"selection1 OR selection2 OR selection3"
evaluates and matches to (EventID == 7045 AND ServiceName == 'PSEXESVC' AND ServiceFileName == '*\PSEXESVC.exe') OR (EventID == 7036 AND ServiceName == 'PSEXESVC') OR (EventID == 1 AND Image == '*\PSEXESVC.exe' AND User == 'NT AUTHORITY\SYSTEM')
"1/any of Search-Identifiers" operators SIGMA provides: "selection1 AND selection2"
evaluates and matches to Image == '*\mshta.exe' AND (ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe')
"all of search-identifier" operators: "selection AND NOT filter"
evaluates and matches to Image == '*\mshta.exe' AND NOT (Image == 'C:\Windows\System32' or Image == 'C:\Windows\SysWOW64')
"selection1 AND (selection2 OR selection3)"
evaluates and matches to Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' or CommandLine == '*C:\Windows\Temp*' or CommandLine == '*C:\Users\Public*'))
"selection_base and (selection1 or selection2) or (selection_base and not filter1) or (selection_base and not filter2)" (since `and` binds tighter than `or`, this is three OR'd terms, each anchored on selection_base)
evaluates and matches to (Image == '*\mshta.exe' AND ((ParentImage == '*\cmd.exe' or ParentImage == '*\powershell.exe') OR (CommandLine == '*\AppData\Local*' or CommandLine == '*C:\Windows\Temp*' or CommandLine == '*C:\Users\Public*'))) OR (Image == '*\mshta.exe' AND NOT (Image == 'C:\Windows\System32' or Image == 'C:\Windows\SysWOW64')) OR (Image == '*\mshta.exe' AND NOT ((CommandLine == '.htm' or CommandLine == '.htm') AND (CommandLine == 'mshta.exe' or CommandLine == 'mshta.exe')))