LogScale · CQL

CQL Knowledge Base

Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

151 queries · 8 categories
Powered by Sofistic · created by darkreitor
20 queries
NEW · PAID

Windows Living off the Land Multi-Tool Chain Detection

Detects chaining of multiple native Windows tools by the same user on the same host within a time window, a characteristic pattern of APT actors in the reconnaissance phase using LOTL techniques to evade security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|net\.exe|nltest\.exe|arp\.exe|ipconfig\.exe|systeminfo\.exe|tasklist\.exe|netstat\.exe|nslookup\.exe|dsquery\.exe|wmic\.exe|reg\.exe|schtasks\.exe)$/
| groupBy([ComputerName, UserName], function=[count(as=tool_count), collect(field=FileName, as=tools_used, limit=20)], limit=max)
Threat Hunting · lotl · living-off-the-land
Advanced
NEW · FREE

Data Exfiltration via Native FTP or LOLBin Tools

Detects use of native Windows tools such as ftp.exe, bitsadmin.exe, and certutil.exe with parameters associated with file transfer and data encoding to external destinations. These LOLBin techniques are commonly used by threat actors to exfiltrate compromised data while evading perimeter security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(ftp\.exe|bitsadmin\.exe|certutil\.exe)$/
| CommandLine=/(?i)(open\s+\d{1,3}|put\s+|urlcache|base64|-encode|-transfer|\/transfer)/
EDR · exfiltration · lolbin
Beginner
NEW · FREE

Shell Spawned from PHP Process - WordPress WebShell Detection

Detects shell or command interpreter processes spawned as children of PHP or web server processes, a basic indicator of webshell presence in WordPress or other PHP applications. Relevant given 6,700+ CVEs recorded in WordPress plugins and themes during H1 2025.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(php\.exe|php-cgi\.exe|php-fpm|httpd\.exe|apache2|nginx)$/
| FileName=/(?i)(cmd\.exe|powershell\.exe|sh|bash|python\.exe|python3|net\.exe|whoami\.exe)$/
Malware · webshell · php
Beginner
NEW · FREE

Basic PowerShell Base64 Encoded Command Detection

Beginner-level query to detect the use of Base64 encoding parameters in PowerShell (-EncodedCommand, -enc), a technique widely used by attackers to obfuscate malicious scripts and evade plain-text detection. An ideal starting point for EDR threat hunting.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell\.exe$/
| CommandLine=/(?i)(-enc\s|-encodedcommand\s|-e\s+[A-Za-z0-9+\/=]{20,})/
EDR · powershell · base64
Beginner
NEW · PAID

Ransomware Pre-Encryption Shadow Copy Deletion and Recovery Sabotage Detection

Detects VSS volume shadow copy deletion commands and the disabling of boot recovery, a standard behavior of modern ransomware prior to mass file encryption to prevent data recovery without paying the ransom.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(vssadmin\.exe|wmic\.exe|wbadmin\.exe|bcdedit\.exe|diskshadow\.exe)$/
| CommandLine=/(?i)(delete\s+shadows|shadow\s+copy|no\s+recover|bootstatuspolicy|catalog\s+-quiet|resize\s+shadowstorage|Win32_ShadowCopy)/
Malware · ransomware · vss
Advanced
NEW · PAID

PEASS Privilege Escalation Tool Execution Detection

Identifies execution of WinPEAS and LinPEAS, automated privilege escalation audit tools widely used by attackers after initial compromise to map available escalation vectors on Windows and Linux systems.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| (FileName=/(?i)(winpeas|linpeas|peass)/ OR CommandLine=/(?i)(winpeas|linpeas|peass\.bat|peass\.sh|peass\.exe)/)
| groupBy([ComputerName, UserName, FileName, SHA256HashData, CommandLine], function=count(as=execution_count), limit=max)
EDR · winpeas · linpeas
Intermediate
NEW · PAID

