Detect Critical Environment Variable Changes over SSH with Connection Details
The query identifies changes to critical environment variables, extracts SSH connection details such as user, local and remote IPs and ports, and provides a direct link to the related process in Falcon Process Explorer.
Tags: EDR, hunting, TA0003 (Persistence), FDR, intermediate
By CrowdStrike (cql-hub.com)
Query
#event_simpleName=CriticalEnvironmentVariableChanged
| EnvironmentVariableName =/(SSH_CONNECTION|USER)/
| EnvironmentVariableValue=/(?<remoteIP>\d+\.\d+\.\d+\.\d+)\s+(?<remotePort>\d+)\s+(?<localIP>\d+\.\d+\.\d+\.\d+)\s+(?<localPort>\d+)$/i
| table([@timestamp, aid, userName, remoteIP, remotePort, localIP, localPort])
| "Process Explorer" := format("[Process Explorer](https://falcon.crowdstrike.com/investigate/process-explorer/%s/%s)", field=["aid", "ContextProcessId"])
Explanation
Imported from cql-hub.com.
The first line restricts the search to CriticalEnvironmentVariableChanged, the Falcon event emitted when a monitored environment variable is modified.
The EnvironmentVariableName filter keeps only changes to SSH_CONNECTION or USER.
The regex on EnvironmentVariableValue parses the SSH_CONNECTION value, which sshd sets to four space-separated values: client IP, client port, server IP, server port. The first pair is therefore extracted as remoteIP/remotePort (the connecting client) and the second as localIP/localPort (the host running the sensor). This line is also a filter: events whose value does not match the IPv4 pattern, including USER changes and IPv6 connections, are dropped at this point, so loosen it (for example with regex() and strict=false) if you want those rows kept.
table() selects the columns shown in the result.
The last line builds a markdown link into Falcon Process Explorer from aid and ContextProcessId, so each row can be pivoted directly to the process that changed the variable.
Variables to adjust
Review and adjust the values for your environment: the variable names in the EnvironmentVariableName filter and the Falcon console hostname in the Process Explorer link.
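As an added example (not part of the cql-hub.com page or CrowdStrike's code), the same extraction written in Python over constructed sample events, so the client/server ordering of SSH_CONNECTION and the Process Explorer link can be checked offline; it goes beyond the query by also accepting IPv6 addresses, which the IPv4-only regex above would silently drop. Field names follow the query; the event values are made up.

```python
import ipaddress
from typing import Optional

# Constructed sample events shaped like Falcon CriticalEnvironmentVariableChanged
# records (field names follow the query; all values are made up).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "aid": "aid-1", "ContextProcessId": "1001",
     "EnvironmentVariableName": "SSH_CONNECTION",
     "EnvironmentVariableValue": "203.0.113.7 51234 10.0.0.5 22"},
    {"@timestamp": "2024-05-01T10:00:01Z", "aid": "aid-1", "ContextProcessId": "1001",
     "EnvironmentVariableName": "USER", "EnvironmentVariableValue": "deploy"},
    {"@timestamp": "2024-05-01T10:00:02Z", "aid": "aid-2", "ContextProcessId": "2002",
     "EnvironmentVariableName": "SSH_CONNECTION",
     "EnvironmentVariableValue": "2001:db8::10 40000 2001:db8::1 22"},
    {"@timestamp": "2024-05-01T10:00:03Z", "aid": "aid-3", "ContextProcessId": "3003",
     "EnvironmentVariableName": "PATH", "EnvironmentVariableValue": "/usr/bin"},
]

PROCESS_EXPLORER = "https://falcon.crowdstrike.com/investigate/process-explorer/{aid}/{pid}"


def parse_ssh_connection(value: str) -> Optional[dict]:
    """Split an SSH_CONNECTION value: 'client_ip client_port server_ip server_port'.
    Returns None when the value is not in that shape (e.g. a USER value)."""
    parts = value.split()
    if len(parts) != 4:
        return None
    try:
        client_ip = ipaddress.ip_address(parts[0])   # accepts IPv4 and IPv6
        server_ip = ipaddress.ip_address(parts[2])
        client_port, server_port = int(parts[1]), int(parts[3])
    except ValueError:
        return None
    # The client end is remote from the sensor's point of view; the server end is local.
    return {"remoteIP": str(client_ip), "remotePort": client_port,
            "localIP": str(server_ip), "localPort": server_port}


def hunt(events) -> list:
    """Mirror the query: keep SSH_CONNECTION/USER changes, parse the connection,
    and attach a Process Explorer link built from aid and ContextProcessId."""
    rows = []
    for ev in events:
        name = ev.get("EnvironmentVariableName")
        if name not in ("SSH_CONNECTION", "USER"):
            continue
        row = {"@timestamp": ev["@timestamp"], "aid": ev["aid"],
               "ProcessExplorer": PROCESS_EXPLORER.format(aid=ev["aid"], pid=ev["ContextProcessId"])}
        if name == "USER":
            row["userName"] = ev["EnvironmentVariableValue"]
        else:
            conn = parse_ssh_connection(ev["EnvironmentVariableValue"])
            if conn is None:
                continue
            row.update(conn)
        rows.append(row)
    return rows
```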