Fix logic, event listener leak, and performance bugs in userscript

LasCC · LasCC · commit 5d69229a5235 · 2026-02-23T16:43:15.000-05:00
diff --git a/s1_powerquery_hunting.json b/s1_powerquery_hunting.json
@@ -28,7 +28,7 @@
     {
         "category": "Lateral Movement",
         "name": "ATExec was used",
-        "query": "indicator.name contains \"ScheduleTaskRegister\"\n| let taskCode = indicator.metadata.extract_matches('Task: \"\\\\\\\\([A-Za-z0-9]{1,8})\"').get(0)\n| filter taskCode != null\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count = count() by endpoint.name, src.process.user, src.process.storyline.id, taskCode, indicator.metadata\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.storyline.id, taskCode, indicator.metadata, Count\n| sort -Count\n| limit 100000"
+        "query": "indicator.name contains \"ScheduleTaskRegister\"\n| let taskCode = indicator.metadata.extract_matches('Task: \"\\\\\\\\([A-Za-z0-9_\\-]{1,64})\"').get(0)\n| filter taskCode != null\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count = count() by endpoint.name, src.process.user, src.process.storyline.id, taskCode, indicator.metadata\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.storyline.id, taskCode, indicator.metadata, Count\n| sort -Count\n| limit 100000"
     },
     {
         "category": "Credential Access",
@@ -38,7 +38,7 @@
     {
         "category": "Lateral Movement",
         "name": "Possible WMIC lateralisation",
-        "query": "(( src.process.name contains:anycase (\"cmd.exe\",\"powershell.exe\") OR tgt.process.name contains:anycase (\"cmd.exe\",\"powershell.exe\")) AND src.process.cmdline contains:anycase \"2\" AND src.process.cmdline contains:anycase \"&1\" AND src.process.cmdline In contains:anycase ( \"C$\",\"ADMIN$\",\"IPC$\",\"PRINT$\",\"FAX$\",\"Temp\") AND src.process.cmdline OR src.process.cmdline contains:anycase \"localhost\" OR src.process.cmdline contains:anycase \"WIndows\") and osSrc.process.name contains \"wmiprvse.exe\"\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.name, tgt.process.cmdline\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.name, tgt.process.cmdline, Count\n| sort -Count\n| limit 100000\n"
+        "query": "(( src.process.name contains:anycase (\"cmd.exe\",\"powershell.exe\") OR tgt.process.name contains:anycase (\"cmd.exe\",\"powershell.exe\")) AND src.process.cmdline contains:anycase \"2\" AND src.process.cmdline contains:anycase \"&1\" AND (src.process.cmdline contains:anycase (\"C$\",\"ADMIN$\",\"IPC$\",\"PRINT$\",\"FAX$\",\"Temp\") OR src.process.cmdline contains:anycase \"localhost\" OR src.process.cmdline contains:anycase \"Windows\") AND osSrc.process.name contains \"wmiprvse.exe\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.name, tgt.process.cmdline\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.name, tgt.process.cmdline, Count\n| sort -Count\n| limit 100000\n"
     },
     {
         "category": "Execution & LOLBAS",
@@ -63,7 +63,7 @@
     {
         "category": "Command & Control",
         "name": "LOLTunnels domain / url hits",
-        "query": "event.dns.request contains:anycase (\"shellhub.io\", \"sharedwithexpose.com\", \"sharedwithexpose.com\", \"eu-1.sharedwithexpose.com\", \"us-1.sharedwithexpose.com\", \"us-2.sharedwithexpose.com\", \"ap-1.sharedwithexpose.com\", \"in-1.sharedwithexpose.com\", \"sa-1.sharedwithexpose.com\", \"au-1.sharedwithexpose.com\", \"eu-2.sharedwithexpose.com\", \"tuns.sh\", \"ssi.sh\", \"tunnelto.dev\", \"pagekite.net\", \"pagekite.me\", \"loca.lt\", \"localtunnel.me\", \"dataplicity.