LogScale · CQL

CQL Knowledge Base

Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

151 queries · 8 categories
Powered by Sofistic · created by darkreitor
20 queries
PAID

WMIC Discovery Chain - APT3 TTP Reconnaissance Detection

Detects wmic.exe usage for reconnaissance queries following documented APT3 TTPs: enumeration of processes, accounts, services, installed products, network shares, and patches. Characteristic pattern of hands-on-keyboard operators identified in CrowdStrike IR investigations.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^wmic\.exe$/
| CommandLine=/(?i)(process\s+(get|list|call\s+create)|computersystem\s+get|os\s+get|useraccount\s+get|service\s+(get|list)|startup\s+list|product\s+get|share\s+get|netuse\s+list|qfe\s+get)/
Category: Threat Hunting · Tags: apt3, wmic
Intermediate
FREE

Basic Reconnaissance with Native Windows Tools

Detects execution of common Windows reconnaissance commands such as whoami, ipconfig, net user, and systeminfo, frequently used in the initial phase of a Living Off the Land (LOTL) attack.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Win
| FileName=/(?i)(whoami\.exe|ipconfig\.exe|systeminfo\.exe|net\.exe|hostname\.exe)/
Category: EDR · Tags: lotl, reconnaissance
Beginner
FREE

Windows Executables Making Suspicious Outbound Connections

Basic query to detect Windows executables located in temporary or download directories establishing outbound network connections, useful for identifying newly downloaded malware contacting command and control servers.

#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| ImageFileName=/(?i)(\\temp\\|\\tmp\\|\\downloads\\|\\appdata\\local\\temp\\).*\.exe$/
| select([timestamp, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort])
Category: EDR · Tags: network-connections, c2
Beginner
PAID

Compromised Identity with Rapid Lateral Movement

Detects suspicious authentication patterns where an account authenticates remotely to multiple hosts in a short time window, indicative of a compromised identity used for lateral movement as observed in CrowdStrike hands-on-keyboard IR scenarios.

// LogonType=10 is RemoteInteractive (RDP); the "short time window" is the search time range, so keep it narrow
#repo="base_sensor" #event_simpleName=UserLogon LogonType=10
// LogScale has no dc() function; distinct counting is count(field, distinct=true)
| groupBy([UserName], function=[count(as=logon_count), count(ComputerName, distinct=true, as=unique_hosts)])
| unique_hosts >= 5
Category: Identity · Tags: identity, lateral-movement
Intermediate
PAID

Lateral Movement Post-Firewall Compromise — Interlock Ransomware Pattern

Detects remote execution of administration tools after perimeter device compromise, consistent with Interlock ransomware TTPs that exploit enterprise firewalls as an initial access vector, as documented by Amazon threat intelligence.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^(psexec\.exe|psexesvc\.exe|wmic\.exe|wmiprvse\.exe)$/
| CommandLine=/(?i)(\\\\[0-9]{1,3}\.[0-9]{1,3}|\\\\[a-zA-Z])/
Category: Threat Hunting · Tags: interlock, ransomware
Intermediate
PAID

Deno Runtime-Based Loader — LeakNet Ransomware Indicator

Detects execution of the Deno runtime, a legitimate JavaScript runtime rarely present in enterprise environments, on corporate endpoints; the LeakNet ransomware group has adopted it as a malicious loader after initial access via ClickFix.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^deno(\.exe)?$/
| select([timestamp, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, SHA256HashData])
Category: Malware · Tags: leaknet, ransomware
Advanced
FREE

Suspicious Access to Linux Shadow File

Detects read attempts against the /etc/shadow file on Linux systems, a technique used by attackers to extract password hashes and perform offline cracking after gaining initial access to the system.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Lin
| CommandLine=/\/etc\/shadow/
Category: EDR · Tags: linux, shadow-file
Beginner
PAID

Linux Privilege Escalation via Suspicious Sudo Execution

Detects suspicious sudo execution patterns on Linux systems that may indicate exploitation of CVE-2025-32463 (CVSS 7.8) or sudoers misconfigurations, including interactive shell spawning and interpreter execution as root.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Lin
// Returns every child process of sudo; expect noise from legitimate administration and triage on FileName/CommandLine
| ParentBaseFileName=sudo
Category: EDR · Tags: linux, sudo
Intermediate
PAID

LOLBAS Remote Download Cradle Execution Chain

Detects native Windows binaries (certutil, bitsadmin, mshta, regsvr32, cmstp) used with arguments indicative of remote download and execution, a key Living Off the Land technique documented in the LOLBAS project for bypassing security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Win
| FileName=/(?i)(certutil\.exe|bitsadmin\.exe|mshta\.exe|regsvr32\.exe|msiexec\.exe|cmstp\.exe)/
Category: Threat Hunting · Tags: lolbas, lotl
Advanced
PAID

Living-off-the-Land Persistence via Suspicious Scheduled Task Creation

Identifies scheduled task creation via schtasks.exe with suspicious parameters such as encoded execution, temporary path references, or remote download, a LOTL technique documented in The Hacker Recipes for maintaining post-exploitation persistence.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)schtasks\.exe/
| CommandLine=/(?i)(\/(create|sc))/
Category: Persistence · Tags: living-off-the-land, scheduled-task
Intermediate
PAID

