LogScale · CQL

CQL Knowledge Base


Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

154 queries · 8 categories
Powered by Sofistic · created by darkreitor
20 queries
PAID

PowerShell LOTL with Base64-Encoded Payload (-EncodedCommand)

Detects PowerShell executions using the -EncodedCommand parameter to conceal the actual payload, a primary LOTL technique documented by CISA where adversaries abuse native PowerShell to evade signature-based detection. Critical for detecting post-initial infection stages in ransomware and APT campaigns that prefer LOTL over custom binaries.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell(\.exe)?/
| CommandLine=/(?i)-[eE][nN][cC]\w*\s+[A-Za-z0-9+\/=]{50,}/
EDR · powershell · encoded-command
Intermediate
PAID

Linux Sudo Privilege Escalation Pattern - CVE-2025-32463

Detects suspicious sudo binary invocations originating from command interpreters or network tools with privilege escalation flags. Covers the CVE-2025-32463 (CVSS 7.8) pattern that allows unauthorized escalation to root on Linux by manipulating the sudo command from illegitimate parent processes.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=sudo
| CommandLine=/(?i)(-s\b|-i\b|--stdin|--shell|LD_PRELOAD=|SUDO_ASKPASS=|\/bin\/(ba)?sh)/
EDR · privilege-escalation · sudo
Advanced
PAID

WinRAR/7-Zip Archive Exploitation - Child Executable Detection

Detects execution of binaries or scripts originating from archive tools (WinRAR, 7-Zip, unrar) outside legitimate system paths. Covers the pattern of active 2025 archive vulnerabilities similar to CVE-2023-38831 that allow code execution when interacting with socially-engineered manipulated compressed files.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)^(winrar\.exe|rar\.exe|unrar\.exe|7z\.exe|7zg\.exe|7zfm\.exe)$/
| ImageFileName=/(?i)\.(exe|dll|bat|cmd|ps1|vbs|js|wsf|hta|scr|com|pif|cpl)$/
Malware · winrar · archive
Intermediate
PAID

WMIC Discovery Chain - APT3 TTP Reconnaissance Detection

Detects wmic.exe usage for reconnaissance queries following documented APT3 TTPs: enumeration of processes, accounts, services, installed products, network shares, and patches. Characteristic pattern of hands-on-keyboard operators identified in CrowdStrike IR investigations.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^wmic\.exe$/
| CommandLine=/(?i)(process\s+(get|list|call\s+create)|computersystem\s+get|os\s+get|useraccount\s+get|service\s+(get|list)|startup\s+list|product\s+get|share\s+get|netuse\s+list|qfe\s+get)/
Threat Hunting · apt3 · wmic
Intermediate
FREE

Basic Reconnaissance with Native Windows Tools

Detects execution of common Windows reconnaissance commands such as whoami, ipconfig, net user, and systeminfo, frequently used in the initial phase of a Living Off the Land (LOTL) attack.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Win
| FileName=/(?i)(whoami\.exe|ipconfig\.exe|systeminfo\.exe|net\.exe|hostname\.exe)/
EDR · lotl · reconnaissance
Beginner
FREE

Windows Executables Making Suspicious Outbound Connections

Basic query to detect Windows executables located in temporary or download directories establishing outbound network connections, useful for identifying newly downloaded malware contacting command and control servers.

#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| ImageFileName=/(?i)(\\temp\\|\\tmp\\|\\downloads\\|\\appdata\\local\\temp\\).*\.exe$/
| select([timestamp, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort])
EDR · network-connections · c2
Beginner
PAID

Compromised Identity with Rapid Lateral Movement

Detects suspicious authentication patterns where an account authenticates remotely to multiple hosts in a short time window, indicative of a compromised identity used for lateral movement as observed in CrowdStrike hands-on-keyboard IR scenarios.

#repo="base_sensor" #event_simpleName=UserLogon LogonType=10
| groupBy([UserName], function=[count(as=logon_count), count(ComputerName, distinct=true, as=unique_hosts)])
| unique_hosts >= 5
Identity · identity · lateral-movement
Intermediate
PAID

Lateral Movement Post-Firewall Compromise — Interlock Ransomware Pattern

Detects remote execution of administration tools after perimeter device compromise, consistent with Interlock ransomware TTPs that exploit enterprise firewalls as an initial access vector, as documented by Amazon threat intelligence.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^(psexec\.exe|psexesvc\.exe|wmic\.exe|wmiprvse\.exe)$/
| CommandLine=/(?i)(\\\\[0-9]{1,3}\.[0-9]{1,3}|\\\\[a-zA-Z])/
Threat Hunting · interlock · ransomware
Intermediate
PAID

Deno Runtime-Based Loader — LeakNet Ransomware Indicator

Detects execution of the Deno runtime, a legitimate JavaScript runtime rarely present in enterprise environments, on corporate endpoints; the LeakNet ransomware group adopted it as a malicious loader after initial access via ClickFix.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^deno(\.exe)?$/
| select([timestamp, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, SHA256HashData])
Malware · leaknet · ransomware
Advanced
FREE

