Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4

Hunt Hypothesis

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Detection Rule

Sigma (Original)

title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
id: 225274c4-8dd1-40db-9e09-71dff4f6fb3c
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
    - Internal Research
tags:
    - attack.stealth
date: 2022-12-05
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '🔸'
            - '🔹'
            - '🔶'
            - '🔷'
            - '🔳'
            - '🔲'
            - '▪️'
            - '▫️'
            - '◾️'
            - '◽️'
            - '◼️'
            - '◻️'
            - '🟥'
            - '🟧'
            - '🟨'
            - '🟩'
            - '🟦'
            - '🟪'
            - '⬛️'
            - '⬜️'
            - '🟫'
            - '🔈'
            - '🔇'
            - '🔉'
            - '🔊'
            - '🔔'
            - '🔕'
            - '📣'
            - '📢'
            - '👁‍🗨'
            - '💬'
            - '💭'
            - '🗯'
            - '♠️'
            - '♣️'
            - '♥️'
            - '♦️'
            - '🃏'
            - '🎴'
            - '🀄️'
            - '🕐'
            - '🕑'
            - '🕒'
            - '🕓'
            - '🕔'
            - '🕕'
            - '🕖'
            - '🕗'
            - '🕘'
            - '🕙'
            - '🕚'
            - '🕛'
            - '🕜'
            - '🕝'
            - '🕞'
            - '🕟'
            - '🕠'
            - '🕡'
            - '🕢'
            - '🕣'
            - '🕤'
            - '🕥'
            - '🕦'
            - '🕧✢'
            - '✣'
            - '✤'
            - '✥'
            - '✦'
            - '✧'
            - '★'
            - '☆'
            - '✯'
            - '✡︎'
            - '✩'
            - '✪'
            - '✫'
            - '✬'
            - '✭'
            - '✮'
            - '✶'
            - '✷'
            - '✵'
            - '✸'
            - '✹'
            - '→'
            - '⇒'
            - '⟹'
            - '⇨'
            - '⇾'
            - '➾'
            - '⇢'
            - '☛'
            - '☞'
            - '➔'
            - '➜'
            - '➙'
            - '➛'
            - '➝'
            - '➞'
            - '♠︎'
            - '♣︎'
            - '♥︎'
            - '♦︎'
            - '♤'
            - '♧'
            - '♡'
            - '♢'
            - '♚'
            - '♛'
            - '♜'
            - '♝'
            - '♞'
            - '♟'
            - '♔'
            - '♕'
            - '♖'
            - '♗'
            - '♘'
            - '♙'
            - '⚀'
            - '⚁'
            - '⚂'
            - '⚃'
            - '⚄'
            - '⚅'
            - '🂠'
            - '⚈'
            - '⚉'
            - '⚆'
            - '⚇'
            - '𓀀'
            - '𓀁'
            - '𓀂'
            - '𓀃'
            - '𓀄'
            - '𓀅'
            - '𓀆'
            - '𓀇'
            - '𓀈'
            - '𓀉'
            - '𓀊'
            - '𓀋'
            - '𓀌'
            - '𓀍'
            - '𓀎'
            - '𓀏'
            - '𓀐'
            - '𓀑'
            - '𓀒'
            - '𓀓'
            - '𓀔'
            - '𓀕'
            - '𓀖'
            - '𓀗'
            - '𓀘'
            - '𓀙'
            - '𓀚'
            - '𓀛'
            - '𓀜'
            - '𓀝🏳️'
            - '🏴'
            - '🏁'
            - '🚩'
            - '🏳️‍🌈'
            - '🏳️‍⚧️'
            - '🏴‍☠️'
            - '🇦🇫'
            - '🇦🇽'
            - '🇦🇱'
            - '🇩🇿'
            - '🇦🇸'
            - '🇦🇩'
            - '🇦🇴'
            - '🇦🇮'
            - '🇦🇶'
            - '🇦🇬'
            - '🇦🇷'
            - '🇦🇲'
            - '🇦🇼'
            - '🇦🇺'
            - '🇦🇹'
            - '🇦🇿'
            - '🇧🇸'
            - '🇧🇭'
            - '🇧🇩'
            - '🇧🇧'
            - '🇧🇾'
            - '🇧🇪'
            - '🇧🇿'
            - '🇧🇯'
            - '🇧🇲'
            - '🇧🇹'
            - '🇧🇴'
            - '🇧🇦'
            - '🇧🇼'
            - '🇧🇷'
            - '🇮🇴'
            - '🇻🇬'
            - '🇧🇳'
            - '🇧🇬'
            - '🇧🇫'
            - '🇧🇮'
            - '🇰🇭'
            - '🇨🇲'
            - '🇨🇦'
            - '🇮🇨'
            - '🇨🇻'
            - '🇧🇶'
            - '🇰🇾'
            - '🇨🇫'
            - '🇹🇩'
            - '🇨🇱'
            - '🇨🇳'
            - '🇨🇽'
            - '🇨🇨'
            - '🇨🇴'
            - '🇰🇲'
            - '🇨🇬'
            - '🇨🇩'
            - '🇨🇰'
            - '🇨🇷'
            - '🇨🇮'
            - '🇭🇷'
            - '🇨🇺'
            - '🇨🇼'
            - '🇨🇾'
            - '🇨🇿'
            - '🇩🇰'
            - '🇩🇯'
            - '🇩🇲'
            - '🇩🇴'
            - '🇪🇨'
            - '🇪🇬'
            - '🇸🇻'
            - '🇬🇶'
            - '🇪🇷'
            - '🇪🇪'
            - '🇪🇹'
            - '🇪🇺'
            - '🇫🇰'
            - '🇫🇴'
            - '🇫🇯'
            - '🇫🇮'
            - '🇫🇷'
            - '🇬🇫'
            - '🇵🇫'
            - '🇹🇫'
            - '🇬🇦'
            - '🇬🇲'
            - '🇬🇪'
            - '🇩🇪'
            - '🇬🇭'
            - '🇬🇮'
            - '🇬🇷'
            - '🇬🇱'
            - '🇬🇩'
            - '🇬🇵'
            - '🇬🇺'
            - '🇬🇹'
            - '🇬🇬'
            - '🇬🇳'
            - '🇬🇼'
            - '🇬🇾'
            - '🇭🇹'
            - '🇭🇳'
            - '🇭🇰'
            - '🇭🇺'
            - '🇮🇸'
            - '🇮🇳'
            - '🇮🇩'
            - '🇮🇷'
            - '🇮🇶'
            - '🇮🇪'
            - '🇮🇲'
            - '🇮🇱'
            - '🇮🇹'
            - '🇯🇲'
            - '🇯🇵'
            - '🎌'
            - '🇯🇪'
            - '🇯🇴'
            - '🇰🇿'
            - '🇰🇪'
            - '🇰🇮'
            - '🇽🇰'
            - '🇰🇼'
            - '🇰🇬'
            - '🇱🇦'
            - '🇱🇻'
            - '🇱🇧'
            - '🇱🇸'
            - '🇱🇷'
            - '🇱🇾'
            - '🇱🇮'