Chained WMIC Discovery with Dynamic Risk Scoring - APT Pattern

Detects chained use of wmic.exe to execute multiple system inventory queries (users, groups, services, patches, products) by the same actor on the same host. APT actors use WMIC for silent reconnaissance before lateral movement. The query assigns a dynamic risk level (LOW/MEDIUM/HIGH) and calculates total attack duration.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)wmic\.exe$/
| CommandLine=/(?i)(process\s+call\s+create|os\s+get|computersystem\s+get|qfe|useraccount|group\s+(list|get)|share\s+(list|get)|service\s+list|product\s+get)/
Threat Hunting · wmic · apt
Advanced
NEW · PAID

APT Hands-on-Keyboard Interactive Discovery Burst

Identifies APT operators with interactive access by detecting rapid successive execution of multiple native Windows reconnaissance tools by the same user on the same host within a short time window, a typical pattern of manual post-exploitation phases.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|net\.exe|net1\.exe|ipconfig\.exe|systeminfo\.exe|tasklist\.exe|netstat\.exe|hostname\.exe|nltest\.exe|arp\.exe|nslookup\.exe|ping\.exe|route\.exe|quser\.exe|qwinsta\.exe)$/
| groupBy([ComputerName, UserName], function=[count(as=tool_count), collect(field=FileName, as=tools_used, limit=20)], limit=max) // aggregation functions assumed; the listing was truncated after "function=["
Threat Hunting · apt · hands-on-keyboard
Intermediate
NEW · FREE

Basic APT Reconnaissance Tools Detection with Domain Discovery Arguments

Introductory query for analysts learning threat hunting in CrowdStrike LogScale. Detects execution of classic APT reconnaissance tools (whoami, nltest, systeminfo) with specific domain and Active Directory discovery arguments, a fundamental technique documented in APT TTP profiles.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|nltest\.exe|systeminfo\.exe)/
| CommandLine=/(?i)(\/all|\/domain|\/dclist|\/trusted_domains|\/domain_trusts)/
EDR · apt · reconnaissance
Beginner
NEW · PAID

APT3 Interactive CMD Shell Reconnaissance Chain Detection

Detects chained execution of native Windows reconnaissance tools through cmd.exe by the same user on the same host, a characteristic pattern of APT3 executing remote discovery commands via the Windows Command Shell. Triggers when 3 or more tools are executed in the same user session.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName="cmd.exe"
| FileName=/(?i)(whoami\.exe|net\.exe|nltest\.exe|wmic\.exe|ipconfig\.exe|systeminfo\.exe|tasklist\.exe|netstat\.exe|arp\.exe|nslookup\.exe)/
Threat Hunting · apt3 · cmd-shell
Advanced
NEW · PAID

Anomalous Child Process from IIS Worker: ViewState Deserialization Exploitation

Detects anomalous child processes spawned from w3wp.exe (the IIS worker process), the primary exploitation vector in CVE-2025-53690 and other .NET deserialization vulnerabilities in ASP.NET applications. Shell or tool execution from w3wp.exe is highly suspicious in production environments.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName="w3wp.exe"
| FileName=/(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe)/
Vulnerability · iis · deserialization
Advanced
NEW · PAID

Linux Sudo Misconfiguration Exploitation for Privilege Escalation

Detects exploitation attempts of insecure sudo configurations on Linux hosts, including use of dangerous environment variables (LD_PRELOAD, LD_LIBRARY_PATH) and execution of shells or commands in an unexpected root context.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(sudo|pkexec|su)$/
| CommandLine=/(?i)(LD_PRELOAD|LD_LIBRARY_PATH|PYTHONPATH|PERL5LIB|env\s+-E|--preserve-env|NOPASSWD|ALL=\(ALL\))/
EDR · linux · sudo
Intermediate
NEW · PAID

