LogScale · CQL

CQL Knowledge Base

Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

151 queries · 8 categories
Powered by Sofistic · created by darkreitor
20 queries shown
NEW
FREE

Browser Spawns Scripting Interpreter — Fake Update Delivery Indicator

Detects when a web browser directly spawns a scripting interpreter such as PowerShell, cmd.exe, or wscript.exe. This execution chain does not occur during normal user activity and is the primary delivery mechanism used by SocGholish and FakeUpdates campaigns distributing ransomware and banking trojans through compromised websites presenting fake browser update prompts.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe)/
| FileName=/(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)/
Category: EDR · Tags: fake-update, browser-spawn · Difficulty: Beginner
NEW
FREE

CMD.exe Inline APT Reconnaissance — Basic Detection

Detects cmd.exe executing common APT reconnaissance commands inline via the /C flag, including whoami, hostname, net user, net group, systeminfo, ipconfig /all, and nltest. A beginner-friendly detection rule aligned with APT3 T1059.003 tradecraft and suitable as a baseline for new analysts building their first Falcon detection queries.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)cmd\.exe/
| CommandLine=/(?i)\/[cC]\s+(whoami|hostname|net\s+(user|group|localgroup)|systeminfo|ipconfig\s*\/all|nltest|quser)/
Category: EDR · Tags: apt, cmd-exe · Difficulty: Beginner
NEW
PAID

F5 BIG-IP APM Exploitation - Web Service Process Spawning Interactive Shell

Detects suspicious child process spawning from F5 BIG-IP web service and management plane processes, indicative of active exploitation of CVE-2025-53521 (added to the CISA KEV catalog), where an APM authentication bypass enables remote code execution through web shell deployment or command injection against the BIG-IP management interface.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(httpd|nginx|tmm|mcpd|restjavad|node)/
| FileName=/(?i)(bash|sh|python3?|perl|curl|wget|nc|ncat|socat|whoami|id|uname|ifconfig)/
Category: Vulnerability · Tags: f5-bigip, cve-2025-53521 · Difficulty: Intermediate
NEW
PAID

Fake Browser Update — Scripting Interpreter Spawned by Browser Process

Detects when Chrome, Firefox, or Edge spawns a scripting interpreter or proxy execution binary, the primary delivery mechanism in SocGholish and FakeUpdates campaigns. These campaigns distribute ransomware and banking malware families including IcedID, Dridex, and Cobalt Strike beacons via compromised or malicious websites serving fake update pages.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|firefox\.exe|msedge\.exe|brave\.exe|opera\.exe)/
| FileName=/(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)/
Category: Malware · Tags: fake-browser-update, socgholish · Difficulty: Intermediate
NEW
PAID

IIS w3wp.exe Spawning LOLBins - ViewState Deserialization RCE Detection

Detects the IIS Application Pool Worker Process (w3wp.exe) spawning Living-off-the-Land binaries and scripting engines, the primary execution chain following a successful ViewState deserialization attack such as CVE-2025-53690 in Sitecore, where exposed ASP.NET machineKey values enable .NET object injection leading to unauthenticated remote code execution on internet-facing web applications.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(w3wp\.exe)/
| FileName=/(?i)(cmd\.exe|powershell\.exe|certutil\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe|msiexec\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)/
Category: Vulnerability · Tags: iis, viewstate · Difficulty: Intermediate
NEW
PAID

Play Ransomware ESXi Variant - Virtual Machine Shutdown Detection

Detects execution of ESXi-specific management binaries used by the Play ransomware ESXi variant to enumerate and forcibly power off virtual machines before encrypting VMDK files, behavior documented in the CISA StopRansomware advisory on Play ransomware targeting VMware ESXi infrastructure.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(esxcli|vim-cmd|esxcfg-scsidevs|vmkfstools)/
| CommandLine=/(?i)(vm\s+process\s+kill|vmsvc\/power\.off|vmsvc\/getallvms|storage\s+filesystem\s+list|vmfs\s+volume\s+list)/
Category: Malware · Tags: play-ransomware, esxi · Difficulty: Advanced
NEW
PAID

Multi-Stage Ransomware Kill Chain Correlation - Pre-Encryption Activity Clustering