            - '🇱🇹'
            - '🇱🇺'
            - '🇲🇴'
            - '🇲🇰'
            - '🇲🇬'
            - '🇲🇼'
            - '🇲🇾'
            - '🇲🇻'
            - '🇲🇱'
            - '🇲🇹'
            - '🇲🇭'
            - '🇲🇶'
            - '🇲🇷'
            - '🇲🇺'
            - '🇾🇹'
            - '🇲🇽'
            - '🇫🇲'
            - '🇲🇩'
            - '🇲🇨'
            - '🇲🇳'
            - '🇲🇪'
            - '🇲🇸'
            - '🇲🇦'
            - '🇲🇿'
            - '🇲🇲'
            - '🇳🇦'
            - '🇳🇷'
            - '🇳🇵'
            - '🇳🇱'
            - '🇳🇨'
            - '🇳🇿'
            - '🇳🇮'
            - '🇳🇪'
            - '🇳🇬'
            - '🇳🇺'
            - '🇳🇫'
            - '🇰🇵'
            - '🇲🇵'
            - '🇳🇴'
            - '🇴🇲'
            - '🇵🇰'
            - '🇵🇼'
            - '🇵🇸'
            - '🇵🇦'
            - '🇵🇬'
            - '🇵🇾'
            - '🇵🇪'
            - '🇵🇭'
            - '🇵🇳'
            - '🇵🇱'
            - '🇵🇹'
            - '🇵🇷'
            - '🇶🇦'
            - '🇷🇪'
            - '🇷🇴'
            - '🇷🇺'
            - '🇷🇼'
            - '🇼🇸'
            - '🇸🇲'
            - '🇸🇦'
            - '🇸🇳'
            - '🇷🇸'
            - '🇸🇨'
            - '🇸🇱'
            - '🇸🇬'
            - '🇸🇽'
            - '🇸🇰'
            - '🇸🇮'
            - '🇬🇸'
            - '🇸🇧'
            - '🇸🇴'
            - '🇿🇦'
            - '🇰🇷'
            - '🇸🇸'
            - '🇪🇸'
            - '🇱🇰'
            - '🇧🇱'
            - '🇸🇭'
            - '🇰🇳'
            - '🇱🇨'
            - '🇵🇲'
            - '🇻🇨'
            - '🇸🇩'
            - '🇸🇷'
            - '🇸🇿'
            - '🇸🇪'
            - '🇨🇭'
            - '🇸🇾'
            - '🇹🇼'
            - '🇹🇯'
            - '🇹🇿'
            - '🇹🇭'
            - '🇹🇱'
            - '🇹🇬'
            - '🇹🇰'
            - '🇹🇴'
            - '🇹🇹'
            - '🇹🇳'
            - '🇹🇷'
            - '🇹🇲'
            - '🇹🇨'
            - '🇹🇻'
            - '🇻🇮'
            - '🇺🇬'
            - '🇺🇦'
            - '🇦🇪'
            - '🇬🇧'
            - '🏴󠁧󠁢󠁥󠁮󠁧󠁿'
            - '🏴󠁧󠁢󠁳󠁣󠁴󠁿'
            - '🏴󠁧󠁢󠁷󠁬󠁳󠁿'
            - '🇺🇳'
            - '🇺🇸'
            - '🇺🇾'
            - '🇺🇿'
            - '🇻🇺'
            - '🇻🇦'
            - '🇻🇪'
            - '🇻🇳'
            - '🇼🇫'
            - '🇪🇭'
            - '🇾🇪'
            - '🇿🇲'
            - '🇿🇼🫠'
            - '🫢'
            - '🫣'
            - '🫡'
            - '🫥'
            - '🫤'
            - '🥹'
            - '🫱'
            - '🫱🏻'
            - '🫱🏼'
            - '🫱🏽'
            - '🫱🏾'
            - '🫱🏿'
            - '🫲'
            - '🫲🏻'
            - '🫲🏼'
            - '🫲🏽'
            - '🫲🏾'
            - '🫲🏿'
            - '🫳'
            - '🫳🏻'
            - '🫳🏼'
            - '🫳🏽'
            - '🫳🏾'
            - '🫳🏿'
            - '🫴'
            - '🫴🏻'
            - '🫴🏼'
            - '🫴🏽'
            - '🫴🏾'
            - '🫴🏿'
            - '🫰'
            - '🫰🏻'
            - '🫰🏼'
            - '🫰🏽'
            - '🫰🏾'
            - '🫰🏿'
            - '🫵'
            - '🫵🏻'
            - '🫵🏼'
            - '🫵🏽'
            - '🫵🏾'
            - '🫵🏿'
            - '🫶'
            - '🫶🏻'
            - '🫶🏼'
            - '🫶🏽'
            - '🫶🏾'
            - '🫶🏿'
            - '🤝🏻'
            - '🤝🏼'
            - '🤝🏽'
            - '🤝🏾'
            - '🤝🏿'
            - '🫱🏻‍🫲🏼'
            - '🫱🏻‍🫲🏽'
            - '🫱🏻‍🫲🏾'
            - '🫱🏻‍🫲🏿'
            - '🫱🏼‍🫲🏻'
            - '🫱🏼‍🫲🏽'
            - '🫱🏼‍🫲🏾'
            - '🫱🏼‍🫲🏿'
            - '🫱🏽‍🫲🏻'
            - '🫱🏽‍🫲🏼'
            - '🫱🏽‍🫲🏾'
            - '🫱🏽‍🫲🏿'
            - '🫱🏾‍🫲🏻'
            - '🫱🏾‍🫲🏼'
            - '🫱🏾‍🫲🏽'
            - '🫱🏾‍🫲🏿'
            - '🫱🏿‍🫲🏻'
            - '🫱🏿‍🫲🏼'
            - '🫱🏿‍🫲🏽'
            - '🫱🏿‍🫲🏾'
            - '🫦'
            - '🫅'
            - '🫅🏻'
            - '🫅🏼'
            - '🫅🏽'
            - '🫅🏾'
            - '🫅🏿'
            - '🫃'
            - '🫃🏻'
            - '🫃🏼'
            - '🫃🏽'
            - '🫃🏾'
            - '🫃🏿'
            - '🫄'
            - '🫄🏻'
            - '🫄🏼'
            - '🫄🏽'
            - '🫄🏾'
            - '🫄🏿'
            - '🧌'
            - '🪸'
            - '🪷'
            - '🪹'
            - '🪺'
            - '🫘'
            - '🫗'
            - '🫙'
            - '🛝'
            - '🛞'
            - '🛟'
            - '🪬'
            - '🪩'
            - '🪫'
            - '🩼'
            - '🩻'
            - '🫧'
            - '🪪'
            - '🟰'
            - '😮‍💨'
            - '😵‍💫'
            - '😶‍🌫️'
            - '❤️‍🔥'
            - '❤️‍🩹'
            - '🧔‍♀️'
            - '🧔🏻‍♀️'
            - '🧔🏼‍♀️'
            - '🧔🏽‍♀️'
            - '🧔🏾‍♀️'
            - '🧔🏿‍♀️'
            - '🧔‍♂️'
            - '🧔🏻‍♂️'
            - '🧔🏼‍♂️'
            - '🧔🏽‍♂️'
            - '🧔🏾‍♂️'
            - '🧔🏿‍♂️'
            - '💑🏻'
            - '💑🏼'
            - '💑🏽'
            - '💑🏾'
            - '💑🏿'
            - '💏🏻'
            - '💏🏼'
            - '💏🏽'
            - '💏🏾'
            - '💏🏿'
            - '👨🏻‍❤️‍👨🏻'
            - '👨🏻‍❤️‍👨🏼'
            - '👨🏻‍❤️‍👨🏽'
            - '👨🏻‍❤️‍👨🏾'
            - '👨🏻‍❤️‍👨🏿'
            - '👨🏼‍❤️‍👨🏻'
            - '👨🏼‍❤️‍👨🏼'
            - '👨🏼‍❤️‍👨🏽'
            - '👨🏼‍❤️‍👨🏾'
            - '👨🏼‍❤️‍👨🏿'
            - '👨🏽‍❤️‍👨🏻'
            - '👨🏽‍❤️‍👨🏼'
            - '👨🏽‍❤️‍👨🏽'
            - '👨🏽‍❤️‍👨🏾'
            - '👨🏽‍❤️‍👨🏿'
            - '👨🏾‍❤️‍👨🏻'
            - '👨🏾‍❤️‍👨🏼'
            - '👨🏾‍❤️‍👨🏽'
            - '👨🏾‍❤️‍👨🏾'
            - '👨🏾‍❤️‍👨🏿'
            - '👨🏿‍❤️‍👨🏻'
            - '👨🏿‍❤️‍👨🏼'
            - '👨🏿‍❤️‍👨🏽'
            - '👨🏿‍❤️‍👨🏾'
            - '👨🏿‍❤️‍👨🏿'
            - '👩🏻‍❤️‍👨🏻'
            - '👩🏻‍❤️‍👨🏼'
            - '👩🏻‍❤️‍👨🏽'
            - '👩🏻‍❤️‍👨🏾'
            - '👩🏻‍❤️‍👨🏿'
            - '👩🏻‍❤️‍👩🏻'
            - '👩🏻‍❤️‍👩🏼'
            - '👩🏻‍❤️‍👩🏽'
            - '👩🏻‍❤️‍👩🏾'
