🏼‍🏫" or CommandLine contains "👨🏼‍🏫" or CommandLine contains "👩🏼‍🏭" or CommandLine contains "🧑🏼‍🏭" or CommandLine contains "👨🏼‍🏭" or CommandLine contains "👩🏼‍💻" or CommandLine contains "🧑🏼‍💻" or CommandLine contains "👨🏼‍💻" or CommandLine contains "👩🏼‍💼" or CommandLine contains "🧑🏼‍💼" or CommandLine contains "👨🏼‍💼" or CommandLine contains "👩🏼‍🔧" or CommandLine contains "🧑🏼‍🔧" or CommandLine contains "👨🏼‍🔧" or CommandLine contains "👩🏼‍🔬" or CommandLine contains "🧑🏼‍🔬" or CommandLine contains "👨🏼‍🔬" or CommandLine contains "👩🏼‍🎨" or CommandLine contains "🧑🏼‍🎨" or CommandLine contains "👨🏼‍🎨" or CommandLine contains "👩🏼‍🚒" or CommandLine contains "🧑🏼‍🚒" or CommandLine contains "👨🏼‍🚒" or CommandLine contains "👩🏼‍✈️" or CommandLine contains "🧑🏼‍✈️" or CommandLine contains "👨🏼‍✈️" or CommandLine contains "👩🏼‍🚀" or CommandLine contains "🧑🏼‍🚀" or CommandLine contains "👨🏼‍🚀" or CommandLine contains "👩🏼‍⚖️" or CommandLine contains "🧑🏼‍⚖️" or CommandLine contains "👨🏼‍⚖️" or CommandLine contains "👰🏼‍♀️" or CommandLine contains "👰🏼" or CommandLine contains "👰🏼‍♂️" or CommandLine contains "🤵🏼‍♀️" or CommandLine contains "🤵🏼" or CommandLine contains "🤵🏼‍♂️" or CommandLine contains "👸🏼" or CommandLine contains "🫅🏼" or CommandLine contains "🤴🏼" or CommandLine contains "🥷🏼" or CommandLine contains "🦸🏼‍♀️" or CommandLine contains "🦸🏼" or CommandLine contains "🦸🏼‍♂️" or CommandLine contains "🦹🏼‍♀️" or CommandLine contains "🦹🏼" or CommandLine contains "🦹🏼‍♂️" or CommandLine contains "🤶🏼" or CommandLine contains "🧑🏼‍🎄" or CommandLine contains "🎅🏼" or CommandLine contains "🧙🏼‍♀️" or CommandLine contains "🧙🏼" or CommandLine contains "🧙🏼‍♂️" or CommandLine contains "🧝🏼‍♀️" or CommandLine contains "🧝🏼" or CommandLine contains "🧝🏼‍♂️" or CommandLine contains "🧛🏼‍♀️" or CommandLine contains "🧛🏼" or CommandLine contains "🧛🏼‍♂️" or CommandLine contains "🧜🏼‍♀️" or CommandLine contains "🧜🏼" or CommandLine contains "🧜🏼‍♂️" or CommandLine contains "🧚🏼‍♀️" or CommandLine contains "🧚🏼" or CommandLine contains "🧚🏼‍♂️" or CommandLine contains "👼🏼" or CommandLine contains "🤰🏼" or CommandLine contains "🫄🏼" or CommandLine contains "🫃🏼" or CommandLine contains "🤱🏼" or CommandLine contains "👩🏼‍🍼" or CommandLine contains "🧑🏼‍🍼" or CommandLine contains "👨🏼‍🍼" or CommandLine contains "🙇🏼‍♀️" or CommandLine contains "🙇🏼" or CommandLine contains "🙇🏼‍♂️" or CommandLine contains "💁🏼‍♀️" or CommandLine contains "💁🏼" or CommandLine contains "💁🏼‍♂️" or CommandLine contains "🙅🏼‍♀️" or CommandLine contains "🙅🏼" or CommandLine contains "🙅🏼‍♂️" or CommandLine contains "🙆🏼‍♀️" or CommandLine contains "🙆🏼" or CommandLine contains "🙆🏼‍♂️" or CommandLine contains "🙋🏼‍♀️" or CommandLine contains "🙋🏼" or CommandLine contains "🙋🏼‍♂️" or CommandLine contains "🧏🏼‍♀️" or CommandLine contains "🧏🏼" or CommandLine contains "🧏🏼‍♂️" or CommandLine contains "🤦🏼‍♀️" or CommandLine contains "🤦🏼" or CommandLine contains "🤦🏼‍♂️" or CommandLine contains "🤷🏼‍♀️"
Microsoft Sentinel Converted KQL high
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Show query 
CommandLine contains "🤷🏼" or CommandLine contains "🤷🏼‍♂️" or CommandLine contains "🙎🏼‍♀️" or CommandLine contains "🙎🏼" or CommandLine contains "🙎🏼‍♂️" or CommandLine contains "🙍🏼‍♀️" or CommandLine contains "🙍🏼" or CommandLine contains "🙍🏼‍♂️" or CommandLine contains "💇🏼‍♀️" or CommandLine contains "💇🏼" or CommandLine contains "💇🏼‍♂️" or CommandLine contains "💆🏼‍♀️" or CommandLine contains "💆🏼" or CommandLine contains "💆🏼‍♂️" or CommandLine contains "🧖🏼‍♀️" or CommandLine contains "🧖🏼" or CommandLine contains "🧖🏼‍♂️" or CommandLine contains "💃🏼" or CommandLine contains "🕺🏼" or CommandLine contains "🕴🏼" or CommandLine contains "👩🏼‍🦽" or CommandLine contains "🧑🏼‍🦽" or CommandLine contains "👨🏼‍🦽" or CommandLine contains "👩🏼‍🦼" or CommandLine contains "🧑🏼‍🦼" or CommandLine contains "👨🏼‍🦼" or CommandLine contains "🚶🏼‍♀️" or CommandLine contains "🚶🏼" or CommandLine contains "🚶🏼‍♂️" or CommandLine contains "👩🏼‍🦯" or CommandLine contains "🧑🏼‍🦯" or CommandLine contains "👨🏼‍🦯" or CommandLine contains "🧎🏼‍♀️" or CommandLine contains "🧎🏼" or CommandLine contains "🧎🏼‍♂️" or CommandLine contains "🏃🏼‍♀️" or CommandLine contains "🏃🏼" or CommandLine