Suspicious Access to Linux Shadow File

Detects read attempts against the /etc/shadow file on Linux systems, a technique used by attackers to extract password hashes and perform offline cracking after gaining initial access to the system.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Lin
| CommandLine=/\/etc\/shadow/
EDR · linux · shadow-file
Beginner
PAID

Linux Privilege Escalation via Suspicious Sudo Execution

Detects suspicious sudo execution patterns on Linux systems that may indicate exploitation of CVE-2025-32463 (CVSS 7.8) or sudoers misconfigurations, including interactive shell spawning and interpreter execution as root.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Lin
| ParentBaseFileName=sudo
EDR · linux · sudo
Intermediate
PAID

LOLBAS Remote Download Cradle Execution Chain

Detects native Windows binaries (certutil, bitsadmin, mshta, regsvr32, cmstp) used with arguments indicative of remote download and execution, a key Living Off the Land technique documented in the LOLBAS project for bypassing security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Win
| FileName=/(?i)(certutil\.exe|bitsadmin\.exe|mshta\.exe|regsvr32\.exe|msiexec\.exe|cmstp\.exe)/
Threat Hunting · lolbas · lotl
Advanced
PAID

Living-off-the-Land Persistence via Suspicious Scheduled Task Creation

Identifies scheduled task creation via schtasks.exe with suspicious parameters such as encoded execution, temporary path references, or remote download, a LOTL technique documented in The Hacker Recipes for maintaining post-exploitation persistence.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)schtasks\.exe/
| CommandLine=/(?i)(\/(create|sc))/
Persistence · living-off-the-land · scheduled-task
Intermediate
PAID

Keitaro Malvertising — Browser Spawning Encoded PowerShell

Detects execution chains where a web browser spawns PowerShell processes with Base64-encoded commands, a pattern associated with malvertising campaigns such as Keitaro that distribute malware through malicious ads and phishing pages.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)^(chrome|msedge|firefox|iexplore|brave|opera)\.exe$/
| FileName=/(?i)^powershell\.exe$/
Malware · malvertising · keitaro
Intermediate
PAID

React2Shell CVE-2025-55182 — Node.js Process Spawning System Shell

Detects exploitation of CVE-2025-55182 in React Server Components by monitoring Node.js processes that spawn system command interpreters, indicative of remote code execution via malicious deserialization in the Flight protocol.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)^(node|node\.exe)$/
| FileName=/(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|bash|sh|wscript\.exe|cscript\.exe|mshta\.exe)$/
Vulnerability · react2shell · cve-2025-55182
Advanced
PAID

Windows Token Impersonation Tool Detection

Detects execution of Potato family tools and other Windows token impersonation utilities used to escalate privileges to SYSTEM via named pipe abuse and COM service exploitation.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Win
| FileName=/(?i)(JuicyPotato|SweetPotato|PrintSpoofer|GodPotato|RoguePotato|SharpImpersonation|Incognito|CoercedPotato)\.exe/
Threat Hunting · token-impersonation · privilege-escalation
Advanced
PAID

APT3-Style Remote Execution Pattern via cmd.exe

Detects cmd.exe with the /C parameter executing discovery commands typical of the APT3 profile (whoami, net user, systeminfo, nltest) when the parent process is unusual, indicating possible remote execution or lateral movement via command shell (T1059.003), as documented in APT3 TTP analysis.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)\\cmd\.exe$/
| CommandLine=/(?i)\/[cC]\s+.*(whoami|net\s+(user|group|localgroup|view|share)|systeminfo|ipconfig|tasklist|reg\s+query|nltest|dsquery)/
EDR · apt3 · command-shell
Intermediate
FREE

Basic Windows Net Command Enumeration

Detects use of the net.exe command to enumerate users, groups, and shared resources, one of the most abused native Windows tools in Living-off-the-Land attacks according to multiple CISA and CrowdStrike reports.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)net1?\.exe/
| CommandLine=/(?i)net1?\s+(user|group|localgroup|share|view|session|accounts|use)\s/
EDR · net-command · enumeration
Beginner
FREE

Basic PowerShell Encoded Command Detection

Query for junior SOC analysts that detects PowerShell executions with the -EncodedCommand flag, a common LotL technique for obfuscating malicious commands and evading plaintext signature-based detections.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell\.exe/
| CommandLine=/(?i)(-enc|-encodedcommand|-ec\s)/
EDR · powershell · encoded-command
Beginner
FREE

Basic whoami.exe Execution Monitor

Simple query to detect any whoami.exe execution on endpoints, a tool frequently used as the first command by attackers after gaining initial access to verify user context and privileges, referenced in multiple APT profiles including APT3 and APT28.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)\\whoami\.exe$/
| select([timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName])
EDR · whoami · discovery
Beginner