Query Details

Go Simple Tunnel

Query

Query:
DeviceProcessEvents
| where ProcessCommandLine matches regex "\\-(?i)[f,l]\\=.*:\\/\\/"

References:
https://github.com/ginuerzh/gost

Explanation

The query reads process-creation telemetry (DeviceProcessEvents) and keeps the events whose ProcessCommandLine matches the regular expression. The pattern requires a hyphen, then the letter f or l (case-insensitive, so the -F and -L flags that gost uses also match), then an equals sign, and then, anywhere later on the command line, the "://" that separates a URL scheme from the rest of the URL. That shape corresponds to gost's -L= (listen) and -F= (forward) arguments, which take proxy URLs such as socks5://:1080 or http://host:port.

In other words, it surfaces processes started with -f=<url> or -l=<url> style arguments, regardless of the binary name, so a renamed gost binary is still caught. Two caveats: the character class [f,l] also contains a literal comma (harmless but unintended), and because ".*" can span the whole command line, any process whose arguments contain -f= or -l= with a URL appearing later (for example a media or download tool) will match as well, so hits need review.
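To see exactly what the expression fires on, the following added example (not code from the page or from the gost project) runs the page's regex over a handful of constructed command lines in Go. Kusto's `matches regex` and Go's regexp package both use RE2 syntax, so the pattern behaves the same in both. A tightened variant, which is my own suggestion rather than anything on the page, is evaluated alongside it: the flag must be its own argument, the comma is dropped from the class, and the URL must sit in the same argument as the flag. The space-separated form `-L socks5://...` is included on the assumption that gost accepts it like Go's standard flag package does.

```go
package main

import (
	"fmt"
	"regexp"
)

// The page's regex after Kusto string escaping is removed (each `\\` in the
// KQL literal is one backslash). RE2 treats `\-`, `\=` and `\/` as literals.
const pageRegex = `\-(?i)[f,l]\=.*:\/\/`

// Tightened variant (my suggestion, not from the page): the flag starts an
// argument, the class is just [fl], the value may follow `=` or whitespace,
// and `://` must appear before the next whitespace, so `.*` can no longer
// bridge from `-f=mp4` to a URL in an unrelated argument.
const tightRegex = `(?i)(^|\s)-[fl](=|\s+)\S*://`

var (
	pageRe  = regexp.MustCompile(pageRegex)
	tightRe = regexp.MustCompile(tightRegex)
)

// MatchesPage reports whether the page's regex fires on a command line.
func MatchesPage(cmdline string) bool { return pageRe.MatchString(cmdline) }

// MatchesTight reports whether the tightened regex fires on a command line.
func MatchesTight(cmdline string) bool { return tightRe.MatchString(cmdline) }

// Samples are constructed ProcessCommandLine values, not real telemetry.
var Samples = []string{
	`gost -L=socks5://:1080 -F=http://10.0.0.5:8080`,      // gost, -L= form
	`gost -l=ss://aes-128-cfb:secret@:8338`,               // gost, lowercase flag
	`gost -L socks5://:1080`,                              // gost, space form
	`gost -L=:8080`,                                       // gost, no scheme
	`ffmpeg -f=mp4 -i https://example.invalid/stream.m3u8`, // unrelated tool
	`curl -fsSL https://example.invalid/install.sh`,       // unrelated tool
}

func main() {
	for _, s := range Samples {
		fmt.Printf("page=%-5v tight=%-5v %s\n", MatchesPage(s), MatchesTight(s), s)
	}
}
```

The page's regex misses the space-separated gost form and fires on the ffmpeg line, because `.*` runs from `-f=mp4` across the rest of the arguments to `https://`. The tightened pattern catches all three gost-with-URL lines and neither of the unrelated tools; the `-L=:8080` line has no scheme and is missed by both, which is the expected limit of a URL-shaped signature.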

Details


Ali Hussein

Released: October 30, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

DeviceProcessEvents
where
matches regex