            - '👩🏻‍❤️‍👩🏿'
            - '👩🏼‍❤️‍👨🏻'
            - '👩🏼‍❤️‍👨🏼'
            - '👩🏼‍❤️‍👨🏽'
            - '👩🏼‍❤️‍👨🏾'
            - '👩🏼‍❤️‍👨🏿'
            - '👩🏼‍❤️‍👩🏻'
            - '👩🏼‍❤️‍👩🏼'
            - '👩🏼‍❤️‍👩🏽'
            - '👩🏼‍❤️‍👩🏾'
            - '👩🏼‍❤️‍👩🏿'
            - '👩🏽‍❤️‍👨🏻'
            - '👩🏽‍❤️‍👨🏼'
            - '👩🏽‍❤️‍👨🏽'
            - '👩🏽‍❤️‍👨🏾'
            - '👩🏽‍❤️‍👨🏿'
            - '👩🏽‍❤️‍👩🏻'
            - '👩🏽‍❤️‍👩🏼'
            - '👩🏽‍❤️‍👩🏽'
            - '👩🏽‍❤️‍👩🏾'
            - '👩🏽‍❤️‍👩🏿'
            - '👩🏾‍❤️‍👨🏻'
            - '👩🏾‍❤️‍👨🏼'
            - '👩🏾‍❤️‍👨🏽'
            - '👩🏾‍❤️‍👨🏾'
            - '👩🏾‍❤️‍👨🏿'
            - '👩🏾‍❤️‍👩🏻'
            - '👩🏾‍❤️‍👩🏼'
            - '👩🏾‍❤️‍👩🏽'
            - '👩🏾‍❤️‍👩🏾'
            - '👩🏾‍❤️‍👩🏿'
            - '👩🏿‍❤️‍👨🏻'
            - '👩🏿‍❤️‍👨🏼'
            - '👩🏿‍❤️‍👨🏽'
            - '👩🏿‍❤️‍👨🏾'
            - '👩🏿‍❤️‍👨🏿'
            - '👩🏿‍❤️‍👩🏻'
            - '👩🏿‍❤️‍👩🏼'
            - '👩🏿‍❤️‍👩🏽'
            - '👩🏿‍❤️‍👩🏾'
            - '👩🏿‍❤️‍👩🏿'
            - '🧑🏻‍❤️‍🧑🏼'
            - '🧑🏻‍❤️‍🧑🏽'
            - '🧑🏻‍❤️‍🧑🏾'
            - '🧑🏻‍❤️‍🧑🏿'
            - '🧑🏼‍❤️‍🧑🏻'
            - '🧑🏼‍❤️‍🧑🏽'
            - '🧑🏼‍❤️‍🧑🏾'
            - '🧑🏼‍❤️‍🧑🏿'
            - '🧑🏽‍❤️‍🧑🏻'
            - '🧑🏽‍❤️‍🧑🏼'
            - '🧑🏽‍❤️‍🧑🏾'
            - '🧑🏽‍❤️‍🧑🏿'
            - '🧑🏾‍❤️‍🧑🏻'
            - '🧑🏾‍❤️‍🧑🏼'
            - '🧑🏾‍❤️‍🧑🏽'
            - '🧑🏾‍❤️‍🧑🏿'
            - '🧑🏿‍❤️‍🧑🏻'
            - '🧑🏿‍❤️‍🧑🏼'
            - '🧑🏿‍❤️‍🧑🏽'
            - '🧑🏿‍❤️‍🧑🏾'
            - '👨🏻‍❤️‍💋‍👨🏻'
            - '👨🏻‍❤️‍💋‍👨🏼'
            - '👨🏻‍❤️‍💋‍👨🏽'
            - '👨🏻‍❤️‍💋‍👨🏾'
            - '👨🏻‍❤️‍💋‍👨🏿'
            - '👨🏼‍❤️‍💋‍👨🏻'
            - '👨🏼‍❤️‍💋‍👨🏼'
            - '👨🏼‍❤️‍💋‍👨🏽'
            - '👨🏼‍❤️‍💋‍👨🏾'
            - '👨🏼‍❤️‍💋‍👨🏿'
            - '👨🏽‍❤️‍💋‍👨🏻'
            - '👨🏽‍❤️‍💋‍👨🏼'
            - '👨🏽‍❤️‍💋‍👨🏽'
            - '👨🏽‍❤️‍💋‍👨🏾'
            - '👨🏽‍❤️‍💋‍👨🏿'
            - '👨🏾‍❤️‍💋‍👨🏻'
            - '👨🏾‍❤️‍💋‍👨🏼'
            - '👨🏾‍❤️‍💋‍👨🏽'
            - '👨🏾‍❤️‍💋‍👨🏾'
            - '👨🏾‍❤️‍💋‍👨🏿'
            - '👨🏿‍❤️‍💋‍👨🏻'
            - '👨🏿‍❤️‍💋‍👨🏼'
            - '👨🏿‍❤️‍💋‍👨🏽'
            - '👨🏿‍❤️‍💋‍👨🏾'
            - '👨🏿‍❤️‍💋‍👨🏿'
            - '👩🏻‍❤️‍💋‍👨🏻'
            - '👩🏻‍❤️‍💋‍👨🏼'
            - '👩🏻‍❤️‍💋‍👨🏽'
            - '👩🏻‍❤️‍💋‍👨🏾'
            - '👩🏻‍❤️‍💋‍👨🏿'
            - '👩🏻‍❤️‍💋‍👩🏻'
            - '👩🏻‍❤️‍💋‍👩🏼'
            - '👩🏻‍❤️‍💋‍👩🏽'
            - '👩🏻‍❤️‍💋‍👩🏾'
            - '👩🏻‍❤️‍💋‍👩🏿'
            - '👩🏼‍❤️‍💋‍👨🏻'
            - '👩🏼‍❤️‍💋‍👨🏼'
            - '👩🏼‍❤️‍💋‍👨🏽'
            - '👩🏼‍❤️‍💋‍👨🏾'
            - '👩🏼‍❤️‍💋‍👨🏿'
            - '👩🏼‍❤️‍💋‍👩🏻'
            - '👩🏼‍❤️‍💋‍👩🏼'
            - '👩🏼‍❤️‍💋‍👩🏽'
            - '👩🏼‍❤️‍💋‍👩🏾'
            - '👩🏼‍❤️‍💋‍👩🏿'
            - '👩🏽‍❤️‍💋‍👨🏻'
            - '👩🏽‍❤️‍💋‍👨🏼'
            - '👩🏽‍❤️‍💋‍👨🏽'
            - '👩🏽‍❤️‍💋‍👨🏾'
            - '👩🏽‍❤️‍💋‍👨🏿'
            - '👩🏽‍❤️‍💋‍👩🏻'
            - '👩🏽‍❤️‍💋‍👩🏼'
            - '👩🏽‍❤️‍💋‍👩🏽'
            - '👩🏽‍❤️‍💋‍👩🏾'
            - '👩🏽‍❤️‍💋‍👩🏿'
            - '👩🏾‍❤️‍💋‍👨🏻'
            - '👩🏾‍❤️‍💋‍👨🏼'
            - '👩🏾‍❤️‍💋‍👨🏽'
            - '👩🏾‍❤️‍💋‍👨🏾'
            - '👩🏾‍❤️‍💋‍👨🏿'
            - '👩🏾‍❤️‍💋‍👩🏻'
            - '👩🏾‍❤️‍💋‍👩🏼'
            - '👩🏾‍❤️‍💋‍👩🏽'
            - '👩🏾‍❤️‍💋‍👩🏾'
            - '👩🏾‍❤️‍💋‍👩🏿'
            - '👩🏿‍❤️‍💋‍👨🏻'
            - '👩🏿‍❤️‍💋‍👨🏼'
            - '👩🏿‍❤️‍💋‍👨🏽'
            - '👩🏿‍❤️‍💋‍👨🏾'
            - '👩🏿‍❤️‍💋‍👨🏿'
            - '👩🏿‍❤️‍💋‍👩🏻'
            - '👩🏿‍❤️‍💋‍👩🏼'
            - '👩🏿‍❤️‍💋‍👩🏽'
            - '👩🏿‍❤️‍💋‍👩🏾'
            - '👩🏿‍❤️‍💋‍👩🏿'
            - '🧑🏻‍❤️‍💋‍🧑🏼'
            - '🧑🏻‍❤️‍💋‍🧑🏽'
            - '🧑🏻‍❤️‍💋‍🧑🏾'
            - '🧑🏻‍❤️‍💋‍🧑🏿'
            - '🧑🏼‍❤️‍💋‍🧑🏻'
            - '🧑🏼‍❤️‍💋‍🧑🏽'
            - '🧑🏼‍❤️‍💋‍🧑🏾'
            - '🧑🏼‍❤️‍💋‍🧑🏿'
            - '🧑🏽‍❤️‍💋‍🧑🏻'
            - '🧑🏽‍❤️‍💋‍🧑🏼'
            - '🧑🏽‍❤️‍💋‍🧑🏾'
            - '🧑🏽‍❤️‍💋‍🧑🏿'
            - '🧑🏾‍❤️‍💋‍🧑🏻'
            - '🧑🏾‍❤️‍💋‍🧑🏼'
            - '🧑🏾‍❤️‍💋‍🧑🏽'
            - '🧑🏾‍❤️‍💋‍🧑🏿'
            - '🧑🏿‍❤️‍💋‍🧑🏻'
            - '🧑🏿‍❤️‍💋‍🧑🏼'
            - '🧑🏿‍❤️‍💋‍🧑🏽'
            - '🧑🏿‍❤️‍💋‍🧑🏾'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "🔸" or TargetProcessCommandLine contains "🔹" or TargetProcessCommandLine contains "🔶" or TargetProcessCommandLine contains "🔷" or TargetProcessCommandLine contains "🔳" or TargetProcessCommandLine contains "🔲" or TargetProcessCommandLine contains "▪️" or TargetProcessCommandLine contains "▫️" or TargetProcessCommandLine contains "◾️" or TargetProcessCommandLine contains "◽️" or TargetProcessCommandLine contains "◼️" or TargetProcessCommandLine contains "◻️" or TargetProcessCommandLine contains "🟥" or TargetProcessCommandLine contains "🟧" or TargetProcessCommandLine contains "🟨" or TargetProcessCommandLine contains "🟩" or TargetProcessCommandLine contains "🟦" or TargetProcessCommandLine contains "🟪" or TargetProcessCommandLine contains "⬛️" or TargetProcessCommandLine contains "⬜️" or TargetProcessCommandLine contains "🟫" or TargetProcessCommandLine contains "🔈" or TargetProcessCommandLine contains "🔇" or TargetProcessCommandLine contains "🔉" or TargetProcessCommandLine contains "🔊" or TargetProcessCommandLine contains "🔔" or TargetProcessCommandLine contains "🔕" or TargetProcessCommandLine contains "📣" or TargetProcessCommandLine contains "📢" or TargetProcessCommandLine contains "👁‍🗨" or TargetProcessCommandLine contains "💬" or TargetProcessCommandLine contains "💭" or TargetProcessCommandLine contains "🗯" or TargetProcessCommandLine contains "♠️" or TargetProcessCommandLine contains "♣️" or TargetProcessCommandLine contains "♥️" or TargetProcessCommandLine contains "♦️" or TargetProcessCommandLine contains "🃏" or TargetProcessCommandLine contains "🎴" or TargetProcessCommandLine contains "🀄️" or TargetProcessCommandLine contains "🕐" or TargetProcessCommandLine contains "🕑" or TargetProcessCommandLine contains "🕒" or TargetProcessCommandLine contains "🕓" or TargetProcessCommandLine contains "🕔" or TargetProcessCommandLine contains "🕕" or TargetProcessCommandLine contains "🕖" or TargetProcessCommandLine contains "🕗" or TargetProcessCommandLine contains "🕘" or TargetProcessCommandLine contains "🕙" or TargetProcessCommandLine contains "🕚" or TargetProcessCommandLine contains "🕛" or TargetProcessCommandLine contains "🕜" or TargetProcessCommandLine contains "🕝" or TargetProcessCommandLine contains "🕞" or TargetProcessCommandLine contains "🕟" or TargetProcessCommandLine contains "🕠" or TargetProcessCommandLine contains "🕡" or TargetProcessCommandLine contains "🕢" or TargetProcessCommandLine contains "🕣" or TargetProcessCommandLine contains "🕤" or TargetProcessCommandLine contains "🕥" or TargetProcessCommandLine contains "🕦" or TargetProcessCommandLine contains "🕧✢" or TargetProcessCommandLine contains "✣" or TargetProcessCommandLine contains "✤" or TargetProcessCommandLine contains "✥" or TargetProcessCommandLine contains "✦" or TargetProcessCommandLine contains "✧" or TargetProcessCommandLine contains "★" or TargetProcessCommandLine contains "☆" or TargetProcessCommandLine contains "✯" or TargetProcessCommandLine contains "✡︎" or TargetProcessCommandLine contains "✩" or TargetProcessCommandLine contains "✪" or TargetProcessCommandLine contains "✫" or TargetProcessCommandLine contains "✬" or TargetProcessCommandLine contains "✭" or TargetProcessCommandLine contains "✮" or TargetProcessCommandLine contains "✶" or TargetProcessCommandLine contains "✷" or TargetProcessCommandLine contains "✵" or TargetProcessCommandLine contains "✸" or TargetProcessCommandLine contains "✹" or TargetProcessCommandLine contains "→" or TargetProcessCommandLine contains "⇒" or TargetProcessCommandLine contains "⟹" or TargetProcessCommandLine contains "⇨" or TargetProcessCommandLine contains "⇾" or TargetProcessCommandLine contains "➾" or TargetProcessCommandLine contains "⇢" or TargetProcessCommandLine contains "☛" or TargetProcessCommandLine contains "☞" or TargetProcessCommandLine contains "➔" or TargetProcessCommandLine contains "➜" or TargetProcessCommandLine contains "➙" or TargetProcessCommandLine contains "➛" or TargetProcessCommandLine contains "➝" or TargetProcessCommandLine contains "➞" or TargetProcessCommandLine contains "♠︎" or TargetProcessCommandLine contains "♣︎" or TargetProcessCommandLine contains "♥︎" or TargetProcessCommandLine contains "♦︎" or TargetProcessCommandLine contains "♤" or TargetProcessCommandLine contains "♧" or TargetProcessCommandLine contains "♡" or TargetProcessCommandLine contains "♢" or TargetProcessCommandLine contains "♚" or TargetProcessCommandLine contains "♛" or TargetProcessCommandLine contains "♜" or TargetProcessCommandLine contains "♝" or TargetProcessCommandLine contains "♞" or TargetProcessCommandLine contains "♟" or TargetProcessCommandLine contains "♔" or TargetProcessCommandLine contains "♕" or TargetProcessCommandLine contains "♖" or TargetProcessCommandLine contains "♗" or TargetProcessCommandLine contains "♘" or TargetProcessCommandLine contains "♙" or TargetProcessCommandLine contains "⚀" or TargetProcessCommandLine contains "⚁" or TargetProcessCommandLine contains "⚂" or TargetProcessCommandLine contains "⚃" or TargetProcessCommandLine contains "⚄" or TargetProcessCommandLine contains "⚅" or TargetProcessCommandLine contains "🂠" or TargetProcessCommandLine contains "⚈" or TargetProcessCommandLine contains "⚉" or TargetProcessCommandLine contains "⚆" or TargetProcessCommandLine contains "⚇" or TargetProcessCommandLine contains "𓀀" or TargetProcessCommandLine contains "𓀁" or TargetProcessCommandLine contains "𓀂" or TargetProcessCommandLine contains "𓀃" or TargetProcessCommandLine contains "𓀄" or TargetProcessCommandLine contains "𓀅" or TargetProcessCommandLine contains "𓀆" or TargetProcessCommandLine contains "𓀇" or TargetProcessCommandLine contains "𓀈" or TargetProcessCommandLine contains "𓀉" or TargetProcessCommandLine contains "𓀊" or TargetProcessCommandLine contains "𓀋" or TargetProcessCommandLine contains "𓀌" or TargetProcessCommandLine contains "𓀍" or TargetProcessCommandLine contains "𓀎" or TargetProcessCommandLine contains "𓀏" or TargetProcessCommandLine contains "𓀐" or TargetProcessCommandLine contains "𓀑" or TargetProcessCommandLine contains "𓀒" or TargetProcessCommandLine contains "𓀓" or TargetProcessCommandLine contains "𓀔" or TargetProcessCommandLine contains "𓀕" or TargetProcessCommandLine contains "𓀖" or TargetProcessCommandLine contains "𓀗" or TargetProcessCommandLine contains "𓀘" or TargetProcessCommandLine contains "𓀙" or TargetProcessCommandLine contains "𓀚" or TargetProcessCommandLine contains "𓀛" or TargetProcessCommandLine contains "𓀜" or TargetProcessCommandLine contains "𓀝🏳️" or TargetProcessCommandLine contains "🏴" or TargetProcessCommandLine contains "🏁" or TargetProcessCommandLine contains "🚩" or TargetProcessCommandLine contains "🏳️‍🌈" or TargetProcessCommandLine contains "🏳️‍⚧️" or TargetProcessCommandLine contains "🏴‍☠️" or TargetProcessCommandLine contains "🇦🇫" or TargetProcessCommandLine contains "🇦🇽" or TargetProcessCommandLine contains "🇦🇱" or TargetProcessCommandLine contains "🇩🇿" or TargetProcessCommandLine contains "🇦🇸" or TargetProcessCommandLine contains "🇦🇩" or TargetProcessCommandLine contains "🇦🇴" or TargetProcessCommandLine contains "🇦🇮" or TargetProcessCommandLine contains "🇦🇶" or TargetProcessCommandLine contains "🇦🇬" or TargetProcessCommandLine contains "🇦🇷" or TargetProcessCommandLine contains "🇦🇲" or TargetProcessCommandLine contains "🇦🇼" or TargetProcessCommandLine contains "🇦🇺" or TargetProcessCommandLine contains "🇦🇹" or TargetProcessCommandLine contains "🇦🇿" or TargetProcessCommandLine contains "🇧🇸" or TargetProcessCommandLine contains "🇧🇭" or TargetProcessCommandLine contains "🇧🇩" or TargetProcessCommandLine