Correlates multiple distinct ransomware preparation behaviors executed by the same user on the same host within the search window, identifying the combination of VSS deletion, boot recovery disablement, and backup service termination that consistently precedes encryption in ALPHV, Play, LockBit, and Akira ransomware deployments observed in CrowdStrike IR investigations.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(vssadmin\.exe|bcdedit\.exe|wbadmin\.exe|wmic\.exe|sc\.exe|net\.exe|taskkill\.exe)/
| CommandLine=/(?i)(delete\s+shadows|recoveryenabled\s+no|shadowcopy.*delete|backup\s+delete|bootstatuspolicy\s+ignoreallfailures|stop\s+(vss|swprv|backup|SQLWriter|MSSQLServer|ReportServer)|\/im\s+(sql|backup|veeam|synology))/
// Correlation step: same user on the same host running two or more distinct preparation tools within the search window
| groupBy([ComputerName, UserName], function=[count(FileName, distinct=true, as=distinct_tools), collect([CommandLine])])
| distinct_tools >= 2
Category: Threat Hunting · Tags: ransomware, threat-hunting · Difficulty: Advanced
NEW
PAID

Ransomware Pre-Encryption Stage — Shadow Copy and Recovery Inhibition

Detects execution of commands targeting Volume Shadow Copies and Windows recovery mechanisms, a universal pre-encryption step across virtually all ransomware families. Covers vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog, and cipher wipe. Early detection of this stage enables response before file encryption begins.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| CommandLine=/(?i)(vssadmin.{0,60}delete|wmic.{0,60}shadowcopy.{0,30}delete|bcdedit.{0,60}(recoveryenabled.{0,10}no|bootstatuspolicy.{0,20}ignoreallfailures)|wbadmin.{0,60}delete.{0,30}catalog|cipher\s+\/w)/
| groupBy([ComputerName, UserName, FileName, CommandLine], function=[count(as=hit_count)])
Category: Malware · Tags: ransomware, shadow-copy · Difficulty: Intermediate
NEW
FREE

VSS Shadow Copy Deletion - Basic Ransomware Pre-Encryption Indicator

Detects deletion of Windows Volume Shadow Copies via vssadmin.exe or wmic.exe, the most universally performed ransomware preparation step, executed by virtually all modern ransomware families including WannaCry, ALPHV, Play, LockBit, and Akira to eliminate local snapshot recovery options before encrypting files. An essential beginner detection for any Windows endpoint monitoring program.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(vssadmin\.exe|wmic\.exe)/
| CommandLine=/(?i)(delete\s+shadows|shadowcopy.*delete)/
Category: EDR · Tags: shadow-copy, vssadmin · Difficulty: Beginner
PAID

WMIC Abuse for APT Reconnaissance and Remote Execution

Detects anomalous wmic.exe usage with high-risk arguments typical of nation-state APT actors: remote process execution via /node:, Shadow Copy deletion, and system/network enumeration. Based on TTPs documented by Intel 471 for APT groups abusing WMI for stealthy operations that evade traditional security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)wmic\.exe/
| CommandLine=/(?i)(process\s+call\s+create|\/node\s*:|shadowcopy\s+delete|os\s+get|nicconfig\s+get|computersystem\s+get|startup\s+list|product\s+get)/
Category: Threat Hunting · Tags: wmic, wmi-abuse · Difficulty: Advanced
PAID

APT3 Reconnaissance Chain via cmd.exe

Detects reconnaissance command execution via cmd.exe with arguments typical of APT3 operators, excluding legitimate OS parent processes. Inspired by the APT3 TTP profile that abuses Windows Command Shell to run whoami, net, ipconfig, and systeminfo on compromised systems.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)cmd\.exe/
| CommandLine=/(?i)\/[cC]\s+(whoami|net\s+(user|group|localgroup)|hostname|ipconfig|systeminfo|tasklist|netstat)/
Category: Threat Hunting · Tags: apt3, cmd-shell · Difficulty: Advanced
FREE

Basic Detection: cmd.exe Executing whoami (APT3 TTP)

Beginner-level query to detect cmd.exe executions invoking whoami — the first technique documented in the public APT3 profile per T1059.003 and T1033. Ideal for SOC analysts new to threat hunting with CQL who want to get familiar with basic Falcon LogScale syntax using FDR process events.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)cmd\.exe/
| CommandLine=/(?i)\/c\s+whoami/
Category: EDR · Tags: cmd, whoami · Difficulty: Beginner
PAID

Code Execution from Archive Tool (WinRAR/7-Zip Style CVE-2023-38831)

Detects command interpreter and script execution as direct child processes of archive applications. The technique mirrors CVE-2023-38831, where user interaction with a malicious file triggers code execution through WinRAR, 7-Zip, or other archive utilities common in corporate environments.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(winrar\.exe|7zfm\.exe|winzip32\.exe|peazip\.exe|bandizip\.exe)/
| FileName=/(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)/
Category: Malware · Tags: winrar, archive-exploitation · Difficulty: Intermediate
FREE