Keitaro Malvertising — Browser Spawning Encoded PowerShell

Detects execution chains where a web browser spawns PowerShell processes with Base64-encoded commands, a pattern associated with malvertising campaigns such as Keitaro that distribute malware through malicious ads and phishing pages.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)^(chrome|msedge|firefox|iexplore|brave|opera)\.exe$/
| FileName=/(?i)^powershell\.exe$/
Category: Malware · Tags: malvertising, keitaro
Intermediate
PAID

React2Shell CVE-2025-55182 — Node.js Process Spawning System Shell

Detects exploitation of CVE-2025-55182 in React Server Components by monitoring Node.js processes that spawn system command interpreters, indicative of remote code execution via malicious deserialization in the Flight protocol.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)^(node|node\.exe)$/
| FileName=/(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|bash|sh|wscript\.exe|cscript\.exe|mshta\.exe)$/
Category: Vulnerability · Tags: react2shell, cve-2025-55182
Advanced
PAID

Windows Token Impersonation Tool Detection

Detects execution of Potato family tools and other Windows token impersonation utilities used to escalate privileges to SYSTEM via named pipe abuse and COM service exploitation.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Win
| FileName=/(?i)(JuicyPotato|SweetPotato|PrintSpoofer|GodPotato|RoguePotato|SharpImpersonation|Incognito|CoercedPotato)\.exe/
Category: Threat Hunting · Tags: token-impersonation, privilege-escalation
Advanced
PAID

APT3-Style Remote Execution Pattern via cmd.exe

Detects cmd.exe with the /C parameter executing discovery commands typical of the APT3 profile (whoami, net user, systeminfo, nltest) when the parent process is unusual, indicating possible remote execution or lateral movement via command shell (T1059.003), as documented in APT3 TTP analysis.

#repo="base_sensor" #event_simpleName=ProcessRollup2
// FileName holds the base name only (no path), so anchor with ^ rather than a backslash
| FileName=/(?i)^cmd\.exe$/
| CommandLine=/(?i)\/[cC]\s+.*(whoami|net\s+(user|group|localgroup|view|share)|systeminfo|ipconfig|tasklist|reg\s+query|nltest|dsquery)/
Category: EDR · Tags: apt3, command-shell
Intermediate
FREE

Basic Windows Net Command Enumeration

Detects use of the net.exe command to enumerate users, groups, and shared resources, one of the most abused native Windows tools in Living-off-the-Land attacks according to multiple CISA and CrowdStrike reports.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)net1?\.exe/
| CommandLine=/(?i)net1?\s+(user|group|localgroup|share|view|session|accounts|use)\s/
Category: EDR · Tags: net-command, enumeration
Beginner
FREE

Basic PowerShell Encoded Command Detection

Query for junior SOC analysts that detects PowerShell executions with the -EncodedCommand flag, a common LotL technique for obfuscating malicious commands and evading plaintext signature-based detections.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell\.exe/
| CommandLine=/(?i)(-enc|-encodedcommand|-ec\s)/
Category: EDR · Tags: powershell, encoded-command
Beginner
FREE

Basic whoami.exe Execution Monitor

Simple query to detect any execution of whoami.exe on endpoints; attackers frequently run it as their first command after gaining initial access to verify user context and privileges, as referenced in multiple APT profiles including APT3 and APT28.

#repo="base_sensor" #event_simpleName=ProcessRollup2
// FileName holds the base name only (no path), so anchor with ^ rather than a backslash
| FileName=/(?i)^whoami\.exe$/
| select([timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName])
Category: EDR · Tags: whoami, discovery
Beginner
PAID

Remote Execution via cmd.exe with APT Operator Pattern

Detects cmd.exe /C execution chains with chained reconnaissance commands, a pattern documented in the APT3 profile where operators run whoami, net user, and systeminfo in rapid sequence after compromising systems.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)cmd\.exe/
// Escape the dot so ".exe" is matched literally rather than as "any character + exe"
| CommandLine=/(?i)cmd(\.exe)?\s+\/[cC]/
Category: Threat Hunting · Tags: apt, cmd-execution
Intermediate
PAID

Linux LOTL Reconnaissance Chain Detection with Native Tools

Detects chained execution of multiple native Linux tools (curl, wget, whoami, id, ss, etc.) from the same host and user, a pattern indicative of APT operators using Living-Off-the-Land techniques on Linux systems, as highlighted by the 2025 LOTL trend affecting not only Windows but also Linux and macOS.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^(curl|wget|whoami|id|uname|ifconfig|ip|ss|netstat|cat|find|chmod|crontab|nmap|dig|host)$/
| ParentBaseFileName=/(?i)^(bash|sh|zsh|dash|csh|python3?|perl|ruby)$/
Category: Threat Hunting · Tags: lotl, linux
Advanced
PAID

Post-Exploitation Persistence via Scheduled Task and Firewall LOLBins

Detects the combined use of LOTL binaries to establish post-exploitation persistence, including schtasks, sc, reg, and netsh for creating scheduled tasks, modifying services, editing the registry, and altering firewall rules: a pattern observed after network device exploitation such as FortiGate, where attackers pivot to LOTL to maintain access.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(schtasks\.exe|sc\.exe|reg\.exe|netsh\.exe|certutil\.exe|bitsadmin\.exe)$/
| CommandLine=/(?i)(\/create|\/add|\/change|advfirewall\s+firewall\s+add|urlcache|transfer|config\s+.*start\s*=|add\s+.*\/[vdt]\s)/
Category: Persistence · Tags: persistence, lotl
Advanced