contains "🇧🇧" or TargetProcessCommandLine contains "🇧🇾" or TargetProcessCommandLine contains "🇧🇪" or TargetProcessCommandLine contains "🇧🇿" or TargetProcessCommandLine contains "🇧🇯" or TargetProcessCommandLine contains "🇧🇲" or TargetProcessCommandLine contains "🇧🇹" or TargetProcessCommandLine contains "🇧🇴" or TargetProcessCommandLine contains "🇧🇦" or TargetProcessCommandLine contains "🇧🇼" or TargetProcessCommandLine contains "🇧🇷" or TargetProcessCommandLine contains "🇮🇴" or TargetProcessCommandLine contains "🇻🇬" or TargetProcessCommandLine contains "🇧🇳" or TargetProcessCommandLine contains "🇧🇬" or TargetProcessCommandLine contains "🇧🇫" or TargetProcessCommandLine contains "🇧🇮" or TargetProcessCommandLine contains "🇰🇭" or TargetProcessCommandLine contains "🇨🇲" or TargetProcessCommandLine contains "🇨🇦" or TargetProcessCommandLine contains "🇮🇨" or TargetProcessCommandLine contains "🇨🇻" or TargetProcessCommandLine contains "🇧🇶" or TargetProcessCommandLine contains "🇰🇾" or TargetProcessCommandLine contains "🇨🇫" or TargetProcessCommandLine contains "🇹🇩" or TargetProcessCommandLine contains "🇨🇱" or TargetProcessCommandLine contains "🇨🇳" or TargetProcessCommandLine contains "🇨🇽" or TargetProcessCommandLine contains "🇨🇨" or TargetProcessCommandLine contains "🇨🇴" or TargetProcessCommandLine contains "🇰🇲" or TargetProcessCommandLine contains "🇨🇬" or TargetProcessCommandLine contains "🇨🇩" or TargetProcessCommandLine contains "🇨🇰" or TargetProcessCommandLine contains "🇨🇷" or TargetProcessCommandLine contains "🇨🇮" or TargetProcessCommandLine contains "🇭🇷" or TargetProcessCommandLine contains "🇨🇺" or TargetProcessCommandLine contains "🇨🇼" or TargetProcessCommandLine contains "🇨🇾" or TargetProcessCommandLine contains "🇨🇿" or TargetProcessCommandLine contains "🇩🇰" or TargetProcessCommandLine contains "🇩🇯" or TargetProcessCommandLine contains "🇩🇲" or TargetProcessCommandLine contains "🇩🇴" or TargetProcessCommandLine contains "🇪🇨" or TargetProcessCommandLine contains "🇪🇬" or TargetProcessCommandLine contains "🇸🇻" or TargetProcessCommandLine contains "🇬🇶" or TargetProcessCommandLine contains "🇪🇷" or TargetProcessCommandLine contains "🇪🇪" or TargetProcessCommandLine contains "🇪🇹" or TargetProcessCommandLine contains "🇪🇺" or TargetProcessCommandLine contains "🇫🇰" or TargetProcessCommandLine contains "🇫🇴" or TargetProcessCommandLine contains "🇫🇯" or TargetProcessCommandLine contains "🇫🇮" or TargetProcessCommandLine contains "🇫🇷" or TargetProcessCommandLine contains "🇬🇫" or TargetProcessCommandLine contains "🇵🇫" or TargetProcessCommandLine contains "🇹🇫" or TargetProcessCommandLine contains "🇬🇦" or TargetProcessCommandLine contains "🇬🇲" or TargetProcessCommandLine contains "🇬🇪" or TargetProcessCommandLine contains "🇩🇪" or TargetProcessCommandLine contains "🇬🇭" or TargetProcessCommandLine contains "🇬🇮" or TargetProcessCommandLine contains "🇬🇷" or TargetProcessCommandLine contains "🇬🇱" or TargetProcessCommandLine contains "🇬🇩" or TargetProcessCommandLine contains "🇬🇵" or TargetProcessCommandLine contains "🇬🇺" or TargetProcessCommandLine contains "🇬🇹" or TargetProcessCommandLine contains "🇬🇬" or TargetProcessCommandLine contains "🇬🇳" or TargetProcessCommandLine contains "🇬🇼" or TargetProcessCommandLine contains "🇬🇾" or TargetProcessCommandLine contains "🇭🇹" or TargetProcessCommandLine contains "🇭🇳" or TargetProcessCommandLine contains "🇭🇰" or TargetProcessCommandLine contains "🇭🇺" or TargetProcessCommandLine contains "🇮🇸" or TargetProcessCommandLine contains "🇮🇳" or TargetProcessCommandLine contains "🇮🇩" or TargetProcessCommandLine contains "🇮🇷" or TargetProcessCommandLine contains "🇮🇶" or TargetProcessCommandLine contains "🇮🇪" or TargetProcessCommandLine contains "🇮🇲" or TargetProcessCommandLine contains "🇮🇱" or TargetProcessCommandLine contains "🇮🇹" or TargetProcessCommandLine contains "🇯🇲" or TargetProcessCommandLine contains "🇯🇵" or TargetProcessCommandLine contains "🎌" or TargetProcessCommandLine contains "🇯🇪" or TargetProcessCommandLine contains "🇯🇴" or TargetProcessCommandLine contains "🇰🇿" or TargetProcessCommandLine contains "🇰🇪" or TargetProcessCommandLine contains "🇰🇮" or TargetProcessCommandLine contains "🇽🇰" or TargetProcessCommandLine contains "🇰🇼" or TargetProcessCommandLine contains "🇰🇬" or TargetProcessCommandLine contains "🇱🇦" or TargetProcessCommandLine contains "🇱🇻" or TargetProcessCommandLine contains "🇱🇧" or TargetProcessCommandLine contains "🇱🇸" or TargetProcessCommandLine contains "🇱🇷" or TargetProcessCommandLine contains "🇱🇾" or TargetProcessCommandLine contains "🇱🇮" or TargetProcessCommandLine contains "🇱🇹" or TargetProcessCommandLine contains "🇱🇺" or TargetProcessCommandLine contains "🇲🇴" or TargetProcessCommandLine contains "🇲🇰" or TargetProcessCommandLine contains "🇲🇬" or TargetProcessCommandLine contains "🇲🇼" or TargetProcessCommandLine contains "🇲🇾" or TargetProcessCommandLine contains "🇲🇻" or TargetProcessCommandLine contains "🇲🇱" or TargetProcessCommandLine contains "🇲🇹" or TargetProcessCommandLine contains "🇲🇭" or TargetProcessCommandLine contains "🇲🇶" or TargetProcessCommandLine contains "🇲🇷" or TargetProcessCommandLine contains "🇲🇺" or TargetProcessCommandLine contains "🇾🇹" or TargetProcessCommandLine contains "🇲🇽" or TargetProcessCommandLine contains "🇫🇲" or TargetProcessCommandLine contains "🇲🇩" or TargetProcessCommandLine contains "🇲🇨" or TargetProcessCommandLine contains "🇲🇳" or TargetProcessCommandLine contains "🇲🇪" or TargetProcessCommandLine contains "🇲🇸" or TargetProcessCommandLine contains "🇲🇦" or TargetProcessCommandLine contains "🇲🇿" or TargetProcessCommandLine contains "🇲🇲" or TargetProcessCommandLine contains "🇳🇦" or TargetProcessCommandLine contains "🇳🇷" or TargetProcessCommandLine contains "🇳🇵" or TargetProcessCommandLine contains "🇳🇱" or TargetProcessCommandLine contains "🇳🇨" or TargetProcessCommandLine contains "🇳🇿" or TargetProcessCommandLine