LogScale · CQL

CQL Knowledge Base

Ready-to-use CQL queries for threat hunting, detection, and SOC triage. Copy, filter, and search in seconds.

151 queries · 8 categories
Powered by Sofistic · created by darkreitor
11 queries
PAID

Registry Run Key Modification

Detects modifications to Run/RunOnce registry keys commonly used by malware and threat actors for persistence.

#event_simpleName=AsepValueUpdate RegObjectName=/(\\Run\\|\\RunOnce\\)/i | groupBy([ComputerName, UserName, RegObjectName, RegValueName], function=count()) | _count > 5 | sort(_count, limit=20)
Persistence · sofistic · persistence
Intermediate
PAID

Scheduled Task Creation

Detects new scheduled task creation used for persistence or lateral movement, especially by non-administrative users.

#event_simpleName=ProcessRollup2 FileName=schtasks.exe CommandLine=/\/create/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 3 | sort(_count, limit=20)
Persistence · sofistic · persistence
Intermediate
PAID

Script Execution from Temp/Downloads

Detects scripts executed from temporary or downloads directories — a common staging area for malicious payloads.

#event_simpleName=ProcessRollup2 FileName=/(powershell|cmd|wscript|cscript|mshta)\.exe/i CommandLine=/(\\Temp\\|\\tmp\\|\\Downloads\\|\\AppData\\Local\\Temp)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
EDR · sofistic · execution
Intermediate
PAID

Security Tool Tampering

Detects attempts to disable Windows Defender, the firewall, or security services — often a pre-ransomware or persistence step.

#event_simpleName=ProcessRollup2 CommandLine=/(Set-MpPreference.*DisableRealtimeMonitoring.*True|DisableBehaviorMonitoring.*True|net\s+stop\s+.*(MpsSvc|WinDefend|Sense|wscsvc)|sc\s+(stop|config|delete)\s+.*(WinDefend|Sense|MpsSvc))/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
EDR · sofistic · defense-evasion
Advanced
PAID

Shadow Copy Deletion (Ransomware Indicator)

Detects Volume Shadow Copy deletion via vssadmin or wmic — a strong pre-ransomware indicator used to prevent recovery.

#event_simpleName=ProcessRollup2 CommandLine=/(vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete|bcdedit.*recoveryenabled.*no|bcdedit.*bootstatuspolicy.*ignoreallfailures)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | sort(_count, limit=20)
Malware · sofistic · ransomware
Advanced
PAID

SSO Application Access Failures

Detects repeated SSO application access failures (GlobalProtect, AzureAD, Okta) that may indicate credential stuffing or account takeover.

#event_simpleName=SsoApplicationAccessFailure | groupBy([SourceAccountUserName, SsoApplicationIdentifier, AzureErrorCode], function=count()) | _count > 15 | sort(_count, limit=20)
Identity · sofistic · ngsiem
Intermediate
PAID

Suspicious DLL Loading from Temp Dirs

Detects DLLs loaded from temporary or downloads directories — indicative of DLL side-loading or dropped payload execution.

#event_simpleName=ClassifiedModuleLoad ImageFileName=/(\\Temp\\|\\tmp\\|\\Downloads\\|\\AppData\\Local\\Temp\\|\\Public\\)/i | groupBy([ComputerName, ImageFileName], function=count()) | _count > 5 | sort(_count, limit=20)
EDR · sofistic · defense-evasion
Intermediate
PAID

Suspicious LOLBin Execution

Detects LOLBin executions with suspicious arguments (download, encode, decode, execute) used for defense evasion.

#event_simpleName=ProcessRollup2 FileName=/(mshta|regsvr32|certutil|rundll32|cscript|wscript|msiexec)\.exe/i CommandLine=/(http|download|encode|decode|bypass|hidden|invoke|iex)/i | groupBy([ComputerName, UserName, FileName, CommandLine], function=count()) | _count > 5 | sort(_count, limit=20)
EDR · sofistic · execution
Intermediate
PAID

Suspicious Service Installation

Detects service installations with binaries in temporary or suspicious paths — indicative of malware persistence or lateral movement.

#event_simpleName=ProcessRollup2 FileName=sc.exe CommandLine=*create* CommandLine=/(\\Temp\\|\\tmp\\|\\Downloads\\|\\Public\\)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 2 | sort(_count, limit=20)
Persistence · sofistic · persistence
Intermediate
FREE

Timestomping Detection

Detects file timestamp manipulation (timestomping) used as an anti-forensics technique to conceal malicious activity.

#event_simpleName=ProcessRollup2 CommandLine=/(timestomp|Set\-ItemProperty.*LastWriteTime|touch\s)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 3 | sort(_count, limit=20)
EDR · sofistic · defense-evasion
Beginner
PAID

WMI Remote Execution

Detects remote execution via WMI (wmic process call create, Invoke-WmiMethod) — a fileless lateral movement technique.

#event_simpleName=ProcessRollup2 FileName=/(wmic|wmiprvse)\.exe/i CommandLine=/(process\s+call\s+create|Invoke-WmiMethod|Invoke-CimMethod|node:)/i | groupBy([ComputerName, UserName, CommandLine], function=count()) | _count > 2 | sort(_count, limit=20)
EDR · sofistic · lateral-movement
Intermediate