@Samirbous
Created November 16, 2021 14:21
// Office application (Word, Excel, PowerPoint) spawns a child process and then exits
// within one second. Both stages must come from the same host and are joined on the
// Office process's entity_id: process.parent.entity_id of the child creation event
// must equal process.entity_id of the termination event.
sequence by host.id with maxspan=1s
  // Stage 1: a child process is created by Word, Excel or PowerPoint.
  // Windows Error Reporting (WerFault.exe) and the print spooler helper (splwow64.exe),
  // when started with arguments, are excluded so ordinary crashes and printing do not match.
  [process where event.action : "creation_event" and
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe") and
    not (process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\WINDOWS\\splwow64.exe") and
         process.args_count >= 2)
  ] by process.parent.entity_id
  // Stage 2: that same Office process terminates. Its own parent is another Office app,
  // Explorer (launched from the shell) or a mail client (launched from an attachment).
  [process where event.action : "termination_event" and
    process.name : ("winword.exe", "excel.exe", "powerpnt.exe") and
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "outlook.exe", "thunderbird.exe")
  ] by process.entity_id
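To show what the sequence above actually matches, here is an added Python replay of its logic over a handful of constructed process events. This is illustrative code written for this page, not part of the gist and not Elastic's EQL engine: it simplifies sequence matching (one pending stage-1 event per join key, strict time ordering) and represents events as flat dicts with the same ECS field names the query uses. The host ids, entity ids and timestamps are made up.

```python
"""Replay of the two-stage EQL sequence over constructed sample events (added example)."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TERMINATION_PARENTS = OFFICE_APPS | {"explorer.exe", "outlook.exe", "thunderbird.exe"}
# Exclusion patterns from the query; '?' stands for the drive letter, as in EQL wildcards.
EXCLUDED_EXECUTABLES = (r"?:\Windows\System32\WerFault.exe", r"?:\WINDOWS\splwow64.exe")
MAXSPAN = timedelta(seconds=1)


def _matches_any(value, patterns):
    """EQL-style case-insensitive wildcard match (backslashes are literal in fnmatch)."""
    lowered = value.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def is_creation_stage(ev):
    """Stage 1: child created by an Office app, minus the WerFault/splwow64 exclusion."""
    if ev["event.action"] != "creation_event":
        return False
    if ev["process.parent.name"].lower() not in OFFICE_APPS:
        return False
    excluded = (_matches_any(ev["process.executable"], EXCLUDED_EXECUTABLES)
                and ev["process.args_count"] >= 2)
    return not excluded


def is_termination_stage(ev):
    """Stage 2: an Office app terminates and its parent is Office, Explorer or a mail client."""
    return (ev["event.action"] == "termination_event"
            and ev["process.name"].lower() in OFFICE_APPS
            and ev["process.parent.name"].lower() in TERMINATION_PARENTS)


def find_sequences(events):
    """Join stage 1 (keyed on process.parent.entity_id) to stage 2 (keyed on
    process.entity_id) on the same host.id, requiring stage 2 within MAXSPAN of stage 1."""
    pending = {}   # (host.id, office entity_id) -> stage-1 event awaiting its termination
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_termination_stage(ev):
            first = pending.pop((ev["host.id"], ev["process.entity_id"]), None)
            if first is not None and ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                matches.append((first, ev))
        elif is_creation_stage(ev):
            pending[(ev["host.id"], ev["process.parent.entity_id"])] = ev
    return matches


# Constructed sample telemetry (not real logs). Timestamps are offsets from T0.
T0 = datetime(2021, 11, 16, 14, 21, 0)


def _ev(host, action, seconds, fields):
    base = {"host.id": host, "event.action": action, "@timestamp": T0 + timedelta(seconds=seconds)}
    base.update(fields)
    return base


SAMPLE_EVENTS = [
    # h1: Word spawns a child and exits 0.4 s later -> should match.
    _ev("h1", "creation_event", 0.0, {"process.name": "cmd.exe",
        "process.executable": r"C:\Windows\System32\cmd.exe", "process.args_count": 3,
        "process.parent.name": "WINWORD.EXE", "process.parent.entity_id": "p-1"}),
    _ev("h1", "termination_event", 0.4, {"process.name": "WINWORD.EXE",
        "process.entity_id": "p-1", "process.parent.name": "explorer.exe"}),
    # h1: Excel crashes and WerFault.exe reports it -> excluded by the stage-1 filter.
    _ev("h1", "creation_event", 10.0, {"process.name": "WerFault.exe",
        "process.executable": r"C:\Windows\System32\WerFault.exe", "process.args_count": 5,
        "process.parent.name": "EXCEL.EXE", "process.parent.entity_id": "p-2"}),
    _ev("h1", "termination_event", 10.3, {"process.name": "EXCEL.EXE",
        "process.entity_id": "p-2", "process.parent.name": "explorer.exe"}),
    # h2: PowerPoint spawns a child but stays up for 5 s -> outside maxspan, no match.
    _ev("h2", "creation_event", 20.0, {"process.name": "notepad.exe",
        "process.executable": r"C:\Windows\System32\notepad.exe", "process.args_count": 1,
        "process.parent.name": "POWERPNT.EXE", "process.parent.entity_id": "p-3"}),
    _ev("h2", "termination_event", 25.0, {"process.name": "POWERPNT.EXE",
        "process.entity_id": "p-3", "process.parent.name": "outlook.exe"}),
]


def run_sample():
    """Return the sequences found in SAMPLE_EVENTS (expected: exactly the h1 Word/cmd pair)."""
    return find_sequences(SAMPLE_EVENTS)


if __name__ == "__main__":
    for first, second in run_sample():
        print(f"{first['host.id']}: {first['process.parent.name']} spawned "
              f"{first['process.name']} then exited after "
              f"{(second['@timestamp'] - first['@timestamp']).total_seconds():.1f}s")
```

Running it reports only the first host's Word-then-cmd pair: the WerFault case is dropped by the exclusion and the PowerPoint case falls outside the one-second window, which is the same behaviour the `maxspan` and `not (...)` clauses give in the query.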