contains "🇳🇮" or TargetProcessCommandLine contains "🇳🇪" or TargetProcessCommandLine contains "🇳🇬" or TargetProcessCommandLine contains "🇳🇺" or TargetProcessCommandLine contains "🇳🇫" or TargetProcessCommandLine contains "🇰🇵" or TargetProcessCommandLine contains "🇲🇵" or TargetProcessCommandLine contains "🇳🇴" or TargetProcessCommandLine contains "🇴🇲" or TargetProcessCommandLine contains "🇵🇰" or TargetProcessCommandLine contains "🇵🇼" or TargetProcessCommandLine contains "🇵🇸" or TargetProcessCommandLine contains "🇵🇦" or TargetProcessCommandLine contains "🇵🇬" or TargetProcessCommandLine contains "🇵🇾" or TargetProcessCommandLine contains "🇵🇪" or TargetProcessCommandLine contains "🇵🇭" or TargetProcessCommandLine contains "🇵🇳" or TargetProcessCommandLine contains "🇵🇱" or TargetProcessCommandLine contains "🇵🇹" or TargetProcessCommandLine contains "🇵🇷" or TargetProcessCommandLine contains "🇶🇦" or TargetProcessCommandLine contains "🇷🇪" or TargetProcessCommandLine contains "🇷🇴" or TargetProcessCommandLine contains "🇷🇺" or TargetProcessCommandLine contains "🇷🇼" or TargetProcessCommandLine contains "🇼🇸" or TargetProcessCommandLine contains "🇸🇲" or TargetProcessCommandLine contains "🇸🇦" or TargetProcessCommandLine contains "🇸🇳" or TargetProcessCommandLine contains "🇷🇸" or TargetProcessCommandLine contains "🇸🇨" or TargetProcessCommandLine contains "🇸🇱" or TargetProcessCommandLine contains "🇸🇬" or TargetProcessCommandLine contains "🇸🇽" or TargetProcessCommandLine contains "🇸🇰" or TargetProcessCommandLine contains "🇸🇮" or TargetProcessCommandLine contains "🇬🇸" or TargetProcessCommandLine contains "🇸🇧" or TargetProcessCommandLine contains "🇸🇴" or TargetProcessCommandLine contains "🇿🇦" or TargetProcessCommandLine contains "🇰🇷" or TargetProcessCommandLine contains "🇸🇸" or TargetProcessCommandLine contains "🇪🇸" or TargetProcessCommandLine contains "🇱🇰" or TargetProcessCommandLine contains "🇧🇱" or TargetProcessCommandLine contains "🇸🇭" or TargetProcessCommandLine contains "🇰🇳" or TargetProcessCommandLine contains "🇱🇨" or TargetProcessCommandLine contains "🇵🇲" or TargetProcessCommandLine contains "🇻🇨" or TargetProcessCommandLine contains "🇸🇩" or TargetProcessCommandLine contains "🇸🇷" or TargetProcessCommandLine contains "🇸🇿" or TargetProcessCommandLine contains "🇸🇪" or TargetProcessCommandLine contains "🇨🇭" or TargetProcessCommandLine contains "🇸🇾" or TargetProcessCommandLine contains "🇹🇼" or TargetProcessCommandLine contains "🇹🇯" or TargetProcessCommandLine contains "🇹🇿" or TargetProcessCommandLine contains "🇹🇭" or TargetProcessCommandLine contains "🇹🇱" or TargetProcessCommandLine contains "🇹🇬" or TargetProcessCommandLine contains "🇹🇰" or TargetProcessCommandLine contains "🇹🇴" or TargetProcessCommandLine contains "🇹🇹" or TargetProcessCommandLine contains "🇹🇳" or TargetProcessCommandLine contains "🇹🇷" or TargetProcessCommandLine contains "🇹🇲" or TargetProcessCommandLine contains "🇹🇨" or TargetProcessCommandLine contains "🇹🇻" or TargetProcessCommandLine contains "🇻🇮" or TargetProcessCommandLine contains "🇺🇬" or TargetProcessCommandLine contains "🇺🇦" or TargetProcessCommandLine contains "🇦🇪" or TargetProcessCommandLine contains "🇬🇧" or TargetProcessCommandLine contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or TargetProcessCommandLine contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or TargetProcessCommandLine contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or TargetProcessCommandLine contains "🇺🇳" or TargetProcessCommandLine contains "🇺🇸" or TargetProcessCommandLine contains "🇺🇾" or TargetProcessCommandLine contains "🇺🇿" or TargetProcessCommandLine contains "🇻🇺" or TargetProcessCommandLine contains "🇻🇦" or TargetProcessCommandLine contains "🇻🇪" or TargetProcessCommandLine contains "🇻🇳" or TargetProcessCommandLine contains "🇼🇫" or TargetProcessCommandLine contains "🇪🇭" or TargetProcessCommandLine contains "🇾🇪" or TargetProcessCommandLine contains "🇿🇲" or TargetProcessCommandLine contains "🇿🇼🫠" or TargetProcessCommandLine contains "🫢" or TargetProcessCommandLine contains "🫣" or TargetProcessCommandLine contains "🫡" or TargetProcessCommandLine contains "🫥" or TargetProcessCommandLine contains "🫤" or TargetProcessCommandLine contains "🥹" or TargetProcessCommandLine contains "🫱" or TargetProcessCommandLine contains "🫱🏻" or TargetProcessCommandLine contains "🫱🏼" or TargetProcessCommandLine contains "🫱🏽" or TargetProcessCommandLine contains "🫱🏾" or TargetProcessCommandLine contains "🫱🏿" or TargetProcessCommandLine contains "🫲" or TargetProcessCommandLine contains "🫲🏻" or TargetProcessCommandLine contains "🫲🏼" or TargetProcessCommandLine contains "🫲🏽" or TargetProcessCommandLine contains "🫲🏾" or TargetProcessCommandLine contains "🫲🏿" or TargetProcessCommandLine contains "🫳" or TargetProcessCommandLine contains "🫳🏻" or TargetProcessCommandLine contains "🫳🏼" or TargetProcessCommandLine contains "🫳🏽" or TargetProcessCommandLine contains "🫳🏾" or TargetProcessCommandLine contains "🫳🏿" or TargetProcessCommandLine contains "🫴" or TargetProcessCommandLine contains "🫴🏻" or TargetProcessCommandLine contains "🫴🏼" or TargetProcessCommandLine contains "🫴🏽" or TargetProcessCommandLine contains "🫴🏾" or TargetProcessCommandLine contains "🫴🏿" or TargetProcessCommandLine contains "🫰" or TargetProcessCommandLine contains "🫰🏻" or TargetProcessCommandLine contains "🫰🏼" or TargetProcessCommandLine contains "🫰🏽" or TargetProcessCommandLine contains "🫰🏾" or TargetProcessCommandLine contains "🫰🏿" or TargetProcessCommandLine contains "🫵" or TargetProcessCommandLine contains "🫵🏻" or TargetProcessCommandLine contains "🫵🏼" or TargetProcessCommandLine contains "🫵🏽" or TargetProcessCommandLine contains "🫵🏾" or TargetProcessCommandLine contains "🫵🏿" or TargetProcessCommandLine contains "🫶" or TargetProcessCommandLine contains "🫶🏻" or TargetProcessCommandLine contains "🫶🏼" or TargetProcessCommandLine