
Microsoft Sentinel

3,763 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Microsoft Sentinel · Converted KQL · severity: high
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
Detects the use of emojis in the command line, which can be a sign of defense evasion activity.
Query (filter predicate only; run it as the where clause of your process-creation table):
CommandLine contains "🦆" or CommandLine contains "🦅" or CommandLine contains "🦉" or CommandLine contains "🦇" or CommandLine contains "🐺" or CommandLine contains "🐗" or CommandLine contains "🐴" or CommandLine contains "🦄" or CommandLine contains "🐝" or CommandLine contains "🪱" or CommandLine contains "🐛" or CommandLine contains "🦋" or CommandLine contains "🐌" or CommandLine contains "🐞" or CommandLine contains "🐜" or CommandLine contains "🪰" or CommandLine contains "🪲" or CommandLine contains "🪳" or CommandLine contains "🦟" or CommandLine contains "🦗" or CommandLine contains "🕷" or CommandLine contains "🕸" or CommandLine contains "🦂" or CommandLine contains "🐢" or CommandLine contains "🐍" or CommandLine contains "🦎" or CommandLine contains "🦖" or CommandLine contains "🦕" or CommandLine contains "🐙" or CommandLine contains "🦑" or CommandLine contains "🦐" or CommandLine contains "🦞" or CommandLine contains "🦀" or CommandLine contains "🪸" or CommandLine contains "🐡" or CommandLine contains "🐠" or CommandLine contains "🐟" or CommandLine contains "🐬" or CommandLine contains "🐳" or CommandLine contains "🐋" or CommandLine contains "🦈" or CommandLine contains "🐊" or CommandLine contains "🐅" or CommandLine contains "🐆" or CommandLine contains "🦓" or CommandLine contains "🦍" or CommandLine contains "🦧" or CommandLine contains "🦣" or CommandLine contains "🐘" or CommandLine contains "🦛" or CommandLine contains "🦏" or CommandLine contains "🐪" or CommandLine contains "🐫" or CommandLine contains "🦒" or CommandLine contains "🦘" or CommandLine contains "🦬" or CommandLine contains "🐃" or CommandLine contains "🐂" or CommandLine contains "🐄" or CommandLine contains "🐎" or CommandLine contains "🐖" or CommandLine contains "🐏" or CommandLine contains "🐑" or CommandLine contains "🦙" or CommandLine contains "🐐" or CommandLine contains "🦌" or CommandLine contains "🐕" or CommandLine contains "🐩" or CommandLine contains "🦮" or CommandLine contains "🐕‍🦺" or CommandLine contains "🐈" or 
CommandLine contains "🐈‍⬛" or CommandLine contains "🪶" or CommandLine contains "🐓" or CommandLine contains "🦃" or CommandLine contains "🦤" or CommandLine contains "🦚" or CommandLine contains "🦜" or CommandLine contains "🦢" or CommandLine contains "🦩" or CommandLine contains "🕊" or CommandLine contains "🐇" or CommandLine contains "🦝" or CommandLine contains "🦨" or CommandLine contains "🦡" or CommandLine contains "🦫" or CommandLine contains "🦦" or CommandLine contains "🦥" or CommandLine contains "🐁" or CommandLine contains "🐀" or CommandLine contains "🐿" or CommandLine contains "🦔" or CommandLine contains "🐾" or CommandLine contains "🐉" or CommandLine contains "🐲" or CommandLine contains "🌵" or CommandLine contains "🎄" or CommandLine contains "🌲" or CommandLine contains "🌳" or CommandLine contains "🌴" or CommandLine contains "🪹" or CommandLine contains "🪺" or CommandLine contains "🪵" or CommandLine contains "🌱" or CommandLine contains "🌿" or CommandLine contains "☘️" or CommandLine contains "🍀" or CommandLine contains "🎍" or CommandLine contains "🪴" or CommandLine contains "🎋" or CommandLine contains "🍃" or CommandLine contains "🍂" or CommandLine contains "🍁" or CommandLine contains "🍄" or CommandLine contains "🐚" or CommandLine contains "🪨" or CommandLine contains "🌾" or CommandLine contains "💐" or CommandLine contains "🌷" or CommandLine contains "🪷" or CommandLine contains "🌹" or CommandLine contains "🥀" or CommandLine contains "🌺" or CommandLine contains "🌸" or CommandLine contains "🌼" or CommandLine contains "🌻" or CommandLine contains "🌞" or CommandLine contains "🌝" or CommandLine contains "🌛" or CommandLine contains "🌜" or CommandLine contains "🌚" or CommandLine contains "🌕" or CommandLine contains "🌖" or CommandLine contains "🌗" or CommandLine contains "🌘" or CommandLine contains "🌑" or CommandLine contains "🌒" or CommandLine contains "🌓" or CommandLine contains "🌔" or CommandLine contains "🌙" or CommandLine contains "🌎" or CommandLine contains "🌍" or 
CommandLine contains "🌏" or CommandLine contains "🪐" or CommandLine contains "💫" or CommandLine contains "⭐️" or CommandLine contains "🌟" or CommandLine contains "✨" or CommandLine contains "⚡️" or CommandLine contains "☄️" or CommandLine contains "💥" or CommandLine contains "🔥" or CommandLine contains "🌪" or CommandLine contains "🌈" or CommandLine contains "☀️" or CommandLine contains "🌤" or CommandLine contains "⛅️" or CommandLine contains "🌥" or CommandLine contains "☁️" or CommandLine contains "🌦" or CommandLine contains "🌧" or CommandLine contains "⛈" or CommandLine contains "🌩" or CommandLine contains "🌨" or CommandLine contains "❄️" or CommandLine contains "☃️" or CommandLine contains "⛄️" or CommandLine contains "🌬" or CommandLine contains "💨" or CommandLine contains "💧" or CommandLine contains "💦" or CommandLine contains "🫧" or CommandLine contains "☔️" or CommandLine contains "☂️" or CommandLine contains "🌊" or CommandLine contains "🌫" or CommandLine contains "🍏" or CommandLine contains "🍎" or CommandLine contains "🍐" or CommandLine contains "🍊" or CommandLine contains "🍋" or CommandLine contains "🍌" or CommandLine contains "🍉" or CommandLine contains "🍇" or CommandLine contains "🍓" or CommandLine contains "🫐" or CommandLine contains "🍈" or CommandLine contains "🍒" or CommandLine contains "🍑" or CommandLine contains "🥭" or CommandLine contains "🍍" or CommandLine contains "🥥" or CommandLine contains "🥝" or CommandLine contains "🍅" or CommandLine contains "🍆" or CommandLine contains "🥑" or CommandLine contains "🥦" or CommandLine contains "🥬" or CommandLine contains "🥒" or CommandLine contains "🌶" or CommandLine contains "🫑" or CommandLine contains "🌽" or CommandLine contains "🥕" or CommandLine contains "🫒" or CommandLine contains "🧄" or CommandLine contains "🧅" or CommandLine contains "🥔" or CommandLine contains "🍠" or CommandLine contains "🫘" or CommandLine contains "🥐" or CommandLine contains "🥯" or CommandLine contains "🍞" or CommandLine contains "🥖" or CommandLine contains "🥨" or
CommandLine contains "🧀" or CommandLine contains "🥚" or CommandLine contains "🍳" or CommandLine contains "🧈" or CommandLine contains "🥞" or CommandLine contains "🧇" or CommandLine contains "🥓" or CommandLine contains "🥩" or CommandLine contains "🍗" or CommandLine contains "🍖" or CommandLine contains "🦴" or CommandLine contains "🌭" or CommandLine contains "🍔" or CommandLine contains "🍟" or CommandLine contains "🍕" or CommandLine contains "🫓" or CommandLine contains "🥪" or CommandLine contains "🥙" or CommandLine contains "🧆" or CommandLine contains "🌮" or CommandLine contains "🌯" or CommandLine contains "🫔" or CommandLine contains "🥗" or CommandLine contains "🥘" or CommandLine contains "🫕" or CommandLine contains "🥫" or CommandLine contains "🍝" or CommandLine contains "🍜" or CommandLine contains "🍲" or CommandLine contains "🍛" or CommandLine contains "🍣" or CommandLine contains "🍱" or CommandLine contains "🥟" or CommandLine contains "🦪" or CommandLine contains "🍤" or CommandLine contains "🍙" or CommandLine contains "🍚" or CommandLine contains "🍘" or CommandLine contains "🍥" or CommandLine contains "🥠" or CommandLine contains "🥮" or CommandLine contains "🍢" or CommandLine contains "🍡" or CommandLine contains "🍧" or CommandLine contains "🍨" or CommandLine contains "🍦" or CommandLine contains "🥧" or CommandLine contains "🧁" or CommandLine contains "🍰" or CommandLine contains "🎂" or CommandLine contains "🍮" or CommandLine contains "🍭" or CommandLine contains "🍬" or CommandLine contains "🍫" or CommandLine contains "🍿" or CommandLine contains "🍩" or CommandLine contains "🍪" or CommandLine contains "🌰" or CommandLine contains "🥜" or CommandLine contains "🍯" or CommandLine contains "🥛" or CommandLine contains "🍼" or CommandLine contains "🫖" or CommandLine contains "☕️" or CommandLine contains "🍵" or CommandLine contains "🧃" or CommandLine contains "🥤" or CommandLine contains "🧋" or CommandLine contains "🫙" or CommandLine contains "🍶" or CommandLine contains "🍺" or 
CommandLine contains "🍻" or CommandLine contains "🥂" or CommandLine contains "🍷" or CommandLine contains "🫗" or CommandLine contains "🥃" or CommandLine contains "🍸" or CommandLine contains "🍹" or CommandLine contains "🧉" or CommandLine contains "🍾" or CommandLine contains "🧊" or CommandLine contains "🥄" or CommandLine contains "🍴" or CommandLine contains "🍽" or CommandLine contains "🥣" or CommandLine contains "🥡" or CommandLine contains "🥢" or CommandLine contains "🧂" or CommandLine contains "⚽️" or CommandLine contains "🏀" or CommandLine contains "🏈" or CommandLine contains "⚾️" or CommandLine contains "🥎" or CommandLine contains "🎾" or CommandLine contains "🏐" or CommandLine contains "🏉" or CommandLine contains "🥏" or CommandLine contains "🎱" or CommandLine contains "🪀" or CommandLine contains "🏓" or CommandLine contains "🏸" or CommandLine contains "🏒" or CommandLine contains "🏑" or CommandLine contains "🥍" or CommandLine contains "🏏" or CommandLine contains "🪃" or CommandLine contains "🥅" or CommandLine contains "⛳️" or CommandLine contains "🪁" or CommandLine contains "🏹" or CommandLine contains "🎣" or CommandLine contains "🤿" or CommandLine contains "🥊" or CommandLine contains "🥋" or CommandLine contains "🎽" or CommandLine contains "🛹" or CommandLine contains "🛼" or CommandLine contains "🛷" or CommandLine contains "⛸" or CommandLine contains "🥌" or CommandLine contains "🎿" or CommandLine contains "⛷" or CommandLine contains "🏂" or CommandLine contains "🪂" or CommandLine contains "🏋️‍♀️" or CommandLine contains "🏋️" or CommandLine contains "🏋️‍♂️" or CommandLine contains "🤼‍♀️" or CommandLine contains "🤼" or CommandLine contains "🤼‍♂️" or CommandLine contains "🤸‍♀️" or CommandLine contains "🤸" or CommandLine contains "🤸‍♂️" or CommandLine contains "⛹️‍♀️" or CommandLine contains "⛹️" or CommandLine contains "⛹️‍♂️" or CommandLine contains "🤺" or CommandLine contains "🤾‍♀️" or CommandLine contains "🤾" or CommandLine contains "🤾‍♂️" or CommandLine contains "🏌️‍♀️" 
or CommandLine contains "🏌️" or CommandLine contains "🏌️‍♂️" or CommandLine contains "🏇" or CommandLine contains "🧘‍♀️" or CommandLine contains "🧘" or CommandLine contains "🧘‍♂️" or CommandLine contains "🏄‍♀️" or CommandLine contains "🏄" or CommandLine contains "🏄‍♂️" or CommandLine contains "🏊‍♀️" or CommandLine contains "🏊" or CommandLine contains "🏊‍♂️" or CommandLine contains "🤽‍♀️" or CommandLine contains "🤽" or CommandLine contains "🤽‍♂️" or CommandLine contains "🚣‍♀️" or CommandLine contains "🚣" or CommandLine contains "🚣‍♂️" or CommandLine contains "🧗‍♀️" or CommandLine contains "🧗" or CommandLine contains "🧗‍♂️" or CommandLine contains "🚵‍♀️" or CommandLine contains "🚵" or CommandLine contains "🚵‍♂️" or CommandLine contains "🚴‍♀️" or CommandLine contains "🚴" or CommandLine contains "🚴‍♂️" or CommandLine contains "🏆" or CommandLine contains "🥇" or CommandLine contains "🥈" or CommandLine contains "🥉" or CommandLine contains "🏅" or CommandLine contains "🎖" or CommandLine contains "🏵" or CommandLine contains "🎗" or CommandLine contains "🎫" or CommandLine contains "🎟" or CommandLine contains "🎪" or CommandLine contains "🤹" or CommandLine contains "🤹‍♂️" or CommandLine contains "🤹‍♀️" or CommandLine contains "🎭" or CommandLine contains "🩰" or CommandLine contains "🎨" or CommandLine contains "🎬" or CommandLine contains "🎤" or CommandLine contains "🎧" or CommandLine contains "🎼" or CommandLine contains "🎹" or CommandLine contains "🥁" or CommandLine contains "🪘" or CommandLine contains "🎷" or CommandLine contains "🎺" or CommandLine contains "🪗" or CommandLine contains "🎸" or CommandLine contains "🪕" or CommandLine contains "🎻" or CommandLine contains "🎲" or CommandLine contains "♟" or CommandLine contains "🎯" or CommandLine contains "🎳" or CommandLine contains "🎮" or CommandLine contains "🎰" or CommandLine contains "🧩" or CommandLine contains "🚗" or CommandLine contains "🚕" or CommandLine contains "🚙" or CommandLine contains "🚌" or CommandLine contains "🚎" or 
CommandLine contains "🏎" or CommandLine contains "🚓" or CommandLine contains "🚑" or CommandLine contains "🚒" or CommandLine contains "🚐" or CommandLine contains "🛻" or CommandLine contains "🚚" or CommandLine contains "🚛" or CommandLine contains "🚜" or CommandLine contains "🦯" or CommandLine contains "🦽" or CommandLine contains "🦼" or CommandLine contains "🛴" or CommandLine contains "🚲" or CommandLine contains "🛵" or CommandLine contains "🏍" or CommandLine contains "🛺" or CommandLine contains "🚨" or CommandLine contains "🚔" or CommandLine contains "🚍" or CommandLine contains "🚘" or CommandLine contains "🚖" or CommandLine contains "🛞" or CommandLine contains "🚡" or CommandLine contains "🚠" or CommandLine contains "🚟" or CommandLine contains "🚃" or CommandLine contains "🚋" or CommandLine contains "🚞" or CommandLine contains "🚝" or CommandLine contains "🚄" or CommandLine contains "🚅" or CommandLine contains "🚈" or CommandLine contains "🚂" or CommandLine contains "🚆" or CommandLine contains "🚇" or CommandLine contains "🚊" or CommandLine contains "🚉" or CommandLine contains "✈️" or CommandLine contains "🛫" or CommandLine contains "🛬" or CommandLine contains "🛩" or CommandLine contains "💺" or CommandLine contains "🛰" or CommandLine contains "🚀" or CommandLine contains "🛸" or CommandLine contains "🚁" or CommandLine contains "🛶" or CommandLine contains "⛵️" or CommandLine contains "🚤" or CommandLine contains "🛥" or CommandLine contains "🛳" or CommandLine contains "⛴" or CommandLine contains "🚢" or CommandLine contains "⚓️" or CommandLine contains "🛟" or CommandLine contains "🪝" or CommandLine contains "⛽️" or CommandLine contains "🚧" or CommandLine contains "🚦" or CommandLine contains "🚥" or CommandLine contains "🚏" or CommandLine contains "🗺" or CommandLine contains "🗿" or CommandLine contains "🗽" or CommandLine contains "🗼" or CommandLine contains "🏰" or CommandLine contains "🏯" or CommandLine contains "🏟" or CommandLine contains "🎡" or CommandLine contains "🎢" or 
CommandLine contains "🛝" or CommandLine contains "🎠" or CommandLine contains "⛲️" or CommandLine contains "⛱" or CommandLine contains "🏖" or CommandLine contains "🏝" or CommandLine contains "🏜" or CommandLine contains "🌋" or CommandLine contains "⛰" or CommandLine contains "🏔" or CommandLine contains "🗻" or CommandLine contains "🏕" or CommandLine contains "⛺️" or CommandLine contains "🛖" or CommandLine contains "🏠" or CommandLine contains "🏡" or CommandLine contains "🏘" or CommandLine contains "🏚" or CommandLine contains "🏗" or CommandLine contains "🏭" or CommandLine contains "🏢" or CommandLine contains "🏬" or CommandLine contains "🏣" or CommandLine contains "🏤" or CommandLine contains "🏥" or CommandLine contains "🏦" or CommandLine contains "🏨" or CommandLine contains "🏪" or CommandLine contains "🏫" or CommandLine contains "🏩" or CommandLine contains "💒" or CommandLine contains "🏛" or CommandLine contains "⛪️" or CommandLine contains "🕌" or CommandLine contains "🕍" or CommandLine contains "🛕" or CommandLine contains "🕋" or CommandLine contains "⛩" or CommandLine contains "🛤" or CommandLine contains "🛣" or CommandLine contains "🗾" or CommandLine contains "🎑" or CommandLine contains "🏞" or CommandLine contains "🌅" or CommandLine contains "🌄" or CommandLine contains "🌠" or CommandLine contains "🎇" or CommandLine contains "🎆" or CommandLine contains "🌇" or CommandLine contains "🌆" or CommandLine contains "🏙" or CommandLine contains "🌃" or CommandLine contains "🌌" or CommandLine contains "🌉" or CommandLine contains "🌁" or CommandLine contains "⌚️" or CommandLine contains "📱" or CommandLine contains "📲" or CommandLine contains "💻" or CommandLine contains "⌨️" or CommandLine contains "🖥" or CommandLine contains "🖨" or CommandLine contains "🖱" or CommandLine contains "🖲" or CommandLine contains "🕹" or CommandLine contains "🗜" or CommandLine contains "💽" or CommandLine contains "💾" or CommandLine contains "💿" or CommandLine contains "📀" or CommandLine contains "📼" or 
CommandLine contains "📷" or CommandLine contains "📸" or CommandLine contains "📹" or CommandLine contains "🎥" or CommandLine contains "📽" or CommandLine contains "🎞" or CommandLine contains "📞" or CommandLine contains "☎️" or CommandLine contains "📟" or CommandLine contains "📠" or CommandLine contains "📺" or CommandLine contains "📻" or CommandLine contains "🎙" or CommandLine contains "🎚" or CommandLine contains "🎛" or CommandLine contains "🧭" or CommandLine contains "⏱" or CommandLine contains "⏲" or CommandLine contains "⏰" or CommandLine contains "🕰" or CommandLine contains "⌛️" or CommandLine contains "⏳" or CommandLine contains "📡" or CommandLine contains "🔋" or CommandLine contains "🪫" or CommandLine contains "🔌" or CommandLine contains "💡" or CommandLine contains "🔦" or CommandLine contains "🕯" or CommandLine contains "🪔" or CommandLine contains "🧯" or CommandLine contains "🛢" or CommandLine contains "💸" or CommandLine contains "💵" or CommandLine contains "💴" or CommandLine contains "💶" or CommandLine contains "💷" or CommandLine contains "🪙" or CommandLine contains "💰" or CommandLine contains "💳" or CommandLine contains "💎" or CommandLine contains "⚖️" or CommandLine contains "🪜" or CommandLine contains "🧰" or CommandLine contains "🪛" or CommandLine contains "🔧" or CommandLine contains "🔨" or CommandLine contains "⚒" or CommandLine contains "🛠" or CommandLine contains "⛏" or CommandLine contains "🪚" or CommandLine contains "🔩" or CommandLine contains "⚙️" or CommandLine contains "🪤" or CommandLine contains "🧱" or CommandLine contains "⛓" or CommandLine contains "🧲" or CommandLine contains "🔫" or CommandLine contains "💣" or CommandLine contains "🧨" or CommandLine contains "🪓" or CommandLine contains "🔪" or CommandLine contains "🗡" or CommandLine contains "⚔️" or CommandLine contains "🛡" or CommandLine contains "🚬" or CommandLine contains "⚰️" or CommandLine contains "🪦" or CommandLine contains "⚱️" or CommandLine contains "🏺" or CommandLine contains "🔮" or 
CommandLine contains "📿" or CommandLine contains "🧿" or CommandLine contains "🪬" or CommandLine contains "💈" or CommandLine contains "⚗️" or CommandLine contains "🔭" or CommandLine contains "🔬" or CommandLine contains "🕳" or CommandLine contains "🩹" or CommandLine contains "🩺" or CommandLine contains "🩻" or CommandLine contains "🩼" or CommandLine contains "💊" or CommandLine contains "💉" or CommandLine contains "🩸" or CommandLine contains "🧬" or CommandLine contains "🦠" or CommandLine contains "🧫" or CommandLine contains "🧪" or CommandLine contains "🌡" or CommandLine contains "🧹" or CommandLine contains "🪠" or CommandLine contains "🧺" or CommandLine contains "🧻" or CommandLine contains "🚽" or CommandLine contains "🚰" or CommandLine contains "🚿" or CommandLine contains "🛁" or CommandLine contains "🛀" or CommandLine contains "🧼" or CommandLine contains "🪥" or CommandLine contains "🪒" or CommandLine contains "🧽" or CommandLine contains "🪣" or CommandLine contains "🧴" or CommandLine contains "🛎" or CommandLine contains "🔑" or CommandLine contains "🗝" or CommandLine contains "🚪" or CommandLine contains "🪑" or CommandLine contains "🛋" or CommandLine contains "🛏" or CommandLine contains "🛌" or CommandLine contains "🧸" or CommandLine contains "🪆" or CommandLine contains "🖼" or CommandLine contains "🪞" or CommandLine contains "🪟" or CommandLine contains "🛍" or CommandLine contains "🛒" or CommandLine contains "🎁" or CommandLine contains "🎈" or CommandLine contains "🎏" or CommandLine contains "🎀" or CommandLine contains "🪄" or CommandLine contains "🪅" or CommandLine contains "🎊" or CommandLine contains "🎉" or CommandLine contains "🪩" or CommandLine contains "🎎" or CommandLine contains "🏮" or CommandLine contains "🎐" or CommandLine contains "🧧" or CommandLine contains "✉️" or CommandLine contains "📩" or CommandLine contains "📨" or CommandLine contains "📧" or CommandLine contains "💌" or CommandLine contains "📥" or CommandLine contains "📤" or CommandLine contains "📦" or 
CommandLine contains "🏷" or CommandLine contains "🪧" or CommandLine contains "📪" or CommandLine contains "📫" or CommandLine contains "📬" or CommandLine contains "📭" or CommandLine contains "📮" or CommandLine contains "📯" or CommandLine contains "📜" or CommandLine contains "📃" or CommandLine contains "📄" or CommandLine contains "📑" or CommandLine contains "🧾" or CommandLine contains "📊" or CommandLine contains "📈" or CommandLine contains "📉" or CommandLine contains "🗒" or CommandLine contains "🗓" or CommandLine contains "📆" or CommandLine contains "📅" or CommandLine contains "🗑" or CommandLine contains "🪪" or CommandLine contains "📇" or CommandLine contains "🗃" or CommandLine contains "🗳" or CommandLine contains "🗄" or CommandLine contains "📋" or CommandLine contains "📁" or CommandLine contains "📂" or CommandLine contains "🗂" or CommandLine contains "🗞" or CommandLine contains "📰" or CommandLine contains "📓" or CommandLine contains "📔" or CommandLine contains "📒" or CommandLine contains "📕" or CommandLine contains "📗" or CommandLine contains "📘" or CommandLine contains "📙" or CommandLine contains "📚" or CommandLine contains "📖" or CommandLine contains "🔖" or CommandLine contains "🧷" or CommandLine contains "🔗" or CommandLine contains "📎" or CommandLine contains "🖇" or CommandLine contains "📐" or CommandLine contains "📏" or CommandLine contains "🧮" or CommandLine contains "📌" or CommandLine contains "📍" or CommandLine contains "✂️" or CommandLine contains "🖊" or CommandLine contains "🖋" or CommandLine contains "✒️" or CommandLine contains "🖌" or CommandLine contains "🖍" or CommandLine contains "📝" or CommandLine contains "✏️" or CommandLine contains "🔍" or CommandLine contains "🔎" or CommandLine contains "🔏" or CommandLine contains "🔐" or CommandLine contains "🔒" or CommandLine contains "🔓" or CommandLine contains "❤️" or CommandLine contains "🧡" or CommandLine contains "💛" or CommandLine contains "💚" or CommandLine contains "💙" or CommandLine contains "💜" or CommandLine contains "🖤" or
CommandLine contains "🤍" or CommandLine contains "🤎" or CommandLine contains "❤️‍🔥" or CommandLine contains "❤️‍🩹" or CommandLine contains "💔" or CommandLine contains "❣️" or CommandLine contains "💕" or CommandLine contains "💞" or CommandLine contains "💓" or CommandLine contains "💗" or CommandLine contains "💖" or CommandLine contains "💘" or CommandLine contains "💝" or CommandLine contains "💟" or CommandLine contains "☮️" or CommandLine contains "✝️" or CommandLine contains "☪️" or CommandLine contains "🕉" or CommandLine contains "☸️" or CommandLine contains "✡️" or CommandLine contains "🔯" or CommandLine contains "🕎" or CommandLine contains "☯️" or CommandLine contains "☦️" or CommandLine contains "🛐" or CommandLine contains "⛎" or CommandLine contains "♈️" or CommandLine contains "♉️" or CommandLine contains "♊️" or CommandLine contains "♋️" or CommandLine contains "♌️" or CommandLine contains "♍️" or CommandLine contains "♎️" or CommandLine contains "♏️" or CommandLine contains "♐️" or CommandLine contains "♑️" or CommandLine contains "♒️" or CommandLine contains "♓️" or CommandLine contains "🆔" or CommandLine contains "⚛️" or CommandLine contains "🉑" or CommandLine contains "☢️" or CommandLine contains "☣️" or CommandLine contains "📴" or CommandLine contains "📳" or CommandLine contains "🈶" or CommandLine contains "🈚️" or CommandLine contains "🈸" or CommandLine contains "🈺" or CommandLine contains "🈷️" or CommandLine contains "✴️" or CommandLine contains "🆚" or CommandLine contains "💮" or CommandLine contains "🉐" or CommandLine contains "㊙️" or CommandLine contains "㊗️" or CommandLine contains "🈴" or CommandLine contains "🈵" or CommandLine contains "🈹" or CommandLine contains "🈲" or CommandLine contains "🅰️" or CommandLine contains "🅱️" or CommandLine contains "🆎" or CommandLine contains "🆑" or CommandLine contains "🅾️" or CommandLine contains "🆘" or CommandLine contains "❌" or CommandLine contains "⭕️" or CommandLine contains "🛑" or CommandLine contains "⛔️" or 
CommandLine contains "📛" or CommandLine contains "🚫" or CommandLine contains "💯" or CommandLine contains "💢" or CommandLine contains "♨️" or CommandLine contains "🚷" or CommandLine contains "🚯" or CommandLine contains "🚳" or CommandLine contains "🚱" or CommandLine contains "🔞" or CommandLine contains "📵" or CommandLine contains "🚭" or CommandLine contains "❗️" or CommandLine contains "❕" or CommandLine contains "❓" or CommandLine contains "❔" or CommandLine contains "‼️" or CommandLine contains "⁉️" or CommandLine contains "🔅" or CommandLine contains "🔆" or CommandLine contains "〽️" or CommandLine contains "⚠️" or CommandLine contains "🚸" or CommandLine contains "🔱" or CommandLine contains "⚜️" or CommandLine contains "🔰" or CommandLine contains "♻️" or CommandLine contains "✅" or CommandLine contains "🈯️" or CommandLine contains "💹" or CommandLine contains "❇️" or CommandLine contains "✳️" or CommandLine contains "❎" or CommandLine contains "🌐" or CommandLine contains "💠" or CommandLine contains "Ⓜ️" or CommandLine contains "🌀" or CommandLine contains "💤" or CommandLine contains "🏧" or CommandLine contains "🚾" or CommandLine contains "♿️" or CommandLine contains "🅿️" or CommandLine contains "🛗" or CommandLine contains "🈳" or CommandLine contains "🈂️" or CommandLine contains "🛂" or CommandLine contains "🛃" or CommandLine contains "🛄" or CommandLine contains "🛅" or CommandLine contains "🚹" or CommandLine contains "🚺" or CommandLine contains "🚼" or CommandLine contains "⚧" or CommandLine contains "🚻" or CommandLine contains "🚮" or CommandLine contains "🎦" or CommandLine contains "📶" or CommandLine contains "🈁" or CommandLine contains "🔣" or CommandLine contains "ℹ️" or CommandLine contains "🔤" or CommandLine contains "🔡" or CommandLine contains "🔠" or CommandLine contains "🆖" or CommandLine contains "🆗" or CommandLine contains "🆙" or CommandLine contains "🆒" or CommandLine contains "🆕" or CommandLine contains "🆓" or CommandLine contains "0️⃣" or CommandLine contains 
"1️⃣" or CommandLine contains "2️⃣" or CommandLine contains "3️⃣" or CommandLine contains "4️⃣" or CommandLine contains "5️⃣" or CommandLine contains "6️⃣" or CommandLine contains "7️⃣" or CommandLine contains "8️⃣" or CommandLine contains "9️⃣" or CommandLine contains "🔟" or CommandLine contains "🔢" or CommandLine contains "#️⃣" or CommandLine contains "️⃣" or CommandLine contains "⏏️" or CommandLine contains "▶️" or CommandLine contains "⏸" or CommandLine contains "⏯" or CommandLine contains "⏹" or CommandLine contains "⏺" or CommandLine contains "⏭" or CommandLine contains "⏮" or CommandLine contains "⏩" or CommandLine contains "⏪" or CommandLine contains "⏫" or CommandLine contains "⏬" or CommandLine contains "◀️" or CommandLine contains "🔼" or CommandLine contains "🔽" or CommandLine contains "➡️" or CommandLine contains "⬅️" or CommandLine contains "⬆️" or CommandLine contains "⬇️" or CommandLine contains "↗️" or CommandLine contains "↘️" or CommandLine contains "↙️" or CommandLine contains "↖️" or CommandLine contains "↕️" or CommandLine contains "↔️" or CommandLine contains "↪️" or CommandLine contains "↩️" or CommandLine contains "⤴️" or CommandLine contains "⤵️" or CommandLine contains "🔀" or CommandLine contains "🔁" or CommandLine contains "🔂" or CommandLine contains "🔄" or CommandLine contains "🔃" or CommandLine contains "🎵" or CommandLine contains "🎶" or CommandLine contains "➕" or CommandLine contains "➖" or CommandLine contains "➗" or CommandLine contains "✖️" or CommandLine contains "🟰" or CommandLine contains "♾" or CommandLine contains "💲" or CommandLine contains "💱" or CommandLine contains "™️" or CommandLine contains "©️" or CommandLine contains "®️" or CommandLine contains "〰️" or CommandLine contains "➰" or CommandLine contains "➿" or CommandLine contains "🔚" or CommandLine contains "🔙" or CommandLine contains "🔛" or CommandLine contains "🔝" or CommandLine contains "🔜" or CommandLine contains "✔️" or CommandLine contains "☑️" or CommandLine 
contains "🔘" or CommandLine contains "🔴" or CommandLine contains "🟠" or CommandLine contains "🟡" or CommandLine contains "🟢" or CommandLine contains "🔵" or CommandLine contains "🟣" or CommandLine contains "⚫️" or CommandLine contains "⚪️" or CommandLine contains "🟤" or CommandLine contains "🔺" or CommandLine contains "🔻"
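Both emoji rules on this page (parts 3 and 4) share one mechanism: a long OR of CommandLine contains "<emoji>" terms. KQL contains is a case-insensitive substring match, and what is listed is the filter predicate alone, so in Sentinel it has to be attached to a process-creation table (for instance DeviceProcessEvents, where the column is ProcessCommandLine; that table and column mapping is an assumption about your environment, not something the page specifies). The Python below is an added example, not code from the page or from the rule's authors. It re-implements the predicate so it can be run offline against constructed events, and it audits a term list for entries that fuse two emojis into a single quoted string (such as "🌫🍏"), which match only when both emojis appear adjacent and are therefore silent false negatives for either one on its own. The term subset, the event dicts and the sample command lines are all constructed for this example.

```python
"""
Emoji-in-command-line predicate, re-implemented for offline testing.

Added example, not code from the page or the rule's authors. Mirrors the
converted KQL (OR of `CommandLine contains "<emoji>"`, case-insensitive
substring) and audits the term list for fused entries.
"""

ZWJ = "\u200d"                                  # zero width joiner
MODIFIERS = {"\ufe0e", "\ufe0f", "\u20e3"}      # VS15, VS16, combining keycap
SKIN_TONES = {chr(cp) for cp in range(0x1F3FB, 0x1F400)}


def _is_base(ch: str) -> bool:
    """A code point that starts a new symbol rather than modifying the previous one."""
    return ch != ZWJ and ch not in MODIFIERS and ch not in SKIN_TONES


def _is_regional_indicator(ch: str) -> bool:
    return 0x1F1E6 <= ord(ch) <= 0x1F1FF


def is_single_symbol(term: str) -> bool:
    """Heuristic: does the term denote exactly one emoji/symbol?

    Accepts one base plus optional VS/skin-tone/keycap modifiers, a ZWJ
    sequence whose parts each carry one base, or a flag (two regional
    indicators). Rejects fused entries and modifier-only leftovers.
    """
    bases = [c for c in term if _is_base(c)]
    if bases and all(_is_regional_indicator(c) for c in bases):
        return len(bases) == 2
    if ZWJ in term:
        return all(sum(_is_base(c) for c in part) == 1 for part in term.split(ZWJ))
    return len(bases) == 1


def split_fused(term: str) -> list[str]:
    """Split a fused entry into one term per base symbol; modifiers stay attached."""
    if ZWJ in term or (term and all(_is_regional_indicator(c) for c in term)):
        return [term]
    clusters: list[str] = []
    for ch in term:
        if _is_base(ch) or not clusters:
            clusters.append(ch)
        else:
            clusters[-1] += ch
    return clusters


def normalize_terms(terms: list[str]) -> list[str]:
    """Term list with fused entries split and duplicates dropped, order kept."""
    flat = [t for term in terms for t in split_fused(term)]
    return list(dict.fromkeys(flat))


def audit_terms(terms: list[str]) -> list[str]:
    """Entries that are not a single symbol; each one is a potential miss."""
    return [t for t in terms if not is_single_symbol(t)]


def matches(command_line: str, terms: list[str]) -> bool:
    """The rule predicate: OR of KQL `contains` (case-insensitive substring)."""
    haystack = command_line.casefold()
    return any(t.casefold() in haystack for t in terms)


def run_rule(events: list[dict], terms: list[str]) -> list[str]:
    """Command lines of the events the rule would alert on."""
    return [e["CommandLine"] for e in events if matches(e["CommandLine"], terms)]


# Constructed subset of the rule's term list (the real rule carries hundreds).
# Escapes are used where the exact code points matter.
TERMS_AS_CONVERTED = [
    "🦆", "🐍",
    "\U0001F3F3\ufe0f\u200d\U0001F308",   # rainbow flag: white flag + VS16 + ZWJ + rainbow
    "\U0001F1E6\U0001F1EB",               # country flag: two regional indicators
    "#\ufe0f\u20e3",                      # keycap: '#' + VS16 + U+20E3
    "\U0001F32B\U0001F34F",               # fog + green apple fused into one term
    "\U0001F513\u2764\ufe0f",             # open lock + red heart fused into one term
]

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"CommandLine": "cmd.exe /c echo hello"},
    {"CommandLine": "powershell.exe -nop -c \"$\U0001F32B = [Convert]::FromBase64String($b)\""},
    {"CommandLine": "powershell.exe -c \"function 🐍 { iex $x }\""},
    {"CommandLine": "python.exe -c \"print('\U0001F34F done')\""},
    {"CommandLine": "curl.exe -H \"X-Tag: \U0001F1E6\U0001F1EB\" http://example.invalid/"},
]

if __name__ == "__main__":
    print("fused/malformed terms:", audit_terms(TERMS_AS_CONVERTED))
    print("hits as converted    :", run_rule(SAMPLE_EVENTS, TERMS_AS_CONVERTED))
    print("hits after normalize :", run_rule(SAMPLE_EVENTS, normalize_terms(TERMS_AS_CONVERTED)))
```

Treat the audit as a lint for converted term lists rather than a grapheme segmenter: it accepts ZWJ sequences, keycaps and two-letter flags as single symbols and calls anything else with two base code points fused, so two flags run together would slip past it. One kind of entry it reports is not a miss: a term consisting only of VS16 plus the combining keycap, as appears in the part 3 keycap list, still matches every keycap emoji by substring, so it is an over-broad term rather than a false negative.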
Microsoft Sentinel · Converted KQL · severity: high
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
Detects the use of emojis in the command line, which can be a sign of defense evasion activity.
Query (filter predicate only; run it as the where clause of your process-creation table):
CommandLine contains "🔸" or CommandLine contains "🔹" or CommandLine contains "🔶" or CommandLine contains "🔷" or CommandLine contains "🔳" or CommandLine contains "🔲" or CommandLine contains "▪️" or CommandLine contains "▫️" or CommandLine contains "◾️" or CommandLine contains "◽️" or CommandLine contains "◼️" or CommandLine contains "◻️" or CommandLine contains "🟥" or CommandLine contains "🟧" or CommandLine contains "🟨" or CommandLine contains "🟩" or CommandLine contains "🟦" or CommandLine contains "🟪" or CommandLine contains "⬛️" or CommandLine contains "⬜️" or CommandLine contains "🟫" or CommandLine contains "🔈" or CommandLine contains "🔇" or CommandLine contains "🔉" or CommandLine contains "🔊" or CommandLine contains "🔔" or CommandLine contains "🔕" or CommandLine contains "📣" or CommandLine contains "📢" or CommandLine contains "👁‍🗨" or CommandLine contains "💬" or CommandLine contains "💭" or CommandLine contains "🗯" or CommandLine contains "♠️" or CommandLine contains "♣️" or CommandLine contains "♥️" or CommandLine contains "♦️" or CommandLine contains "🃏" or CommandLine contains "🎴" or CommandLine contains "🀄️" or CommandLine contains "🕐" or CommandLine contains "🕑" or CommandLine contains "🕒" or CommandLine contains "🕓" or CommandLine contains "🕔" or CommandLine contains "🕕" or CommandLine contains "🕖" or CommandLine contains "🕗" or CommandLine contains "🕘" or CommandLine contains "🕙" or CommandLine contains "🕚" or CommandLine contains "🕛" or CommandLine contains "🕜" or CommandLine contains "🕝" or CommandLine contains "🕞" or CommandLine contains "🕟" or CommandLine contains "🕠" or CommandLine contains "🕡" or CommandLine contains "🕢" or CommandLine contains "🕣" or CommandLine contains "🕤" or CommandLine contains "🕥" or CommandLine contains "🕦" or CommandLine contains "🕧" or CommandLine contains "✢" or CommandLine contains "✣" or CommandLine contains "✤" or CommandLine contains "✥" or CommandLine contains "✦" or CommandLine contains "✧" or CommandLine contains "★" or CommandLine contains
"☆" or CommandLine contains "✯" or CommandLine contains "✡︎" or CommandLine contains "✩" or CommandLine contains "✪" or CommandLine contains "✫" or CommandLine contains "✬" or CommandLine contains "✭" or CommandLine contains "✮" or CommandLine contains "✶" or CommandLine contains "✷" or CommandLine contains "✵" or CommandLine contains "✸" or CommandLine contains "✹" or CommandLine contains "→" or CommandLine contains "⇒" or CommandLine contains "⟹" or CommandLine contains "⇨" or CommandLine contains "⇾" or CommandLine contains "➾" or CommandLine contains "⇢" or CommandLine contains "☛" or CommandLine contains "☞" or CommandLine contains "➔" or CommandLine contains "➜" or CommandLine contains "➙" or CommandLine contains "➛" or CommandLine contains "➝" or CommandLine contains "➞" or CommandLine contains "♠︎" or CommandLine contains "♣︎" or CommandLine contains "♥︎" or CommandLine contains "♦︎" or CommandLine contains "♤" or CommandLine contains "♧" or CommandLine contains "♡" or CommandLine contains "♢" or CommandLine contains "♚" or CommandLine contains "♛" or CommandLine contains "♜" or CommandLine contains "♝" or CommandLine contains "♞" or CommandLine contains "♟" or CommandLine contains "♔" or CommandLine contains "♕" or CommandLine contains "♖" or CommandLine contains "♗" or CommandLine contains "♘" or CommandLine contains "♙" or CommandLine contains "⚀" or CommandLine contains "⚁" or CommandLine contains "⚂" or CommandLine contains "⚃" or CommandLine contains "⚄" or CommandLine contains "⚅" or CommandLine contains "🂠" or CommandLine contains "⚈" or CommandLine contains "⚉" or CommandLine contains "⚆" or CommandLine contains "⚇" or CommandLine contains "𓀀" or CommandLine contains "𓀁" or CommandLine contains "𓀂" or CommandLine contains "𓀃" or CommandLine contains "𓀄" or CommandLine contains "𓀅" or CommandLine contains "𓀆" or CommandLine contains "𓀇" or CommandLine contains "𓀈" or CommandLine contains "𓀉" or CommandLine contains "𓀊" or CommandLine contains "𓀋" or 
CommandLine contains "𓀌" or CommandLine contains "𓀍" or CommandLine contains "𓀎" or CommandLine contains "𓀏" or CommandLine contains "𓀐" or CommandLine contains "𓀑" or CommandLine contains "𓀒" or CommandLine contains "𓀓" or CommandLine contains "𓀔" or CommandLine contains "𓀕" or CommandLine contains "𓀖" or CommandLine contains "𓀗" or CommandLine contains "𓀘" or CommandLine contains "𓀙" or CommandLine contains "𓀚" or CommandLine contains "𓀛" or CommandLine contains "𓀜" or CommandLine contains "𓀝" or CommandLine contains "🏳️" or CommandLine contains "🏴" or CommandLine contains "🏁" or CommandLine contains "🚩" or CommandLine contains "🏳️‍🌈" or CommandLine contains "🏳️‍⚧️" or CommandLine contains "🏴‍☠️" or CommandLine contains "🇦🇫" or CommandLine contains "🇦🇽" or CommandLine contains "🇦🇱" or CommandLine contains "🇩🇿" or CommandLine contains "🇦🇸" or CommandLine contains "🇦🇩" or CommandLine contains "🇦🇴" or CommandLine contains "🇦🇮" or CommandLine contains "🇦🇶" or CommandLine contains "🇦🇬" or CommandLine contains "🇦🇷" or CommandLine contains "🇦🇲" or CommandLine contains "🇦🇼" or CommandLine contains "🇦🇺" or CommandLine contains "🇦🇹" or CommandLine contains "🇦🇿" or CommandLine contains "🇧🇸" or CommandLine contains "🇧🇭" or CommandLine contains "🇧🇩" or CommandLine contains "🇧🇧" or CommandLine contains "🇧🇾" or CommandLine contains "🇧🇪" or CommandLine contains "🇧🇿" or CommandLine contains "🇧🇯" or CommandLine contains "🇧🇲" or CommandLine contains "🇧🇹" or CommandLine contains "🇧🇴" or CommandLine contains "🇧🇦" or CommandLine contains "🇧🇼" or CommandLine contains "🇧🇷" or CommandLine contains "🇮🇴" or CommandLine contains "🇻🇬" or CommandLine contains "🇧🇳" or CommandLine contains "🇧🇬" or CommandLine contains "🇧🇫" or CommandLine contains "🇧🇮" or CommandLine contains "🇰🇭" or CommandLine contains "🇨🇲" or CommandLine contains "🇨🇦" or CommandLine contains "🇮🇨" or CommandLine contains "🇨🇻" or CommandLine contains "🇧🇶" or CommandLine contains "🇰🇾" or CommandLine contains "🇨🇫" or CommandLine contains "🇹🇩" or 
CommandLine contains "🇨🇱" or CommandLine contains "🇨🇳" or CommandLine contains "🇨🇽" or CommandLine contains "🇨🇨" or CommandLine contains "🇨🇴" or CommandLine contains "🇰🇲" or CommandLine contains "🇨🇬" or CommandLine contains "🇨🇩" or CommandLine contains "🇨🇰" or CommandLine contains "🇨🇷" or CommandLine contains "🇨🇮" or CommandLine contains "🇭🇷" or CommandLine contains "🇨🇺" or CommandLine contains "🇨🇼" or CommandLine contains "🇨🇾" or CommandLine contains "🇨🇿" or CommandLine contains "🇩🇰" or CommandLine contains "🇩🇯" or CommandLine contains "🇩🇲" or CommandLine contains "🇩🇴" or CommandLine contains "🇪🇨" or CommandLine contains "🇪🇬" or CommandLine contains "🇸🇻" or CommandLine contains "🇬🇶" or CommandLine contains "🇪🇷" or CommandLine contains "🇪🇪" or CommandLine contains "🇪🇹" or CommandLine contains "🇪🇺" or CommandLine contains "🇫🇰" or CommandLine contains "🇫🇴" or CommandLine contains "🇫🇯" or CommandLine contains "🇫🇮" or CommandLine contains "🇫🇷" or CommandLine contains "🇬🇫" or CommandLine contains "🇵🇫" or CommandLine contains "🇹🇫" or CommandLine contains "🇬🇦" or CommandLine contains "🇬🇲" or CommandLine contains "🇬🇪" or CommandLine contains "🇩🇪" or CommandLine contains "🇬🇭" or CommandLine contains "🇬🇮" or CommandLine contains "🇬🇷" or CommandLine contains "🇬🇱" or CommandLine contains "🇬🇩" or CommandLine contains "🇬🇵" or CommandLine contains "🇬🇺" or CommandLine contains "🇬🇹" or CommandLine contains "🇬🇬" or CommandLine contains "🇬🇳" or CommandLine contains "🇬🇼" or CommandLine contains "🇬🇾" or CommandLine contains "🇭🇹" or CommandLine contains "🇭🇳" or CommandLine contains "🇭🇰" or CommandLine contains "🇭🇺" or CommandLine contains "🇮🇸" or CommandLine contains "🇮🇳" or CommandLine contains "🇮🇩" or CommandLine contains "🇮🇷" or CommandLine contains "🇮🇶" or CommandLine contains "🇮🇪" or CommandLine contains "🇮🇲" or CommandLine contains "🇮🇱" or CommandLine contains "🇮🇹" or CommandLine contains "🇯🇲" or CommandLine contains "🇯🇵" or CommandLine contains "🎌" or CommandLine contains "🇯🇪" or 
CommandLine contains "🇯🇴" or CommandLine contains "🇰🇿" or CommandLine contains "🇰🇪" or CommandLine contains "🇰🇮" or CommandLine contains "🇽🇰" or CommandLine contains "🇰🇼" or CommandLine contains "🇰🇬" or CommandLine contains "🇱🇦" or CommandLine contains "🇱🇻" or CommandLine contains "🇱🇧" or CommandLine contains "🇱🇸" or CommandLine contains "🇱🇷" or CommandLine contains "🇱🇾" or CommandLine contains "🇱🇮" or CommandLine contains "🇱🇹" or CommandLine contains "🇱🇺" or CommandLine contains "🇲🇴" or CommandLine contains "🇲🇰" or CommandLine contains "🇲🇬" or CommandLine contains "🇲🇼" or CommandLine contains "🇲🇾" or CommandLine contains "🇲🇻" or CommandLine contains "🇲🇱" or CommandLine contains "🇲🇹" or CommandLine contains "🇲🇭" or CommandLine contains "🇲🇶" or CommandLine contains "🇲🇷" or CommandLine contains "🇲🇺" or CommandLine contains "🇾🇹" or CommandLine contains "🇲🇽" or CommandLine contains "🇫🇲" or CommandLine contains "🇲🇩" or CommandLine contains "🇲🇨" or CommandLine contains "🇲🇳" or CommandLine contains "🇲🇪" or CommandLine contains "🇲🇸" or CommandLine contains "🇲🇦" or CommandLine contains "🇲🇿" or CommandLine contains "🇲🇲" or CommandLine contains "🇳🇦" or CommandLine contains "🇳🇷" or CommandLine contains "🇳🇵" or CommandLine contains "🇳🇱" or CommandLine contains "🇳🇨" or CommandLine contains "🇳🇿" or CommandLine contains "🇳🇮" or CommandLine contains "🇳🇪" or CommandLine contains "🇳🇬" or CommandLine contains "🇳🇺" or CommandLine contains "🇳🇫" or CommandLine contains "🇰🇵" or CommandLine contains "🇲🇵" or CommandLine contains "🇳🇴" or CommandLine contains "🇴🇲" or CommandLine contains "🇵🇰" or CommandLine contains "🇵🇼" or CommandLine contains "🇵🇸" or CommandLine contains "🇵🇦" or CommandLine contains "🇵🇬" or CommandLine contains "🇵🇾" or CommandLine contains "🇵🇪" or CommandLine contains "🇵🇭" or CommandLine contains "🇵🇳" or CommandLine contains "🇵🇱" or CommandLine contains "🇵🇹" or CommandLine contains "🇵🇷" or CommandLine contains "🇶🇦" or CommandLine contains "🇷🇪" or CommandLine contains "🇷🇴" 
or CommandLine contains "🇷🇺" or CommandLine contains "🇷🇼" or CommandLine contains "🇼🇸" or CommandLine contains "🇸🇲" or CommandLine contains "🇸🇦" or CommandLine contains "🇸🇳" or CommandLine contains "🇷🇸" or CommandLine contains "🇸🇨" or CommandLine contains "🇸🇱" or CommandLine contains "🇸🇬" or CommandLine contains "🇸🇽" or CommandLine contains "🇸🇰" or CommandLine contains "🇸🇮" or CommandLine contains "🇬🇸" or CommandLine contains "🇸🇧" or CommandLine contains "🇸🇴" or CommandLine contains "🇿🇦" or CommandLine contains "🇰🇷" or CommandLine contains "🇸🇸" or CommandLine contains "🇪🇸" or CommandLine contains "🇱🇰" or CommandLine contains "🇧🇱" or CommandLine contains "🇸🇭" or CommandLine contains "🇰🇳" or CommandLine contains "🇱🇨" or CommandLine contains "🇵🇲" or CommandLine contains "🇻🇨" or CommandLine contains "🇸🇩" or CommandLine contains "🇸🇷" or CommandLine contains "🇸🇿" or CommandLine contains "🇸🇪" or CommandLine contains "🇨🇭" or CommandLine contains "🇸🇾" or CommandLine contains "🇹🇼" or CommandLine contains "🇹🇯" or CommandLine contains "🇹🇿" or CommandLine contains "🇹🇭" or CommandLine contains "🇹🇱" or CommandLine contains "🇹🇬" or CommandLine contains "🇹🇰" or CommandLine contains "🇹🇴" or CommandLine contains "🇹🇹" or CommandLine contains "🇹🇳" or CommandLine contains "🇹🇷" or CommandLine contains "🇹🇲" or CommandLine contains "🇹🇨" or CommandLine contains "🇹🇻" or CommandLine contains "🇻🇮" or CommandLine contains "🇺🇬" or CommandLine contains "🇺🇦" or CommandLine contains "🇦🇪" or CommandLine contains "🇬🇧" or CommandLine contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or CommandLine contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or CommandLine contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or CommandLine contains "🇺🇳" or CommandLine contains "🇺🇸" or CommandLine contains "🇺🇾" or CommandLine contains "🇺🇿" or CommandLine contains "🇻🇺" or CommandLine contains "🇻🇦" or CommandLine contains "🇻🇪" or CommandLine contains "🇻🇳" or CommandLine contains "🇼🇫" or CommandLine contains "🇪🇭" or CommandLine contains "🇾🇪" or CommandLine contains "🇿🇲" or CommandLine contains "🇿🇼" or CommandLine contains "🫠" or 
CommandLine contains "🫢" or CommandLine contains "🫣" or CommandLine contains "🫡" or CommandLine contains "🫥" or CommandLine contains "🫤" or CommandLine contains "🥹" or CommandLine contains "🫱" or CommandLine contains "🫱🏻" or CommandLine contains "🫱🏼" or CommandLine contains "🫱🏽" or CommandLine contains "🫱🏾" or CommandLine contains "🫱🏿" or CommandLine contains "🫲" or CommandLine contains "🫲🏻" or CommandLine contains "🫲🏼" or CommandLine contains "🫲🏽" or CommandLine contains "🫲🏾" or CommandLine contains "🫲🏿" or CommandLine contains "🫳" or CommandLine contains "🫳🏻" or CommandLine contains "🫳🏼" or CommandLine contains "🫳🏽" or CommandLine contains "🫳🏾" or CommandLine contains "🫳🏿" or CommandLine contains "🫴" or CommandLine contains "🫴🏻" or CommandLine contains "🫴🏼" or CommandLine contains "🫴🏽" or CommandLine contains "🫴🏾" or CommandLine contains "🫴🏿" or CommandLine contains "🫰" or CommandLine contains "🫰🏻" or CommandLine contains "🫰🏼" or CommandLine contains "🫰🏽" or CommandLine contains "🫰🏾" or CommandLine contains "🫰🏿" or CommandLine contains "🫵" or CommandLine contains "🫵🏻" or CommandLine contains "🫵🏼" or CommandLine contains "🫵🏽" or CommandLine contains "🫵🏾" or CommandLine contains "🫵🏿" or CommandLine contains "🫶" or CommandLine contains "🫶🏻" or CommandLine contains "🫶🏼" or CommandLine contains "🫶🏽" or CommandLine contains "🫶🏾" or CommandLine contains "🫶🏿" or CommandLine contains "🤝🏻" or CommandLine contains "🤝🏼" or CommandLine contains "🤝🏽" or CommandLine contains "🤝🏾" or CommandLine contains "🤝🏿" or CommandLine contains "🫱🏻‍🫲🏼" or CommandLine contains "🫱🏻‍🫲🏽" or CommandLine contains "🫱🏻‍🫲🏾" or CommandLine contains "🫱🏻‍🫲🏿" or CommandLine contains "🫱🏼‍🫲🏻" or CommandLine contains "🫱🏼‍🫲🏽" or CommandLine contains "🫱🏼‍🫲🏾" or CommandLine contains "🫱🏼‍🫲🏿" or CommandLine contains "🫱🏽‍🫲🏻" or CommandLine contains "🫱🏽‍🫲🏼" or CommandLine contains "🫱🏽‍🫲🏾" or CommandLine contains "🫱🏽‍🫲🏿" or CommandLine contains "🫱🏾‍🫲🏻" or CommandLine contains "🫱🏾‍🫲🏼" or CommandLine contains 
"🫱🏾‍🫲🏽" or CommandLine contains "🫱🏾‍🫲🏿" or CommandLine contains "🫱🏿‍🫲🏻" or CommandLine contains "🫱🏿‍🫲🏼" or CommandLine contains "🫱🏿‍🫲🏽" or CommandLine contains "🫱🏿‍🫲🏾" or CommandLine contains "🫦" or CommandLine contains "🫅" or CommandLine contains "🫅🏻" or CommandLine contains "🫅🏼" or CommandLine contains "🫅🏽" or CommandLine contains "🫅🏾" or CommandLine contains "🫅🏿" or CommandLine contains "🫃" or CommandLine contains "🫃🏻" or CommandLine contains "🫃🏼" or CommandLine contains "🫃🏽" or CommandLine contains "🫃🏾" or CommandLine contains "🫃🏿" or CommandLine contains "🫄" or CommandLine contains "🫄🏻" or CommandLine contains "🫄🏼" or CommandLine contains "🫄🏽" or CommandLine contains "🫄🏾" or CommandLine contains "🫄🏿" or CommandLine contains "🧌" or CommandLine contains "🪸" or CommandLine contains "🪷" or CommandLine contains "🪹" or CommandLine contains "🪺" or CommandLine contains "🫘" or CommandLine contains "🫗" or CommandLine contains "🫙" or CommandLine contains "🛝" or CommandLine contains "🛞" or CommandLine contains "🛟" or CommandLine contains "🪬" or CommandLine contains "🪩" or CommandLine contains "🪫" or CommandLine contains "🩼" or CommandLine contains "🩻" or CommandLine contains "🫧" or CommandLine contains "🪪" or CommandLine contains "🟰" or CommandLine contains "😮‍💨" or CommandLine contains "😵‍💫" or CommandLine contains "😶‍🌫️" or CommandLine contains "❤️‍🔥" or CommandLine contains "❤️‍🩹" or CommandLine contains "🧔‍♀️" or CommandLine contains "🧔🏻‍♀️" or CommandLine contains "🧔🏼‍♀️" or CommandLine contains "🧔🏽‍♀️" or CommandLine contains "🧔🏾‍♀️" or CommandLine contains "🧔🏿‍♀️" or CommandLine contains "🧔‍♂️" or CommandLine contains "🧔🏻‍♂️" or CommandLine contains "🧔🏼‍♂️" or CommandLine contains "🧔🏽‍♂️" or CommandLine contains "🧔🏾‍♂️" or CommandLine contains "🧔🏿‍♂️" or CommandLine contains "💑🏻" or CommandLine contains "💑🏼" or CommandLine contains "💑🏽" or CommandLine contains "💑🏾" or CommandLine contains "💑🏿" or CommandLine contains "💏🏻" or CommandLine contains "💏🏼" or CommandLine 
contains "💏🏽" or CommandLine contains "💏🏾" or CommandLine contains "💏🏿" or CommandLine contains "👨🏻‍❤️‍👨🏻" or CommandLine contains "👨🏻‍❤️‍👨🏼" or CommandLine contains "👨🏻‍❤️‍👨🏽" or CommandLine contains "👨🏻‍❤️‍👨🏾" or CommandLine contains "👨🏻‍❤️‍👨🏿" or CommandLine contains "👨🏼‍❤️‍👨🏻" or CommandLine contains "👨🏼‍❤️‍👨🏼" or CommandLine contains "👨🏼‍❤️‍👨🏽" or CommandLine contains "👨🏼‍❤️‍👨🏾" or CommandLine contains "👨🏼‍❤️‍👨🏿" or CommandLine contains "👨🏽‍❤️‍👨🏻" or CommandLine contains "👨🏽‍❤️‍👨🏼" or CommandLine contains "👨🏽‍❤️‍👨🏽" or CommandLine contains "👨🏽‍❤️‍👨🏾" or CommandLine contains "👨🏽‍❤️‍👨🏿" or CommandLine contains "👨🏾‍❤️‍👨🏻" or CommandLine contains "👨🏾‍❤️‍👨🏼" or CommandLine contains "👨🏾‍❤️‍👨🏽" or CommandLine contains "👨🏾‍❤️‍👨🏾" or CommandLine contains "👨🏾‍❤️‍👨🏿" or CommandLine contains "👨🏿‍❤️‍👨🏻" or CommandLine contains "👨🏿‍❤️‍👨🏼" or CommandLine contains "👨🏿‍❤️‍👨🏽" or CommandLine contains "👨🏿‍❤️‍👨🏾" or CommandLine contains "👨🏿‍❤️‍👨🏿" or CommandLine contains "👩🏻‍❤️‍👨🏻" or CommandLine contains "👩🏻‍❤️‍👨🏼" or CommandLine contains "👩🏻‍❤️‍👨🏽" or CommandLine contains "👩🏻‍❤️‍👨🏾" or CommandLine contains "👩🏻‍❤️‍👨🏿" or CommandLine contains "👩🏻‍❤️‍👩🏻" or CommandLine contains "👩🏻‍❤️‍👩🏼" or CommandLine contains "👩🏻‍❤️‍👩🏽" or CommandLine contains "👩🏻‍❤️‍👩🏾" or CommandLine contains "👩🏻‍❤️‍👩🏿" or CommandLine contains "👩🏼‍❤️‍👨🏻" or CommandLine contains "👩🏼‍❤️‍👨🏼" or CommandLine contains "👩🏼‍❤️‍👨🏽" or CommandLine contains "👩🏼‍❤️‍👨🏾" or CommandLine contains "👩🏼‍❤️‍👨🏿" or CommandLine contains "👩🏼‍❤️‍👩🏻" or CommandLine contains "👩🏼‍❤️‍👩🏼" or CommandLine contains "👩🏼‍❤️‍👩🏽" or CommandLine contains "👩🏼‍❤️‍👩🏾" or CommandLine contains "👩🏼‍❤️‍👩🏿" or CommandLine contains "👩🏽‍❤️‍👨🏻" or CommandLine contains "👩🏽‍❤️‍👨🏼" or CommandLine contains "👩🏽‍❤️‍👨🏽" or CommandLine contains "👩🏽‍❤️‍👨🏾" or CommandLine contains "👩🏽‍❤️‍👨🏿" or CommandLine contains "👩🏽‍❤️‍👩🏻" or CommandLine contains "👩🏽‍❤️‍👩🏼" or CommandLine contains "👩🏽‍❤️‍👩🏽" or CommandLine contains "👩🏽‍❤️‍👩🏾" or CommandLine contains "👩🏽‍❤️‍👩🏿" or 
CommandLine contains "👩🏾‍❤️‍👨🏻" or CommandLine contains "👩🏾‍❤️‍👨🏼" or CommandLine contains "👩🏾‍❤️‍👨🏽" or CommandLine contains "👩🏾‍❤️‍👨🏾" or CommandLine contains "👩🏾‍❤️‍👨🏿" or CommandLine contains "👩🏾‍❤️‍👩🏻" or CommandLine contains "👩🏾‍❤️‍👩🏼" or CommandLine contains "👩🏾‍❤️‍👩🏽" or CommandLine contains "👩🏾‍❤️‍👩🏾" or CommandLine contains "👩🏾‍❤️‍👩🏿" or CommandLine contains "👩🏿‍❤️‍👨🏻" or CommandLine contains "👩🏿‍❤️‍👨🏼" or CommandLine contains "👩🏿‍❤️‍👨🏽" or CommandLine contains "👩🏿‍❤️‍👨🏾" or CommandLine contains "👩🏿‍❤️‍👨🏿" or CommandLine contains "👩🏿‍❤️‍👩🏻" or CommandLine contains "👩🏿‍❤️‍👩🏼" or CommandLine contains "👩🏿‍❤️‍👩🏽" or CommandLine contains "👩🏿‍❤️‍👩🏾" or CommandLine contains "👩🏿‍❤️‍👩🏿" or CommandLine contains "🧑🏻‍❤️‍🧑🏼" or CommandLine contains "🧑🏻‍❤️‍🧑🏽" or CommandLine contains "🧑🏻‍❤️‍🧑🏾" or CommandLine contains "🧑🏻‍❤️‍🧑🏿" or CommandLine contains "🧑🏼‍❤️‍🧑🏻" or CommandLine contains "🧑🏼‍❤️‍🧑🏽" or CommandLine contains "🧑🏼‍❤️‍🧑🏾" or CommandLine contains "🧑🏼‍❤️‍🧑🏿" or CommandLine contains "🧑🏽‍❤️‍🧑🏻" or CommandLine contains "🧑🏽‍❤️‍🧑🏼" or CommandLine contains "🧑🏽‍❤️‍🧑🏾" or CommandLine contains "🧑🏽‍❤️‍🧑🏿" or CommandLine contains "🧑🏾‍❤️‍🧑🏻" or CommandLine contains "🧑🏾‍❤️‍🧑🏼" or CommandLine contains "🧑🏾‍❤️‍🧑🏽" or CommandLine contains "🧑🏾‍❤️‍🧑🏿" or CommandLine contains "🧑🏿‍❤️‍🧑🏻" or CommandLine contains "🧑🏿‍❤️‍🧑🏼" or CommandLine contains "🧑🏿‍❤️‍🧑🏽" or CommandLine contains "🧑🏿‍❤️‍🧑🏾" or CommandLine contains "👨🏻‍❤️‍💋‍👨🏻" or CommandLine contains "👨🏻‍❤️‍💋‍👨🏼" or CommandLine contains "👨🏻‍❤️‍💋‍👨🏽" or CommandLine contains "👨🏻‍❤️‍💋‍👨🏾" or CommandLine contains "👨🏻‍❤️‍💋‍👨🏿" or CommandLine contains "👨🏼‍❤️‍💋‍👨🏻" or CommandLine contains "👨🏼‍❤️‍💋‍👨🏼" or CommandLine contains "👨🏼‍❤️‍💋‍👨🏽" or CommandLine contains "👨🏼‍❤️‍💋‍👨🏾" or CommandLine contains "👨🏼‍❤️‍💋‍👨🏿" or CommandLine contains "👨🏽‍❤️‍💋‍👨🏻" or CommandLine contains "👨🏽‍❤️‍💋‍👨🏼" or CommandLine contains "👨🏽‍❤️‍💋‍👨🏽" or CommandLine contains "👨🏽‍❤️‍💋‍👨🏾" or CommandLine contains "👨🏽‍❤️‍💋‍👨🏿" or CommandLine contains "👨🏾‍❤️‍💋‍👨🏻" or 
CommandLine contains "👨🏾‍❤️‍💋‍👨🏼" or CommandLine contains "👨🏾‍❤️‍💋‍👨🏽" or CommandLine contains "👨🏾‍❤️‍💋‍👨🏾" or CommandLine contains "👨🏾‍❤️‍💋‍👨🏿" or CommandLine contains "👨🏿‍❤️‍💋‍👨🏻" or CommandLine contains "👨🏿‍❤️‍💋‍👨🏼" or CommandLine contains "👨🏿‍❤️‍💋‍👨🏽" or CommandLine contains "👨🏿‍❤️‍💋‍👨🏾" or CommandLine contains "👨🏿‍❤️‍💋‍👨🏿" or CommandLine contains "👩🏻‍❤️‍💋‍👨🏻" or CommandLine contains "👩🏻‍❤️‍💋‍👨🏼" or CommandLine contains "👩🏻‍❤️‍💋‍👨🏽" or CommandLine contains "👩🏻‍❤️‍💋‍👨🏾" or CommandLine contains "👩🏻‍❤️‍💋‍👨🏿" or CommandLine contains "👩🏻‍❤️‍💋‍👩🏻" or CommandLine contains "👩🏻‍❤️‍💋‍👩🏼" or CommandLine contains "👩🏻‍❤️‍💋‍👩🏽" or CommandLine contains "👩🏻‍❤️‍💋‍👩🏾" or CommandLine contains "👩🏻‍❤️‍💋‍👩🏿" or CommandLine contains "👩🏼‍❤️‍💋‍👨🏻" or CommandLine contains "👩🏼‍❤️‍💋‍👨🏼" or CommandLine contains "👩🏼‍❤️‍💋‍👨🏽" or CommandLine contains "👩🏼‍❤️‍💋‍👨🏾" or CommandLine contains "👩🏼‍❤️‍💋‍👨🏿" or CommandLine contains "👩🏼‍❤️‍💋‍👩🏻" or CommandLine contains "👩🏼‍❤️‍💋‍👩🏼" or CommandLine contains "👩🏼‍❤️‍💋‍👩🏽" or CommandLine contains "👩🏼‍❤️‍💋‍👩🏾" or CommandLine contains "👩🏼‍❤️‍💋‍👩🏿" or CommandLine contains "👩🏽‍❤️‍💋‍👨🏻" or CommandLine contains "👩🏽‍❤️‍💋‍👨🏼" or CommandLine contains "👩🏽‍❤️‍💋‍👨🏽" or CommandLine contains "👩🏽‍❤️‍💋‍👨🏾" or CommandLine contains "👩🏽‍❤️‍💋‍👨🏿" or CommandLine contains "👩🏽‍❤️‍💋‍👩🏻" or CommandLine contains "👩🏽‍❤️‍💋‍👩🏼" or CommandLine contains "👩🏽‍❤️‍💋‍👩🏽" or CommandLine contains "👩🏽‍❤️‍💋‍👩🏾" or CommandLine contains "👩🏽‍❤️‍💋‍👩🏿" or CommandLine contains "👩🏾‍❤️‍💋‍👨🏻" or CommandLine contains "👩🏾‍❤️‍💋‍👨🏼" or CommandLine contains "👩🏾‍❤️‍💋‍👨🏽" or CommandLine contains "👩🏾‍❤️‍💋‍👨🏾" or CommandLine contains "👩🏾‍❤️‍💋‍👨🏿" or CommandLine contains "👩🏾‍❤️‍💋‍👩🏻" or CommandLine contains "👩🏾‍❤️‍💋‍👩🏼" or CommandLine contains "👩🏾‍❤️‍💋‍👩🏽" or CommandLine contains "👩🏾‍❤️‍💋‍👩🏾" or CommandLine contains "👩🏾‍❤️‍💋‍👩🏿" or CommandLine contains "👩🏿‍❤️‍💋‍👨🏻" or CommandLine contains "👩🏿‍❤️‍💋‍👨🏼" or CommandLine contains "👩🏿‍❤️‍💋‍👨🏽" or CommandLine contains "👩🏿‍❤️‍💋‍👨🏾" or CommandLine contains "👩🏿‍❤️‍💋‍👨🏿" or 
CommandLine contains "👩🏿‍❤️‍💋‍👩🏻" or CommandLine contains "👩🏿‍❤️‍💋‍👩🏼" or CommandLine contains "👩🏿‍❤️‍💋‍👩🏽" or CommandLine contains "👩🏿‍❤️‍💋‍👩🏾" or CommandLine contains "👩🏿‍❤️‍💋‍👩🏿" or CommandLine contains "🧑🏻‍❤️‍💋‍🧑🏼" or CommandLine contains "🧑🏻‍❤️‍💋‍🧑🏽" or CommandLine contains "🧑🏻‍❤️‍💋‍🧑🏾" or CommandLine contains "🧑🏻‍❤️‍💋‍🧑🏿" or CommandLine contains "🧑🏼‍❤️‍💋‍🧑🏻" or CommandLine contains "🧑🏼‍❤️‍💋‍🧑🏽" or CommandLine contains "🧑🏼‍❤️‍💋‍🧑🏾" or CommandLine contains "🧑🏼‍❤️‍💋‍🧑🏿" or CommandLine contains "🧑🏽‍❤️‍💋‍🧑🏻" or CommandLine contains "🧑🏽‍❤️‍💋‍🧑🏼" or CommandLine contains "🧑🏽‍❤️‍💋‍🧑🏾" or CommandLine contains "🧑🏽‍❤️‍💋‍🧑🏿" or CommandLine contains "🧑🏾‍❤️‍💋‍🧑🏻" or CommandLine contains "🧑🏾‍❤️‍💋‍🧑🏼" or CommandLine contains "🧑🏾‍❤️‍💋‍🧑🏽" or CommandLine contains "🧑🏾‍❤️‍💋‍🧑🏿" or CommandLine contains "🧑🏿‍❤️‍💋‍🧑🏻" or CommandLine contains "🧑🏿‍❤️‍💋‍🧑🏼" or CommandLine contains "🧑🏿‍❤️‍💋‍🧑🏽" or CommandLine contains "🧑🏿‍❤️‍💋‍🧑🏾"
Microsoft Sentinel Converted KQL high T1036.003 ↗
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.
Show query
(Description =~ "Execute processes remotely" or Product =~ "Sysinternals PsExec" or (Description startswith "Windows PowerShell" or Description startswith "pwsh") or (OriginalFileName in~ ("certutil.exe", "cmstp.exe", "cscript.exe", "IE4UINIT.EXE", "finger.exe", "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell_ise.exe", "powershell.exe", "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe", "WerMgr", "wmic.exe", "wscript.exe"))) and (not((Image endswith "\\certutil.exe" or Image endswith "\\cmstp.exe" or Image endswith "\\cscript.exe" or Image endswith "\\ie4uinit.exe" or Image endswith "\\finger.exe" or Image endswith "\\mshta.exe" or Image endswith "\\msiexec.exe" or Image endswith "\\msxsl.exe" or Image endswith "\\powershell_ise.exe" or Image endswith "\\powershell.exe" or Image endswith "\\psexec.exe" or Image endswith "\\psexec64.exe" or Image endswith "\\PSEXESVC.exe" or Image endswith "\\pwsh.exe" or Image endswith "\\reg.exe" or Image endswith "\\regsvr32.exe" or Image endswith "\\rundll32.exe" or Image endswith "\\wermgr.exe" or Image endswith "\\wmic.exe" or Image endswith "\\wscript.exe")))
Microsoft Sentinel Converted KQL high T1036.002 ↗
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "U+202E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading technique by adversaries to trick users into opening malicious files.
Show query
CommandLine contains "\\u202e" or CommandLine contains "[U+202E]" or CommandLine contains "‮"
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
Show query
ImageLoaded endswith "\\EACore.dll" and (not(((Image contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and Image contains "\\EACoreServer.exe") and ImageLoaded startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\")))
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"
Show query
ImageLoaded endswith "\\edputil.dll" and (not((ImageLoaded startswith "C:\\Windows\\System32\\" or ImageLoaded startswith "C:\\Windows\\SysWOW64\\" or ImageLoaded startswith "C:\\Windows\\WinSxS\\")))
Microsoft Sentinel Converted KQL high T1685.001 ↗
Potential EventLog File Location Tampering
Detects tampering with the EventLog service "File" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting.
Show query
(TargetObject contains "\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\" and TargetObject endswith "\\File") and (not(Details contains "\\System32\\Winevt\\Logs\\"))
Microsoft Sentinel Converted KQL high T1021.003 ↗
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
Show query
ParentImage endswith "\\excel.exe" and ((OriginalFileName in~ ("foxprow.exe", "schdplus.exe", "winproj.exe")) or (Image endswith "\\foxprow.exe" or Image endswith "\\schdplus.exe" or Image endswith "\\winproj.exe"))
Microsoft Sentinel Converted KQL high T1036.002 ↗
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
Show query
(TargetFilename contains "\\u202e" or TargetFilename contains "[U+202E]" or TargetFilename contains "‮") and (TargetFilename contains "3pm." or TargetFilename contains "4pm." or TargetFilename contains "cod." or TargetFilename contains "fdp." or TargetFilename contains "ftr." or TargetFilename contains "gepj." or TargetFilename contains "gnp." or TargetFilename contains "gpj." or TargetFilename contains "ism." or TargetFilename contains "lmth." or TargetFilename contains "nls." or TargetFilename contains "piz." or TargetFilename contains "slx." or TargetFilename contains "tdo." or TargetFilename contains "vsc." or TargetFilename contains "vwm." or TargetFilename contains "xcod." or TargetFilename contains "xslx." or TargetFilename contains "xtpp.")
Microsoft Sentinel Converted KQL high T1485 ↗
Potential File Overwrite Via Sysinternals SDelete
Detects the use of SDelete to erase a file rather than the free space.
Show query
OriginalFileName =~ "sdelete.exe" and (not((CommandLine contains " -h" or CommandLine contains " -c" or CommandLine contains " -z" or CommandLine contains " /?")))
Microsoft Sentinel Converted KQL high T1082 ↗
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
Show query
Image endswith "/grep" and (CommandLine contains "apached" or CommandLine contains "frpc" or CommandLine contains "sshd.sh" or CommandLine contains "zone.arm")
Microsoft Sentinel Converted KQL high T1003 ↗
Potential Invoke-Mimikatz PowerShell Script
Detects the Invoke-Mimikatz PowerShell script and similar scripts. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
Show query
(ScriptBlockText contains "DumpCreds" and ScriptBlockText contains "DumpCerts") or ScriptBlockText contains "sekurlsa::logonpasswords" or (ScriptBlockText contains "crypto::certificates" and ScriptBlockText contains "CERT_SYSTEM_STORE_LOCAL_MACHINE")
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
Show query
ImageLoaded endswith "\\iviewers.dll" and (not((ImageLoaded startswith "C:\\Program Files (x86)\\Windows Kits\\" or ImageLoaded startswith "C:\\Program Files\\Windows Kits\\")))
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others, in order to load malicious payloads in the context of legitimate Java processes.
Show query
ImageLoaded endswith "\\jli.dll" and (not(((ImageLoaded startswith "C:\\Program Files\\" or ImageLoaded startswith "C:\\Program Files (x86)\\") and Description =~ "OpenJDK Platform binary" and OriginalFileName =~ "jli.dll" and Product startswith "OpenJDK Platform" and Signed =~ "true"))) and (not(ImageLoaded startswith "C:\\eclipse\\plugins\\"))
Microsoft Sentinel Converted KQL high T1190 ↗
Potential JNDI Injection Exploitation In JVM Based Application
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
Show query
"com.sun.jndi.ldap." or "org.apache.logging.log4j.core.net.JndiManager"
Microsoft Sentinel Converted KQL high T1557.003 ↗
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
Show query
((EventID in~ ("5136", "5137")) and ObjectClass =~ "dnsNode" and (ObjectDN contains "UWhRCA" and ObjectDN contains "BAAAA" and ObjectDN contains "CN=MicrosoftDNS")) or (EventID == 4662 and (AdditionalInfo contains "UWhRCA" and AdditionalInfo contains "BAAAA" and AdditionalInfo contains "CN=MicrosoftDNS"))
Microsoft Sentinel Converted KQL high T1003.001 ↗
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
Show query
(CommandLine contains " -ma " or CommandLine contains " /ma " or CommandLine contains " –ma " or CommandLine contains " —ma " or CommandLine contains " ―ma " or CommandLine contains " -mm " or CommandLine contains " /mm " or CommandLine contains " –mm " or CommandLine contains " —mm " or CommandLine contains " ―mm " or CommandLine contains " -mp " or CommandLine contains " /mp " or CommandLine contains " –mp " or CommandLine contains " —mp " or CommandLine contains " ―mp ") and (CommandLine contains " ls" or CommandLine contains " keyiso" or CommandLine contains " samss")
Microsoft Sentinel Converted KQL high T1218.005 ↗
Potential LethalHTA Technique Execution
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
Show query
ParentImage endswith "\\svchost.exe" and Image endswith "\\mshta.exe"
Microsoft Sentinel Converted KQL high T1190 ↗
Potential Local File Read Vulnerability In JVM Based Application
Detects a potential local file read vulnerability in JVM-based apps. If the exceptions are caused by user input and contain path traversal payloads, then it's a red flag.
Show query
"FileNotFoundException" and "/../../.."
Microsoft Sentinel Converted KQL high T1078.004 ↗
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
Show query
Status =~ "Success" and (userAgent contains "BAV2ROPC" or userAgent contains "CBAinPROD" or userAgent contains "CBAinTAR")
Microsoft Sentinel Converted KQL high T1563.002 ↗
Potential MSTSC Shadowing Activity
Detects RDP session hijacking by using MSTSC shadowing
Show query
CommandLine contains "noconsentprompt" and CommandLine contains "shadow:"
Microsoft Sentinel Converted KQL high T1566 ↗
Potential Malicious Usage of CloudTrail System Manager
Detects when Systems Manager successfully executes commands against an instance.
Show query
(eventName =~ "SendCommand" and eventSource =~ "ssm.amazonaws.com") and (errorCode =~ "Success" or isnull(errorCode))
Microsoft Sentinel Converted KQL high T1216 ↗
Potential Manage-bde.wsf Abuse To Proxy Execution
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
Show query
((Image endswith "\\wscript.exe" or OriginalFileName =~ "wscript.exe") and CommandLine contains "manage-bde.wsf") or (((ParentImage endswith "\\cscript.exe" or ParentImage endswith "\\wscript.exe") and ParentCommandLine contains "manage-bde.wsf") and (not(Image endswith "\\cmd.exe")))
Microsoft Sentinel Converted KQL high T1134.001 ↗
Potential Meterpreter/CobaltStrike Activity
Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting the specific service it starts.
Show query
ParentImage endswith "\\services.exe" and (((CommandLine contains "/c" and CommandLine contains "echo" and CommandLine contains "\\pipe\\") and (CommandLine contains "cmd" or CommandLine contains "%COMSPEC%")) or (CommandLine contains "rundll32" and CommandLine contains ".dll,a" and CommandLine contains "/p:")) and (not(CommandLine contains "MpCmdRun"))
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential Mpclient.DLL Sideloading
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Show query
(ImageLoaded endswith "\\mpclient.dll" and (Image endswith "\\MpCmdRun.exe" or Image endswith "\\NisSrv.exe")) and (not((Image startswith "C:\\Program Files (x86)\\Windows Defender\\" or Image startswith "C:\\Program Files\\Microsoft Security Client\\" or Image startswith "C:\\Program Files\\Windows Defender\\" or Image startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or Image startswith "C:\\Windows\\WinSxS\\")))
Microsoft Sentinel Converted KQL high T1574.001 ↗
Potential Mpclient.DLL Sideloading Via Defender Binaries
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Show query
(Image endswith "\\MpCmdRun.exe" or Image endswith "\\NisSrv.exe") and (not((Image startswith "C:\\Program Files (x86)\\Windows Defender\\" or Image startswith "C:\\Program Files\\Microsoft Security Client\\" or Image startswith "C:\\Program Files\\Windows Defender\\" or Image startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or Image startswith "C:\\Windows\\WinSxS\\")))
Microsoft Sentinel Converted KQL high T1036.005 ↗
Potential MsiExec Masquerading
Detects the execution of msiexec.exe from an uncommon directory
Show query
(Image endswith "\\msiexec.exe" or OriginalFileName =~ "msiexec.exe") and (not((Image startswith "C:\\Windows\\System32\\" or Image startswith "C:\\Windows\\SysWOW64\\" or Image startswith "C:\\Windows\\WinSxS\\")))
Microsoft Sentinel Converted KQL high T1218 ↗
Potential NTLM Coercion Via Certutil.EXE
Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
Show query
(Image endswith "\\certutil.exe" or OriginalFileName =~ "CertUtil.exe") and (CommandLine contains " -syncwithWU " and CommandLine contains " \\\\")
Microsoft Sentinel Converted KQL high T1059 ↗
Potential Netcat Reverse Shell Execution
Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
Show query
(Image endswith "/nc" or Image endswith "/ncat") and (CommandLine contains " -c " or CommandLine contains " -e ") and (CommandLine contains " ash" or CommandLine contains " bash" or CommandLine contains " bsh" or CommandLine contains " csh" or CommandLine contains " ksh" or CommandLine contains " pdksh" or CommandLine contains " sh" or CommandLine contains " tcsh" or CommandLine contains "/bin/ash" or CommandLine contains "/bin/bash" or CommandLine contains "/bin/bsh" or CommandLine contains "/bin/csh" or CommandLine contains "/bin/ksh" or CommandLine contains "/bin/pdksh" or CommandLine contains "/bin/sh" or CommandLine contains "/bin/tcsh" or CommandLine contains "/bin/zsh" or CommandLine contains "$IFSash" or CommandLine contains "$IFSbash" or CommandLine contains "$IFSbsh" or CommandLine contains "$IFScsh" or CommandLine contains "$IFSksh" or CommandLine contains "$IFSpdksh" or CommandLine contains "$IFSsh" or CommandLine contains "$IFStcsh" or CommandLine contains "$IFSzsh")
Microsoft Sentinel Converted KQL high T1190 ↗
Potential OGNL Injection Exploitation In JVM Based Application
Detects potential OGNL injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM-based systems. OGNL injection is the root cause of some high-profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134).
Show query
"org.apache.commons.ognl.OgnlException" or "ExpressionSyntaxException"
Microsoft Sentinel Converted KQL high T1552 ↗
Potential Okta Password in AlternateID Field
Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
Show query
legacyEventType =~ "core.user_auth.login_failed" and (not('actor.alternateId' matches regex "(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,10})"))
Microsoft Sentinel Converted KQL high
Potential PHP Reverse Shell
Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
Show query
Image contains "/php" and (CommandLine contains " -r " and CommandLine contains "fsockopen") and (CommandLine contains "ash" or CommandLine contains "bash" or CommandLine contains "bsh" or CommandLine contains "csh" or CommandLine contains "ksh" or CommandLine contains "pdksh" or CommandLine contains "sh" or CommandLine contains "tcsh" or CommandLine contains "zsh")
Microsoft Sentinel Converted KQL high T1546.015 ↗
Potential PSFactoryBuffer COM Hijacking
Detects changes to the PSFactory COM InProcServer32 registry key. This technique was used by RomCom to establish persistence by storing a malicious DLL.
Show query
TargetObject endswith "\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and (not((Details in~ ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"))))
Microsoft Sentinel Converted KQL high
Potential Perl Reverse Shell Execution
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity.
Show query
(Image endswith "/perl" and CommandLine contains " -e ") and ((CommandLine contains "fdopen(" and CommandLine contains "::Socket::INET") or (CommandLine contains "Socket" and CommandLine contains "connect" and CommandLine contains "open" and CommandLine contains "exec"))
Microsoft Sentinel Converted KQL high T1546.012 ↗
Potential Persistence Via App Paths Default Property
Detects changes to the "Default" property for keys located under the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry key, which might be used as a method of persistence. The entries found under App Paths are used primarily for two purposes: first, to map an application's executable file name to that file's fully qualified path; second, to prepend information to the PATH environment variable on a per-application, per-process basis.
Show query
TargetObject contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths" and (TargetObject endswith "(Default)" or TargetObject endswith "Path") and (Details contains "\\Users\\Public" or Details contains "\\AppData\\Local\\Temp\\" or Details contains "\\Windows\\Temp\\" or Details contains "\\Desktop\\" or Details contains "\\Downloads\\" or Details contains "%temp%" or Details contains "%tmp%" or Details contains "iex" or Details contains "Invoke-" or Details contains "rundll32" or Details contains "regsvr32" or Details contains "mshta" or Details contains "cscript" or Details contains "wscript" or Details contains ".bat" or Details contains ".hta" or Details contains ".dll" or Details contains ".ps1")
Microsoft Sentinel Converted KQL high
Potential Persistence Via AutodialDLL
Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library.
Show query
TargetObject contains "\\Services\\WinSock2\\Parameters\\AutodialDLL"
Microsoft Sentinel Converted KQL high
Potential Persistence Via CHM Helper DLL
Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
Show query
TargetObject contains "\\Software\\Microsoft\\HtmlHelp Author\\Location" or TargetObject contains "\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location"
Microsoft Sentinel Converted KQL high
Potential Persistence Via DLLPathOverride
Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence; the DLL will get invoked by the "SearchIndexer.exe" process.
Show query
TargetObject contains "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\" and (TargetObject contains "\\StemmerDLLPathOverride" or TargetObject contains "\\WBDLLPathOverride" or TargetObject contains "\\StemmerClass" or TargetObject contains "\\WBreakerClass")
Microsoft Sentinel Converted KQL high T1137.006 ↗
Potential Persistence Via Excel Add-in - Registry
Detects potential persistence via the registration of an Excel add-in (XLL) file so that it runs automatically when Excel is started.
Show query
TargetObject contains "Software\\Microsoft\\Office\\" and TargetObject endswith "\\Excel\\Options" and Details startswith "/R " and Details endswith ".xll"
Microsoft Sentinel Converted KQL high T1546.012 ↗
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Show query
(TargetObject contains "\\Microsoft\\Windows NT\\CurrentVersion\\" and TargetObject contains "\\Image File Execution Options\\" and TargetObject contains "\\GlobalFlag") or ((TargetObject contains "\\Microsoft\\Windows NT\\CurrentVersion\\" and TargetObject contains "\\SilentProcessExit\\") and (TargetObject contains "\\ReportingMode" or TargetObject contains "\\MonitorProcess"))
Microsoft Sentinel Converted KQL high
Potential Persistence Via LSA Extensions
Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
Show query
TargetObject contains "\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions"
Microsoft Sentinel Converted KQL high T1037.001 ↗
Potential Persistence Via Logon Scripts - CommandLine
Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
Show query
CommandLine contains "UserInitMprLogonScript"
Microsoft Sentinel Converted KQL high T1137.006 ↗
Potential Persistence Via Microsoft Office Add-In
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
Show query
(TargetFilename contains "\\Microsoft\\Word\\Startup\\" and TargetFilename endswith ".wll") or (TargetFilename contains "\\Microsoft\\Excel\\Startup\\" and TargetFilename endswith ".xll") or (TargetFilename contains "Microsoft\\Excel\\XLSTART\\" and TargetFilename endswith ".xlam") or (TargetFilename contains "\\Microsoft\\Addins\\" and (TargetFilename endswith ".xlam" or TargetFilename endswith ".xla" or TargetFilename endswith ".ppam"))
Microsoft Sentinel Converted KQL high T1137 ↗
Potential Persistence Via Microsoft Office Startup Folder
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
Show query
(((TargetFilename contains "\\Microsoft\\Word\\STARTUP" or (TargetFilename contains "\\Office" and TargetFilename contains "\\Program Files" and TargetFilename contains "\\STARTUP")) and (TargetFilename endswith ".doc" or TargetFilename endswith ".docm" or TargetFilename endswith ".docx" or TargetFilename endswith ".dot" or TargetFilename endswith ".dotm" or TargetFilename endswith ".rtf")) or ((TargetFilename contains "\\Microsoft\\Excel\\XLSTART" or (TargetFilename contains "\\Office" and TargetFilename contains "\\Program Files" and TargetFilename contains "\\XLSTART")) and (TargetFilename endswith ".xls" or TargetFilename endswith ".xlsm" or TargetFilename endswith ".xlsx" or TargetFilename endswith ".xlt" or TargetFilename endswith ".xltm"))) and (not((Image endswith "\\WINWORD.exe" or Image endswith "\\EXCEL.exe")))
Microsoft Sentinel Converted KQL high
Potential Persistence Via Mpnotify
Detects when an attacker registers a new SIP provider for persistence and defense evasion.
Show query
TargetObject contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify"
Microsoft Sentinel Converted KQL high
Potential Persistence Via MyComputer Registry Keys
Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
Show query
TargetObject contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer" and TargetObject endswith "(Default)"
Microsoft Sentinel Converted KQL high T1137.003 ↗
Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form which can contain malicious code
Show query
Image endswith "\\outlook.exe" and (TargetFilename contains "\\AppData\\Local\\Microsoft\\FORMS\\IPM" or TargetFilename contains "\\Local Settings\\Application Data\\Microsoft\\Forms")
Microsoft Sentinel Converted KQL high T1112 ↗
Potential Persistence Via Outlook Home Page
Detects potential persistence activity via the Outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
Show query
(TargetObject contains "\\Software\\Microsoft\\Office\\" and TargetObject contains "\\Outlook\\WebView\\") and TargetObject endswith "\\URL"
Microsoft Sentinel Converted KQL high T1008 ↗
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
Show query
TargetObject endswith "\\Outlook\\LoadMacroProviderOnBoot" and Details contains "0x00000001"
Microsoft Sentinel Converted KQL high T1112 ↗
Potential Persistence Via Outlook Today Page
Detects potential persistence activity via the Outlook Today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
Show query
(TargetObject contains "Software\\Microsoft\\Office\\" and TargetObject contains "\\Outlook\\Today\\") and ((TargetObject endswith "\\Stamp" and Details =~ "DWORD (0x00000001)") or (TargetObject endswith "\\URL" or TargetObject endswith "\\UserDefinedUrl")) and (not(((Image startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or Image startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\") and Image endswith "\\OfficeClickToRun.exe")))
Showing 751-800 of 3,763