shotgunner101

FileFix sample query

Jun 25th, 2025 (edited)
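  ```FileFix hunting query over Sysmon process-creation events (EventCode 1).
     The hypothesis this query encodes: a web browser is the *direct parent* of a
     shell, script host or other living-off-the-land binary. index=* is kept from
     the original sample; scope it to the index that actually holds Sysmon data
     before turning this into a scheduled alert.```
  index=* EventCode=1 source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
  ```match() is case-sensitive, so (?i) does the job of the lower() copies of the
     fields. Every pattern is anchored on a trailing path separator and ".exe$",
     so "notcmd.exe" or "cmd.exe.bak" are not accepted. The alternation groups
     below are the same binary list as the original OR-chain, grouped by role so
     that a name can be added or removed in one place.```
  | where match(ParentImage, "(?i)\\\\(?:chrome|brave|firefox|msedge|iexplore)\.exe$")
    AND (
        ```shells and script hosts```
        match(Image, "(?i)\\\\(?:powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$")
        ```proxy execution, download and install utilities```
        OR match(Image, "(?i)\\\\(?:rundll32|regsvr32|bitsadmin|certutil|msiexec|installutil|regasm|regsvcs|msxsl|odbcconf|ieexec|hh|makecab|expand|extrac32)\.exe$")
        ```scheduled, remote and indirect command execution```
        OR match(Image, "(?i)\\\\(?:schtasks|at|wmic|forfiles|pcalua|winrm|winrs|runas|runonce|runoncex|scriptrunner|syncappvpublishingserver|presentationhost)\.exe$")
        ```host, network and session discovery```
        OR match(Image, "(?i)\\\\(?:findstr|sc|net|net1|netsh|nltest|whoami|tasklist|query|qprocess|qwinsta|rwinsta|gpresult|systeminfo|driverquery|fltmc)\.exe$")
        ```session and process control```
        OR match(Image, "(?i)\\\\(?:logoff|shutdown|taskkill)\.exe$")
        ```boot, backup and disk tampering```
        OR match(Image, "(?i)\\\\(?:bcdedit|vssadmin|wbadmin|diskpart|fsutil|cipher)\.exe$")
        ```servicing, COM and miscellaneous signed binaries; presumably the
           noisiest group in a real environment, tune per site```
        OR match(Image, "(?i)\\\\(?:dism|sdbinst|control|appvlp|mavinject|dllhost|verclsid|psr|infdefaultinstall|cmstp|xwizard|wusa|pkgmgr|pnputil|devcon|sigverif|mmc|replace|print)\.exe$")
    )
  ```Triage columns: parent and child command lines carry the pasted command,
     Hashes ties the child image to a known binary.```
  | table _time, Computer, User, ParentImage, ParentCommandLine, Image, CommandLine, ProcessId, ParentProcessId, Hashes
  ```sort truncates to 10000 results by default; the leading 0 removes that cap
     so a large result set is not silently cut off.```
  | sort 0 -_time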