contains "🏃🏼‍♂️" or CommandLine contains "🧍🏼‍♀️" or CommandLine contains "🧍🏼" or CommandLine contains "🧍🏼‍♂️" or CommandLine contains "👭🏼" or CommandLine contains "🧑🏼‍🤝‍🧑🏼" or CommandLine contains "👬🏼" or CommandLine contains "👫🏼" or CommandLine contains "🧗🏼‍♀️" or CommandLine contains "🧗🏼" or CommandLine contains "🧗🏼‍♂️" or CommandLine contains "🏇🏼" or CommandLine contains "🏂🏼" or CommandLine contains "🏌🏼‍♀️" or CommandLine contains "🏌🏼" or CommandLine contains "🏌🏼‍♂️" or CommandLine contains "🏄🏼‍♀️" or CommandLine contains "🏄🏼" or CommandLine contains "🏄🏼‍♂️" or CommandLine contains "🚣🏼‍♀️" or CommandLine contains "🚣🏼" or CommandLine contains "🚣🏼‍♂️" or CommandLine contains "🏊🏼‍♀️" or CommandLine contains "🏊🏼" or CommandLine contains "🏊🏼‍♂️" or CommandLine contains "⛹🏼‍♀️" or CommandLine contains "⛹🏼" or CommandLine contains "⛹🏼‍♂️" or CommandLine contains "🏋🏼‍♀️" or CommandLine contains "🏋🏼" or CommandLine contains "🏋🏼‍♂️" or CommandLine contains "🚴🏼‍♀️" or CommandLine contains "🚴🏼" or CommandLine contains "🚴🏼‍♂️" or CommandLine contains "🚵🏼‍♀️" or CommandLine contains "🚵🏼" or CommandLine contains "🚵🏼‍♂️" or CommandLine contains "🤸🏼‍♀️" or CommandLine contains "🤸🏼" or CommandLine contains "🤸🏼‍♂️" or CommandLine contains "🤽🏼‍♀️" or CommandLine contains "🤽🏼" or CommandLine contains "🤽🏼‍♂️" or CommandLine contains "🤾🏼‍♀️" or CommandLine contains "🤾🏼" or CommandLine contains "🤾🏼‍♂️" or CommandLine contains "🤹🏼‍♀️" or CommandLine contains "🤹🏼" or CommandLine contains "🤹🏼‍♂️" or CommandLine contains "🧘🏼‍♀️" or CommandLine contains "🧘🏼" or CommandLine contains "🧘🏼‍♂️" or CommandLine contains "🛀🏼" or CommandLine contains "🛌🏼" or CommandLine contains "👋🏽" or CommandLine contains "🤚🏽" or CommandLine contains "🖐🏽" or CommandLine contains "✋🏽" or CommandLine contains "🖖🏽" or CommandLine contains "👌🏽" or CommandLine contains "🤌🏽" or CommandLine contains "🤏🏽" or CommandLine contains "✌🏽" or CommandLine contains "🤞🏽" or CommandLine contains "🫰🏽" or CommandLine contains "🤟🏽" or CommandLine contains "🤘🏽" or CommandLine contains "🤙🏽" or CommandLine contains "🫵🏽" or CommandLine contains "🫱🏽" or CommandLine contains "🫲🏽" or CommandLine contains "🫳🏽" or CommandLine contains "🫴🏽" or CommandLine contains "👈🏽" or CommandLine contains "👉🏽" or CommandLine contains "👆🏽" or CommandLine contains "🖕🏽" or CommandLine contains "👇🏽" or CommandLine contains "☝🏽" or CommandLine contains "👍🏽" or CommandLine contains "👎🏽" or CommandLine contains "✊🏽" or CommandLine contains "👊🏽" or CommandLine contains "🤛🏽" or CommandLine contains "🤜🏽" or CommandLine contains "👏🏽" or CommandLine contains "🫶🏽" or CommandLine contains "🙌🏽" or CommandLine contains "👐🏽" or CommandLine contains "🤲🏽" or CommandLine contains "🙏🏽" or CommandLine contains "✍🏽" or CommandLine contains "💪🏽" or CommandLine contains "🦵🏽" or CommandLine contains "🦶🏽" or CommandLine contains "👂🏽" or CommandLine contains "🦻🏽" or CommandLine contains "👃🏽" or CommandLine contains "👶🏽" or CommandLine contains "👧🏽" or CommandLine contains "🧒🏽" or CommandLine contains "👦🏽" or CommandLine contains "👩🏽" or CommandLine contains "🧑🏽" or CommandLine contains "👨🏽" or CommandLine contains "👩🏽‍🦱" or CommandLine contains "🧑🏽‍🦱" or CommandLine contains "👨🏽‍🦱" or CommandLine contains "👩🏽‍🦰" or CommandLine contains "🧑🏽‍🦰" or CommandLine contains "👨🏽‍🦰" or CommandLine contains "👱🏽‍♀️" or CommandLine contains "👱🏽" or CommandLine contains "👱🏽‍♂️" or CommandLine contains "👩🏽‍🦳" or CommandLine contains "🧑🏽‍🦳" or CommandLine contains "👨🏽‍🦳" or CommandLine contains "👩🏽‍🦲" or CommandLine contains "🧑🏽‍🦲" or CommandLine contains "👨🏽‍🦲" or CommandLine contains "🧔🏽‍♀️" or CommandLine contains "🧔🏽" or CommandLine contains "🧔🏽‍♂️" or CommandLine contains "👵🏽" or CommandLine contains "🧓🏽" or CommandLine contains "👴🏽" or CommandLine contains "👲🏽" or CommandLine contains "👳🏽‍♀️" or CommandLine contains "👳🏽" or CommandLine contains "👳🏽‍♂️" or CommandLine contains "🧕🏽" or CommandLine contains "👮🏽‍♀️" or CommandLine contains "👮🏽" or CommandLine contains "👮🏽‍♂️" or CommandLine contains "👷🏽‍♀️" or CommandLine contains "👷🏽" or CommandLine contains "👷🏽‍♂️" or CommandLine contains "💂🏽‍♀️" or CommandLine contains "💂🏽" or CommandLine