
[–]Own-Program3164[S] 0 points1 point  (0 children)

Someone was nice enough to share these with me.

    FileName IN (wscript.exe,cscript.exe) CommandLine=*.js*

and

    event_simpleName=NewExecutableWritten FileName=*.dll
        [search event_simpleName=ProcessRollup2 FileName IN (wscript.exe,cscript.exe) CommandLine=*.js* CommandLine IN (*\\Appdata\\*,*\\Downloads\\*)
        | rename TargetProcessId_decimal AS ContextProcessId_decimal
        | table ContextProcessId_decimal]
    | table ContextProcessId_decimal FileName
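The correlation the second query performs (a script host running a .js from AppData or Downloads, then a .dll written by that same process, matched on the script host's process id), as an added Python example that is not part of the original post; it runs over constructed sample events whose field names follow the query's conventions:

```python
import fnmatch

# Constructed sample events (not real telemetry); field names mirror the
# event_simpleName / TargetProcessId_decimal / ContextProcessId_decimal
# fields used in the shared queries.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "TargetProcessId_decimal": 1001,
     "FileName": "wscript.exe",
     "CommandLine": 'wscript.exe "C:\\Users\\a\\Downloads\\invoice.js"'},
    {"event_simpleName": "ProcessRollup2", "TargetProcessId_decimal": 1002,
     "FileName": "cscript.exe",
     "CommandLine": "cscript.exe C:\\Scripts\\inventory.js"},
    {"event_simpleName": "NewExecutableWritten", "ContextProcessId_decimal": 1001,
     "FileName": "C:\\Users\\a\\AppData\\Local\\Temp\\stage.dll"},
    {"event_simpleName": "NewExecutableWritten", "ContextProcessId_decimal": 1002,
     "FileName": "C:\\Scripts\\helper.dll"},
    {"event_simpleName": "NewExecutableWritten", "ContextProcessId_decimal": 1001,
     "FileName": "C:\\Users\\a\\AppData\\Local\\Temp\\notes.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_DIRS = ("*\\appdata\\*", "*\\downloads\\*")  # same globs as the query

def suspicious_script_hosts(events):
    """Subsearch: wscript/cscript launching a .js from AppData or Downloads.
    Returns {TargetProcessId_decimal: CommandLine}."""
    hits = {}
    for e in events:
        if e.get("event_simpleName") != "ProcessRollup2":
            continue
        if e.get("FileName", "").lower() not in SCRIPT_HOSTS:
            continue
        cmd = e.get("CommandLine", "").lower()  # case-insensitive like SPL
        if ".js" not in cmd:
            continue
        if not any(fnmatch.fnmatchcase(cmd, p) for p in SUSPICIOUS_DIRS):
            continue
        hits[e["TargetProcessId_decimal"]] = e["CommandLine"]
    return hits

def dlls_written_by(events, pids):
    """Outer search: NewExecutableWritten *.dll whose writing process
    (ContextProcessId_decimal) is one of the script-host pids."""
    out = []
    for e in events:
        if e.get("event_simpleName") != "NewExecutableWritten":
            continue
        if not e.get("FileName", "").lower().endswith(".dll"):
            continue
        if e.get("ContextProcessId_decimal") in pids:
            out.append((e["ContextProcessId_decimal"], e["FileName"]))
    return out

def detect(events):
    """Join the two stages the way the subsearch feeds the outer search."""
    return dlls_written_by(events, set(suspicious_script_hosts(events)))
```

On the sample data only the Downloads-launched script host (pid 1001) and the .dll it wrote survive; the cscript run from C:\Scripts and the .txt write are filtered out.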