Apply automatic changes

Author: wikijm

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_boinc_execution.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and tgt.process.displayName="University of California, Berkeley")
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_conhost_headless_execution.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\\conhost.exe" and src.process.cmdline contains "--headless"))
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_csc_compilation.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\\csc.exe" and tgt.process.cmdline contains "/noconfig /fullpaths @"))
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_curl_download.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\\curl.exe" or tgt.process.displayName="The curl executable") and (tgt.process.cmdline contains " -O" or tgt.process.cmdline contains "--remote-name" or tgt.process.cmdline contains "--output")))
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_curl_execution.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and (tgt.process.image.path contains "\\curl.exe" or tgt.process.displayName="The curl executable"))
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_curl_fileupload.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and (((tgt.process.image.path contains "\\curl.exe" or tgt.process.displayName="The curl executable") and ((tgt.process.cmdline contains " --form" or tgt.process.cmdline contains " --upload-file " or tgt.process.cmdline contains " --data " or tgt.process.cmdline contains " --data-") or tgt.process.cmdline matches "\\s-[FTd]\\s")) and (not (tgt.process.cmdline contains "://localhost" or tgt.process.cmdline contains "://127.0.0.1"))))
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_curl_useragent.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and ((tgt.process.image.path contains "\\curl.exe" or tgt.process.displayName="The curl executable") and (tgt.process.cmdline contains " -A " or tgt.process.cmdline contains " --user-agent ")))
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_dfsvc_child_processes.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\\dfsvc.exe" and tgt.process.image.path contains "\\AppData\\Local\\Apps\\2.0\\"))
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_diskshadow_child_process.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and (src.process.image.path contains "\\diskshadow.exe" and (not tgt.process.image.path contains ":\\Windows\\System32\\WerFault.exe")))
 ```
 

S1PQ-rules-threat-hunting-windows-process_creation/proc_creation_win_explorer_child_of_shell_process.md

@@ -1,5 +1,5 @@
 ```sql
-// Translated content (automatically translated on 12-01-2026 00:57:10):
+// Translated content (automatically translated on 13-01-2026 00:50:20):
 event.type="Process Creation" and (endpoint.os="windows" and ((src.process.image.path contains "\\cmd.exe" or src.process.image.path contains "\\powershell.exe" or src.process.image.path contains "\\pwsh.exe") and tgt.process.image.path contains "\\explorer.exe" and tgt.process.cmdline contains "explorer.exe"))
 ```