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"get.telebit.io\", \"telebit.io\", \"telebit.cloud\", \"telebit.fun\", \"devtunnels.ms\", \"data.rel.tunnels.api.visualstudio.com\", \"rel.tunnels.api.visualstudio.com\", \"global.rel.tunnels.api.visualstudio.com\", \"localhost.run\", \"pinggy.io\", \"pinggy.link\", \"amazonaws.com/public.pinggy.binaries/\", \"loophole.eu.auth0.com\", \"loophole.site\", \"burrow.io\", \"burrow.link\", \"io.burrow.link:\", \"localto.net\", \"localtonet.com\", \"tmate.io\", \"tunnel.staqlab.com\", \"staqlab-tunnel.com\", \"staqlab.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"jprq.io\", \"bore.pub:\", \"btunnel.co.in\", \"btunnel.in\", \"ngrok.com\", \"ngrok.io\", \"ngrok.dev\", \"ngrok.app\", \"ngrok.pro\", \"ngrok.pizza\", \"ngrok-agent.com\", \"ngrok-free.app\", \"ngrok-cname.com\", \"serveo.net\", \"pitunnel.com\", \"openport.io\", \"beeceptor.com\", \"loca.lt\", \"localtunnel.me\", \"localxpose.io\", \"expose.sh\", \"expos.es\", \"trycloudflare.com\", \"cfargotunnel.com\", \"cftunnel.com\", \"bore.digital:\", \"bore.digital\") or url.address contains:anycase (\"shellhub.io\", \"sharedwithexpose.com\", \"sharedwithexpose.com\", \"eu-1.sharedwithexpose.com\", \"us-1.sharedwithexpose.com\", \"us-2.sharedwithexpose.com\", \"ap-1.sharedwithexpose.com\", \"in-1.sharedwithexpose.com\", \"sa-1.sharedwithexpose.com\", \"au-1.sharedwithexpose.com\", \"eu-2.sharedwithexpose.com\", \"tuns.sh\", \"ssi.sh\", \"tunnelto.dev\", \"pagekite.net\", \"pagekite.me\", \"loca.lt\", \"localtunnel.me\", \"dataplicity.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"get.telebit.io\", \"telebit.io\", \"telebit.cloud\", \"telebit.fun\", \"devtunnels.ms\", \"data.rel.tunnels.api.visualstudio.com\", \"rel.tunnels.api.visualstudio.com\", \"global.rel.tunnels.api.visualstudio.com\", \"localhost.run\", \"pinggy.io\", \"pinggy.link\", \"amazonaws.com/public.pinggy.binaries/\", \"loophole.eu.auth0.com\", \"loophole.site\", \"burrow.io\", \"burrow.link\", \"io.burrow.link:\", \"localto.net\", \"localtonet.com\", \"tmate.io\", \"tunnel.staqlab.com\", \"staqlab-tunnel.com\", \"staqlab.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"jprq.io\", \"bore.pub:\", \"btunnel.co.in\", \"btunnel.in\", \"ngrok.com\", \"ngrok.io\", \"ngrok.dev\", \"ngrok.app\", \"ngrok.pro\", \"ngrok.pizza\", \"ngrok-agent.com\", \"ngrok-free.app\", \"ngrok-cname.com\", \"serveo.net\", \"pitunnel.com\", \"openport.io\", \"beeceptor.com\", \"loca.lt\", \"localtunnel.me\", \"localxpose.io\", \"expose.sh\", \"expos.es\", \"trycloudflare.com\", \"cfargotunnel.com\", \"cftunnel.com\", \"bore.digital:\", \"bore.digital\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, event.dns.request, Count\n| sort -Count\n| limit 100000\n"
+        "query": "event.dns.request contains:anycase (\"shellhub.io\", \"sharedwithexpose.com\", \"eu-1.sharedwithexpose.com\", \"us-1.sharedwithexpose.com\", \"us-2.sharedwithexpose.com\", \"ap-1.sharedwithexpose.com\", \"in-1.sharedwithexpose.com\", \"sa-1.sharedwithexpose.com\", \"au-1.sharedwithexpose.com\", \"eu-2.sharedwithexpose.com\", \"tuns.sh\", \"ssi.sh\", \"tunnelto.dev\", \"pagekite.net\", \"pagekite.me\", \"loca.lt\", \"localtunnel.me\", \"dataplicity.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"get.telebit.io\", \"telebit.io\", \"telebit.cloud\", \"telebit.fun\", \"data.rel.tunnels.api.visualstudio.com\", \"rel.tunnels.api.visualstudio.com\", \"global.rel.tunnels.api.visualstudio.com\", \"localhost.run\", \"pinggy.io\", \"pinggy.link\", \"amazonaws.com/public.pinggy.binaries/\", \"loophole.eu.auth0.com\", \"loophole.site\", \"burrow.io\", \"burrow.link\", \"io.burrow.link\", \"localto.net\", \"localtonet.com\", \"tmate.io\", \"tunnel.staqlab.com\", \"staqlab-tunnel.com\", \"staqlab.com\", \"jprq.io\", \"bore.pub\", \"btunnel.co.in\", \"btunnel.in\", \"ngrok.com\", \"ngrok.io\", \"ngrok.dev\", \"ngrok.app\", \"ngrok.pro\", \"ngrok.pizza\", \"ngrok-agent.com\", \"ngrok-free.app\", \"ngrok-cname.com\", \"serveo.net\", \"pitunnel.com\", \"openport.io\", \"beeceptor.com\", \"localxpose.io\", \"expose.sh\", \"expos.es\", \"trycloudflare.com\", \"cfargotunnel.com\", \"cftunnel.com\", \"bore.digital\") or