contains "💂🏽‍♂️" or CommandLine contains "🕵🏽‍♀️" or CommandLine contains "🕵🏽" or CommandLine contains "🕵🏽‍♂️" or CommandLine contains "👩🏽‍⚕️" or CommandLine contains "🧑🏽‍⚕️" or CommandLine contains "👨🏽‍⚕️" or CommandLine contains "👩🏽‍🌾" or CommandLine contains "🧑🏽‍🌾" or CommandLine contains "👨🏽‍🌾" or CommandLine contains "👩🏽‍🍳" or CommandLine contains "🧑🏽‍🍳" or CommandLine contains "👨🏽‍🍳" or CommandLine contains "👩🏽‍🎓" or CommandLine contains "🧑🏽‍🎓" or CommandLine contains "👨🏽‍🎓" or CommandLine contains "👩🏽‍🎤" or CommandLine contains "🧑🏽‍🎤" or CommandLine contains "👨🏽‍🎤" or CommandLine contains "👩🏽‍🏫" or CommandLine contains "🧑🏽‍🏫" or CommandLine contains "👨🏽‍🏫" or CommandLine contains "👩🏽‍🏭" or CommandLine contains "🧑🏽‍🏭" or CommandLine contains "👨🏽‍🏭" or CommandLine contains "👩🏽‍💻" or CommandLine contains "🧑🏽‍💻" or CommandLine contains "👨🏽‍💻" or CommandLine contains "👩🏽‍💼" or CommandLine contains "🧑🏽‍💼" or CommandLine contains "👨🏽‍💼" or CommandLine contains "👩🏽‍🔧" or CommandLine contains "🧑🏽‍🔧" or CommandLine contains "👨🏽‍🔧" or CommandLine contains "👩🏽‍🔬" or CommandLine contains "🧑🏽‍🔬" or CommandLine contains "👨🏽‍🔬" or CommandLine contains "👩🏽‍🎨" or CommandLine contains "🧑🏽‍🎨" or CommandLine contains "👨🏽‍🎨" or CommandLine contains "👩🏽‍🚒" or CommandLine contains "🧑🏽‍🚒" or CommandLine contains "👨🏽‍🚒" or CommandLine contains "👩🏽‍✈️" or CommandLine contains "🧑🏽‍✈️" or CommandLine contains "👨🏽‍✈️" or CommandLine contains "👩🏽‍🚀" or CommandLine contains "🧑🏽‍🚀" or CommandLine contains "👨🏽‍🚀" or CommandLine contains "👩🏽‍⚖️" or CommandLine contains "🧑🏽‍⚖️" or CommandLine contains "👨🏽‍⚖️" or CommandLine contains "👰🏽‍♀️" or CommandLine contains "👰🏽" or CommandLine contains "👰🏽‍♂️" or CommandLine contains "🤵🏽‍♀️" or CommandLine contains "🤵🏽" or CommandLine contains "🤵🏽‍♂️" or CommandLine contains "👸🏽" or CommandLine contains "🫅🏽" or CommandLine contains "🤴🏽" or CommandLine contains "🥷🏽" or CommandLine contains "🦸🏽‍♀️" or CommandLine contains "🦸🏽" or CommandLine contains "🦸🏽‍♂️" or CommandLine contains "🦹🏽‍♀️" or CommandLine contains "🦹🏽" or CommandLine contains "🦹🏽‍♂️" or CommandLine contains "🤶🏽" or CommandLine contains "🧑🏽‍🎄" or CommandLine contains "🎅🏽" or CommandLine contains "🧙🏽‍♀️" or CommandLine contains "🧙🏽" or CommandLine contains "🧙🏽‍♂️" or CommandLine contains "🧝🏽‍♀️" or CommandLine contains "🧝🏽" or CommandLine contains "🧝🏽‍♂️" or CommandLine contains "🧛🏽‍♀️" or CommandLine contains "🧛🏽" or CommandLine contains "🧛🏽‍♂️" or CommandLine contains "🧜🏽‍♀️" or CommandLine contains "🧜🏽" or CommandLine contains "🧜🏽‍♂️" or CommandLine contains "🧚🏽‍♀️" or CommandLine contains "🧚🏽" or CommandLine contains "🧚🏽‍♂️" or CommandLine contains "👼🏽" or CommandLine contains "🤰🏽" or CommandLine contains "🫄🏽" or CommandLine contains "🫃🏽" or CommandLine contains "🤱🏽" or CommandLine contains "👩🏽‍🍼" or CommandLine contains "🧑🏽‍🍼" or CommandLine contains "👨🏽‍🍼" or CommandLine contains "🙇🏽‍♀️" or CommandLine contains "🙇🏽" or CommandLine contains "🙇🏽‍♂️" or CommandLine contains "💁🏽‍♀️" or CommandLine contains "💁🏽" or CommandLine contains "💁🏽‍♂️" or CommandLine contains "🙅🏽‍♀️" or CommandLine contains "🙅🏽" or CommandLine contains "🙅🏽‍♂️" or CommandLine contains "🙆🏽‍♀️" or CommandLine contains "🙆🏽" or CommandLine contains "🙆🏽‍♂️" or CommandLine contains "🙋🏽‍♀️" or CommandLine contains "🙋🏽" or CommandLine contains "🙋🏽‍♂️" or CommandLine contains "🧏🏽‍♀️" or CommandLine contains "🧏🏽" or CommandLine contains "🧏🏽‍♂️" or CommandLine contains "🤦🏽‍♀️" or CommandLine contains "🤦🏽" or CommandLine contains "🤦🏽‍♂️" or CommandLine contains "🤷🏽‍♀️" or CommandLine contains "🤷🏽" or CommandLine contains "🤷🏽‍♂️" or CommandLine contains "🙎🏽‍♀️" or CommandLine contains "🙎🏽" or CommandLine contains "🙎🏽‍♂️" or CommandLine contains "🙍🏽‍♀️" or CommandLine contains "🙍🏽" or CommandLine contains "🙍🏽‍♂️" or CommandLine contains "💇🏽‍♀️" or CommandLine contains "💇🏽" or CommandLine contains "💇🏽‍♂️" or CommandLine contains "💆🏽‍♀️" or CommandLine contains "💆🏽" or CommandLine contains "💆🏽‍♂️" or CommandLine contains "🧖🏽‍♀️" or CommandLine contains "🧖🏽" or CommandLine contains "🧖🏽‍♂️" or CommandLine contains "💃🏽" or CommandLine contains "🕺🏽" or CommandLine contains "🕴🏽" or CommandLine contains "👩🏽‍🦽" or CommandLine contains "🧑🏽‍🦽" or CommandLine contains "👨🏽‍🦽" or CommandLine contains "👩🏽‍🦼" or CommandLine contains "🧑🏽‍🦼" or CommandLine contains "👨🏽‍🦼" or CommandLine contains "🚶🏽‍♀️" or CommandLine contains "🚶🏽" or CommandLine contains "🚶🏽‍♂️" or CommandLine contains "👩🏽‍🦯" or CommandLine contains "🧑🏽‍🦯" or CommandLine contains "👨🏽‍🦯" or CommandLine contains "🧎🏽‍♀️" or CommandLine contains "🧎🏽" or CommandLine contains "🧎🏽‍♂️" or CommandLine contains "🏃🏽‍♀️" or CommandLine contains "🏃🏽" or CommandLine contains "🏃🏽‍♂️" or CommandLine contains "🧍🏽‍♀️" or CommandLine contains "🧍🏽" or CommandLine contains "🧍🏽‍♂️" or CommandLine contains "👭🏽" or CommandLine contains "🧑🏽‍🤝‍🧑🏽" or CommandLine contains "👬🏽" or CommandLine contains "👫🏽" or CommandLine contains "🧗🏽‍♀️" or CommandLine contains "🧗🏽" or CommandLine contains "🧗🏽‍♂️" or CommandLine contains "🏇🏽" or CommandLine contains "🏂🏽" or CommandLine contains "🏌🏽‍♀️" or CommandLine contains "🏌🏽" or CommandLine contains "🏌🏽‍♂️" or CommandLine contains "🏄🏽‍♀️" or CommandLine contains "🏄🏽" or CommandLine contains "🏄🏽‍♂️" or CommandLine contains "🚣🏽‍♀️" or CommandLine contains "🚣🏽" or CommandLine contains "🚣🏽‍♂️" or CommandLine contains "🏊🏽‍♀️" or CommandLine contains "🏊🏽" or CommandLine contains "🏊🏽‍♂️" or CommandLine contains "⛹🏽‍♀️" or CommandLine contains "⛹🏽" or CommandLine contains "⛹🏽‍♂️" or CommandLine contains "🏋🏽‍♀️" or CommandLine contains "🏋🏽" or CommandLine contains "🏋🏽‍♂️" or CommandLine contains "🚴🏽‍♀️" or CommandLine contains "🚴🏽" or CommandLine contains "🚴🏽‍♂️" or CommandLine contains "🚵🏽‍♀️" or CommandLine contains "🚵🏽" or CommandLine contains "🚵🏽‍♂️" or CommandLine contains "🤸🏽‍♀️" or CommandLine contains "🤸🏽" or CommandLine contains "🤸🏽‍♂️" or CommandLine contains "🤽🏽‍♀️" or CommandLine contains "🤽🏽" or CommandLine contains "🤽🏽‍♂️" or CommandLine contains "🤾🏽‍♀️" or CommandLine contains "🤾🏽" or CommandLine contains "🤾🏽‍♂️" or CommandLine contains "🤹🏽‍♀️" or CommandLine contains "🤹🏽" or CommandLine contains "🤹🏽‍♂️" or CommandLine contains "🧘🏽‍♀️" or CommandLine contains "🧘🏽" or CommandLine contains "🧘🏽‍♂️" or CommandLine contains "🛀🏽" or CommandLine contains "🛌🏽" or CommandLine contains "👋🏾" or CommandLine contains "🤚🏾" or CommandLine contains "🖐🏾" or CommandLine contains "✋🏾" or CommandLine contains "🖖🏾" or CommandLine contains "👌🏾" or CommandLine contains "🤌🏾" or CommandLine contains "🤏🏾" or CommandLine contains "✌🏾" or CommandLine contains "🤞🏾" or CommandLine contains "🫰🏾" or CommandLine contains "🤟🏾" or CommandLine contains "🤘🏾" or CommandLine contains "🤙🏾" or CommandLine contains "🫵🏾" or CommandLine contains "🫱🏾" or CommandLine contains "🫲🏾" or CommandLine contains "🫳🏾" or CommandLine contains "🫴🏾" or CommandLine contains "👈🏾" or CommandLine contains "👉🏾" or CommandLine contains "👆🏾" or CommandLine contains "🖕🏾" or CommandLine contains "👇🏾" or CommandLine contains "☝🏾" or CommandLine contains "👍🏾" or CommandLine contains "👎🏾" or CommandLine contains "✊🏾" or CommandLine contains "👊🏾" or CommandLine contains "🤛🏾" or CommandLine contains "🤜🏾" or CommandLine contains "👏🏾" or CommandLine contains "🫶🏾" or CommandLine contains "🙌🏾" or CommandLine contains "👐🏾" or CommandLine contains "🤲🏾" or CommandLine contains "🙏🏾" or CommandLine contains "✍🏾" or CommandLine contains "💪🏾" or CommandLine contains "🦵🏾" or CommandLine contains "🦶🏾" or CommandLine contains "👂🏾" or CommandLine contains "🦻🏾" or CommandLine contains "👃🏾" or CommandLine contains "👶🏾" or CommandLine contains "👧🏾" or CommandLine contains "🧒🏾" or CommandLine contains "👦🏾" or CommandLine contains "👩🏾" or CommandLine contains "🧑🏾" or CommandLine contains "👨🏾" or CommandLine contains "👩🏾‍🦱" or CommandLine contains "🧑🏾‍🦱" or CommandLine contains "👨🏾‍🦱" or CommandLine contains "👩🏾‍🦰" or CommandLine contains "🧑🏾‍🦰" or CommandLine contains "👨🏾‍🦰" or CommandLine contains "👱🏾‍♀️" or CommandLine contains "👱🏾" or CommandLine contains "👱🏾‍♂️" or CommandLine contains "👩🏾‍🦳" or CommandLine contains "🧑🏾‍🦳" or CommandLine contains "👨🏾‍🦳" or CommandLine contains "👩🏾‍🦲" or CommandLine contains "🧑🏾‍🦲" or CommandLine contains "👨🏾‍🦲" or CommandLine contains "🧔🏾‍♀️" or CommandLine