EDR

52 queries en esta categoría

K
20 queries in EDR
NEW
PAID

APT Lateral Movement via Remote Administrative Protocols

Detects APT lateral movement using remote administration protocols (SMB, WMI, WinRM) initiated from command-line tools on end-user hosts. Correlates administrative processes with outbound connections to management ports.

#repo="base_sensor" event_simpleName=NetworkConnectIP4
| RemotePort in [135, 139, 445, 5985, 5986, 47001]
| FileName in ["wmic.exe", "powershell.exe", "cmd.exe", "sc.exe", "net.exe", "net1.exe", "wbemtest.exe", "mmc.exe"]
EDRaptlateral-movement
Advanced
NEW
FREE

Web Browser Spawning a Command Interpreter Process

Detects when a web browser process directly spawns a command interpreter or scripting engine. Highly anomalous behavior associated with browser exploitation, advanced social engineering, or drive-by download attacks.

#repo="base_sensor" event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|MicrosoftEdge\.exe)$/i
| FileName = /^(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)$/i
EDRbrowsercmd
Beginner
NEW
PAID

CMD Shell Reconnaissance Commands APT-3 Style

Detects cmd.exe executions with system enumeration commands associated with APT-3 group, including whoami, net user, ipconfig, systeminfo, and nltest for domain trust reconnaissance.

#repo="base_sensor" event_simpleName=ProcessRollup2
| FileName = /^cmd\.exe$/i
| CommandLine = /(?i)(whoami|net user|net group|net localgroup|ipconfig|systeminfo|tasklist|netstat|nltest)/
EDRapt3cmd
Intermediate
NEW
FREE

PowerShell Remote Download Cradle Detection

Identifies PowerShell executions containing typical remote download patterns (IEX, Net.WebClient, BitsTransfer), techniques used in early APT compromise stages to download and execute in-memory payloads without touching disk.

#repo="base_sensor" event_simpleName=ProcessRollup2
| FileName = /^powershell(\.exe)?$/i
| CommandLine = /(?i)(IEX|Invoke-Expression|New-Object Net\.WebClient|DownloadString|DownloadFile|WebRequest|Start-BitsTransfer|Invoke-WebRequest)/
EDRpowershelldownload-cradle
Beginner
NEW
FREE

Basic Detection: Child Processes Spawned by WMI Provider Host

Basic query to detect any process spawned by WmiPrvSE.exe. Unexpected child process generation from the WMI Provider Host may indicate remote command execution or persistence. Ideal for SOC analysts starting with threat hunting in CrowdStrike Falcon.

#repo="base_sensor" event_simpleName=ProcessRollup2
| ParentBaseFileName="WmiPrvSE.exe"
| FileName!="WmiPrvSE.exe"
EDRwmiprocess-creation
Beginner
NEW
PAID

Lateral Movement Scoring via SMB + Process Correlation

Detects lateral movement by correlating outbound SMB connections with remote process execution on the destination host, assigning a composite risk score per behavior.

// ──────────────────────────────────────────────────────────
// Stage 1: Find hosts making outbound SMB connections (port 445)
// to non-RFC1918 targets OR internal hosts they've never connected to before
EDRlateral-movementsmb
Advanced
NEW
PAID

Process Injection Chain Detection with Risk Scoring

Identifies process injection chains by correlating CreateRemoteThread, WriteProcessMemory, and post-injection behavior using correlate() to link the 3-step sequence.

// ──────────────────────────────────────────────────────────
// APPROACH: Use correlate() to link a 3-step injection sequence:
//   1. Suspicious process spawns (known injection parents)
EDRprocess-injectiondefense-evasion
Advanced
NEW
PAID

Shell Spawned from Browser Renderer Process - CVE-2025-10585 Pattern

Detects shell or scripting processes spawned as children of popular browsers (Chrome, Edge, Firefox, Brave), a pattern associated with JavaScript engine type confusion exploits like CVE-2025-10585 (Chrome V8 zero-day). A compromised renderer can escape the browser sandbox and execute arbitrary OS commands.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|msedge\.exe|firefox\.exe|brave\.exe|chromium\.exe)$/
| FileName=/(?i)(cmd\.exe|powershell\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)$/
EDRbrowser-exploitv8
Intermediate
NEW
FREE

Data Exfiltration via Native FTP or LOLBin Tools

Detects use of native Windows tools such as ftp.exe, bitsadmin.exe, and certutil.exe with parameters associated with file transfer and data encoding to external destinations. These LOLBin techniques are commonly used by threat actors to exfiltrate compromised data while evading perimeter security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(ftp\.exe|bitsadmin\.exe|certutil\.exe)$/
| CommandLine=/(?i)(open\s+\d{1,3}|put\s+|urlcache|base64|-encode|-transfer|\/transfer)/
EDRexfiltrationlolbin
Beginner
NEW
FREE

Basic PowerShell Base64 Encoded Command Detection

Beginner-level query to detect the use of Base64 encoding parameters in PowerShell (-EncodedCommand, -enc), a technique widely used by attackers to obfuscate malicious scripts and evade plain-text detection. Ideal starting point for EDR threat hunting

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell\.exe$/
| CommandLine=/(?i)(-enc\s|-encodedcommand\s|-e\s+[A-Za-z0-9+\/=]{20,})/
EDRpowershellbase64
Beginner
NEW
PAID

PEASS Privilege Escalation Tool Execution Detection

Identifies execution of WinPEAS and LinPEAS, automated privilege escalation audit tools widely used by attackers after initial compromise to map available escalation vectors on Windows and Linux systems