url.address contains:anycase (\"shellhub.io\", \"sharedwithexpose.com\", \"eu-1.sharedwithexpose.com\", \"us-1.sharedwithexpose.com\", \"us-2.sharedwithexpose.com\", \"ap-1.sharedwithexpose.com\", \"in-1.sharedwithexpose.com\", \"sa-1.sharedwithexpose.com\", \"au-1.sharedwithexpose.com\", \"eu-2.sharedwithexpose.com\", \"tuns.sh\", \"ssi.sh\", \"tunnelto.dev\", \"pagekite.net\", \"pagekite.me\", \"loca.lt\", \"localtunnel.me\", \"dataplicity.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"get.telebit.io\", \"telebit.io\", \"telebit.cloud\", \"telebit.fun\", \"data.rel.tunnels.api.visualstudio.com\", \"rel.tunnels.api.visualstudio.com\", \"global.rel.tunnels.api.visualstudio.com\", \"localhost.run\", \"pinggy.io\", \"pinggy.link\", \"amazonaws.com/public.pinggy.binaries/\", \"loophole.eu.auth0.com\", \"loophole.site\", \"burrow.io\", \"burrow.link\", \"io.burrow.link\", \"localto.net\", \"localtonet.com\", \"tmate.io\", \"tunnel.staqlab.com\", \"staqlab-tunnel.com\", \"staqlab.com\", \"jprq.io\", \"bore.pub\", \"btunnel.co.in\", \"btunnel.in\", \"ngrok.com\", \"ngrok.io\", \"ngrok.dev\", \"ngrok.app\", \"ngrok.pro\", \"ngrok.pizza\", \"ngrok-agent.com\", \"ngrok-free.app\", \"ngrok-cname.com\", \"serveo.net\", \"pitunnel.com\", \"openport.io\", \"beeceptor.com\", \"localxpose.io\", \"expose.sh\", \"expos.es\", \"trycloudflare.com\", \"cfargotunnel.com\", \"cftunnel.com\", \"bore.digital\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, event.dns.request, Count\n| sort -Count\n| limit 100000\n"
     },
     {
         "category": "Execution & Persistence",
@@ -148,7 +148,7 @@
     {
         "category": "Execution & TTPs",
         "name": "NetExec RDP Behaviour detected",
-        "query": "((src.process.name contains:anycase ('| clip & exit' ,'clip; exit')) OR (tgt.process.cmdline contains:anycase ('| clip & exit' ,'clip; exit'))) OR (src.process.name contains:anycase (\"clip.exe\") AND src.parent.process.name contains:anycase (\"powershell.exe\",\"pwsh.exe\",\"mshta.exe\",\"msiexec.exe\",\"cmd.exe\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, Count\n| sort -Count\n| limit 100000\n"
+        "query": "((src.process.name contains:anycase ('| clip & exit' ,'clip; exit')) OR (tgt.process.cmdline contains:anycase ('| clip & exit' ,'clip; exit'))) OR (src.process.name contains:anycase (\"clip.exe\") AND src.process.parent.name contains:anycase (\"powershell.exe\",\"pwsh.exe\",\"mshta.exe\",\"msiexec.exe\",\"cmd.exe\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, Count\n| sort -Count\n| limit 100000\n"
     },
     {
         "category": "Credential Access",
@@ -258,7 +258,7 @@
     {
         "category": "Discovery & Reconnaissance",
         "name": "Burp Suite Tool Detected",
-        "query": "(event.dns.request contains:anycase 'burpcollaborator.net' OR url.address contains:anycase 'burpcollaborator.net' AND (src.ip.address matches '^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[0-1])\\\\.|192\\\\.168\\\\.|127\\\\.).*' OR dst.ip.address matches '^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[0-1])\\\\.|192\\\\.168\\\\.|127\\\\.).*'))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.name, event.dns.request, url.address, src.ip.address, dst.ip.address\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.name, event.dns.request, url.address, src.ip.address, dst.ip.address, Count\n| sort -Count\n| limit 100000"
