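REM A "RECON / SUSPICIOUS" process was created
REM Purpose: from an exported Security.evtx, list process-creation events (EventID 4688)
REM whose new-process path ends with one of the discovery / remote-admin binaries below,
REM for offline triage. Output columns: Date, Username, Domain, Process.
REM Field mapping (Strings is a pipe-delimited field, token indexes are 0-based):
REM   token 1 = SubjectUserName (Username), token 2 = SubjectDomainName (Domain),
REM   token 5 = NewProcessName (Process). NewProcessName is a full path, so every pattern
REM   is a suffix match on a backslash followed by the image name.
REM -stats:OFF suppresses LogParser's statistics footer so only result rows are printed.
REM Notes for the analyst:
REM   - 4688 events are present only if process-creation auditing was enabled on the source
REM     host, so an empty result is not evidence that none of these binaries ran.
REM   - The find.exe pattern previously used doubled backslashes, unlike every other entry,
REM     so it did not match the same way as its siblings; it is now written like the rest.
REM   - "inver.exe" is not a standard Windows image name; it may have been meant as
REM     winver.exe. Confirm before relying on that entry.
REM   - dsregcmd.exe is explicitly excluded from the result set.
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM '.\files\c\windows\system32\winevt\logs\Security.evtx' WHERE EventID = 4688 AND (Process LIKE '%\\at.exe' OR Process LIKE '%\\ceipdata.exe' OR Process LIKE '%\\ceiprole.exe' OR Process LIKE '%\\chcp.exe' OR Process LIKE '%\\cmd.exe' OR Process LIKE '%\\compmgmtlauncher.exe' OR Process LIKE '%\\csvde.exe' OR Process LIKE '%\\dsget.exe' OR Process LIKE '%\\dsquery.exe' OR Process LIKE '%\\esentutl.exe' OR Process LIKE '%\\find.exe' OR Process LIKE '%\\fsutil.exe' OR Process LIKE '%\\hostname.exe' OR Process LIKE '%\\ipconfig.exe' OR Process LIKE '%\\ldifde.exe' OR Process LIKE '%\\nbtstat.exe' OR Process LIKE '%\\net.exe' OR Process LIKE '%\\net1.exe' OR Process LIKE '%\\netdom.exe' OR Process LIKE '%\\netsh.exe' OR Process LIKE '%\\netstat.exe' OR Process LIKE '%\\nltest.exe' OR Process LIKE '%\\nslookup.exe' OR Process LIKE '%\\ping.exe' OR Process LIKE '%\\psexec.exe' OR Process LIKE '%\\qprocess.exe' OR Process LIKE '%\\query.exe' OR Process LIKE '%\\quser.exe' OR Process LIKE '%\\qwinsta.exe' OR Process LIKE '%\\reg.exe' OR Process LIKE '%\\sc.exe' OR Process LIKE '%\\schtasks.exe' OR Process LIKE '%\\servermanagercmd.exe' OR Process LIKE '%\\set.exe' OR Process LIKE '%\\systeminfo.exe' OR Process LIKE '%\\tasklist.exe' OR Process LIKE '%\\time.exe' OR Process LIKE '%\\tracert.exe' OR Process LIKE '%\\tree.exe' OR Process LIKE '%\\type.exe' OR Process LIKE '%\\vds.exe' OR Process LIKE '%\\vdsldr.exe' OR Process LIKE '%\\ver.exe' OR Process LIKE '%\\wevtutil.exe' OR Process LIKE '%\\whoami.exe' OR Process LIKE '%\\WinrsHost.exe' OR Process LIKE '%\\inver.exe' OR Process LIKE '%\\wmic.exe' OR Process LIKE '%\\wusa.exe') AND NOT Process LIKE '%\\dsregcmd.exe'"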