contains "🧔🏾" or CommandLine contains "🧔🏾‍♂️" or CommandLine contains "👵🏾" or CommandLine contains "🧓🏾" or CommandLine contains "👴🏾" or CommandLine contains "👲🏾" or CommandLine contains "👳🏾‍♀️" or CommandLine contains "👳🏾" or CommandLine contains "👳🏾‍♂️" or CommandLine contains "🧕🏾" or CommandLine contains "👮🏾‍♀️" or CommandLine contains "👮🏾" or CommandLine contains "👮🏾‍♂️" or CommandLine contains "👷🏾‍♀️" or CommandLine contains "👷🏾" or CommandLine contains "👷🏾‍♂️" or CommandLine contains "💂🏾‍♀️" or CommandLine contains "💂🏾" or CommandLine contains "💂🏾‍♂️" or CommandLine contains "🕵🏾‍♀️" or CommandLine contains "🕵🏾" or CommandLine contains "🕵🏾‍♂️" or CommandLine contains "👩🏾‍⚕️" or CommandLine contains "🧑🏾‍⚕️" or CommandLine contains "👨🏾‍⚕️" or CommandLine contains "👩🏾‍🌾" or CommandLine contains "🧑🏾‍🌾" or CommandLine contains "👨🏾‍🌾" or CommandLine contains "👩🏾‍🍳" or CommandLine contains "🧑🏾‍🍳" or CommandLine contains "👨🏾‍🍳" or CommandLine contains "👩🏾‍🎓" or CommandLine contains "🧑🏾‍🎓" or CommandLine contains "👨🏾‍🎓" or CommandLine contains "👩🏾‍🎤" or CommandLine contains "🧑🏾‍🎤" or CommandLine contains "👨🏾‍🎤" or CommandLine contains "👩🏾‍🏫" or CommandLine contains "🧑🏾‍🏫" or CommandLine contains "👨🏾‍🏫" or CommandLine contains "👩🏾‍🏭" or CommandLine contains "🧑🏾‍🏭" or CommandLine contains "👨🏾‍🏭" or CommandLine contains "👩🏾‍💻" or CommandLine contains "🧑🏾‍💻" or CommandLine contains "👨🏾‍💻" or CommandLine contains "👩🏾‍💼" or CommandLine contains "🧑🏾‍💼" or CommandLine contains "👨🏾‍💼" or CommandLine contains "👩🏾‍🔧" or CommandLine contains "🧑🏾‍🔧" or CommandLine contains "👨🏾‍🔧" or CommandLine contains "👩🏾‍🔬" or CommandLine contains "🧑🏾‍🔬" or CommandLine contains "👨🏾‍🔬" or CommandLine contains "👩🏾‍🎨" or CommandLine contains "🧑🏾‍🎨" or CommandLine contains "👨🏾‍🎨" or CommandLine contains "👩🏾‍🚒" or CommandLine contains "🧑🏾‍🚒" or CommandLine contains "👨🏾‍🚒" or CommandLine contains "👩🏾‍✈️" or CommandLine contains "🧑🏾‍✈️" or CommandLine contains "👨🏾‍✈️" or CommandLine contains "👩🏾‍🚀" or CommandLine contains "🧑🏾‍🚀" or CommandLine contains "👨🏾‍🚀" or CommandLine contains "👩🏾‍⚖️" or CommandLine contains "🧑🏾‍⚖️" or CommandLine contains "👨🏾‍⚖️" or CommandLine contains "👰🏾‍♀️" or CommandLine contains "👰🏾" or CommandLine contains "👰🏾‍♂️" or CommandLine contains "🤵🏾‍♀️" or CommandLine contains "🤵🏾" or CommandLine contains "🤵🏾‍♂️" or CommandLine contains "👸🏾" or CommandLine contains "🫅🏾" or CommandLine contains "🤴🏾" or CommandLine contains "🥷🏾" or CommandLine contains "🦸🏾‍♀️" or CommandLine contains "🦸🏾" or CommandLine contains "🦸🏾‍♂️" or CommandLine contains "🦹🏾‍♀️" or CommandLine contains "🦹🏾" or CommandLine contains "🦹🏾‍♂️" or CommandLine contains "🤶🏾" or CommandLine contains "🧑🏾‍🎄" or CommandLine contains "🎅🏾" or CommandLine contains "🧙🏾‍♀️" or CommandLine contains "🧙🏾" or CommandLine contains "🧙🏾‍♂️" or CommandLine contains "🧝🏾‍♀️" or CommandLine contains "🧝🏾" or CommandLine contains "🧝🏾‍♂️" or CommandLine contains "🧛🏾‍♀️" or CommandLine contains "🧛🏾" or CommandLine contains "🧛🏾‍♂️" or CommandLine contains "🧜🏾‍♀️" or CommandLine contains "🧜🏾" or CommandLine contains "🧜🏾‍♂️" or CommandLine contains "🧚🏾‍♀️" or CommandLine contains "🧚🏾" or CommandLine contains "🧚🏾‍♂️" or CommandLine contains "👼🏾" or CommandLine contains "🤰🏾" or CommandLine contains "🫄🏾" or CommandLine contains "🫃🏾" or CommandLine contains "🤱🏾" or CommandLine contains "👩🏾‍🍼" or CommandLine contains "🧑🏾‍🍼" or CommandLine contains "👨🏾‍🍼" or CommandLine contains "🙇🏾‍♀️" or CommandLine contains "🙇🏾" or CommandLine contains "🙇🏾‍♂️" or CommandLine contains "💁🏾‍♀️" or CommandLine contains "💁🏾" or CommandLine contains "💁🏾‍♂️" or CommandLine contains "🙅🏾‍♀️" or CommandLine contains "🙅🏾" or CommandLine contains "🙅🏾‍♂️" or CommandLine contains "🙆🏾‍♀️" or CommandLine contains "🙆🏾" or CommandLine contains "🙆🏾‍♂️" or CommandLine contains "🙋🏾‍♀️" or CommandLine contains "🙋🏾" or CommandLine contains "🙋🏾‍♂️" or CommandLine contains "🧏🏾‍♀️" or CommandLine contains "🧏🏾" or CommandLine contains "🧏🏾‍♂️" or CommandLine contains "🤦🏾‍♀️" or CommandLine contains "🤦🏾" or CommandLine contains "🤦🏾‍♂️" or CommandLine contains "🤷🏾‍♀️" or CommandLine contains "🤷🏾" or CommandLine contains "🤷🏾‍♂️" or