+        "query": "(event.dns.request contains:anycase 'burpcollaborator.net' OR url.address contains:anycase 'burpcollaborator.net') AND (src.ip.address matches '^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[0-1])\\\\.|192\\\\.168\\\\.|127\\\\.).*' OR dst.ip.address matches '^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[0-1])\\\\.|192\\\\.168\\\\.|127\\\\.).*'))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.name, event.dns.request, url.address, src.ip.address, dst.ip.address\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns  \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.name, event.dns.request, url.address, src.ip.address, dst.ip.address, Count\n| sort -Count\n| limit 100000"
     },
     {
         "category": "Lateral Movement",
diff --git a/userscript.js b/userscript.js
@@ -18,6 +18,8 @@
     const PINNED_QUERIES_KEY = "s1_pinned_hunting_queries";
 
     let allFetchedQueries = [];
+    let documentListenerController = null;
+    let fetchInProgress = false;
 
     const listIconSVG = `
     <img src="data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A//www.w3.org/2000/svg%22%20viewBox%3D%220%200%2077.09%2095.88%22%20xmlns%3Axlink%3D%22http%3A//www.w3.org/1999/xlink%22%3E%0A%20%3Cdefs%3E%0A%20%20%3Cstyle%3E%0A%20%20%20.cls-1%7Bfill%3A%236b0aea%3Bfill-rule%3Aevenodd%3B%7D%0A%20%20%3C/style%3E%0A%20%3C/defs%3E%0A%20%3Cg%20id%3D%22Layer_2%22%20data-name%3D%22Layer%202%22%3E%0A%20%20%3Cg%20id%3D%22ART%22%3E%0A%20%20%20%3Cpath%20class%3D%22cls-1%22%20d%3D%22M32.08%2C0H45V77.25H32.08ZM48.13%2C95.88l12.91-8V21a32.21%2C32.21%2C0%2C0%2C0-12.91-5.72ZM16%2C87.92l12.92%2C8V15.32A32.19%2C32.19%2C0%2C0%2C0%2C16%2C21ZM64.17%2C3.67V86.48l6-3.72a15.3%2C15.3%2C0%2C0%2C0%2C6.89-13V30.65C77.09%2C19.37%2C64.17%2C3.67%2C64.17%2C3.67ZM0%2C69.73a15.27%2C15.27%2C0%2C0%2C0%2C6.89%2C13l6%2C3.72V3.67S0%2C19.37%2C0%2C30.65Z%22/%3E%0A%20%20%3C/g%3E%0A%20%3C/g%3E%0A%3C/svg%3E" style="height:1rem;" alt="Logo" srcset="">
@@ -58,20 +60,19 @@
         const queryTextarea = document.querySelector(
             '[data-test-id="power-query-input"]'
         );
+        if (!queryTextarea) return;
         const searchButton = document.querySelector(
             '[data-test-id="power-query-search-button"]'
         );
-        if (queryTextarea) {
-            const nativeInputValueSetter = Object.getOwnPropertyDescriptor(
-                window.HTMLTextAreaElement.prototype,
-                "value"
-            ).set;
-            nativeInputValueSetter.call(queryTextarea, query);
-            ["input", "change"].forEach((eventType) =>
-                queryTextarea.dispatchEvent(new Event(eventType, { bubbles: true }))
-            );
-            queryTextarea.focus();
-        }
+        const nativeInputValueSetter = Object.getOwnPropertyDescriptor(
+            window.HTMLTextAreaElement.prototype,
+            "value"
+        ).set;
+        nativeInputValueSetter.call(queryTextarea, query);
+        ["input", "change"].forEach((eventType) =>
+            queryTextarea.dispatchEvent(new Event(eventType, { bubbles: true }))
+        );
+        queryTextarea.focus();
         if (searchButton) searchButton.click();
         showNotification("Query executed successfully!");
     }
@@ -481,7 +482,7 @@
                     const pinButton = document.createElement("button");
                     pinButton.className = "hunting-queries-pin-btn";
                     pinButton.innerHTML = starIconSVG;
-                    if (isQueryPinned(queryObj.name)) {
+                    if (pinnedQueryNames.includes(queryObj.name)) {
