alert:
- debug
description: Detects all Emotet-like process executions that are not covered by the more generic rules
filter:
- query:
    query_string:
      query: data.win.eventdata.commandLine.keyword:(*\ \-e*\ PAA* OR *JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ* OR *QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA* OR *kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA* OR *IgAoACcAKgAnACkAOwAkA* OR *IAKAAnACoAJwApADsAJA* OR *iACgAJwAqACcAKQA7ACQA* OR *JABGAGwAeAByAGgAYwBmAGQ*)
index: wazuh-alerts-3.x-*
name: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18_0
priority: 1
realert:
  minutes: 0
type: any