contains "🫶🏽" or TargetProcessCommandLine contains "🫶🏾" or TargetProcessCommandLine contains "🫶🏿" or TargetProcessCommandLine contains "🤝🏻" or TargetProcessCommandLine contains "🤝🏼" or TargetProcessCommandLine contains "🤝🏽" or TargetProcessCommandLine contains "🤝🏾" or TargetProcessCommandLine contains "🤝🏿" or TargetProcessCommandLine contains "🫱🏻‍🫲🏼" or TargetProcessCommandLine contains "🫱🏻‍🫲🏽" or TargetProcessCommandLine contains "🫱🏻‍🫲🏾" or TargetProcessCommandLine contains "🫱🏻‍🫲🏿" or TargetProcessCommandLine contains "🫱🏼‍🫲🏻" or TargetProcessCommandLine contains "🫱🏼‍🫲🏽" or TargetProcessCommandLine contains "🫱🏼‍🫲🏾" or TargetProcessCommandLine contains "🫱🏼‍🫲🏿" or TargetProcessCommandLine contains "🫱🏽‍🫲🏻" or TargetProcessCommandLine contains "🫱🏽‍🫲🏼" or TargetProcessCommandLine contains "🫱🏽‍🫲🏾" or TargetProcessCommandLine contains "🫱🏽‍🫲🏿" or TargetProcessCommandLine contains "🫱🏾‍🫲🏻" or TargetProcessCommandLine contains "🫱🏾‍🫲🏼" or TargetProcessCommandLine contains "🫱🏾‍🫲🏽" or TargetProcessCommandLine contains "🫱🏾‍🫲🏿" or TargetProcessCommandLine contains "🫱🏿‍🫲🏻" or TargetProcessCommandLine contains "🫱🏿‍🫲🏼" or TargetProcessCommandLine contains "🫱🏿‍🫲🏽" or TargetProcessCommandLine contains "🫱🏿‍🫲🏾" or TargetProcessCommandLine contains "🫦" or TargetProcessCommandLine contains "🫅" or TargetProcessCommandLine contains "🫅🏻" or TargetProcessCommandLine contains "🫅🏼" or TargetProcessCommandLine contains "🫅🏽" or TargetProcessCommandLine contains "🫅🏾" or TargetProcessCommandLine contains "🫅🏿" or TargetProcessCommandLine contains "🫃" or TargetProcessCommandLine contains "🫃🏻" or TargetProcessCommandLine contains "🫃🏼" or TargetProcessCommandLine contains "🫃🏽" or TargetProcessCommandLine contains "🫃🏾" or TargetProcessCommandLine contains "🫃🏿" or TargetProcessCommandLine contains "🫄" or TargetProcessCommandLine contains "🫄🏻" or TargetProcessCommandLine contains "🫄🏼" or TargetProcessCommandLine contains "🫄🏽" or TargetProcessCommandLine contains "🫄🏾" or TargetProcessCommandLine contains "🫄🏿" or TargetProcessCommandLine contains "🧌" or TargetProcessCommandLine contains "🪸" or TargetProcessCommandLine contains "🪷" or TargetProcessCommandLine contains "🪹" or TargetProcessCommandLine contains "🪺" or TargetProcessCommandLine contains "🫘" or TargetProcessCommandLine contains "🫗" or TargetProcessCommandLine contains "🫙" or TargetProcessCommandLine contains "🛝" or TargetProcessCommandLine contains "🛞" or TargetProcessCommandLine contains "🛟" or TargetProcessCommandLine contains "🪬" or TargetProcessCommandLine contains "🪩" or TargetProcessCommandLine contains "🪫" or TargetProcessCommandLine contains "🩼" or TargetProcessCommandLine contains "🩻" or TargetProcessCommandLine contains "🫧" or TargetProcessCommandLine contains "🪪" or TargetProcessCommandLine contains "🟰" or TargetProcessCommandLine contains "😮‍💨" or TargetProcessCommandLine contains "😵‍💫" or TargetProcessCommandLine contains "😶‍🌫️" or TargetProcessCommandLine contains "❤️‍🔥" or TargetProcessCommandLine contains "❤️‍🩹" or TargetProcessCommandLine contains "🧔‍♀️" or TargetProcessCommandLine contains "🧔🏻‍♀️" or TargetProcessCommandLine contains "🧔🏼‍♀️" or TargetProcessCommandLine contains "🧔🏽‍♀️" or TargetProcessCommandLine contains "🧔🏾‍♀️" or TargetProcessCommandLine contains "🧔🏿‍♀️" or TargetProcessCommandLine contains "🧔‍♂️" or TargetProcessCommandLine contains "🧔🏻‍♂️" or TargetProcessCommandLine contains "🧔🏼‍♂️" or TargetProcessCommandLine contains "🧔🏽‍♂️" or TargetProcessCommandLine contains "🧔🏾‍♂️" or TargetProcessCommandLine contains "🧔🏿‍♂️" or TargetProcessCommandLine contains "💑🏻" or TargetProcessCommandLine contains "💑🏼" or TargetProcessCommandLine contains "💑🏽" or TargetProcessCommandLine contains "💑🏾" or TargetProcessCommandLine contains "💑🏿" or TargetProcessCommandLine contains "💏🏻" or TargetProcessCommandLine contains "💏🏼" or TargetProcessCommandLine contains "💏🏽" or TargetProcessCommandLine contains "💏🏾" or TargetProcessCommandLine contains "💏🏿" or TargetProcessCommandLine contains "👨🏻‍❤️‍👨🏻" or TargetProcessCommandLine contains "👨🏻‍❤️‍👨🏼" or TargetProcessCommandLine contains "👨🏻‍❤️‍👨🏽" or TargetProcessCommandLine contains "👨🏻‍❤️‍👨🏾" or TargetProcessCommandLine contains "👨🏻‍❤️‍👨🏿" or TargetProcessCommandLine contains "👨🏼‍❤️‍👨🏻" or TargetProcessCommandLine contains "👨🏼‍❤️‍👨🏼" or TargetProcessCommandLine contains "👨🏼‍❤️‍👨🏽" or TargetProcessCommandLine contains "👨🏼‍❤️‍👨🏾" or TargetProcessCommandLine contains "👨🏼‍❤️‍👨🏿" or TargetProcessCommandLine contains "👨🏽‍❤️‍👨🏻" or TargetProcessCommandLine contains "👨🏽‍❤️‍👨🏼" or TargetProcessCommandLine contains "👨🏽‍❤️‍👨🏽" or TargetProcessCommandLine contains "👨🏽‍❤️‍👨🏾" or TargetProcessCommandLine contains "👨🏽‍❤️‍👨🏿" or TargetProcessCommandLine contains "👨🏾‍❤️‍👨🏻" or TargetProcessCommandLine contains "👨🏾‍❤️‍👨🏼" or TargetProcessCommandLine contains "👨🏾‍❤️‍👨🏽" or TargetProcessCommandLine contains "👨🏾‍❤️‍👨🏾" or TargetProcessCommandLine contains "👨🏾‍❤️‍👨🏿" or TargetProcessCommandLine contains "👨🏿‍❤️‍👨🏻" or TargetProcessCommandLine contains "👨🏿‍❤️‍👨🏼" or TargetProcessCommandLine contains "👨🏿‍❤️‍👨🏽" or TargetProcessCommandLine contains "👨🏿‍❤️‍👨🏾" or TargetProcessCommandLine contains "👨🏿‍❤️‍👨🏿" or TargetProcessCommandLine contains "👩🏻‍❤️‍👨🏻" or TargetProcessCommandLine contains "👩🏻‍❤️‍👨🏼" or TargetProcessCommandLine contains "👩🏻‍❤️‍👨🏽" or TargetProcessCommandLine contains "👩🏻‍❤️‍👨🏾" or TargetProcessCommandLine contains "👩🏻‍❤️‍👨🏿" or TargetProcessCommandLine contains "👩🏻‍❤️‍👩🏻" or TargetProcessCommandLine contains "👩🏻‍❤️‍👩🏼" or TargetProcessCommandLine contains "👩🏻‍❤️‍👩🏽" or TargetProcessCommandLine contains "👩🏻‍❤️‍👩🏾" or TargetProcessCommandLine contains "👩🏻‍❤️‍👩🏿" or TargetProcessCommandLine contains "👩🏼‍❤️‍👨🏻" or TargetProcessCommandLine contains "👩🏼‍❤️‍👨🏼" or TargetProcessCommandLine contains "👩🏼‍❤️‍👨🏽" or TargetProcessCommandLine contains "👩🏼‍❤️‍👨🏾" or TargetProcessCommandLine contains "👩🏼‍❤️‍👨🏿" or