                         pinButton.classList.add("pinned");
                         pinButton.title = "Unpin query";
                     } else {
@@ -576,10 +577,12 @@
             tableButtonToolbarItem.nextSibling
         );
 
+        let searchDebounceTimer;
         searchInput.addEventListener("input", (e) => {
             const value = e.target.value;
             clearButton.style.display = value ? "block" : "none";
-            renderQueryItems(value);
+            clearTimeout(searchDebounceTimer);
+            searchDebounceTimer = setTimeout(() => renderQueryItems(value), 150);
         });
         searchInput.addEventListener("keydown", (e) => {
             if (e.key === "Escape") closeDropdown();
@@ -603,20 +606,24 @@
                 renderQueryItems(searchInput.value);
             }
         });
+        if (documentListenerController) documentListenerController.abort();
+        documentListenerController = new AbortController();
+        const { signal: docSignal } = documentListenerController;
+
         document.addEventListener("click", (e) => {
             if (
                 !dropdownDiv.contains(e.target) &&
                 dropdownMenu.classList.contains("show")
             )
                 closeDropdown();
-        });
+        }, { signal: docSignal });
 
         document.addEventListener("pinnedQueryChange", () => {
             if (dropdownMenu.classList.contains("show")) {
                 renderTabs();
                 renderQueryItems(searchInput.value);
             }
-        });
+        }, { signal: docSignal });
 
         renderTabs();
         renderQueryItems();
@@ -865,6 +872,7 @@
             method: "GET",
             url: QUERIES_URL,
             onload: function (response) {
+                fetchInProgress = false;
                 try {
                     const queries = JSON.parse(response.responseText);
                     allFetchedQueries = queries;
@@ -878,6 +886,7 @@
                 }
             },
             onerror: function (error) {
+                fetchInProgress = false;
                 console.error("Error fetching queries:", error);
                 allFetchedQueries = null;
                 addCustomQueryButton(null);
@@ -898,7 +907,8 @@
                 const tableButton = powerQueryPage.querySelector(
                     '[data-test-id="graph-style-dropdown"]'
                 );
-                if (toolbar && tableButton) {
+                if (toolbar && tableButton && !fetchInProgress) {
+                    fetchInProgress = true;
                     fetchQueriesAndInject();
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`{`
`29`	`29`	`"category": "Lateral Movement",`
`30`	`30`	`"name": "ATExec was used",`
`31`		- "query": "indicator.name contains \"ScheduleTaskRegister\"\n\| let taskCode = indicator.metadata.extract_matches('Task: \"\\\\\\\\([A-Za-z0-9]{1,8})\"').get(0)\n\| filter taskCode != null\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count = count() by endpoint.name, src.process.user, src.process.storyline.id, taskCode, indicator.metadata\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.storyline.id, taskCode, indicator.metadata, Count\n\| sort -Count\n\| limit 100000"
	`31`	+ "query": "indicator.name contains \"ScheduleTaskRegister\"\n\| let taskCode = indicator.metadata.extract_matches('Task: \"\\\\\\\\([A-Za-z0-9_\\-]{1,64})\"').get(0)\n\| filter taskCode != null\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count = count() by endpoint.name, src.process.user, src.process.storyline.id, taskCode, indicator.metadata\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.storyline.id, taskCode, indicator.metadata, Count\n\| sort -Count\n\| limit 100000"
