CQL Knowledge Base
Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.
APT Lateral Movement via Remote Administrative Protocols
Detects APT lateral movement using remote administration protocols (SMB, WMI, WinRM) initiated from command-line tools on end-user hosts. Correlates administrative processes with outbound connections to management ports.
APT Chained WMIC Reconnaissance Detection
Detects suspicious chained use of wmic.exe by APT actors for system reconnaissance: hardware inventory, user accounts, running processes, and network config. Filters legitimate parents like WmiPrvSE and msiexec to reduce false positives.
Archive Tool Spawning Shell Processes (Compressed File Exploitation)
Detects shell or LOLBin processes directly spawned by archiving utilities like WinRAR or 7-Zip, behavior associated with code execution via malicious archives similar to WinRAR CVE-2023-38831.
Credential Spray and Authentication Bypass on Network Logon
Detects credential spraying attacks and potential authentication bypass attempts exploiting incomplete access control implementations. Identifies high-frequency network logons from the same source IP and classifies by risk level.
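The aggregation-and-threshold logic that entry describes, written out as an added example (it is not one of the knowledge base's queries). It assumes Falcon UserLogon and UserLogonFailed2 events carrying LogonType, UserName and RemoteAddressIP4; the counts used for the thresholds and risk tiers are assumptions to tune per environment:

```cql
// Added example, not a knowledge base query. Field names assume Falcon's UserLogon /
// UserLogonFailed2 schema; the thresholds below are assumptions, tune them per estate.
(#event_simpleName=UserLogonFailed2 OR #event_simpleName=UserLogon) event_platform=Win
| LogonType=3                      // 3 = Windows network logon (SMB, RPC, WinRM), where spraying shows up
| RemoteAddressIP4=*               // keep only events that carry the source address
| case {
    #event_simpleName=UserLogon | success := 1;
    * | success := 0
  }
| groupBy([RemoteAddressIP4], function=[
    count(as=attempts),
    count(UserName, distinct=true, as=distinct_users),
    sum(success, as=successes),
    min(@timestamp, as=first_seen),
    max(@timestamp, as=last_seen),
    collect([UserName], limit=20)
  ])
| window_minutes := (last_seen - first_seen) / 60000
// spray signature: many attempts against many different accounts from one source (assumed thresholds)
| attempts >= 20 distinct_users >= 5
// a success after spraying is the event that matters; a bypass attempt looks the same from the logon side
| case {
    successes >= 1 distinct_users >= 10 | risk := "high";
    successes >= 1 | risk := "medium";
    * | risk := "low"
  }
| formatTime("%Y-%m-%d %H:%M:%S", field=first_seen, as=first_seen)
| formatTime("%Y-%m-%d %H:%M:%S", field=last_seen, as=last_seen)
| sort(attempts, order=desc)
| table([RemoteAddressIP4, attempts, distinct_users, successes, window_minutes, risk, UserName, first_seen, last_seen])
```

Run it over a short window (for example 1h) so window_minutes stays meaningful; a single source that reaches the "high" tier should be pivoted on immediately, since the successful account is the one the attacker now holds.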
AWS IAM Abuse for Establishing Persistence
Detects AWS IAM operations indicative of APT persistence: user creation, administrative policy attachment, access key generation, role creation, and trust policy modification. Designed for environments with Falcon Cloud Security integrated.
Web Browser Spawning a Command Interpreter Process
Detects when a web browser process directly spawns a command interpreter or scripting engine. Highly anomalous behavior associated with browser exploitation, advanced social engineering, or drive-by download attacks.
CMD Shell Reconnaissance Commands APT-3 Style
Detects cmd.exe executions with system enumeration commands associated with APT-3 group, including whoami, net user, ipconfig, systeminfo, and nltest for domain trust reconnaissance.
Linux GTFOBins Abuse for Privilege Escalation
Detects abuse of native Linux binaries listed in GTFOBins to escape restricted environments, read sensitive system files, or spawn elevated shells. Covers LOTL techniques actively used by threat actors in Linux and macOS environments.
Shell Process Spawned by Node.js (Potential React2Shell Exploitation)
Detects shell or scripting processes spawned by Node.js, a potential indicator of CVE-2025-55182 (React2Shell) exploitation — an insecure deserialization vulnerability in the React Server Components Flight protocol enabling remote code execution.
PowerShell Remote Download Cradle Detection
Identifies PowerShell executions containing typical remote download patterns (IEX, Net.WebClient, BitsTransfer), techniques used in early APT compromise stages to download and execute in-memory payloads without touching disk.
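The command-line pattern matching that entry relies on, as an added example rather than one of the knowledge base's queries. It assumes Falcon ProcessRollup2 fields (FileName, ParentBaseFileName, CommandLine, aid, ComputerName, UserName); the cradle keyword list, the encoded-command check and the risk tiers are assumptions:

```cql
// Added example, not a knowledge base query. Assumes Falcon ProcessRollup2 field names.
#event_simpleName=ProcessRollup2 event_platform=Win
| in(field="FileName", values=["powershell.exe", "pwsh.exe", "powershell_ise.exe"], ignoreCase=true)
// the named group becomes a field called "cradle"; events with no cradle keyword are dropped here
| regex(field=CommandLine, regex="(?i)(?<cradle>Invoke-Expression|IEX|Net[.]WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|BitsTransfer)")
// first URL on the command line, for triage; strict=false keeps events that carry no plain URL
| regex(field=CommandLine, regex="(?<url>https?://[^ ]+)", strict=false)
| case {
    CommandLine=/-(e|ec|enc|encodedcommand) /i | encoded := "yes";
    * | encoded := "no"
  }
// assumed triage tiers: a cradle wrapped in -EncodedCommand, or launched by Office / script hosts, is rarely benign
| case {
    encoded="yes" | risk := "high";
    ParentBaseFileName=/^(winword|excel|outlook|mshta|wscript|cscript)[.]exe$/i | risk := "high";
    url=* | risk := "medium";
    * | risk := "low"
  }
| groupBy([aid, ComputerName, UserName, ParentBaseFileName, cradle, encoded, risk],
          function=[count(as=hits), collect([CommandLine, url], limit=5)])
| sort(hits, order=asc)          // rarest host/parent/cradle combinations first
```

The keyword regex only catches the plain-text form of a cradle; a base64 payload hides the keywords, which is why the encoded-command branch is scored on its own rather than requiring a keyword match inside it.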
Basic Detection: Child Processes Spawned by WMI Provider Host
Basic query to detect any process spawned by WmiPrvSE.exe. Unexpected child process generation from the WMI Provider Host may indicate remote command execution or persistence. Ideal for SOC analysts starting with threat hunting in CrowdStrike Falcon.
WMIC Abuse via Non-Standard Parent Process (APT-Style)
Detects WMIC.exe executions spawned by unusual parent processes matching APT reconnaissance and lateral movement techniques. Excludes legitimate management tools and classifies risk by frequency.
Impossible Travel Detection via RDP Logon Sequences
Detects impossible travel by analyzing consecutive RDP logons from the same user across different countries using neighbor() to compare adjacent events in time.
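The neighbor() comparison that entry describes, written out as an added example (not one of the knowledge base's queries). It assumes Falcon UserLogon events with LogonType and RemoteAddressIP4, takes the country from LogScale's ipLocation() enrichment, and uses an assumed two-hour window as the "impossible" gap:

```cql
// Added example, not a knowledge base query. Assumes Falcon UserLogon field names and
// LogScale's built-in ipLocation() for geolocation of the source address.
#event_simpleName=UserLogon event_platform=Win LogonType=10       // 10 = RemoteInteractive, i.e. RDP
| RemoteAddressIP4=*
| !cidr(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])   // private sources have no country
| ipLocation(field=RemoteAddressIP4)                             // adds RemoteAddressIP4.country / .city / .lat / .lon
| rename(field="RemoteAddressIP4.country", as="src_country")
| logon_time := @timestamp
// neighbor() only sees stream order, so arrange the stream by user first and time second
| sort([UserName, logon_time], order=asc, limit=10000)
| neighbor([UserName, logon_time, src_country, RemoteAddressIP4], prefix="prev.")
// keep adjacent pairs that belong to the same user but come from different countries
| test(UserName == prev.UserName)
| test(src_country != prev.src_country)
| gap_minutes := (logon_time - prev.logon_time) / 60000
| gap_minutes < 120                                             // assumed window; adjust to real travel time between your regions
| formatTime("%Y-%m-%d %H:%M:%S", field=prev.logon_time, as=prev_logon)
| formatTime("%Y-%m-%d %H:%M:%S", field=logon_time, as=this_logon)
| table([UserName, prev.src_country, prev.RemoteAddressIP4, prev_logon, src_country, RemoteAddressIP4, this_logon, ComputerName, gap_minutes])
```

The sort is the part that makes neighbor() correct: without it the "previous" event may belong to another user, and the first event of each user is compared against the last event of the previous one, which the test(UserName == prev.UserName) line discards. Corporate VPN egress points and cloud-hosted jump boxes will geolocate to a fixed country and should be excluded before the neighbor() step.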
Lateral Movement Scoring via SMB + Process Correlation
Detects lateral movement by correlating outbound SMB connections with remote process execution on the destination host, assigning a composite risk score per behavior.
Process Injection Chain Detection with Risk Scoring
Identifies process injection chains by correlating CreateRemoteThread, WriteProcessMemory, and post-injection behavior using correlate() to link the 3-step sequence.
APT 3 - Multi-Tool Discovery via CMD Shell (T1059.003)
Detects multiple native Windows discovery tools launched from cmd.exe by the same user on the same host. Characteristic pattern of APT 3 (Gothic Panda) using Windows Command Shell (T1059.003) to run commands like whoami, ipconfig, and systeminfo during initial compromise phases.
Browser Engine Exploit Indicator — Suspicious Shell Spawned from Browser Process
Detects when a web browser process (Chrome, Edge, Firefox) directly spawns a command interpreter or LOLBin, anomalous behavior that may indicate exploitation of critical browser engine vulnerabilities such as type-confusion V8 zero-days.
Shell Spawned from Browser Renderer Process - CVE-2025-10585 Pattern
Detects shell or scripting processes spawned as children of popular browsers (Chrome, Edge, Firefox, Brave), a pattern associated with JavaScript engine type confusion exploits like CVE-2025-10585 (Chrome V8 zero-day). A compromised renderer on its own is still confined by the browser sandbox; a shell child of the browser process means the attacker also chained a sandbox escape to run arbitrary OS commands, which is why this pattern is rare and high-fidelity.
Corporate Endpoint FTP and SMTP Data Exfiltration Detection
Identifies outbound connections to FTP (21, 990) and SMTP (25, 465, 587) ports from endpoints to external public IPs, indicative of possible data exfiltration using unauthorized file transfer or email protocols outside security policy.
Suspicious IIS Child Process - Possible ViewState Deserialization Exploitation
Detects shell or scripting processes spawned as direct children of w3wp.exe or iisexpress.exe, a high-fidelity indicator of deserialization vulnerability exploitation such as CVE-2025-53690 in Sitecore. This pattern occurs when an attacker exploits .NET ViewState to achieve remote code execution on IIS servers and runs OS commands.
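The parent/child process pattern shared by several entries on this page (archive tool spawning a shell, browser spawning a command interpreter, Node.js spawning a shell, children of WmiPrvSE.exe, and the IIS worker entry above), written as one added example rather than one of the knowledge base's queries. It assumes Falcon ProcessRollup2 fields (FileName, ParentBaseFileName, CommandLine, aid, ComputerName, UserName) on both Windows and Linux sensors; the binary lists and pattern labels are assumptions:

```cql
// Added example, not a knowledge base query. One query covering the parent/child entries on this page.
// Assumes Falcon ProcessRollup2 field names; no platform filter so Linux Node.js hosts are included.
#event_simpleName=ProcessRollup2
// interpreters and LOLBins that should not be children of a browser, archiver, Node.js or IIS worker (assumed list)
| case {
    in(field="FileName", values=["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                                 "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                                 "sh", "bash", "dash", "zsh", "python", "python3", "perl", "curl", "wget"], ignoreCase=true) | is_shell := "yes";
    * | is_shell := "no"
  }
| case {
    // WMI Provider Host: any child is worth a look (remote WMI execution or persistence), not just shells
    ParentBaseFileName=/^wmiprvse[.]exe$/i | pattern := "wmi_provider_child";
    is_shell="yes" | in(field="ParentBaseFileName", values=["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"], ignoreCase=true) | pattern := "browser_spawned_shell";
    is_shell="yes" | in(field="ParentBaseFileName", values=["winrar.exe", "7z.exe", "7zfm.exe", "7zg.exe"], ignoreCase=true) | pattern := "archive_tool_spawned_shell";
    is_shell="yes" | in(field="ParentBaseFileName", values=["node.exe", "node"], ignoreCase=true) | pattern := "nodejs_spawned_shell";
    is_shell="yes" | in(field="ParentBaseFileName", values=["w3wp.exe", "iisexpress.exe"], ignoreCase=true) | pattern := "iis_worker_spawned_shell"
  }
| pattern=*                      // events that matched no branch carry no pattern field and are dropped here
| groupBy([pattern, aid, ComputerName, UserName, ParentBaseFileName, FileName],
          function=[count(as=hits), collect([CommandLine], limit=3)])
| sort(hits, order=asc)          // rarest parent/child pairs first; noisy pairs sink to the bottom
```

Expect two known noise sources when tuning: developer workstations where npm or yarn scripts make node spawn sh or cmd.exe, and MSI installs that run under WmiPrvSE.exe on some hosts. Handle them with explicit exclusions on CommandLine rather than by dropping the parent from the list, so that the same parent with an unexpected command line still surfaces. The IIS branch is the highest-signal one: w3wp.exe has no business launching a shell, and a hit there should be treated as a likely ViewState or other deserialization RCE until proven otherwise.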