Windows LOLBAS Multi-Stage Privilege Escalation Chain

Detects chained abuse of native Windows binaries (LOLBAS) used to download, decode, or execute payloads in privilege escalation contexts, a common pattern among APT actors avoiding detectable tooling.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(certutil\.exe|mshta\.exe|regsvr32\.exe|odbcconf\.exe|forfiles\.exe|pcalua\.exe|msiexec\.exe|installutil\.exe|ieexec\.exe)$/
| CommandLine=/(?i)(http|ftp|\.exe|\.dll|\.ps1|\/i\s|\/e\s|javascript:|vbscript:|decode|urlcache|-split|-join|hidden|bypass)/
Threat Hunting · lolbas · privilege-escalation
Advanced
NEW · FREE

Basic Detection of PowerShell Encoded Command Execution

Beginner-level query to detect PowerShell executions with base64 encoding or profile suppression parameters, a fundamental technique used by attackers to obfuscate malicious scripts in Windows environments.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(powershell\.exe|pwsh\.exe)$/
| CommandLine=/(?i)(-enc|-encodedcommand|-ec\s)/
EDR · powershell · encoded-command
Beginner
NEW · PAID

Scheduled Task Persistence with Suspicious Script Interpreter Payload

Detects scheduled task creation invoking script interpreters or LOLBAS tools (PowerShell, WScript, CertUtil, MSHTA, Rundll32), a critical persistence technique found in Falcon IR investigations even on apparently clean hosts after initial triage.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)schtasks\.exe/
| CommandLine=/(?i)\/create/
Persistence · persistence · schtasks
Advanced
NEW · PAID

Shell Spawned by Web Interpreter: RCE Post-Exploitation Pattern

Detects RCE post-exploitation patterns on web servers by identifying command shells or discovery tools spawned by web interpreters (PHP, Python, Java, Node.js), an active exploitation vector in CVE-2025-0520 (ShowDoc) and similar remote code execution vulnerabilities.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(php\.exe|php-cgi\.exe|httpd\.exe|python\.exe|python3\.exe|ruby\.exe|node\.exe|java\.exe)/
| FileName=/(?i)(cmd\.exe|powershell\.exe|whoami\.exe|net\.exe|certutil\.exe|curl\.exe|wget\.exe|sh\.exe|bash\.exe)/
Malware · rce · web-shell
Intermediate
NEW · FREE

Basic Windows Token Privilege Enumeration via whoami

Introductory query to detect whoami.exe usage with privilege and group enumeration parameters, the typical first step of an attacker after gaining initial access to understand the privilege level available on the compromised host.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)whoami\.exe$/
| CommandLine=/(?i)(\/priv|\/groups|\/all|\/logonid|\/fo csv)/
EDR · whoami · token-enumeration
Beginner
NEW · PAID

APT WMIC Enumeration: Multiple System Discovery Queries in Same Session

Detects WMIC usage for multiple system enumeration queries within the same user session, a documented technique in APT campaigns for asset inventory prior to lateral movement. Differentiates legitimate admins from adversarial operators by query volume and type.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName="wmic.exe"
| CommandLine=/(?i)(process\s+list|os\s+get|computersystem\s+get|nic.*get|share\s+get|startup\s+get|service\s+get|logicaldisk\s+get|useraccount\s+get)/
Threat Hunting · wmic · apt
Intermediate
NEW · PAID

APT Lateral Movement via WMIC with Explicit Remote Node Targeting

Identifies wmic.exe usage with the /node: parameter targeting remote hosts other than localhost, a documented APT3 technique for remote command execution and system information gathering in compromised networks.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)wmic\.exe$/
| CommandLine=/(?i)\/node:/
Threat Hunting · wmic · lateral-movement
Advanced
NEW · PAID

Malicious Child Process from Office Application — APT3 Spear-Phishing Pattern

Detects the execution of command interpreters and download tools as child processes of Office and Acrobat applications, an initial access pattern documented in the APT3 profile via spear-phishing with malicious documents that execute macros or embedded exploits to deploy second-stage payloads.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrord32\.exe|mspub\.exe|onenote\.exe)/
| FileName=/(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe)/
Malware · apt3 · spear-phishing
Intermediate