`32`	`32`	`},`
`33`	`33`	`{`
`34`	`34`	`"category": "Credential Access",`
`@@ -38,7 +38,7 @@`
`38`	`38`	`{`
`39`	`39`	`"category": "Lateral Movement",`
`40`	`40`	`"name": "Possible WMIC lateralisation",`
`41`		- "query": "(( src.process.name contains:anycase (\"cmd.exe\",\"powershell.exe\") OR tgt.process.name contains:anycase (\"cmd.exe\",\"powershell.exe\")) AND src.process.cmdline contains:anycase \"2\" AND src.process.cmdline contains:anycase \"&1\" AND src.process.cmdline In contains:anycase ( \"C$\",\"ADMIN$\",\"IPC$\",\"PRINT$\",\"FAX$\",\"Temp\") AND src.process.cmdline OR src.process.cmdline contains:anycase \"localhost\" OR src.process.cmdline contains:anycase \"WIndows\") and osSrc.process.name contains \"wmiprvse.exe\"\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.name, tgt.process.cmdline\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.name, tgt.process.cmdline, Count\n\| sort -Count\n\| limit 100000\n"
	`41`	+ "query": "(( src.process.name contains:anycase (\"cmd.exe\",\"powershell.exe\") OR tgt.process.name contains:anycase (\"cmd.exe\",\"powershell.exe\")) AND src.process.cmdline contains:anycase \"2\" AND src.process.cmdline contains:anycase \"&1\" AND (src.process.cmdline contains:anycase (\"C$\",\"ADMIN$\",\"IPC$\",\"PRINT$\",\"FAX$\",\"Temp\") OR src.process.cmdline contains:anycase \"localhost\" OR src.process.cmdline contains:anycase \"Windows\") AND osSrc.process.name contains \"wmiprvse.exe\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.name, tgt.process.cmdline\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.name, tgt.process.cmdline, Count\n\| sort -Count\n\| limit 100000\n"
`42`	`42`	`},`
`43`	`43`	`{`
`44`	`44`	`"category": "Execution & LOLBAS",`
`@@ -63,7 +63,7 @@`
`63`	`63`	`{`
`64`	`64`	`"category": "Command & Control",`
`65`	`65`	`"name": "LOLTunnels domain / url hits",`
`66`		- "query": "event.dns.request contains:anycase (\"shellhub.io\", \"sharedwithexpose.com\", \"sharedwithexpose.com\", \"eu-1.sharedwithexpose.com\", \"us-1.sharedwithexpose.com\", \"us-2.sharedwithexpose.com\", \"ap-1.sharedwithexpose.com\", \"in-1.sharedwithexpose.com\", \"sa-1.sharedwithexpose.com\", \"au-1.sharedwithexpose.com\", \"eu-2.sharedwithexpose.com\", \"tuns.sh\", \"ssi.sh\", \"tunnelto.dev\", \"pagekite.net\", \"pagekite.me\", \"loca.lt\", \"localtunnel.me\", \"dataplicity.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"get.telebit.io\", \"telebit.io\", \"telebit.cloud\", \"telebit.fun\", \"devtunnels.ms\", \"data.rel.tunnels.api.visualstudio.com\", \"rel.tunnels.api.visualstudio.com\", \"global.rel.tunnels.api.visualstudio.com\", \"localhost.run\", \"pinggy.io\", \"pinggy.link\", \"amazonaws.com/public.pinggy.binaries/\", \"loophole.eu.auth0.com\", \"loophole.site\", \"burrow.io\", \"burrow.link\", \"io.burrow.link:\", \"localto.net\", \"localtonet.com\", \"tmate.io\", \"tunnel.staqlab.com\", \"staqlab-tunnel.com\", \"staqlab.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"jprq.io\", \"bore.pub:\", \"btunnel.co.in\", \"btunnel.in\", \"ngrok.com\", \"ngrok.io\", \"ngrok.dev\", \"ngrok.app\", \"ngrok.pro\", \"ngrok.pizza\", \"ngrok-agent.com\", \"ngrok-free.app\", \"ngrok-cname.com\", \"serveo.net\", \"pitunnel.com\", \"openport.io\", \"beeceptor.com\", \"loca.lt\", \"localtunnel.me\", \"localxpose.io\", \"expose.sh\", \"expos.es\", \"trycloudflare.com\", \"cfargotunnel.com\", \"cftunnel.com\", \"bore.digital:\", \"bore.digital\") or url.address contains:anycase (\"shellhub.io\", \"sharedwithexpose.com\", \"sharedwithexpose.com\", \"eu-1.sharedwithexpose.com\", \"us-1.sharedwithexpose.com\", \"us-2.sharedwithexpose.com\", \"ap-1.sharedwithexpose.com\", \"in-1.sharedwithexpose.com\", \"sa-1.sharedwithexpose.com\", \"au-1.sharedwithexpose.com\", \"eu-2.sharedwithexpose.com\", \"tuns.sh\", \"ssi.sh\", \"tunnelto.dev\", \"pagekite.net\", \"pagekite.me\", \"loca.lt\", \"localtunnel.me\", \"dataplicity.