LogScale · CQL

CQL Knowledge Base

Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

151 queries · 8 categories
Powered by Sofistic · created by darkreitor
20 queries
PAID

Persistence via Scheduled Tasks with Privilege Escalation

Detects the creation of scheduled tasks with privilege elevation flags, a technique documented in LotL attacks where adversaries combine schtasks with token manipulation to maintain persistence with elevated privileges

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)schtasks\.exe/
| CommandLine=/(?i)\/create/
Persistence · scheduled-tasks · persistence
Advanced
PAID

Linux Privilege Escalation via Sudo - CVE-2025-32463 Pattern

Detects privilege escalation attempts on Linux systems via sudo manipulation, inspired by CVE-2025-32463 which allows unauthorized elevation to root by tricking the sudo command (CVSS 7.8)

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)sudo$/
| CommandLine=/(?i)(sudo\s+(-u|--user|EDITOR|VISUAL|sudoedit|\.\.\/|\$\(|`|;|\|))/
EDR · linux · privilege-escalation
Intermediate
PAID

Suspicious Child Processes Spawned from WinRAR

Detects when WinRAR spawns child processes that are command interpreters or known LOLBin binaries, a pattern of archive file vulnerability exploitation similar to CVE-2023-38831 and new WinRAR exploitation variants documented in the Kaspersky Securelist Q2 2025 vulnerability analysis

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)^winrar\.exe$/
| FileName!=/(?i)^(winrar\.exe|rar\.exe|unrar\.exe)$/
Malware · winrar · archive-exploitation
Advanced
PAID

Bulk WMIC Enumeration for System Discovery

Detects multiple WMIC queries executed by the same user on a host, covering enumeration of processes, operating system, accounts, services, and patches — a typical pattern of APT operators performing system discovery, as described in APT hunting analysis that distinguishes legitimate IT use from malicious activity

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)^wmic\.exe$/
| CommandLine=/(?i)(process\s+(list|get|call)|os\s+get|computersystem\s+get|useraccount\s+(list|get)|service\s+(list|get)|qfe\s+(list|get)|product\s+get|startup\s+(list|get)|nicconfig\s+get|logicaldisk\s+get|shadowcopy)/
Threat Hunting · wmic · system-discovery
Intermediate
PAID

Remote Reconnaissance via WMIC Living-off-the-Land

Detects the use of WMIC for remote command execution and inventory queries on remote hosts, a key Living-off-the-Land technique used by APTs after exploiting perimeter devices such as FortiGate according to Cynet 2025 reports

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)wmic\.exe/
| CommandLine=/(?i)(node|process|os|computersystem|product|qfe|service|useraccount|group|logicaldisk|shadowcopy|startup)/
Threat Hunting · wmic · living-off-the-land
Advanced
PAID

APT Hands-on-Keyboard Multi-Tool Reconnaissance Sequence

Detects the execution of multiple native Windows discovery tools by the same user on the same host, a distinctive pattern of APT operators with interactive access identified in CrowdStrike IR investigations with Falcon Identity Threat Protection

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|net\.exe|nltest\.exe|arp\.exe|ipconfig\.exe|systeminfo\.exe|tasklist\.exe|netstat\.exe|ping\.exe|nslookup\.exe|dsquery\.exe|wmic\.exe|quser\.exe)/
| groupBy([ComputerName, UserName, FileName], function=count())
Threat Hunting · apt · hands-on-keyboard
Advanced
PAID

APT Office/PDF Document Spawning Shell with C2 Callback (APT3 / Spear-Phishing)

Detects Office or PDF documents spawning shell processes with a CommandLine indicating payload download or C2 callback, a core pattern in APT3 and advanced actor spear-phishing campaigns leveraging initial access TTPs via email

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|acrord32\.exe|foxitreader\.exe)/
| FileName=/(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)/
Malware · apt3 · spear-phishing
Intermediate
PAID

Lateral Movement via Compromised Identity (Network Logon Multi-Host)

Detects users authenticating over the network to multiple distinct hosts from the same source IP, a characteristic pattern of lateral movement with compromised credentials in APT hands-on-keyboard operations as described in CrowdStrike IR scenarios

#repo="base_sensor" #event_simpleName=UserLogon
| LogonType=3
| UserName!=*$
Identity · lateral-movement · identity
Intermediate
PAID

Browser Spawning LOLBin with Download Indicator (Keitaro Malvertising Chain)

Detects web browsers spawning LOLBins with hidden download or encoded execution indicators in CommandLine, a drive-by exploitation pattern via malvertising or malicious extensions such as the Keitaro mass malware distribution campaign

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|brave\.exe|opera\.exe)/
| FileName=/(?i)(powershell\.exe|cmd\.exe|wscript\.exe|mshta\.exe|regsvr32\.exe|certutil\.exe|rundll32\.exe)/
Malware · malvertising · browser-exploitation
Advanced
PAID

SmarterMail RCE Post-Exploitation (CVE-2025-52691 CVSS 10)

Detects shells or LOLBins spawned by SmarterMail server processes, indicative of active exploitation of CVE-2025-52691 (pre-authentication RCE CVSS 10) on build 9406 and earlier

