wikijm
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_addinutil_uncommon_child_process.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_addinutil_uncommon_child_process.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_appvlp_uncommon_child_process.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_appvlp_uncommon_child_process.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_arcsoc_susp_child_process.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_arcsoc_susp_child_process.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_aspnet_compiler_exectuion.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_aspnet_compiler_exectuion.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_aspnet_compiler_susp_child_process.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_aspnet_compiler_susp_child_process.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_aspnet_compiler_susp_paths.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_aspnet_compiler_susp_paths.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_at_interactive_execution.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_at_interactive_execution.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_baaupdate_susp_child_process.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_baaupdate_susp_child_process.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎S1PQ-rules-windows-process_creation/proc_creation_win_bginfo_suspicious_child_process.md‎
Lines changed: 1 addition & 1 deletion b/‎S1PQ-rules-windows-process_creation/proc_creation_win_bginfo_suspicious_child_process.md‎
Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\\addinutil.exe" and (not (tgt.process.image.path contains ":\\Windows\\System32\\conhost.exe" or tgt.process.image.path contains ":\\Windows\\System32\\werfault.exe" or tgt.process.image.path contains ":\\Windows\\SysWOW64\\werfault.exe"))))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\\appvlp.exe" and (not (tgt.process.image.path contains ":\\Windows\\SysWOW64\\rundll32.exe" or tgt.process.image.path contains ":\\Windows\\System32\\rundll32.exe")) and (not ((tgt.process.image.path contains ":\\Program Files\\Microsoft Office" and tgt.process.image.path contains "\\msoasb.exe") or ((tgt.process.image.path contains ":\\Program Files\\Microsoft Office" and tgt.process.image.path contains "\\SkypeSrv\\") and tgt.process.image.path contains "\\SKYPESERVER.EXE") or (tgt.process.image.path contains ":\\Program Files\\Microsoft Office" and tgt.process.image.path contains "\\MSOUC.EXE")))))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\\ArcSOC.exe" and (tgt.process.image.path contains "\\cmd.exe" or tgt.process.image.path contains "\\cscript.exe" or tgt.process.image.path contains "\\mshta.exe" or tgt.process.image.path contains "\\powershell.exe" or tgt.process.image.path contains "\\pwsh.exe" or tgt.process.image.path contains "\\regsvr32.exe" or tgt.process.image.path contains "\\rundll32.exe" or tgt.process.image.path contains "\\wmic.exe" or tgt.process.image.path contains "\\wscript.exe")) and (not (tgt.process.image.path contains "\\cmd.exe" and tgt.process.cmdline="cmd.exe /c \"ver\""))))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\\Windows\\Microsoft.NET\\Framework\\" or tgt.process.image.path contains ":\\Windows\\Microsoft.NET\\Framework64\\" or tgt.process.image.path contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or tgt.process.image.path contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and tgt.process.image.path contains "\\aspnet_compiler.exe"))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\\aspnet_compiler.exe" and ((tgt.process.image.path contains "\\calc.exe" or tgt.process.image.path contains "\\notepad.exe") or (tgt.process.image.path contains "\\Users\\Public\\" or tgt.process.image.path contains "\\AppData\\Local\\Temp\\" or tgt.process.image.path contains "\\AppData\\Local\\Roaming\\" or tgt.process.image.path contains ":\\Temp\\" or tgt.process.image.path contains ":\\Windows\\Temp\\" or tgt.process.image.path contains ":\\Windows\\System32\\Tasks\\" or tgt.process.image.path contains ":\\Windows\\Tasks\\"))))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains ":\\Windows\\Microsoft.NET\\Framework\\" or tgt.process.image.path contains ":\\Windows\\Microsoft.NET\\Framework64\\" or tgt.process.image.path contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or tgt.process.image.path contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and tgt.process.image.path contains "\\aspnet_compiler.exe" and (tgt.process.cmdline contains "\\Users\\Public\\" or tgt.process.cmdline contains "\\AppData\\Local\\Temp\\" or tgt.process.cmdline contains "\\AppData\\Local\\Roaming\\" or tgt.process.cmdline contains ":\\Temp\\" or tgt.process.cmdline contains ":\\Windows\\Temp\\" or tgt.process.cmdline contains ":\\Windows\\System32\\Tasks\\" or tgt.process.cmdline contains ":\\Windows\\Tasks\\")))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\\at.exe" and tgt.process.cmdline contains "interactive"))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.cmdline contains "/logon:none" or tgt.process.cmdline contains "/system:none" or tgt.process.cmdline contains "/sam:none" or tgt.process.cmdline contains "/privilege:none" or tgt.process.cmdline contains "/object:none" or tgt.process.cmdline contains "/process:none" or tgt.process.cmdline contains "/policy:none"))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\\baaupdate.exe" and (tgt.process.image.path contains "\\bitsadmin.exe" or tgt.process.image.path contains "\\cmd.exe" or tgt.process.image.path contains "\\cscript.exe" or tgt.process.image.path contains "\\mshta.exe" or tgt.process.image.path contains "\\powershell_ise.exe" or tgt.process.image.path contains "\\powershell.exe" or tgt.process.image.path contains "\\regsvr32.exe" or tgt.process.image.path contains "\\rundll32.exe" or tgt.process.image.path contains "\\schtasks.exe" or tgt.process.image.path contains "\\wmic.exe" or tgt.process.image.path contains "\\wscript.exe")))
 ```
 
 
@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 11-01-2026 02:30:34):
+// Translated content (automatically translated on 12-01-2026 02:26:06):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\\bginfo.exe" or src.process.image.path contains "\\bginfo64.exe") and ((tgt.process.image.path contains "\\calc.exe" or tgt.process.image.path contains "\\cmd.exe" or tgt.process.image.path contains "\\cscript.exe" or tgt.process.image.path contains "\\mshta.exe" or tgt.process.image.path contains "\\notepad.exe" or tgt.process.image.path contains "\\powershell.exe" or tgt.process.image.path contains "\\pwsh.exe" or tgt.process.image.path contains "\\wscript.exe") or (tgt.process.image.path contains "\\AppData\\Local\\" or tgt.process.image.path contains "\\AppData\\Roaming\\" or tgt.process.image.path contains ":\\Users\\Public\\" or tgt.process.image.path contains ":\\Temp\\" or tgt.process.image.path contains ":\\Windows\\Temp\\" or tgt.process.image.path contains ":\\PerfLogs\\"))))
 ```