LogScale · CQL

CQL Knowledge Base


Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

154 queries · 8 categories
Powered by Sofistic · created by darkreitor
Showing 20 queries
PAID

Shell Spawned from Browser Renderer Process - CVE-2025-10585 Pattern

Detects shell or scripting processes spawned as children of popular browsers (Chrome, Edge, Firefox, Brave), a pattern associated with JavaScript engine type confusion exploits like CVE-2025-10585 (Chrome V8 zero-day). A compromised renderer can escape the browser sandbox and execute arbitrary OS commands.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|msedge\.exe|firefox\.exe|brave\.exe|chromium\.exe)$/
| FileName=/(?i)(cmd\.exe|powershell\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)$/
Category: EDR | Tags: browser-exploit, v8 | Difficulty: Intermediate
PAID

Corporate Endpoint FTP and SMTP Data Exfiltration Detection

Identifies outbound connections from endpoints to FTP (21, 990) and SMTP (25, 465, 587) ports on external public IPs, indicative of possible data exfiltration over unauthorized file transfer or email protocols outside security policy.

#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| (RemotePort=21 OR RemotePort=25 OR RemotePort=587 OR RemotePort=465 OR RemotePort=990)
| not RemoteAddressIP4=/^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
Category: Network | Tags: exfiltration, ftp | Difficulty: Intermediate
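The private-range exclusion in this query is a regular expression over the dotted-quad string, which drops only the three RFC 1918 blocks. The following Python script is an added example, not a query from this catalogue: it re-implements the port-and-destination filter over constructed NetworkConnectIP4-style events and sets it beside an `ipaddress`-based check that also discards loopback, link-local and carrier-grade NAT (100.64.0.0/10) destinations, which the regex would otherwise report as "external". The host name and event values are constructed; 8.8.8.8 only stands in for an arbitrary public address.

```python
"""Added example: compare the catalogue's regex-based RFC 1918 exclusion with a check
based on Python's ipaddress module. Events below are constructed, not real telemetry."""
import ipaddress
import re

# FTP/FTPS and SMTP/SMTPS/submission ports, as listed in the query.
EXFIL_PORTS = {21, 25, 465, 587, 990}
# Same expression as the CQL query: only the three RFC 1918 blocks are excluded.
RFC1918 = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)")


def flag_by_regex(events):
    """Port match AND destination not in RFC 1918, exactly as the query does it."""
    return [e for e in events
            if e["RemotePort"] in EXFIL_PORTS and not RFC1918.match(e["RemoteAddressIP4"])]


def flag_by_ipaddress(events):
    """Port match AND destination is globally routable. is_global is False for RFC 1918,
    loopback, link-local, 100.64.0.0/10 (CGNAT), documentation and reserved ranges."""
    out = []
    for e in events:
        if e["RemotePort"] not in EXFIL_PORTS:
            continue
        addr = ipaddress.ip_address(e["RemoteAddressIP4"])
        if addr.is_global and not addr.is_multicast:
            out.append(e)
    return out


# Constructed sample events (hypothetical endpoint WS01).
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "RemoteAddressIP4": "10.1.2.3",    "RemotePort": 25},   # internal relay
    {"ComputerName": "WS01", "RemoteAddressIP4": "127.0.0.1",   "RemotePort": 25},   # local MTA
    {"ComputerName": "WS01", "RemoteAddressIP4": "169.254.1.1", "RemotePort": 21},   # link-local
    {"ComputerName": "WS01", "RemoteAddressIP4": "100.64.0.1",  "RemotePort": 587},  # CGNAT space
    {"ComputerName": "WS01", "RemoteAddressIP4": "8.8.8.8",     "RemotePort": 587},  # public, submission port
    {"ComputerName": "WS01", "RemoteAddressIP4": "8.8.8.8",     "RemotePort": 443},  # public, HTTPS: out of scope
]


def destinations(flagged):
    """The (ip, port) pairs a filter reported, for side-by-side comparison."""
    return [(e["RemoteAddressIP4"], e["RemotePort"]) for e in flagged]


if __name__ == "__main__":
    print("regex    :", destinations(flag_by_regex(SAMPLE_EVENTS)))
    print("ipaddress:", destinations(flag_by_ipaddress(SAMPLE_EVENTS)))
```

Run as-is, the regex version reports the loopback, link-local and CGNAT connections alongside the genuinely external one; the `ipaddress` version reports only the public destination. In CQL the same tightening can be done by extending the exclusion regex with the extra ranges, or by keeping an allow-list of internal relays and mail submission hosts as an exclusion before this filter.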
PAID

Suspicious IIS Child Process - Possible ViewState Deserialization Exploitation

Detects shell or scripting processes spawned as direct children of w3wp.exe or iisexpress.exe, a high-fidelity indicator of deserialization vulnerability exploitation such as CVE-2025-53690 in Sitecore. This pattern occurs when an attacker exploits .NET ViewState to achieve remote code execution on IIS servers and runs OS commands.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(w3wp\.exe|iisexpress\.exe)$/
| FileName=/(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe)$/
Category: Malware | Tags: iis, webshell | Difficulty: Advanced
PAID

Windows Living off the Land Multi-Tool Chain Detection

Detects chaining of multiple native Windows tools by the same user on the same host within a time window, a characteristic pattern of APT actors in the reconnaissance phase using LOTL techniques to evade security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|net\.exe|nltest\.exe|arp\.exe|ipconfig\.exe|systeminfo\.exe|tasklist\.exe|netstat\.exe|nslookup\.exe|dsquery\.exe|wmic\.exe|reg\.exe|schtasks\.exe)$/
| groupBy([ComputerName, UserName], function=[count(as=tool_count), collect(field=FileName, as=tools_used, limit=20)], limit=max)
Category: Threat Hunting | Tags: lotl, living-off-the-land | Difficulty: Advanced
FREE

Data Exfiltration via Native FTP or LOLBin Tools

Detects use of native Windows tools such as ftp.exe, bitsadmin.exe, and certutil.exe with parameters associated with file transfer and data encoding to external destinations. These LOLBin techniques are commonly used by threat actors to exfiltrate compromised data while evading perimeter security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(ftp\.exe|bitsadmin\.exe|certutil\.exe)$/
| CommandLine=/(?i)(open\s+\d{1,3}|put\s+|urlcache|base64|-encode|-transfer|\/transfer)/
Category: EDR | Tags: exfiltration, lolbin | Difficulty: Beginner
FREE

Shell Spawned from PHP Process - WordPress WebShell Detection

Detects shell or command interpreter processes spawned as children of PHP or web server processes, a basic indicator of webshell presence in WordPress or other PHP applications. Relevant given 6,700+ CVEs recorded in WordPress plugins and themes during H1 2025.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(php\.exe|php-cgi\.exe|php-fpm|httpd\.exe|apache2|nginx)$/
| FileName=/(?i)(cmd\.exe|powershell\.exe|sh|bash|python\.exe|python3|net\.exe|whoami\.exe)$/
Category: Malware | Tags: webshell, php | Difficulty: Beginner
FREE

Basic PowerShell Base64 Encoded Command Detection

Beginner-level query to detect the use of Base64 encoding parameters in PowerShell (-EncodedCommand, -enc), a technique widely used by attackers to obfuscate malicious scripts and evade plain-text detection. An ideal starting point for EDR threat hunting.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell\.exe$/
| CommandLine=/(?i)(-enc\s|-encodedcommand\s|-e\s+[A-Za-z0-9+\/=]{20,})/
Category: EDR | Tags: powershell, base64 | Difficulty: Beginner
PAID

Ransomware Pre-Encryption Shadow Copy Deletion and Recovery Sabotage Detection

Detects VSS volume shadow copy deletion commands and boot recovery system disabling, standard behavior of modern ransomware prior to mass file encryption to prevent data recovery without paying the ransom.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(vssadmin\.exe|wmic\.exe|wbadmin\.exe|bcdedit\.exe|diskshadow\.exe)$/
| CommandLine=/(?i)(delete\s+shadows|shadow\s+copy|no\s+recover|bootstatuspolicy|catalog\s+-quiet|resize\s+shadowstorage|Win32_ShadowCopy)/
Category: Malware | Tags: ransomware, vss | Difficulty: Advanced
PAID

PEASS Privilege Escalation Tool Execution Detection

Identifies execution of WinPEAS and LinPEAS, automated privilege escalation audit tools widely used by attackers after initial compromise to map available escalation vectors on Windows and Linux systems.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| (FileName=/(?i)(winpeas|linpeas|peass)/ OR CommandLine=/(?i)(winpeas|linpeas|peass\.bat|peass\.sh|peass\.exe)/)
| groupBy([ComputerName, UserName, FileName, SHA256HashData, CommandLine], function=count(as=execution_count), limit=max)
Category: EDR | Tags: winpeas, linpeas | Difficulty: Intermediate
PAID

Chained WMIC Discovery with Dynamic Risk Scoring - APT Pattern

Detects chained use of wmic.exe to execute multiple system inventory queries (users, groups, services, patches, products) by the same actor on the same host. APT actors use WMIC for silent reconnaissance before lateral movement. The query assigns a dynamic risk level (LOW/MEDIUM/HIGH) and calculates total attack duration.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)wmic\.exe$/
| CommandLine=/(?i)(process\s+call\s+create|os\s+get|computersystem\s+get|qfe|useraccount|group\s+(list|get)|share\s+(list|get)|service\s+list|product\s+get)/
Category: Threat Hunting | Tags: wmic, apt | Difficulty: Advanced
PAID

APT Hands-on-Keyboard Interactive Discovery Burst

Identifies APT operators with interactive access by detecting rapid successive execution of multiple native Windows reconnaissance tools by the same user on the same host within a short time window, a typical pattern of manual post-exploitation phases.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|net\.exe|net1\.exe|ipconfig\.exe|systeminfo\.exe|tasklist\.exe|netstat\.exe|hostname\.exe|nltest\.exe|arp\.exe|nslookup\.exe|ping\.exe|route\.exe|quser\.exe|qwinsta\.exe)$/
// The catalogue preview cut this line off after "function=["; the aggregation is completed here following the LOTL chain query above.
| groupBy([ComputerName, UserName], function=[count(as=tool_count), collect(field=FileName, as=tools_used, limit=20)], limit=max)
Category: Threat Hunting | Tags: apt, hands-on-keyboard | Difficulty: Intermediate
FREE

Basic APT Reconnaissance Tools Detection with Domain Discovery Arguments

Introductory query for analysts learning threat hunting in CrowdStrike LogScale. Detects execution of classic APT reconnaissance tools (whoami, nltest, systeminfo) with specific domain and Active Directory discovery arguments, fundamental technique documented in APT TTP profiles.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|nltest\.exe|systeminfo\.exe)/
| CommandLine=/(?i)(\/all|\/domain|\/dclist|\/trusted_domains|\/domain_trusts)/
Category: EDR | Tags: apt, reconnaissance | Difficulty: Beginner
PAID

APT3 Interactive CMD Shell Reconnaissance Chain Detection

Detects chained execution of native Windows reconnaissance tools through cmd.exe by the same user on the same host, a characteristic pattern of APT3 executing remote discovery commands via Windows Command Shell. Triggers when 3 or more tools are executed in the same user session.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName="cmd.exe"
| FileName=/(?i)(whoami\.exe|net\.exe|nltest\.exe|wmic\.exe|ipconfig\.exe|systeminfo\.exe|tasklist\.exe|netstat\.exe|arp\.exe|nslookup\.exe)/
Category: Threat Hunting | Tags: apt3, cmd-shell | Difficulty: Advanced
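The LOTL chain, WMIC risk-scoring, hands-on-keyboard burst and APT3 CMD-shell entries all rest on the same aggregation: group recon-tool executions by host and user, count distinct tools inside a time window, and escalate when the count crosses a threshold. The Python script below is an added example, not a query from this catalogue, that implements that logic over constructed ProcessRollup2-style events, including the "attack duration" and LOW/MEDIUM/HIGH risk level the WMIC entry describes. The tool list is the one from the LOTL chain query; the 10-minute window, the 3-tool threshold (the figure the APT3 entry gives) and the risk bands are assumptions made for illustration, since the catalogue does not publish its cut-offs.

```python
"""Added example: per-host, per-user recon-tool chaining with a sliding time window,
distinct-tool threshold, duration and risk level, over constructed events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tool list taken from the LOTL chain query on this page.
RECON_TOOLS = re.compile(
    r"(?i)(whoami\.exe|net\.exe|nltest\.exe|arp\.exe|ipconfig\.exe|systeminfo\.exe|"
    r"tasklist\.exe|netstat\.exe|nslookup\.exe|dsquery\.exe|wmic\.exe|reg\.exe|schtasks\.exe)$"
)


def risk_level(distinct_tools):
    """Assumed bands; the catalogue states LOW/MEDIUM/HIGH without publishing its cut-offs."""
    if distinct_tools >= 6:
        return "HIGH"
    if distinct_tools >= 4:
        return "MEDIUM"
    return "LOW"


def find_tool_chains(events, window=timedelta(minutes=10), min_tools=3):
    """Group recon-tool executions by (host, user), slide a time window over each group and
    report the densest window that reaches min_tools distinct tools: one alert per actor."""
    by_actor = defaultdict(list)
    for ev in events:
        if RECON_TOOLS.search(ev["FileName"]):
            by_actor[(ev["ComputerName"], ev["UserName"])].append(ev)

    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # shrink the window from the left
                start += 1
            tools = sorted({e["FileName"].lower() for e in evs[start:end + 1]})
            if len(tools) >= min_tools and (best is None or len(tools) > best["tool_count"]):
                best = {
                    "ComputerName": host, "UserName": user,
                    "tools_used": tools, "tool_count": len(tools),
                    "first_seen": evs[start]["ts"], "last_seen": evs[end]["ts"],
                }
        if best is not None:
            best["duration_s"] = int((best["last_seen"] - best["first_seen"]).total_seconds())
            best["risk"] = risk_level(best["tool_count"])
            alerts.append(best)
    return alerts


def _ev(host, user, ts, name):
    return {"ComputerName": host, "UserName": user, "FileName": name,
            "ts": datetime.fromisoformat(ts)}


# Constructed sample events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    # WS01/alice: five distinct recon tools inside 90 seconds -> alert
    _ev("WS01", "alice", "2025-01-01T09:00:00", "whoami.exe"),
    _ev("WS01", "alice", "2025-01-01T09:00:20", "net.exe"),
    _ev("WS01", "alice", "2025-01-01T09:00:45", "nltest.exe"),
    _ev("WS01", "alice", "2025-01-01T09:01:10", "systeminfo.exe"),
    _ev("WS01", "alice", "2025-01-01T09:01:30", "tasklist.exe"),
    _ev("WS01", "alice", "2025-01-01T09:01:35", "explorer.exe"),   # not a recon tool, ignored
    # WS02/bob: the same tool repeated is still one distinct tool -> no alert
    _ev("WS02", "bob", "2025-01-01T10:00:00", "ipconfig.exe"),
    _ev("WS02", "bob", "2025-01-01T10:02:00", "ipconfig.exe"),
    _ev("WS02", "bob", "2025-01-01T10:04:00", "ipconfig.exe"),
    # WS03/carol: three tools, but spread over 31 minutes -> never 3 inside one 10-minute window
    _ev("WS03", "carol", "2025-01-01T08:00:00", "whoami.exe"),
    _ev("WS03", "carol", "2025-01-01T08:30:00", "net.exe"),
    _ev("WS03", "carol", "2025-01-01T08:31:00", "nltest.exe"),
]

if __name__ == "__main__":
    for a in find_tool_chains(SAMPLE_EVENTS):
        print(a["ComputerName"], a["UserName"], a["risk"], a["tool_count"],
              f"{a['duration_s']}s", a["tools_used"])
```

Two things the script makes visible that a plain count does not: repeated runs of one tool (the WS02 case, a monitoring script is a common source) never reach the threshold because only distinct tools are counted, and a chain that is real but slow (WS03) is invisible at a 10-minute window and appears as soon as the window is widened. In CQL the equivalent is a `groupBy` on `ComputerName` and `UserName` with `count`, `collect` and min/max of `@timestamp`, followed by a filter on the count; the window is set by the search time range or a `bucket` span.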
PAID

Anomalous Child Process from IIS Worker: ViewState Deserialization Exploitation

Detects anomalous child processes spawned from w3wp.exe (IIS worker process), the primary exploitation vector in CVE-2025-53690 and other .NET deserialization vulnerabilities in ASP.NET applications. Shell or tool execution from w3wp.exe is highly suspicious in production environments.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName="w3wp.exe"
| FileName=/(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe)/
Category: Vulnerability | Tags: iis, deserialization | Difficulty: Advanced
PAID

Linux Sudo Misconfiguration Exploitation for Privilege Escalation

Detects exploitation attempts of insecure sudo configurations on Linux hosts, including use of dangerous environment variables (LD_PRELOAD, LD_LIBRARY_PATH) and execution of shells or commands with unexpected root context.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(sudo|pkexec|su)$/
| CommandLine=/(?i)(LD_PRELOAD|LD_LIBRARY_PATH|PYTHONPATH|PERL5LIB|env\s+-E|--preserve-env|NOPASSWD|ALL=\(ALL\))/
Category: EDR | Tags: linux, sudo | Difficulty: Intermediate
PAID

Windows LOLBAS Multi-Stage Privilege Escalation Chain

Detects chained abuse of native Windows binaries (LOLBAS) used to download, decode, or execute payloads in privilege escalation contexts, a common pattern among APT actors avoiding detectable tooling.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(certutil\.exe|mshta\.exe|regsvr32\.exe|odbcconf\.exe|forfiles\.exe|pcalua\.exe|msiexec\.exe|installutil\.exe|ieexec\.exe)$/
| CommandLine=/(?i)(http|ftp|\.exe|\.dll|\.ps1|/i\s|/e\s|javascript:|vbscript:|decode|urlcache|-split|-join|hidden|bypass)/
Category: Threat Hunting | Tags: lolbas, privilege-escalation | Difficulty: Advanced
FREE

Basic Detection of PowerShell Encoded Command Execution

Beginner-level query to detect PowerShell executions with base64 encoding or profile suppression parameters, a fundamental technique used by attackers to obfuscate malicious scripts in Windows environments.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(powershell\.exe|pwsh\.exe)$/
| CommandLine=/(?i)(-enc|-encodedcommand|-ec\s)/
Category: EDR | Tags: powershell, encoded-command | Difficulty: Beginner
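Both PowerShell entries on this page (the Base64 query above and this one) stop at the switch match; the step an analyst takes next is decoding the argument, which PowerShell expects as Base64 over UTF-16LE text. The script below is an added example, not a query from this catalogue: it detects the switch forms the two queries cover (-e, -ec, -enc, -encodedcommand; PowerShell resolves any unambiguous prefix of -EncodedCommand) and decodes the payload for triage, returning None for a blob that is not valid Base64. The command lines and host names are constructed, and the sample script is a harmless Write-Host.

```python
"""Added example: detect PowerShell encoded-command switches and decode the payload for
triage. Sample command lines are constructed; the encoded script is a benign Write-Host."""
import base64
import binascii
import re

# -e, -en, -enc, ... -encodedcommand all select -EncodedCommand through prefix resolution;
# pwsh additionally documents -ec. Other -e switches (-ea, -ep, -ExecutionPolicy) do not match.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{20,})")
POWERSHELL = re.compile(r"(?i)(powershell\.exe|pwsh\.exe)$")


def decode_payload(b64):
    """Base64 -> UTF-16LE text; None when the blob is not a valid encoded command."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage(event):
    """None when the rule would not fire; otherwise the switch used and the decoded script
    (decoded is None for an undecodable blob, which is itself worth a look)."""
    if not POWERSHELL.search(event["FileName"]):
        return None
    m = ENCODED_SWITCH.search(event["CommandLine"])
    if not m:
        return None
    return {"ComputerName": event["ComputerName"],
            "switch": m.group(0).split()[0],
            "decoded": decode_payload(m.group(1))}


def encode_for_sample(script):
    """Builds the constructed sample the way PowerShell expects the argument to be encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_SCRIPT = "Write-Host 'constructed benign sample'"
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "FileName": "powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {encode_for_sample(SAMPLE_SCRIPT)}"},
    {"ComputerName": "WS01", "FileName": "pwsh.exe",
     "CommandLine": f"pwsh.exe -e {encode_for_sample(SAMPLE_SCRIPT)}"},
    {"ComputerName": "WS02", "FileName": "powershell.exe",                       # no encoded switch
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"ComputerName": "WS02", "FileName": "powershell.exe",                       # switch, but bad Base64
     "CommandLine": "powershell.exe -enc " + "A" * 21},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ComputerName"], triage(ev))
```

The regex deliberately requires at least 20 Base64 characters after the switch, as the catalogue's first PowerShell query does, so a bare `-e` followed by a short word is not reported. Decoding in the pipeline rather than by hand also makes it possible to run the plain-text keyword rules (download cradles, `-bypass`, `hidden`) over the decoded script instead of over the opaque blob.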
PAID

Scheduled Task Persistence with Suspicious Script Interpreter Payload

Detects scheduled task creation invoking script interpreters or LOLBAS tools (PowerShell, WScript, CertUtil, MSHTA, Rundll32), a critical persistence technique found in Falcon IR investigations even on apparently clean hosts after initial triage.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)schtasks\.exe/
| CommandLine=/(?i)\/create/
Category: Persistence | Tags: persistence, schtasks | Difficulty: Advanced
PAID

Shell Spawned by Web Interpreter: RCE Post-Exploitation Pattern

Detects RCE post-exploitation patterns on web servers by identifying command shells or discovery tools spawned by web interpreters (PHP, Python, Java, Node.js), an active exploitation vector in CVE-2025-0520 (ShowDoc) and similar remote code execution vulnerabilities.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(php\.exe|php-cgi\.exe|httpd\.exe|python\.exe|python3\.exe|ruby\.exe|node\.exe|java\.exe)/
| FileName=/(?i)(cmd\.exe|powershell\.exe|whoami\.exe|net\.exe|certutil\.exe|curl\.exe|wget\.exe|sh\.exe|bash\.exe)/
Category: Malware | Tags: rce, web-shell | Difficulty: Intermediate
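Five entries on this page (browser renderer, the two IIS worker entries, PHP web shell and this web-interpreter one) are instances of one check: does the parent basename belong to a process that should never spawn a shell, and does the child basename belong to a shell or LOLBin. The script below is an added example, not a query from this catalogue, that implements that check in Python over constructed ProcessRollup2-style events, using the page's own parent and child lists. One deliberate difference: every pattern is anchored with `$`, as the browser and first IIS query do, whereas the web-interpreter query above anchors neither list. Hosts, users and command lines are constructed.

```python
"""Added example: the parent/child basename check shared by the browser-renderer, IIS-worker
and web-interpreter queries, over constructed events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AncestryRule:
    name: str
    parent: re.Pattern
    child: re.Pattern


# Parent and child lists taken from the catalogue queries; case-insensitive, end-anchored.
RULES = [
    AncestryRule(
        "shell-from-browser",
        re.compile(r"(?i)(chrome\.exe|msedge\.exe|firefox\.exe|brave\.exe|chromium\.exe)$"),
        re.compile(r"(?i)(cmd\.exe|powershell\.exe|mshta\.exe|wscript\.exe|cscript\.exe|"
                   r"rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)$"),
    ),
    AncestryRule(
        "shell-from-iis-worker",
        re.compile(r"(?i)(w3wp\.exe|iisexpress\.exe)$"),
        re.compile(r"(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|"
                   r"certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe)$"),
    ),
    AncestryRule(
        "shell-from-web-interpreter",
        re.compile(r"(?i)(php\.exe|php-cgi\.exe|httpd\.exe|python\.exe|python3\.exe|"
                   r"ruby\.exe|node\.exe|java\.exe)$"),
        re.compile(r"(?i)(cmd\.exe|powershell\.exe|whoami\.exe|net\.exe|certutil\.exe|"
                   r"curl\.exe|wget\.exe|sh\.exe|bash\.exe)$"),
    ),
]


def match_ancestry(events, rules=RULES):
    """(rule name, event) for every event whose parent and child basenames satisfy a rule.
    Field names mirror the CrowdStrike ProcessRollup2 schema used by the queries."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.parent.search(ev["ParentBaseFileName"]) and rule.child.search(ev["FileName"]):
                hits.append((rule.name, ev))
    return hits


# Constructed sample events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "UserName": "alice", "ParentBaseFileName": "chrome.exe",
     "FileName": "chrome.exe", "CommandLine": "chrome.exe --type=renderer"},           # normal
    {"ComputerName": "WS01", "UserName": "alice", "ParentBaseFileName": "chrome.exe",
     "FileName": "powershell.exe", "CommandLine": "powershell.exe -NoP -W Hidden"},     # hit
    {"ComputerName": "WEB01", "UserName": "IIS APPPOOL\\Default",
     "ParentBaseFileName": "w3wp.exe", "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},  # hit
    {"ComputerName": "WEB01", "UserName": "IIS APPPOOL\\Default",
     "ParentBaseFileName": "w3wp.exe", "FileName": "csc.exe", "CommandLine": "csc.exe /noconfig"},  # ASP.NET compile, not listed
    {"ComputerName": "WEB02", "UserName": "www-data", "ParentBaseFileName": "php-cgi.exe",
     "FileName": "whoami.exe", "CommandLine": "whoami.exe"},                            # hit
    {"ComputerName": "WEB02", "UserName": "www-data", "ParentBaseFileName": "node.exe",
     "FileName": "node.exe", "CommandLine": "node.exe worker.js"},                      # normal
]


def hits_by_host(events, rules=RULES):
    """Collapse matches to host -> sorted rule names, the shape a triage queue wants."""
    out = {}
    for name, ev in match_ancestry(events, rules):
        out.setdefault(ev["ComputerName"], set()).add(name)
    return {host: sorted(names) for host, names in out.items()}


if __name__ == "__main__":
    for name, ev in match_ancestry(SAMPLE_EVENTS):
        print(name, ev["ComputerName"], ev["ParentBaseFileName"], "->", ev["CommandLine"])
```

Because only the end of the basename is anchored, a parent named like `updater-chrome.exe` would also satisfy the browser rule; when the field is known to hold a bare basename, anchoring both ends (`^...$`) is tighter. The csc.exe event shows why the child list is an allow-list of interpreters rather than "anything": IIS workers legitimately spawn the C# compiler for ASP.NET page compilation, and a catch-all child rule would page on every deployment.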
FREE

Basic Windows Token Privilege Enumeration via whoami

Introductory query to detect whoami.exe usage with privilege and group enumeration parameters, the typical first step of an attacker after gaining initial access to understand the privilege level available on the compromised host.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)whoami\.exe$/
| CommandLine=/(?i)(\/priv|\/groups|\/all|\/logonid|\/fo csv)/
Category: EDR | Tags: whoami, token-enumeration | Difficulty: Beginner