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(mailservice\.exe|smarter|smtpsvc|MRSProxy\.exe)/
| FileName=/(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe)/
Vulnerability · cve-2025-52691 · smartermail
Intermediate
PAID

Post-Compromise LDAP Reconnaissance in Active Directory (FDR)

Detects aggressive Active Directory enumeration via LDAP/LDAPS connections from non-standard processes, a common technique after initial compromise in domain-joined environments per the LOTL model of hands-on-keyboard adversaries

#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| RemotePort=389 OR RemotePort=636 OR RemotePort=3268 OR RemotePort=3269
| not regex(field=ImageFileName, regex="(?i)(lsass|svchost|Microsoft\.Identity|AzureADConnect|MsMpEng|w3wp|AADConnect|dsac|dsa|mmc)\.exe$")
Identity · active-directory · ldap
Intermediate
FREE

Native Windows Tools with External Internet Connections (FDR)

Detects connections to external IPs (non-RFC1918) originating from native Windows administration and scripting tools, a basic LOTL pattern for payload download or C2 communication

#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| regex(field=ImageFileName, regex="(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|bitsadmin|certutil|regsvr32|rundll32)\.exe$")
| not regex(field=RemoteAddressIP4, regex="^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1|fd)")
EDR · lotl · c2
Beginner
PAID

LOLBins Abuse: Living Off the Land Execution Chain (FDR)

Detects the abuse of legitimate Windows binaries (LOLBins) used by attackers to execute malicious code without external tools, a common LOTL technique in advanced intrusions

#repo="base_sensor" #event_simpleName=ProcessRollup2
| regex(field=ImageFileName, regex="(?i)(certutil|bitsadmin|mshta|wscript|cscript|regsvr32|rundll32|msiexec|installutil|regasm|regsvcs|odbcconf|xwizard|microsoft\.workflow\.compiler|appsyncpublishingserver)\.exe$")
| regex(field=CommandLine, regex="(?i)(-urlcache|-transfer|javascript:|vbscript:|scrobj\.dll|\/i\/n|\/u\/n|webclient|downloadstring|downloadfile|iex|invoke-expression|frombase64string)")
Threat Hunting · lotl · lolbins
Advanced
FREE

PowerShell with Base64-Encoded Commands (FDR)

Detects PowerShell executions using the EncodedCommand parameter, a basic LOTL technique used to obfuscate malicious payloads and evade command-line detection

#repo="base_sensor" #event_simpleName=ProcessRollup2
| regex(field=ImageFileName, regex="(?i)(powershell|pwsh)\.exe$")
| regex(field=CommandLine, regex="(?i)(-EncodedCommand|-enc\s|-e\s+[A-Za-z0-9+/]{20,}|FromBase64String)")
EDR · powershell · encoded-command
Beginner
PAID

UAC Bypass via Trusted Windows Binaries (FDR)

Detects UAC bypass techniques via unexpected child processes spawned by trusted Windows binaries such as fodhelper, eventvwr, sdclt, and wsreset, used by LOTL attackers for privilege escalation

#repo="base_sensor" #event_simpleName=ProcessRollup2
| regex(field=ParentBaseFileName, regex="(?i)^(fodhelper|eventvwr|sdclt|computerdefaults|slui|wsreset|cmstp|colorcpl|eudcedit|perfmon|recdisc|rekeywiz|shrpubw)\.exe$")
| not ImageFileName=/(\\Windows\\System32\\conhost\.exe|\\Windows\\System32\\WerFault\.exe)/i
Persistence · uac-bypass · privilege-escalation
Advanced
PAID

WSUS Abuse for Lateral Movement and RCE (FDR)

Detects anomalous use of wuauclt and WSUS-related processes pointing to non-Microsoft servers, indicative of CVE-2025-59287 exploitation or WSUS hijacking techniques for lateral movement

#repo="base_sensor"
| #event_simpleName=NetworkConnectIP4 OR #event_simpleName=ProcessRollup2
| case {
Vulnerability · wsus · lateral-movement
Intermediate
FREE

Web/VPN Server Spawning Shell (Fortinet CVE-2025)

Detects web server or VPN processes spawning shells or command interpreters, indicative of active RCE exploitation such as CVE-2025-59718/CVE-2025-59719 on internet-facing Fortinet devices

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(httpd|nginx|apache2|httpsd|sslvpnd|fortid)/
| FileName=/(?i)(bash|sh|cmd\.exe|powershell\.exe|python[23]?|perl|wget|curl)/
Vulnerability · rce · fortinet
Beginner
PAID

DNS Tunneling Detection

Identifies potential DNS tunneling by detecting unusually long DNS query names or high query frequency to a single domain.

EventType = "DnsRequest"
| DomainName = /\.[a-z]{2,}\.[a-z]{2,}$/
| domainLength := length(DomainName)
Network · dns · tunneling
Advanced
FREE

Failed Authentication Spike

Detects brute-force attempts by counting authentication failures per user and source IP within a time window.

EventType = "AuthFailure"
| stats(
    count() as FailCount,
Identity · brute-force · authentication
Beginner
PAID

Lateral Movement via SMB

Detects lateral movement using SMB protocol by correlating process events with network connections on port 445.

FileName = "cmd.exe" OR FileName = "powershell.exe"
| join(
    { NetworkEvent
EDR · lateral-movement · smb
Intermediate