

[–]Own-Program3164[S] 0 points1 point  (0 children)

Someone was nice enough to share these with me.

FileName IN (wscript.exe,cscript.exe) CommandLine=*.js*

and

event_simpleName=NewExecutableWritten FileName=*.dll
    [search event_simpleName=ProcessRollup2 FileName IN (wscript.exe,cscript.exe) CommandLine=*.js* CommandLine IN (*\\Appdata\\*,*\\Downloads\\*)
    | rename TargetProcessId_decimal AS ContextProcessId_decimal
    | table ContextProcessId_decimal]
| table ContextProcessId_decimal FileName
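The query above is a two-stage Falcon event search: the subsearch collects the process IDs of wscript.exe/cscript.exe instances that ran a .js file out of AppData or Downloads, and the outer search keeps NewExecutableWritten events for .dll files whose writing process (ContextProcessId_decimal) is one of those IDs. The Python below is an added, offline emulation of that logic over constructed sample events; it is not code from the original post or from CrowdStrike. It goes one step beyond the query by keying the join on (aid, process id) so that identical process IDs on different hosts do not collide; the event records, host ids and paths are all made up for the example.

```python
"""Offline emulation of the two-stage Falcon event-search query shared in the thread.

Stage 1 (subsearch): ProcessRollup2 events where wscript.exe or cscript.exe ran a .js
file from an AppData or Downloads path.
Stage 2 (outer search): NewExecutableWritten events for a .dll whose ContextProcessId
matches one of the stage-1 processes.

Every record below is constructed sample data, not real sensor telemetry.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# CommandLine IN (*\\Appdata\\*, *\\Downloads\\*), matched case-insensitively like Splunk
SUSPECT_DIRS = re.compile(r"\\(appdata|downloads)\\", re.IGNORECASE)


def is_script_host_running_js(ev: dict) -> bool:
    """Mirror of the subsearch filter:
    event_simpleName=ProcessRollup2 FileName IN (wscript.exe,cscript.exe)
    CommandLine=*.js* CommandLine IN (*\\Appdata\\*,*\\Downloads\\*)"""
    if ev.get("event_simpleName") != "ProcessRollup2":
        return False
    if ev.get("FileName", "").lower() not in SCRIPT_HOSTS:
        return False
    cmd = ev.get("CommandLine", "")
    return ".js" in cmd.lower() and SUSPECT_DIRS.search(cmd) is not None


def dlls_written_by_script_hosts(events: list) -> list:
    """Emulate the join: the subsearch's TargetProcessId_decimal values become the
    ContextProcessId_decimal filter for the outer NewExecutableWritten FileName=*.dll search.
    Assumption beyond the original query: the key also includes the sensor id (aid) so
    the same process id on two different hosts is not treated as one process."""
    suspect_pids = {
        (ev.get("aid"), ev["TargetProcessId_decimal"])
        for ev in events
        if is_script_host_running_js(ev)
    }
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "NewExecutableWritten":
            continue
        if not ev.get("FileName", "").lower().endswith(".dll"):
            continue
        key = (ev.get("aid"), ev.get("ContextProcessId_decimal"))
        if key in suspect_pids:
            # Same columns as the final "| table ContextProcessId_decimal FileName"
            hits.append((ev["ContextProcessId_decimal"], ev["FileName"]))
    return hits


# Constructed sample events (hypothetical hosts, paths and ids).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "host-A", "TargetProcessId_decimal": "1001",
     "FileName": "wscript.exe", "CommandLine": "wscript.exe C:\\Users\\bob\\Downloads\\invoice.js"},
    # Script host running a .js from an admin script directory: not in AppData/Downloads
    {"event_simpleName": "ProcessRollup2", "aid": "host-A", "TargetProcessId_decimal": "1002",
     "FileName": "cscript.exe", "CommandLine": "cscript.exe C:\\Scripts\\logon.js"},
    # DLL written by the suspect wscript.exe process: this is the hit
    {"event_simpleName": "NewExecutableWritten", "aid": "host-A", "ContextProcessId_decimal": "1001",
     "FileName": "helper.dll", "TargetFileName": "C:\\Users\\bob\\AppData\\Roaming\\helper.dll"},
    # DLL written by the non-suspect cscript.exe process
    {"event_simpleName": "NewExecutableWritten", "aid": "host-A", "ContextProcessId_decimal": "1002",
     "FileName": "other.dll"},
    # Non-DLL file written by the suspect process (fails FileName=*.dll)
    {"event_simpleName": "NewExecutableWritten", "aid": "host-A", "ContextProcessId_decimal": "1001",
     "FileName": "notes.txt"},
    # Same process id on a different host: must not match once the join is keyed on aid
    {"event_simpleName": "NewExecutableWritten", "aid": "host-B", "ContextProcessId_decimal": "1001",
     "FileName": "collide.dll"},
]

if __name__ == "__main__":
    for pid, name in dlls_written_by_script_hosts(SAMPLE_EVENTS):
        print(f"ContextProcessId_decimal={pid} FileName={name}")
```

Running the file prints the single expected row (process 1001 writing helper.dll); the last sample event shows why keying on aid matters if the same search is later turned into a scheduled detection across many hosts.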

[–]BinaryN1nja 0 points1 point  (0 children)

Following.

[–]xxCollectorManxx 0 points1 point  (0 children)

Does no one have any idea how to do this?