CQL Knowledge Base
Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.
ALPHV BlackCat Ransomware - Windows Defender Disablement via PowerShell and Registry
Detects PowerShell and service control commands used by ALPHV BlackCat ransomware operators to disable Windows Defender and related AV services before deploying the ransomware payload, consistent with the pre-encryption TTPs documented in the DOJ BlackCat disruption case, in which two operators pleaded guilty to targeting multiple U.S. victims.
APT Network Discovery Sequence — 5 or More Tools Within 30-Minute Window
Identifies hosts running 5 or more distinct network reconnaissance binaries (ping, nslookup, nltest, arp, route, netstat, ipconfig, tracert) within a 30-minute window. This multi-tool burst pattern is a high-fidelity indicator of hands-on-keyboard APT operators performing internal network mapping after initial compromise, consistent with APT TTPs analyzed in Azeria Labs and CrowdStrike threat intelligence reporting.
APT3 Multi-Stage Windows Command Shell Reconnaissance Chain
Detects hosts where cmd.exe or PowerShell execute 3 or more inline reconnaissance commands (whoami, hostname, net, systeminfo, nltest) within a session. A high-fidelity hands-on-keyboard indicator attributed to APT3 and similar threat actors documented in CrowdStrike Falcon IR investigations.
Browser Spawns Scripting Interpreter — Fake Update Delivery Indicator
Detects when a web browser directly spawns a scripting interpreter such as PowerShell, cmd.exe, or wscript.exe. This execution chain does not occur during normal user activity and is the primary delivery mechanism used by SocGholish and FakeUpdates campaigns distributing ransomware and banking trojans through compromised websites presenting fake browser update prompts.
CMD.exe Inline APT Reconnaissance — Basic Detection
Detects cmd.exe executing common APT reconnaissance commands inline via the /C flag, including whoami, hostname, net user, net group, systeminfo, ipconfig /all, and nltest. A beginner-friendly detection rule aligned with APT3 T1059.003 tradecraft and suitable as a baseline for new analysts building their first Falcon detection queries.
F5 BIG-IP APM Exploitation - Web Service Process Spawning Interactive Shell
Detects suspicious child process spawning from F5 BIG-IP web service and management plane processes, indicative of active exploitation of CVE-2025-53521 (added to the CISA KEV catalog), where an APM authentication bypass enables remote code execution through web shell deployment or command injection against the BIG-IP management interface.
Fake Browser Update — Scripting Interpreter Spawned by Browser Process
Detects when Chrome, Firefox, or Edge spawns a scripting interpreter or proxy execution binary, the primary delivery mechanism in SocGholish and FakeUpdates campaigns. These campaigns distribute ransomware and banking malware families including IcedID, Dridex, and Cobalt Strike beacons via compromised or malicious websites serving fake update pages.
IIS w3wp.exe Spawning LOLBins - ViewState Deserialization RCE Detection
Detects the IIS Application Pool Worker Process (w3wp.exe) spawning Living-off-the-Land binaries and scripting engines, the primary execution chain for successful ViewState deserialization attacks such as CVE-2025-53690 in Sitecore, where exposed ASP.NET machineKey values enable .NET object injection leading to unauthenticated remote code execution on internet-facing web applications.
Play Ransomware ESXi Variant - Virtual Machine Shutdown Detection
Detects execution of ESXi-specific management binaries used by the Play ransomware ESXi variant to enumerate and forcibly power off virtual machines before encrypting VMDK files, behavior documented in the CISA StopRansomware advisory on Play ransomware targeting VMware ESXi infrastructure.
Multi-Stage Ransomware Kill Chain Correlation - Pre-Encryption Activity Clustering
Correlates multiple distinct ransomware preparation behaviors executed by the same user on the same host within a detection window, identifying the combination of VSS deletion, boot recovery disablement, and backup service termination that consistently precedes encryption in ALPHV, Play, LockBit, and Akira ransomware deployments observed in CrowdStrike IR investigations.
Ransomware Pre-Encryption Stage — Shadow Copy and Recovery Inhibition
Detects execution of commands targeting Volume Shadow Copies and Windows recovery mechanisms, a universal pre-encryption step across virtually all ransomware families. Covers vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog, and cipher wipe. Early detection of this stage enables response before file encryption begins.
VSS Shadow Copy Deletion - Basic Ransomware Pre-Encryption Indicator
Detects deletion of Windows Volume Shadow Copies via vssadmin.exe or wmic.exe, the most universally performed ransomware preparation step, executed by virtually all modern ransomware families including WannaCry, ALPHV, Play, LockBit, and Akira to eliminate local snapshot recovery options before encrypting files — an essential beginner detection for any Windows endpoint monitoring program.
WMIC Abuse for APT Reconnaissance and Remote Execution
Detects anomalous wmic.exe usage with high-risk arguments typical of nation-state APT actors: remote process execution via /node:, Shadow Copy deletion, and system/network enumeration. Based on TTPs documented by Intel 471 for APT groups abusing WMI for stealthy operations that evade traditional security controls.
APT3 Reconnaissance Chain via cmd.exe
Detects reconnaissance command execution via cmd.exe with arguments typical of APT3 operators, excluding legitimate OS parent processes. Inspired by the APT3 TTP profile that abuses Windows Command Shell to run whoami, net, ipconfig, and systeminfo on compromised systems.
Basic Detection: cmd.exe Executing whoami (APT3 TTP)
Beginner-level query to detect cmd.exe executions invoking whoami — the first technique documented in the public APT3 profile per T1059.003 and T1033. Ideal for SOC analysts new to threat hunting with CQL who want to get familiar with basic Falcon LogScale syntax using FDR process events.
Code Execution from Archive Tool (WinRAR/7-Zip Style CVE-2023-38831)
Detects command interpreter and script execution as direct child processes of archive applications. Technique similar to CVE-2023-38831 where user interaction with a malicious file triggers code execution through WinRAR, 7-Zip, or other archive utilities common in corporate environments.
Archive Tool Shell Spawn - Code Execution via Compressed File
Detects when archive tools (WinRAR, 7-Zip, PeaZip, Bandizip, native Windows extractor) spawn command interpreters or loaders as a direct child process. A high-fidelity pattern for detecting archive exploitation vulnerabilities active in 2025 that execute hidden payloads when manipulated compressed files are opened.
LOLBAS Process Spawned from Web Browser (Keitaro Malvertising)
Detects popular web browsers spawning child processes that are known LOLBAS binaries, a pattern consistent with Keitaro malvertising campaigns that infect users through malicious ads and phishing pages to deliver multi-stage malware. Covers Chrome, Edge, Firefox, Opera, Brave, and Vivaldi with exclusions for internal browser processes.
CMD Discovery Recon - APT3 Basic Enumeration Detection
Detects native Windows enumeration tools invoked from cmd.exe, following the basic reconnaissance pattern documented in the APT3 TTP profile. Covers use of whoami, net, ipconfig, systeminfo, and other LOLBin utilities to map the environment after initial intrusion.
Compromised Identity Multi-Host Lateral Movement via Admin Protocols
Detects potentially compromised identities performing lateral movement by identifying users with connections to multiple distinct hosts via remote administration protocols (SMB, RDP, WinRM, SSH). Inspired by CrowdStrike IR use of Falcon Identity Threat Protection to identify active hands-on-keyboard adversaries abusing valid credentials.