
Commit 23e9e81

authored
Update Clickfix TTP
1 parent d5dc059 commit 23e9e81

1 file changed

Lines changed: 1 addition & 1 deletion


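--- a/s1_powerquery_hunting.json
+++ b/s1_powerquery_hunting.json
@@ -8,7 +8,7 @@
 {
 "category": "Execution & TTPs",
 "name": "Clickfix TTP detected",
-"query": "((src.process.name contains:anycase (\"powershell.exe\", \"cmd.exe\") and tgt.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \") and tgt.process.cmdline contains:anycase \"http\") OR (src.process.parent.name = \"explorer.exe\" and src.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \") and src.process.cmdline contains:anycase \"http\")) NOT (tgt.process.cmdline contains (\"chocolatey.org\") OR src.process.cmdline contains (\"chocolatey.org\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request, Count\n| sort -Count\n| limit 100000\n"
+"query": "((src.process.name contains:anycase (\"powershell.exe\", \"cmd.exe\") and tgt.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \") and tgt.process.cmdline contains:anycase \"http\") OR (src.process.parent.name = \"explorer.exe\" and src.process.cmdline contains:anycase (\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \",\"irm \") and src.process.cmdline contains:anycase \"http\") OR src.process.cmdline contains:anycase (\"iex(irm\", \"iex(iwr\",\"|iex\", \"| iex\", \").Content\", \"[ScriptBlock]::Create\")) NOT (tgt.process.cmdline contains (\"chocolatey.org\") OR src.process.cmdline contains (\"chocolatey.org\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request, Count\n| sort -Count\n| limit 100000"
 },
 {
 "category": "Credential Access",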
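Review bot: The new `"irm "` token is added only to the explorer.exe branch's list, while the first branch (src.process.name powershell.exe/cmd.exe with tgt.process.cmdline) keeps the old list, so a cmd.exe-spawned PowerShell that uses `irm` rather than `iwr` is still matched only by the third clause; for consistency the first branch's list `(\"mshta\",\"-w 1\",\"-w h\",\"/c curl \",\"iex \",\"iwr \",\"msiexec \")` should also carry `\"irm \"`. The third OR clause (`iex(irm`, `|iex`, `).Content`, `[ScriptBlock]::Create`, etc.) has no `http` anchor and no parent-process constraint, unlike the two existing branches, so it will fire on any process line containing those substrings, including local administration scripts; expect more volume than the earlier branches and consider documenting that trade-off in the rule's description or pairing the clause with the same `contains:anycase \"http\"` condition. The added `contains:anycase` list also drops the trailing `\n` that the old query ended with, which is harmless but worth a one-line mention in the commit message if it was intentional. The enclosing JSON object starts before line 8 and is only partly visible in this hunk.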
