
Applications Spawning CMD or Powershell

Table listing processes that spawned cmd.exe or powershell.exe child processes.

Tags: EDR, hunting, T1059
FDR, intermediate, by ByteRay GmbH (cql-hub.com), 1 min read

Query

"#event_simpleName" = ProcessRollup2 event_platform="Win" FileName=/(cmd.exe|powershell.exe)/i
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| groupBy([ParentBaseFileName], function=[count(aid, distinct=true, as="DistinctHosts")])
| sort(DistinctHosts)
| rename(field="ParentBaseFileName", as="FileName")

Explanation

Imported from cql-hub.com. Pipe by pipe: the first line selects Windows ProcessRollup2 events whose FileName matches cmd.exe or powershell.exe (case-insensitive regex); `wildcard()` restricts the result to hosts whose ComputerName matches the `?ComputerName` parameter, ignoring case; `groupBy()` buckets the surviving events by ParentBaseFileName and counts the distinct sensor ids (aid) per parent, so each parent is scored by how many hosts it spawned a shell on rather than how many times; `sort()` orders the parents by that count; `rename()` relabels ParentBaseFileName as FileName in the output table.
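The same filter, host wildcard and per-parent distinct-host aggregation expressed in Python over a handful of constructed ProcessRollup2 events. This is an added illustration, not code from cql-hub.com or ByteRay GmbH; the event dictionaries, the `hunt()` function and the `computer_pattern` argument (standing in for `?ComputerName`) are assumptions for the example.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events mimicking the ProcessRollup2 fields the query touches.
EVENTS = [
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "FileName": "cmd.exe",
     "ParentBaseFileName": "explorer.exe", "aid": "aid-1", "ComputerName": "WS-01"},
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "FileName": "powershell.exe",
     "ParentBaseFileName": "winword.exe", "aid": "aid-2", "ComputerName": "WS-02"},
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "FileName": "POWERSHELL.EXE",
     "ParentBaseFileName": "winword.exe", "aid": "aid-3", "ComputerName": "SRV-01"},
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "FileName": "cmd.exe",
     "ParentBaseFileName": "winword.exe", "aid": "aid-2", "ComputerName": "WS-02"},  # same host again
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "FileName": "notepad.exe",
     "ParentBaseFileName": "explorer.exe", "aid": "aid-4", "ComputerName": "WS-03"},  # not a shell
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Lin", "FileName": "cmd.exe",
     "ParentBaseFileName": "bash", "aid": "aid-5", "ComputerName": "LX-01"},  # wrong platform
]

# Mirrors FileName=/(cmd.exe|powershell.exe)/i (unanchored, case-insensitive).
SHELL_RE = re.compile(r"(cmd.exe|powershell.exe)", re.IGNORECASE)


def hunt(events, computer_pattern="*"):
    """Return rows of {FileName, DistinctHosts}, one per parent process, highest count first.

    computer_pattern plays the role of the ?ComputerName parameter; '*' matches every host.
    """
    hosts_per_parent = defaultdict(set)
    for ev in events:
        if ev.get("#event_simpleName") != "ProcessRollup2" or ev.get("event_platform") != "Win":
            continue
        if not SHELL_RE.search(ev.get("FileName", "")):
            continue
        # wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
        if not fnmatchcase(ev.get("ComputerName", "").lower(), computer_pattern.lower()):
            continue
        # groupBy([ParentBaseFileName], function=[count(aid, distinct=true, ...)])
        hosts_per_parent[ev["ParentBaseFileName"]].add(ev["aid"])
    # rename(field="ParentBaseFileName", as="FileName") happens while building the rows.
    rows = [{"FileName": parent, "DistinctHosts": len(aids)} for parent, aids in hosts_per_parent.items()]
    rows.sort(key=lambda r: r["DistinctHosts"], reverse=True)  # sort(DistinctHosts), descending
    return rows


if __name__ == "__main__":
    for row in hunt(EVENTS):
        print(row)
```

Note that winword.exe scores 2, not 3: its two cmd/powershell children on aid-2 collapse into one host, which is the point of counting aid with distinct=true.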

Variables to adjust

Review and adjust the values for your environment. The `?ComputerName` parameter in the `wildcard()` pipe scopes the hunt to matching hosts; set it to `*` to cover the whole fleet, or to a hostname pattern to focus on a subset.