TargetProcessCommandLine contains "👩🏼‍❤️‍👩🏻" or TargetProcessCommandLine contains "👩🏼‍❤️‍👩🏼" or TargetProcessCommandLine contains "👩🏼‍❤️‍👩🏽" or TargetProcessCommandLine contains "👩🏼‍❤️‍👩🏾" or TargetProcessCommandLine contains "👩🏼‍❤️‍👩🏿" or TargetProcessCommandLine contains "👩🏽‍❤️‍👨🏻" or TargetProcessCommandLine contains "👩🏽‍❤️‍👨🏼" or TargetProcessCommandLine contains "👩🏽‍❤️‍👨🏽" or TargetProcessCommandLine contains "👩🏽‍❤️‍👨🏾" or TargetProcessCommandLine contains "👩🏽‍❤️‍👨🏿" or TargetProcessCommandLine contains "👩🏽‍❤️‍👩🏻" or TargetProcessCommandLine contains "👩🏽‍❤️‍👩🏼" or TargetProcessCommandLine contains "👩🏽‍❤️‍👩🏽" or TargetProcessCommandLine contains "👩🏽‍❤️‍👩🏾" or TargetProcessCommandLine contains "👩🏽‍❤️‍👩🏿" or TargetProcessCommandLine contains "👩🏾‍❤️‍👨🏻" or TargetProcessCommandLine contains "👩🏾‍❤️‍👨🏼" or TargetProcessCommandLine contains "👩🏾‍❤️‍👨🏽" or TargetProcessCommandLine contains "👩🏾‍❤️‍👨🏾" or TargetProcessCommandLine contains "👩🏾‍❤️‍👨🏿" or TargetProcessCommandLine contains "👩🏾‍❤️‍👩🏻" or TargetProcessCommandLine contains "👩🏾‍❤️‍👩🏼" or TargetProcessCommandLine contains "👩🏾‍❤️‍👩🏽" or TargetProcessCommandLine contains "👩🏾‍❤️‍👩🏾" or TargetProcessCommandLine contains "👩🏾‍❤️‍👩🏿" or TargetProcessCommandLine contains "👩🏿‍❤️‍👨🏻" or TargetProcessCommandLine contains "👩🏿‍❤️‍👨🏼" or TargetProcessCommandLine contains "👩🏿‍❤️‍👨🏽" or TargetProcessCommandLine contains "👩🏿‍❤️‍👨🏾" or TargetProcessCommandLine contains "👩🏿‍❤️‍👨🏿" or TargetProcessCommandLine contains "👩🏿‍❤️‍👩🏻" or TargetProcessCommandLine contains "👩🏿‍❤️‍👩🏼" or TargetProcessCommandLine contains "👩🏿‍❤️‍👩🏽" or TargetProcessCommandLine contains "👩🏿‍❤️‍👩🏾" or TargetProcessCommandLine contains "👩🏿‍❤️‍👩🏿" or TargetProcessCommandLine contains "🧑🏻‍❤️‍🧑🏼" or TargetProcessCommandLine contains "🧑🏻‍❤️‍🧑🏽" or TargetProcessCommandLine contains "🧑🏻‍❤️‍🧑🏾" or TargetProcessCommandLine contains "🧑🏻‍❤️‍🧑🏿" or TargetProcessCommandLine contains "🧑🏼‍❤️‍🧑🏻" or TargetProcessCommandLine contains "🧑🏼‍❤️‍🧑🏽" or TargetProcessCommandLine contains "🧑🏼‍❤️‍🧑🏾" or TargetProcessCommandLine contains "🧑🏼‍❤️‍🧑🏿" or TargetProcessCommandLine contains "🧑🏽‍❤️‍🧑🏻" or TargetProcessCommandLine contains "🧑🏽‍❤️‍🧑🏼" or TargetProcessCommandLine contains "🧑🏽‍❤️‍🧑🏾" or TargetProcessCommandLine contains "🧑🏽‍❤️‍🧑🏿" or TargetProcessCommandLine contains "🧑🏾‍❤️‍🧑🏻" or TargetProcessCommandLine contains "🧑🏾‍❤️‍🧑🏼" or TargetProcessCommandLine contains "🧑🏾‍❤️‍🧑🏽" or TargetProcessCommandLine contains "🧑🏾‍❤️‍🧑🏿" or TargetProcessCommandLine contains "🧑🏿‍❤️‍🧑🏻" or TargetProcessCommandLine contains "🧑🏿‍❤️‍🧑🏼" or TargetProcessCommandLine contains "🧑🏿‍❤️‍🧑🏽" or TargetProcessCommandLine contains "🧑🏿‍❤️‍🧑🏾" or TargetProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏻" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏼" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏽" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏾" or TargetProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏿" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏻" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏼" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏽" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏾" or TargetProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏿" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏻" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏼" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏽" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏾" or TargetProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏿" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏻" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏼" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏽" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏾" or TargetProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏿" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏻" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏼" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏽" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏾" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏿" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏻" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏼" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏽" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏾" or TargetProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏿" or TargetProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏼" or TargetProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏽" or TargetProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏾" or TargetProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏿" or TargetProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏻" or TargetProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏽" or TargetProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏾" or TargetProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏿" or TargetProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏻" or TargetProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏼" or TargetProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏾" or TargetProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏿" or TargetProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏻" or TargetProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏼" or TargetProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏽" or TargetProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏿" or TargetProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏻" or TargetProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏼" or TargetProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏽" or TargetProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏾"

Required Data Sources

False Positive Guidance

• Unknown

References

• Internal Research
• SigmaHQ Rule