Archive Tool Shell Spawn - Code Execution via Compressed File

Detects when archive tools (WinRAR, 7-Zip, PeaZip, Bandizip, native Windows extractor) spawn command interpreters or loaders as a direct child process. High-fidelity pattern for detecting active 2025 archive exploitation vulnerabilities that execute hidden payloads when manipulated compressed files are opened.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)^(winrar\.exe|7z\.exe|7zfm\.exe|peazip\.exe|bandizip\.exe|zipfldr\.dll)$/
| FileName=/(?i)^(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$/
Category: Malware · Tags: winrar, archive · Difficulty: Beginner
PAID

LOLBAS Process Spawned from Web Browser (Keitaro Malvertising)

Detects popular web browsers spawning child processes that are known LOLBAS binaries, a pattern consistent with Keitaro malvertising campaigns that infect users through malicious ads and phishing pages to deliver multi-stage malware. Covers Chrome, Edge, Firefox, Opera, Brave, and Vivaldi with exclusions for internal browser processes.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe)/
| FileName=/(?i)(powershell\.exe|cmd\.exe|wscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|csc\.exe|installutil\.exe)/
Category: Malware · Tags: malvertising, lolbas · Difficulty: Advanced
FREE

CMD Discovery Recon - APT3 Basic Enumeration Detection

Detects native Windows enumeration tools invoked from cmd.exe, following the basic reconnaissance pattern documented in the APT3 TTP profile. Covers use of whoami, net, ipconfig, systeminfo, and other LOLBin utilities to map the environment after initial intrusion.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^(whoami|hostname|ipconfig|systeminfo|net|arp|netstat|tasklist|quser)\.exe$/
| ParentBaseFileName=/(?i)^cmd\.exe$/
Category: Threat Hunting · Tags: discovery, cmd · Difficulty: Beginner
PAID

Compromised Identity Multi-Host Lateral Movement via Admin Protocols

Detects potentially compromised identities performing lateral movement by identifying users with connections to multiple distinct hosts via remote administration protocols (SMB, RDP, WinRM, SSH). Inspired by CrowdStrike IR use of Falcon Identity Threat Protection to identify active hands-on-keyboard adversaries abusing valid credentials.

#repo="base_sensor" #event_simpleName=NetworkConnectIP4
// Destination ports of the remote administration protocols: SMB, RDP, WinRM (HTTP/HTTPS), SSH
| RemotePort=/^(445|3389|5985|5986|22)$/
| NOT RemoteAddressIP4=/^(127\.|169\.254\.)/
// Count the distinct hosts each source endpoint reached; pivot to ProcessRollup2 via ContextProcessId to attribute the user
| groupBy([aid, ComputerName], function=[count(RemoteAddressIP4, distinct=true, as=distinct_hosts)])
| distinct_hosts > 1
Category: Identity · Tags: lateral-movement, identity · Difficulty: Advanced
PAID

PowerShell LOTL with Base64-Encoded Payload (-EncodedCommand)

Detects PowerShell executions using the -EncodedCommand parameter to conceal the actual payload, a primary LOTL technique documented by CISA where adversaries abuse native PowerShell to evade signature-based detection. Critical for detecting post-initial infection stages in ransomware and APT campaigns that prefer LOTL over custom binaries.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell(\.exe)?/
| CommandLine=/(?i)-[eE][nN][cC]\w*\s+[A-Za-z0-9+\/=]{50,}/
Category: EDR · Tags: powershell, encoded-command · Difficulty: Intermediate
PAID

Linux Sudo Privilege Escalation Pattern - CVE-2025-32463

Detects suspicious sudo binary invocations originating from command interpreters or network tools with privilege escalation flags. Covers the CVE-2025-32463 (CVSS 7.8) pattern that allows unauthorized escalation to root on Linux by manipulating the sudo command from illegitimate parent processes.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=sudo
| CommandLine=/(?i)(-s\b|-i\b|--stdin|--shell|LD_PRELOAD=|SUDO_ASKPASS=|\/bin\/(ba)?sh)/
Category: EDR · Tags: privilege-escalation, sudo · Difficulty: Advanced
PAID

WinRAR/7-Zip Archive Exploitation - Child Executable Detection

Detects execution of binaries or scripts spawned by archive tools (WinRAR, 7-Zip, unrar) outside legitimate system paths. Covers the pattern of active 2025 archive vulnerabilities similar to CVE-2023-38831 that allow code execution when a user interacts with a socially engineered, manipulated compressed file.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)^(winrar\.exe|rar\.exe|unrar\.exe|7z\.exe|7zg\.exe|7zfm\.exe)$/
| ImageFileName=/(?i)\.(exe|dll|bat|cmd|ps1|vbs|js|wsf|hta|scr|com|pif|cpl)$/
Category: Malware · Tags: winrar, archive · Difficulty: Intermediate