
Possible Monero Miner Delivery via BlueKeep Exploit

Detects indicators of the first BlueKeep exploitation activity seen in the wild, which delivered a Monero miner.

# QRadar AQL

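SELECT "Process CommandLine", "Image"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Security Event Log%'
  AND (
    ("EventID" = '1' AND "Image" ILIKE '%\svchost.exe'
      AND NOT ("Image" = 'C:\WINDOWS\System32\svchost.exe' OR "Image" = 'C:\Windows\System32\svchost.exe'))
    OR ("EventID" = '1' AND "Image" ILIKE '%\svchost.exe'
      AND NOT ("ParentImage" = 'C:\Windows\System32\services.exe'))
    OR ("Process CommandLine" ILIKE '% schtasks /Delete /tn "relock" /f %'
      OR "Process CommandLine" ILIKE '% schtasks /End /tn "relock" %'
      OR "Process CommandLine" ILIKE '%relock%')
    OR "Image" ILIKE '%\spool\svchost.exe'
    OR ("EventID" = '11' AND "Filename" ILIKE '%\spool\svchost.exe%')
    OR "Process CommandLine" ILIKE '%powershell -w hiDDeN -e %'
  )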

# Splunk

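(EventCode="1" Image="*\svchost.exe" NOT (Image="C:\WINDOWS\System32\svchost.exe" OR Image="C:\Windows\System32\svchost.exe"))
OR (EventCode="1" Image="*\svchost.exe" NOT ParentImage="C:\Windows\System32\services.exe")
OR ((EventCode="4688" OR EventCode="1") (CommandLine="* schtasks /Delete /tn \"relock\" /f *" OR CommandLine="* schtasks /End /tn \"relock\" *" OR CommandLine="*relock*"))
OR ((EventCode="4688" OR EventCode="1") Image="*\spool\svchost.exe")
OR (EventCode="11" TargetFilename="*\spool\svchost.exe*")
OR ((EventCode="4688" OR EventCode="1") CommandLine="*powershell -w hiDDeN -e *")
| table CommandLine, Image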

# EDR Carbon Black

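(childproc_count:[1 to *] AND process_name:\svchost.exe AND -(process_name:C\:\WINDOWS\System32\svchost.exe OR process_name:C\:\Windows\System32\svchost.exe)) OR (childproc_count:[1 to *] AND process_name:\svchost.exe AND -(parent_name:C\:\Windows\System32\services.exe)) OR (cmdline:"schtasks /Delete /tn \"relock\" /f" OR cmdline:"schtasks /End /tn \"relock\"" OR cmdline:relock) OR process_name:\spool\svchost.exe OR (filemod_count:[1 to *] AND filemod:\spool\svchost.exe) OR cmdline:"powershell -w hiDDeN -e"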

# Windows PowerShell

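# Possible Monero miner delivery via BlueKeep: svchost.exe from an unusual path or
# parent, "relock" scheduled-task handling, svchost.exe under \spool\, or a hidden
# encoded PowerShell. Sysmon IDs 1 (process create) / 11 (file create), Security 4688.
#
# -match evaluates a .NET regex, so backslashes and dots in paths are escaped: written
# as "\svchost.exe" the pattern means <whitespace>vchost<any char>exe and never matches
# a real path. (?m) anchors ^/$ to one line of the multi-line Message, so "Image:" does
# not also hit the "ParentImage:" line. -match is case-insensitive, so one System32
# pattern covers the C:\WINDOWS spelling as well.
# NOTE(review): the Image:/CommandLine: labels follow the Sysmon message layout used by
# the source rule; 4688 messages label these fields differently — confirm against the
# 4688 text before relying on that event ID.
$processCreate    = 1, 4688
$svchostImage     = '(?m)^Image: .*\\svchost\.exe\s*$'
$system32Svchost  = '(?m)^Image: C:\\Windows\\System32\\svchost\.exe\s*$'
$servicesParent   = '(?m)^ParentImage: C:\\Windows\\System32\\services\.exe\s*$'
$relockCmd        = '(?m)^CommandLine: .*( schtasks /Delete /tn "relock" /f | schtasks /End /tn "relock" |relock)'
$spoolImage       = '(?m)^Image: .*\\spool\\svchost\.exe\s*$'
$spoolFile        = '(?m)^TargetFilename: .*\\spool\\svchost\.exe'
$hiddenPowershell = '(?m)^CommandLine: .*powershell -w hiDDeN -e '

# Filter on log and event ID at the source instead of piping every event through Where-Object;
# Get-WinEvent with no log/provider/path parameter does not run.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational', 'Security'
    Id      = 1, 11, 4688
} |
    Where-Object {
        $m = $_.Message
        ($_.Id -eq 1 -and $m -match $svchostImage -and -not ($m -match $system32Svchost)) -or
        ($_.Id -eq 1 -and $m -match $svchostImage -and -not ($m -match $servicesParent)) -or
        ($processCreate -contains $_.Id -and $m -match $relockCmd) -or
        ($processCreate -contains $_.Id -and $m -match $spoolImage) -or
        ($_.Id -eq 11 -and $m -match $spoolFile) -or
        ($processCreate -contains $_.Id -and $m -match $hiddenPowershell)
    } |
    Select-Object TimeCreated, Id, RecordId, ProcessId, MachineName, Message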