DNS Resolutions from Browser Processes
This query correlates web browser process executions (ProcessRollup2) with the DNS requests those same processes made (DnsRequest), joined on the Falcon UPID, to show which domains each browser process resolved on a given endpoint.
Tags: EDR, hunting
FDR, intermediate, by CrowdStrike (cql-hub.com)
Query
// Get all process execution and DNS events on Windows
(#event_simpleName=ProcessRollup2 OR #event_simpleName=DnsRequest) event_platform=Win
// Optional host scoping via the ?ComputerName parameter (wildcards allowed, case-insensitive)
| ComputerName=~wildcard(?ComputerName, ignoreCase=true)
// Normalize file name: ProcessRollup2 carries FileName, DnsRequest carries ContextBaseFileName
| fileName:=concat([FileName, ContextBaseFileName])
// Make sure the responsible process is a web browser
| in(field="fileName", values=["chrome.exe", "firefox.exe", "msedge.exe"], ignoreCase=true)
// Normalize Falcon UPID: ProcessRollup2 uses TargetProcessId, DnsRequest uses ContextProcessId
| falconPID:=TargetProcessId | falconPID:=ContextProcessId
// Use selfJoinFilter to make sure execution and DNS resolution occurred under the same aid + UPID value
| selfJoinFilter(field=[aid, falconPID], where=[{#event_simpleName=ProcessRollup2}, {#event_simpleName=DnsRequest}])
// Aggregate results: one row per browser process with its host, user, binary and resolved domains
| groupBy([aid, falconPID], function=([collect([ComputerName, UserName, fileName, DomainName])]))
Explanation
Imported from cql-hub.com.

The first line pulls both event types for Windows hosts; the wildcard() filter then narrows to the host(s) named in ?ComputerName. Because each event carries only one of FileName (ProcessRollup2) or ContextBaseFileName (DnsRequest), concat() of the two yields a single fileName field that can be tested once with in(). The same trick is applied to the process identifier: the second := assignment only overwrites falconPID when ContextProcessId exists, so both event types end up with the UPID in one field. selfJoinFilter() then keeps only (aid, falconPID) pairs that appear in at least one ProcessRollup2 and at least one DnsRequest event, so a DNS request is only reported when the browser execution itself was observed in the search window; aid is part of the key because UPIDs are unique per sensor, not across the fleet. Finally groupBy() produces one row per browser process, with collect() listing the distinct host, user, binary and domain values.

Two caveats. Browser identity is decided by file name alone, so an unrelated binary renamed to chrome.exe is included, and a browser launched under another name is missed. selfJoinFilter() is documented by LogScale as an approximation that may admit a few non-matching events (it never drops matching ones), so treat an odd stray row as possible join noise rather than a confirmed correlation.

Variables to adjust
Review and adjust the values for your environment:
- ?ComputerName: hostname or wildcard pattern; use * to cover all Windows hosts.
- The browser list in in(): add or remove executable names (for example other Chromium-based browsers) as deployed in your estate.
- The search time window: ProcessRollup2 for a long-running browser may predate the window, in which case its DNS requests are filtered out by the self-join.
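To make the pipe-by-pipe behaviour checkable offline, here is a plain Python re-implementation of the same correlation. This is an added example, not code from cql-hub.com or CrowdStrike; the events are constructed to look like Falcon ProcessRollup2 and DnsRequest records using only the field names the query references, and the values (aids, UPIDs, hosts, domains) are made up. It includes the edge cases the query's design implies: a DNS request whose browser execution was not seen, a non-browser process, the same UPID value on two sensors, and a non-Windows event. Unlike LogScale's selfJoinFilter(), the join here is exact.

```python
"""Reference implementation of the browser -> DNS correlation in plain Python.

Added example, not code from cql-hub.com or CrowdStrike. It mirrors each pipe of
the CQL query (normalization, browser filter, self-join on (aid, falconPID),
groupBy/collect) over constructed sample events.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample events shaped like Falcon ProcessRollup2 / DnsRequest records.
# Field names come from the query; all values are made up for this example.
SAMPLE_EVENTS = [
    # Browser execution plus two DNS requests under the same UPID on host WS-01.
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "aid": "a1",
     "ComputerName": "WS-01", "UserName": "alice", "TargetProcessId": "1001", "FileName": "chrome.exe"},
    {"#event_simpleName": "DnsRequest", "event_platform": "Win", "aid": "a1", "ComputerName": "WS-01",
     "ContextProcessId": "1001", "ContextBaseFileName": "Chrome.EXE", "DomainName": "example.com"},
    {"#event_simpleName": "DnsRequest", "event_platform": "Win", "aid": "a1", "ComputerName": "WS-01",
     "ContextProcessId": "1001", "ContextBaseFileName": "chrome.exe", "DomainName": "update.example.net"},
    # DNS from a browser UPID whose ProcessRollup2 is outside the window: dropped by the self-join.
    {"#event_simpleName": "DnsRequest", "event_platform": "Win", "aid": "a1", "ComputerName": "WS-01",
     "ContextProcessId": "2002", "ContextBaseFileName": "msedge.exe", "DomainName": "orphan.example"},
    # Non-browser process: dropped by the in() filter.
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "aid": "a1",
     "ComputerName": "WS-01", "UserName": "alice", "TargetProcessId": "3003", "FileName": "powershell.exe"},
    {"#event_simpleName": "DnsRequest", "event_platform": "Win", "aid": "a1", "ComputerName": "WS-01",
     "ContextProcessId": "3003", "ContextBaseFileName": "powershell.exe", "DomainName": "c2.example"},
    # Same UPID value on another sensor: must not be joined with host a1's events.
    {"#event_simpleName": "ProcessRollup2", "event_platform": "Win", "aid": "b2",
     "ComputerName": "WS-02", "UserName": "bob", "TargetProcessId": "1001", "FileName": "firefox.exe"},
    {"#event_simpleName": "DnsRequest", "event_platform": "Win", "aid": "b2", "ComputerName": "WS-02",
     "ContextProcessId": "1001", "ContextBaseFileName": "firefox.exe", "DomainName": "firefox.example"},
    # Non-Windows event: dropped by event_platform=Win.
    {"#event_simpleName": "DnsRequest", "event_platform": "Lin", "aid": "c3", "ComputerName": "SRV-01",
     "ContextProcessId": "1001", "ContextBaseFileName": "firefox.exe", "DomainName": "linux.example"},
]


def normalize(event):
    """Mirror the two normalization pipes of the query on one event."""
    e = dict(event)
    # fileName := concat([FileName, ContextBaseFileName]); each event has only one of the two,
    # so the result is simply whichever is present (original casing is kept, as in CQL).
    e["fileName"] = e.get("FileName", "") + e.get("ContextBaseFileName", "")
    # falconPID := TargetProcessId | falconPID := ContextProcessId: the second assignment
    # only overwrites when ContextProcessId exists, i.e. on DnsRequest events.
    e["falconPID"] = e.get("ContextProcessId", e.get("TargetProcessId"))
    return e


def correlate(events, computer_name="*", browsers=BROWSERS):
    """Return {(aid, falconPID): {field: sorted distinct values}} for browser UPIDs with DNS activity."""
    pattern = computer_name.lower()
    rows = [normalize(e) for e in events
            if e.get("#event_simpleName") in ("ProcessRollup2", "DnsRequest")
            and e.get("event_platform") == "Win"
            and fnmatchcase(e.get("ComputerName", "").lower(), pattern)]
    # in(field="fileName", values=[...], ignoreCase=true)
    rows = [e for e in rows if e["fileName"].lower() in browsers]
    # selfJoinFilter(field=[aid, falconPID], where=[{ProcessRollup2}, {DnsRequest}]):
    # keep a key only if both event types were seen for it (exact version of the join).
    kinds = defaultdict(set)
    for e in rows:
        kinds[(e["aid"], e["falconPID"])].add(e["#event_simpleName"])
    joined = [e for e in rows if kinds[(e["aid"], e["falconPID"])] >= {"ProcessRollup2", "DnsRequest"}]
    # groupBy([aid, falconPID], function=collect([ComputerName, UserName, fileName, DomainName]))
    collected = ("ComputerName", "UserName", "fileName", "DomainName")
    groups = defaultdict(lambda: {f: set() for f in collected})
    for e in joined:
        for f in collected:
            if f in e:
                groups[(e["aid"], e["falconPID"])][f].add(e[f])
    return {key: {f: sorted(v) for f, v in vals.items()} for key, vals in groups.items()}


if __name__ == "__main__":
    for key, vals in correlate(SAMPLE_EVENTS).items():
        print(key, vals)
```

Running it yields two rows, (a1, 1001) and (b2, 1001): the orphaned msedge.exe request, the powershell.exe pair and the Linux event are all filtered out, and the two hosts sharing UPID value 1001 stay separate because aid is part of the join key. Note that the a1 row collects both "Chrome.EXE" and "chrome.exe" as fileName values, which is exactly what collect() does in CQL after a case-insensitive in() match.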