CommandLine contains "🙎🏾‍♀️" or CommandLine contains "🙎🏾" or CommandLine contains "🙎🏾‍♂️" or CommandLine contains "🙍🏾‍♀️" or CommandLine contains "🙍🏾" or CommandLine contains "🙍🏾‍♂️" or CommandLine contains "💇🏾‍♀️" or CommandLine contains "💇🏾" or CommandLine contains "💇🏾‍♂️" or CommandLine contains "💆🏾‍♀️" or CommandLine contains "💆🏾" or CommandLine contains "💆🏾‍♂️" or CommandLine contains "🧖🏾‍♀️" or CommandLine contains "🧖🏾" or CommandLine contains "🧖🏾‍♂️" or CommandLine contains "💃🏾" or CommandLine contains "🕺🏾" or CommandLine contains "👩🏾‍🦽" or CommandLine contains "🧑🏾‍🦽" or CommandLine contains "👨🏾‍🦽" or CommandLine contains "👩🏾‍🦼" or CommandLine contains "🧑🏾‍🦼" or CommandLine contains "👨🏾‍🦼" or CommandLine contains "🚶🏾‍♀️" or CommandLine contains "🚶🏾" or CommandLine contains "🚶🏾‍♂️" or CommandLine contains "👩🏾‍🦯" or CommandLine contains "🧑🏾‍🦯" or CommandLine contains "👨🏾‍🦯" or CommandLine contains "🧎🏾‍♀️" or CommandLine contains "🧎🏾" or CommandLine contains "🧎🏾‍♂️" or CommandLine contains "🏃🏾‍♀️" or CommandLine contains "🏃🏾" or CommandLine contains "🏃🏾‍♂️" or CommandLine contains "🧍🏾‍♀️" or CommandLine contains "🧍🏾" or CommandLine contains "🧍🏾‍♂️" or CommandLine contains "👭🏾" or CommandLine contains "🧑🏾‍🤝‍🧑🏾" or CommandLine contains "👬🏾" or CommandLine contains "👫🏾" or CommandLine contains "🧗🏾‍♀️" or CommandLine contains "🧗🏾" or CommandLine contains "🧗🏾‍♂️" or CommandLine contains "🏇🏾" or CommandLine contains "🏂🏾" or CommandLine contains "🏌🏾‍♀️" or CommandLine contains "🏌🏾" or CommandLine contains "🏌🏾‍♂️" or CommandLine contains "🏄🏾‍♀️" or CommandLine contains "🏄🏾" or CommandLine contains "🏄🏾‍♂️" or CommandLine contains "🚣🏾‍♀️" or CommandLine contains "🚣🏾" or CommandLine contains "🚣🏾‍♂️" or CommandLine contains "🏊🏾‍♀️" or CommandLine contains "🏊🏾" or CommandLine contains "🏊🏾‍♂️" or CommandLine contains "⛹🏾‍♀️" or CommandLine contains "⛹🏾" or CommandLine contains "⛹🏾‍♂️" or CommandLine contains "🏋🏾‍♀️" or CommandLine contains "🏋🏾" or CommandLine contains "🏋🏾‍♂️" or CommandLine contains "🚴🏾‍♀️" or CommandLine contains "🚴🏾" or CommandLine contains "🚴🏾‍♂️" or CommandLine contains "🚵🏾‍♀️" or CommandLine contains "🚵🏾" or CommandLine contains "🚵🏾‍♂️" or CommandLine contains "🤸🏾‍♀️" or CommandLine contains "🤸🏾" or CommandLine contains "🤸🏾‍♂️" or CommandLine contains "🤽🏾‍♀️" or CommandLine contains "🤽🏾" or CommandLine contains "🤽🏾‍♂️" or CommandLine contains "🤾🏾‍♀️" or CommandLine contains "🤾🏾" or CommandLine contains "🤾🏾‍♂️" or CommandLine contains "🤹🏾‍♀️" or CommandLine contains "🤹🏾" or CommandLine contains "🤹🏾‍♂️" or CommandLine contains "🧘🏾‍♀️" or CommandLine contains "🧘🏾" or CommandLine contains "🧘🏾‍♂️" or CommandLine contains "🛀🏾" or CommandLine contains "🛌🏾" or CommandLine contains "👋🏿" or CommandLine contains "🤚🏿" or CommandLine contains "🖐🏿" or CommandLine contains "✋🏿" or CommandLine contains "🖖🏿" or CommandLine contains "👌🏿" or CommandLine contains "🤌🏿" or CommandLine contains "🤏🏿" or CommandLine contains "✌🏿" or CommandLine contains "🤞🏿" or CommandLine contains "🫰🏿" or CommandLine contains "🤟🏿" or CommandLine contains "🤘🏿" or CommandLine contains "🤙🏿" or CommandLine contains "🫵🏿" or CommandLine contains "🫱🏿" or CommandLine contains "🫲🏿" or CommandLine contains "🫳🏿" or CommandLine contains "🫴🏿" or CommandLine contains "👈🏿" or CommandLine contains "👉🏿" or CommandLine contains "👆🏿" or CommandLine contains "🖕🏿" or CommandLine contains "👇🏿" or CommandLine contains "☝🏿" or CommandLine contains "👍🏿" or CommandLine contains "👎🏿" or CommandLine contains "✊🏿" or CommandLine contains "👊🏿" or CommandLine contains "🤛🏿" or CommandLine contains "🤜🏿" or CommandLine contains "👏🏿" or CommandLine contains "🫶🏿" or CommandLine contains "🙌🏿" or CommandLine contains "👐🏿" or CommandLine contains "🤲🏿" or CommandLine contains "🙏🏿" or CommandLine contains "✍🏿" or CommandLine contains "🤳🏿" or CommandLine contains "💪🏿" or CommandLine contains "🦵🏿" or CommandLine contains "🦶🏿" or CommandLine contains "👂🏿" or CommandLine contains "🦻🏿" or CommandLine contains "👃🏿" or CommandLine contains "👶🏿" or CommandLine contains "👧🏿" or CommandLine contains "🧒🏿" or CommandLine contains "👦🏿" or CommandLine contains "👩🏿" or CommandLine contains "🧑🏿" or