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"get.telebit.io\", \"telebit.io\", \"telebit.cloud\", \"telebit.fun\", \"devtunnels.ms\", \"data.rel.tunnels.api.visualstudio.com\", \"rel.tunnels.api.visualstudio.com\", \"global.rel.tunnels.api.visualstudio.com\", \"localhost.run\", \"pinggy.io\", \"pinggy.link\", \"amazonaws.com/public.pinggy.binaries/\", \"loophole.eu.auth0.com\", \"loophole.site\", \"burrow.io\", \"burrow.link\", \"io.burrow.link:\", \"localto.net\", \"localtonet.com\", \"tmate.io\", \"tunnel.staqlab.com\", \"staqlab-tunnel.com\", \"staqlab.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"jprq.io\", \"bore.pub:\", \"btunnel.co.in\", \"btunnel.in\", \"ngrok.com\", \"ngrok.io\", \"ngrok.dev\", \"ngrok.app\", \"ngrok.pro\", \"ngrok.pizza\", \"ngrok-agent.com\", \"ngrok-free.app\", \"ngrok-cname.com\", \"serveo.net\", \"pitunnel.com\", \"openport.io\", \"beeceptor.com\", \"loca.lt\", \"localtunnel.me\", \"localxpose.io\", \"expose.sh\", \"expos.es\", \"trycloudflare.com\", \"cfargotunnel.com\", \"cftunnel.com\", \"bore.digital:\", \"bore.digital\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, event.dns.request\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, event.dns.request, Count\n\| sort -Count\n\| limit 100000\n"
	`66`	+ "query": "event.dns.request contains:anycase (\"shellhub.io\", \"sharedwithexpose.com\", \"eu-1.sharedwithexpose.com\", \"us-1.sharedwithexpose.com\", \"us-2.sharedwithexpose.com\", \"ap-1.sharedwithexpose.com\", \"in-1.sharedwithexpose.com\", \"sa-1.sharedwithexpose.com\", \"au-1.sharedwithexpose.com\", \"eu-2.sharedwithexpose.com\", \"tuns.sh\", \"ssi.sh\", \"tunnelto.dev\", \"pagekite.net\", \"pagekite.me\", \"loca.lt\", \"localtunnel.me\", \"dataplicity.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"get.telebit.io\", \"telebit.io\", \"telebit.cloud\", \"telebit.fun\", \"data.rel.tunnels.api.visualstudio.com\", \"rel.tunnels.api.visualstudio.com\", \"global.rel.tunnels.api.visualstudio.com\", \"localhost.run\", \"pinggy.io\", \"pinggy.link\", \"amazonaws.com/public.pinggy.binaries/\", \"loophole.eu.auth0.com\", \"loophole.site\", \"burrow.io\", \"burrow.link\", \"io.burrow.link\", \"localto.net\", \"localtonet.com\", \"tmate.io\", \"tunnel.staqlab.com\", \"staqlab-tunnel.com\", \"staqlab.com\", \"jprq.io\", \"bore.pub\", \"btunnel.co.in\", \"btunnel.in\", \"ngrok.com\", \"ngrok.io\", \"ngrok.dev\", \"ngrok.app\", \"ngrok.pro\", \"ngrok.pizza\", \"ngrok-agent.com\", \"ngrok-free.app\", \"ngrok-cname.com\", \"serveo.net\", \"pitunnel.com\", \"openport.io\", \"beeceptor.com\", \"localxpose.io\", \"expose.sh\", \"expos.es\", \"trycloudflare.com\", \"cfargotunnel.com\", \"cftunnel.com\", \"bore.digital\") or url.address contains:anycase (\"shellhub.io\", \"sharedwithexpose.com\", \"eu-1.sharedwithexpose.com\", \"us-1.sharedwithexpose.com\", \"us-2.sharedwithexpose.com\", \"ap-1.sharedwithexpose.com\", \"in-1.sharedwithexpose.com\", \"sa-1.sharedwithexpose.com\", \"au-1.sharedwithexpose.com\", \"eu-2.sharedwithexpose.com\", \"tuns.sh\", \"ssi.sh\", \"tunnelto.dev\", \"pagekite.net\", \"pagekite.me\", \"loca.lt\", \"localtunnel.me\", \"dataplicity.com\", \"devtunnels.ms\", \"tunnels.api.visualstudio.com\", \"get.telebit.io\", \"telebit.io\", \"telebit.cloud\", \"telebit.fun\", \"data.rel.tunnels.api.visualstudio.com\", \"rel.tunnels.api.visualstudio.com\", \"global.rel.tunnels.api