#repo="base_sensor" #event_simpleName=ProcessRollup2
| (FileName=/(?i)(winpeas|linpeas|peass)/ OR CommandLine=/(?i)(winpeas|linpeas|peass\.bat|peass\.sh|peass\.exe)/)
| groupBy([ComputerName, UserName, FileName, SHA256HashData, CommandLine], function=count(as=execution_count), limit=max)
EDRwinpeaslinpeas
Intermediate
NEW
FREE

Basic APT Reconnaissance Tools Detection with Domain Discovery Arguments

Introductory query for analysts learning threat hunting in CrowdStrike LogScale. Detects execution of classic APT reconnaissance tools (whoami, nltest, systeminfo) with specific domain and Active Directory discovery arguments, fundamental technique documented in APT TTP profiles.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|nltest\.exe|systeminfo\.exe)/
| CommandLine=/(?i)(\/all|\/domain|\/dclist|\/trusted_domains|\/domain_trusts)/
EDRaptreconnaissance
Beginner
NEW
PAID

Linux Sudo Misconfiguration Exploitation for Privilege Escalation

Detects exploitation attempts of insecure sudo configurations on Linux hosts, including use of dangerous environment variables (LD_PRELOAD, LD_LIBRARY_PATH) and execution of shells or commands with unexpected root context

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(sudo|pkexec|su)$/
| CommandLine=/(?i)(LD_PRELOAD|LD_LIBRARY_PATH|PYTHONPATH|PERL5LIB|env\s+-E|--preserve-env|NOPASSWD|ALL=\(ALL\))/
EDRlinuxsudo
Intermediate
NEW
FREE

Basic Detection of PowerShell Encoded Command Execution

Beginner-level query to detect PowerShell executions with base64 encoding or profile suppression parameters, a fundamental technique used by attackers to obfuscate malicious scripts in Windows environments

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(powershell\.exe|pwsh\.exe)$/
| CommandLine=/(?i)(-enc|-encodedcommand|-ec\s)/
EDRpowershellencoded-command
Beginner
NEW
FREE

Basic Windows Token Privilege Enumeration via whoami

Introductory query to detect whoami.exe usage with privilege and group enumeration parameters, the typical first step of an attacker after gaining initial access to understand the privilege level available on the compromised host

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)whoami\.exe$/
| CommandLine=/(?i)(\/priv|\/groups|\/all|\/logonid|\/fo csv)/
EDRwhoamitoken-enumeration
Beginner
NEW
PAID

Kernel Driver Loaded from Non-Standard Path — BYOVD Attack

Detects the loading of kernel drivers (.sys) from non-standard paths such as Temp, AppData, or ProgramData. The BYOVD (Bring Your Own Vulnerable Driver) technique enables escalation to kernel level and EDR evasion, particularly relevant given the landscape of critical Windows driver vulnerabilities documented in 2025.

#repo="base_sensor" #event_simpleName=DriverLoad
| ImageFileName=/(?i)\.sys$/
| ImageFileName=/(?i)(\\temp\\|\\tmp\\|\\appdata\\|\\programdata\\|users\\public|\\downloads\\)/
EDRbyovdvulnerable-driver
Intermediate
NEW
FREE

Basic Detection: PowerShell Executed with EncodedCommand Parameter

Fundamental detection query that identifies PowerShell executions with the -EncodedCommand parameter or its abbreviation -enc. A basic but consistent indicator of malicious obfuscation present in most modern ransomware campaigns (LeakNet/ClickFix) and in post-exploitation stages of critical 2025 vulnerabilities. Ideal as a first query for analysts new to CrowdStrike LogScale.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell(\.exe)?$/
| CommandLine=/(?i)(-EncodedCommand|-enc\b)/
EDRpowershellencoded-command
Beginner
NEW
FREE

Whoami Execution by Any Parent Process

Basic detection of whoami.exe execution across all endpoints — one of the most common post-compromise enumeration commands used by attackers to identify current user context after initial access. Ideal for beginner threat hunters and SOC analysts building a baseline of identity enumeration activity in LogScale

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)whoami\.exe/
| groupBy([ComputerName, UserName, ParentBaseFileName], function=count(as=whoami_count))
EDRwhoamienumeration
Beginner
NEW
FREE

Browser Spawns Scripting Interpreter — Fake Update Delivery Indicator

Detects when a web browser directly spawns a scripting interpreter such as PowerShell, cmd.exe, or wscript.exe. This execution chain does not occur during normal user activity and is the primary delivery mechanism used by SocGholish and FakeUpdates campaigns distributing ransomware and banking trojans through compromised websites presenting fake browser update prompts.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe)/
| FileName=/(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe)/
EDRfake-updatebrowser-spawn
Beginner
NEW
FREE

CMD.exe Inline APT Reconnaissance — Basic Detection

Detects cmd.exe executing common APT reconnaissance commands inline via the /C flag, including whoami, hostname, net user, net group, systeminfo, ipconfig /all, and nltest. A beginner-friendly detection rule aligned with APT3 T1059.003 tradecraft and suitable as a baseline for new analysts building their first Falcon detection queries.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)cmd\.exe/
| CommandLine=/(?i)\/[cC]\s+(whoami|hostname|net\s+(user|group|localgroup)|systeminfo|ipconfig\s*\/all|nltest|quser)/
EDRaptcmd-exe
Beginner