CommandLine contains "👨🏿" or CommandLine contains "👩🏿‍🦱" or CommandLine contains "🧑🏿‍🦱" or CommandLine contains "👨🏿‍🦱" or CommandLine contains "👩🏿‍🦰" or CommandLine contains "🧑🏿‍🦰" or CommandLine contains "👨🏿‍🦰" or CommandLine contains "👱🏿‍♀️" or CommandLine contains "👱🏿" or CommandLine contains "👱🏿‍♂️" or CommandLine contains "👩🏿‍🦳" or CommandLine contains "🧑🏿‍🦳" or CommandLine contains "👨🏿‍🦳" or CommandLine contains "👩🏿‍🦲" or CommandLine contains "🧑🏿‍🦲" or CommandLine contains "👨🏿‍🦲" or CommandLine contains "🧔🏿‍♀️" or CommandLine contains "🧔🏿" or CommandLine contains "🧔🏿‍♂️" or CommandLine contains "👵🏿" or CommandLine contains "🧓🏿" or CommandLine contains "👴🏿" or CommandLine contains "👲🏿" or CommandLine contains "👳🏿‍♀️" or CommandLine contains "👳🏿" or CommandLine contains "👳🏿‍♂️" or CommandLine contains "🧕🏿" or CommandLine contains "👮🏿‍♀️" or CommandLine contains "👮🏿" or CommandLine contains "👮🏿‍♂️" or CommandLine contains "👷🏿‍♀️" or CommandLine contains "👷🏿" or CommandLine contains "👷🏿‍♂️" or CommandLine contains "💂🏿‍♀️" or CommandLine contains "💂🏿" or CommandLine contains "💂🏿‍♂️" or CommandLine contains "🕵🏿‍♀️" or CommandLine contains "🕵🏿" or CommandLine contains "🕵🏿‍♂️" or CommandLine contains "👩🏿‍⚕️" or CommandLine contains "🧑🏿‍⚕️" or CommandLine contains "👨🏿‍⚕️" or CommandLine contains "👩🏿‍🌾" or CommandLine contains "🧑🏿‍🌾" or CommandLine contains "👨🏿‍🌾" or CommandLine contains "👩🏿‍🍳" or CommandLine contains "🧑🏿‍🍳" or CommandLine contains "👨🏿‍🍳" or CommandLine contains "👩🏿‍🎓" or CommandLine contains "🧑🏿‍🎓" or CommandLine contains "👨🏿‍🎓" or CommandLine contains "👩🏿‍🎤" or CommandLine contains "🧑🏿‍🎤" or CommandLine contains "👨🏿‍🎤" or CommandLine contains "👩🏿‍🏫" or CommandLine contains "🧑🏿‍🏫" or CommandLine contains "👨🏿‍🏫" or CommandLine contains "👩🏿‍🏭" or CommandLine contains "🧑🏿‍🏭" or CommandLine contains "👨🏿‍🏭" or CommandLine contains "👩🏿‍💻" or CommandLine contains "🧑🏿‍💻" or CommandLine contains "👨🏿‍💻" or CommandLine contains "👩🏿‍💼" or CommandLine contains "🧑🏿‍💼" or CommandLine contains "👨🏿‍💼" or CommandLine contains "👩🏿‍🔧" or CommandLine contains "🧑🏿‍🔧" or CommandLine contains "👨🏿‍🔧" or CommandLine contains "👩🏿‍🔬" or CommandLine contains "🧑🏿‍🔬" or CommandLine contains "👨🏿‍🔬" or CommandLine contains "👩🏿‍🎨" or CommandLine contains "🧑🏿‍🎨" or CommandLine contains "👨🏿‍🎨" or CommandLine contains "👩🏿‍🚒" or CommandLine contains "🧑🏿‍🚒" or CommandLine contains "👨🏿‍🚒" or CommandLine contains "👩🏿‍✈️" or CommandLine contains "🧑🏿‍✈️" or CommandLine contains "👨🏿‍✈️" or CommandLine contains "👩🏿‍🚀" or CommandLine contains "🧑🏿‍🚀" or CommandLine contains "👨🏿‍🚀" or CommandLine contains "👩🏿‍⚖️" or CommandLine contains "🧑🏿‍⚖️" or CommandLine contains "👨🏿‍⚖️" or CommandLine contains "👰🏿‍♀️" or CommandLine contains "👰🏿" or CommandLine contains "👰🏿‍♂️" or CommandLine contains "🤵🏿‍♀️" or CommandLine contains "🤵🏿" or CommandLine contains "🤵🏿‍♂️" or CommandLine contains "👸🏿" or CommandLine contains "🫅🏿" or CommandLine contains "🤴🏿" or CommandLine contains "🥷🏿" or CommandLine contains "🦸🏿‍♀️" or CommandLine contains "🦸🏿" or CommandLine contains "🦸🏿‍♂️" or CommandLine contains "🦹🏿‍♀️" or CommandLine contains "🦹🏿" or CommandLine contains "🦹🏿‍♂️" or CommandLine contains "🤶🏿" or CommandLine contains "🧑🏿‍🎄" or CommandLine contains "🎅🏿" or CommandLine contains "🧙🏿‍♀️" or CommandLine contains "🧙🏿" or CommandLine contains "🧙🏿‍♂️" or CommandLine contains "🧝🏿‍♀️" or CommandLine contains "🧝🏿" or CommandLine contains "🧝🏿‍♂️" or CommandLine contains "🧛🏿‍♀️" or CommandLine contains "🧛🏿" or CommandLine contains "🧛🏿‍♂️" or CommandLine contains "🧜🏿‍♀️" or CommandLine contains "🧜🏿" or CommandLine contains "🧜🏿‍♂️" or CommandLine contains "🧚🏿‍♀️" or CommandLine contains "🧚🏿" or CommandLine contains "🧚🏿‍♂️" or CommandLine contains "👼🏿" or CommandLine contains "🤰🏿" or CommandLine contains "🫄🏿" or CommandLine contains "🫃🏿" or CommandLine contains "🤱🏿" or CommandLine contains "👩🏿‍🍼" or CommandLine contains "🧑🏿‍🍼" or CommandLine contains "👨🏿‍🍼" or CommandLine contains "🙇🏿‍♀️" or CommandLine contains "🙇🏿" or CommandLine contains "🙇🏿‍♂️" or CommandLine contains "💁🏿‍♀️" or CommandLine contains "💁🏿" or CommandLine contains "💁🏿‍♂️" or CommandLine contains "🙅🏿‍♀️" or CommandLine contains "🙅🏿" or CommandLine contains "🙅🏿‍♂️" or CommandLine contains "🙆🏿‍♀️" or CommandLine contains "🙆🏿" or CommandLine contains "🙆🏿‍♂️" or CommandLine contains "🙋🏿‍♀️" or CommandLine contains "🙋🏿" or CommandLine contains "🙋🏿‍♂️" or CommandLine contains "🧏🏿‍♀️" or CommandLine contains "🧏🏿" or CommandLine contains "🧏🏿‍♂️" or CommandLine contains "🤦🏿‍♀️" or CommandLine contains "🤦🏿" or CommandLine contains "🤦🏿‍♂️" or CommandLine contains "🤷🏿‍♀️" or CommandLine contains "🤷🏿" or CommandLine contains "🤷🏿‍♂️" or CommandLine contains "🙎🏿‍♀️" or CommandLine contains "🙎🏿" or CommandLine contains "🙎🏿‍♂️" or CommandLine contains "🙍🏿‍♀️" or CommandLine contains "🙍🏿" or CommandLine contains "🙍🏿‍♂️" or CommandLine contains "💇🏿‍♀️" or CommandLine contains "💇🏿" or CommandLine contains "💇🏿‍♂️" or CommandLine contains "💆🏿‍♀️" or CommandLine contains "💆🏿" or CommandLine contains "💆🏿‍♂️" or CommandLine contains "🧖🏿‍♀️" or CommandLine contains "🧖🏿" or CommandLine contains "🧖🏿‍♂️" or CommandLine contains "💃🏿" or CommandLine contains "🕺🏿" or CommandLine contains "🕴🏿" or CommandLine contains "👩🏿‍🦽" or CommandLine contains "🧑🏿‍🦽" or CommandLine contains "👨🏿‍🦽" or CommandLine contains "👩🏿‍🦼" or CommandLine contains "🧑🏿‍🦼" or CommandLine contains "👨🏿‍🦼" or CommandLine contains "🚶🏿‍♀️" or CommandLine contains "🚶🏿" or CommandLine contains "🚶🏿‍♂️" or CommandLine contains "👩🏿‍🦯" or CommandLine contains "🧑🏿‍🦯" or CommandLine contains "👨🏿‍🦯" or CommandLine contains "🧎🏿‍♀️" or CommandLine contains "🧎🏿" or CommandLine contains "🧎🏿‍♂️" or CommandLine contains "🏃🏿‍♀️" or CommandLine contains "🏃🏿" or CommandLine contains "🏃🏿‍♂️" or CommandLine contains "🧍🏿‍♀️" or CommandLine contains "🧍🏿" or CommandLine contains "🧍🏿‍♂️" or CommandLine contains "👭🏿" or CommandLine contains "🧑🏿‍🤝‍🧑🏿" or CommandLine contains "👬🏿" or CommandLine contains "👫🏿" or CommandLine contains "🧗🏿‍♀️" or CommandLine contains "🧗🏿" or CommandLine contains "🧗🏿‍♂️" or CommandLine contains "🏇🏿" or CommandLine contains "🏂🏿" or CommandLine contains "🏌🏿‍♀️" or CommandLine contains "🏌🏿" or CommandLine contains "🏌🏿‍♂️" or CommandLine contains "🏄🏿‍♀️" or CommandLine contains "🏄🏿" or CommandLine contains "🏄🏿‍♂️" or CommandLine contains "🚣🏿‍♀️" or CommandLine contains "🚣🏿" or CommandLine contains "🚣🏿‍♂️" or CommandLine contains "🏊🏿‍♀️" or CommandLine contains "🏊🏿" or CommandLine contains "🏊🏿‍♂️" or CommandLine contains "⛹🏿‍♀️" or CommandLine contains "⛹🏿" or CommandLine contains "⛹🏿‍♂️" or CommandLine contains "🏋🏿‍♀️" or CommandLine contains "🏋🏿" or CommandLine contains "🏋🏿‍♂️" or CommandLine contains "🚴🏿‍♀️" or CommandLine contains "🚴🏿" or CommandLine contains "🚴🏿‍♂️" or CommandLine contains "🚵🏿‍♀️" or CommandLine contains "🚵🏿" or CommandLine contains "🚵🏿‍♂️" or CommandLine contains "🤸🏿‍♀️" or CommandLine contains "🤸🏿" or CommandLine contains "🤸🏿‍♂️" or CommandLine contains "🤽🏿‍♀️" or CommandLine contains "🤽🏿" or CommandLine contains "🤽🏿‍♂️" or CommandLine contains "🤾🏿‍♀️" or CommandLine contains "🤾🏿" or CommandLine contains "🤾🏿‍♂️" or CommandLine contains "🤹🏿‍♀️" or CommandLine contains "🤹🏿" or CommandLine contains "🤹🏿‍♂️" or CommandLine contains "🧘🏿‍♀️" or CommandLine contains "🧘🏿" or CommandLine contains "🧘🏿‍♂️" or CommandLine contains "🛀🏿" or CommandLine contains "🛌🏿" or CommandLine contains "🐶" or CommandLine contains "🐱" or CommandLine contains "🐭" or CommandLine contains "🐹" or CommandLine contains "🐰" or CommandLine contains "🦊" or CommandLine contains "🐻" or CommandLine contains "🐼" or CommandLine contains "🐻‍❄️" or CommandLine contains "🐨" or CommandLine contains "🐯" or CommandLine contains "🦁" or CommandLine contains "🐮" or CommandLine contains "🐷" or CommandLine contains "🐽" or CommandLine contains "🐸" or CommandLine contains "🐵" or CommandLine contains "🙈" or CommandLine contains "🙉" or CommandLine contains "🙊" or CommandLine contains "🐒" or CommandLine contains "🐔" or CommandLine contains "🐧" or CommandLine contains "🐦" or CommandLine contains "🐤" or CommandLine contains "🐣" or CommandLine contains "🐥"
Showing 701-750 of 3,763
Prev 15 Next
SOC and Response
Detection Engineering
Threat Hunting
Red Team and Pentest
Compliance and GRC
About
threatengine.sh