.visualstudio.com\", \"localhost.run\", \"pinggy.io\", \"pinggy.link\", \"amazonaws.com/public.pinggy.binaries/\", \"loophole.eu.auth0.com\", \"loophole.site\", \"burrow.io\", \"burrow.link\", \"io.burrow.link\", \"localto.net\", \"localtonet.com\", \"tmate.io\", \"tunnel.staqlab.com\", \"staqlab-tunnel.com\", \"staqlab.com\", \"jprq.io\", \"bore.pub\", \"btunnel.co.in\", \"btunnel.in\", \"ngrok.com\", \"ngrok.io\", \"ngrok.dev\", \"ngrok.app\", \"ngrok.pro\", \"ngrok.pizza\", \"ngrok-agent.com\", \"ngrok-free.app\", \"ngrok-cname.com\", \"serveo.net\", \"pitunnel.com\", \"openport.io\", \"beeceptor.com\", \"localxpose.io\", \"expose.sh\", \"expos.es\", \"trycloudflare.com\", \"cfargotunnel.com\", \"cftunnel.com\", \"bore.digital\")\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, event.dns.request\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, event.dns.request, Count\n\| sort -Count\n\| limit 100000\n"
`67`	`67`	`},`
`68`	`68`	`{`
`69`	`69`	`"category": "Execution & Persistence",`
`@@ -148,7 +148,7 @@`
`148`	`148`	`{`
`149`	`149`	`"category": "Execution & TTPs",`
`150`	`150`	`"name": "NetExec RDP Behaviour detected",`
`151`		- "query": "((src.process.name contains:anycase ('\| clip & exit' ,'clip; exit')) OR (tgt.process.cmdline contains:anycase ('\| clip & exit' ,'clip; exit'))) OR (src.process.name contains:anycase (\"clip.exe\") AND src.parent.process.name contains:anycase (\"powershell.exe\",\"pwsh.exe\",\"mshta.exe\",\"msiexec.exe\",\"cmd.exe\"))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, Count\n\| sort -Count\n\| limit 100000\n"
	`151`	+ "query": "((src.process.name contains:anycase ('\| clip & exit' ,'clip; exit')) OR (tgt.process.cmdline contains:anycase ('\| clip & exit' ,'clip; exit'))) OR (src.process.name contains:anycase (\"clip.exe\") AND src.process.parent.name contains:anycase (\"powershell.exe\",\"pwsh.exe\",\"mshta.exe\",\"msiexec.exe\",\"cmd.exe\"))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, Count\n\| sort -Count\n\| limit 100000\n"
`152`	`152`	`},`
`153`	`153`	`{`
`154`	`154`	`"category": "Credential Access",`
`@@ -258,7 +258,7 @@`
`258`	`258`	`{`
`259`	`259`	`"category": "Discovery & Reconnaissance",`
`260`	`260`	`"name": "Burp Suite Tool Detected",`
`261`		- "query": "(event.dns.request contains:anycase 'burpcollaborator.net' OR url.address contains:anycase 'burpcollaborator.net' AND (src.ip.address matches '^(10\\\\.\|172\\\\.(1[6-9]\|2[0-9]\|3[0-1])\\\\.\|192\\\\.168\\\\.\|127\\\\.).' OR dst.ip.address matches '^(10\\\\.\|172\\\\.(1[6-9]\|2[0-9]\|3[0-1])\\\\.\|192\\\\.168\\\\.\|127\\\\.).'))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.name, event.dns.request, url.address, src.ip.address, dst.ip.address\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.name, event.dns.request, url.address, src.ip.address, dst.ip.address, Count\n\| sort -Count\n\| limit 100000"
	`261`	+ "query": "(event.dns.request contains:anycase 'burpcollaborator.net' OR url.address contains:anycase 'burpcollaborator.net') AND (src.ip.address matches '^(10\\\\.\|172\\\\.(1[6-9]\|2[0-9]\|3[0-1])\\\\.\|192\\\\.168\\\\.\|127\\\\.).' OR dst.ip.address matches '^(10\\\\.\|172\\\\.(1[6-9]\|2[0-9]\|3[0-1])\\\\.\|192\\\\.168\\\\.\|127\\\\.).'))\n\| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.name, event.dns.request, url.address, src.ip.address, dst.ip.address\n\| let _firstSeenNs = _FirstSeenMs * 1000000\n\| let _lastSeenNs = _LastSeenMs * 1000000\n\| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.name, event.dns.request, url.address, src.ip.address, dst.ip.address, Count\n\| sort -Count\n\| limit 100000"
`262`	`262`	`},`
`263`	`263`	`{`
`264`	`264`	`"category": "Lateral Movement",`