EDR

54 queries in this category

PAID

Malicious Deep Link: Messaging App Spawning Command Interpreters

Detects exploitation of URI scheme handlers in Electron-based messaging apps (WhatsApp, Telegram, Discord, Signal) that spawn OS command interpreters — behavioral pattern consistent with CVE-2025-55177 and malicious deep-link attacks.

// ──────────────────────────────────────────────────────────
// Messaging App Deep Link Exploitation Detection
// Inspired by CVE-2025-55177: malicious WhatsApp sync URLs
Tags: EDR, deep-link, electron
Intermediate
FREE

Web Server Spawning Unexpected Shell Processes — Basic Detection

Basic detection of web server RCE exploitation patterns: any application runtime (Node.js, Python, PHP, Ruby, Java) spawning OS shells or recon utilities such as bash, curl, wget, or whoami — the foundational indicator behind CVE-2025-55182 (React2Shell).

// ──────────────────────────────────────────────────────────
// Web Server Anomalous Child Process Detection — Beginner Tier
//
Tags: EDR, rce, web-server
Beginner
PAID

APT Lateral Movement via Remote Administrative Protocols

Detects APT lateral movement using remote administration protocols (SMB, WMI, WinRM) initiated from command-line tools on end-user hosts. Correlates administrative processes with outbound connections to management ports.

#repo="base_sensor" event_simpleName=NetworkConnectIP4
| RemotePort in [135, 139, 445, 5985, 5986, 47001]
| FileName in ["wmic.exe", "powershell.exe", "cmd.exe", "sc.exe", "net.exe", "net1.exe", "wbemtest.exe", "mmc.exe"]
Tags: EDR, apt, lateral-movement
Advanced
FREE

Web Browser Spawning a Command Interpreter Process

Detects when a web browser process directly spawns a command interpreter or scripting engine. Highly anomalous behavior associated with browser exploitation, advanced social engineering, or drive-by download attacks.

#repo="base_sensor" event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|MicrosoftEdge\.exe)$/i
| FileName = /^(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)$/i
Tags: EDR, browser, cmd
Beginner
PAID

CMD Shell Reconnaissance Commands APT-3 Style

Detects cmd.exe executions with system enumeration commands associated with APT-3 group, including whoami, net user, ipconfig, systeminfo, and nltest for domain trust reconnaissance.

#repo="base_sensor" event_simpleName=ProcessRollup2
| FileName = /^cmd\.exe$/i
| CommandLine = /(?i)(whoami|net user|net group|net localgroup|ipconfig|systeminfo|tasklist|netstat|nltest)/
Tags: EDR, apt3, cmd
Intermediate
FREE

PowerShell Remote Download Cradle Detection

Identifies PowerShell executions containing typical remote download patterns (IEX, Net.WebClient, BitsTransfer), techniques used in early APT compromise stages to download and execute in-memory payloads without touching disk.

#repo="base_sensor" event_simpleName=ProcessRollup2
| FileName = /^powershell(\.exe)?$/i
| CommandLine = /(?i)(IEX|Invoke-Expression|New-Object Net\.WebClient|DownloadString|DownloadFile|WebRequest|Start-BitsTransfer|Invoke-WebRequest)/
Tags: EDR, powershell, download-cradle
Beginner
FREE

Basic Detection: Child Processes Spawned by WMI Provider Host

Basic query to detect any process spawned by WmiPrvSE.exe. Unexpected child process generation from the WMI Provider Host may indicate remote command execution or persistence. Ideal for SOC analysts starting with threat hunting in CrowdStrike Falcon.

#repo="base_sensor" event_simpleName=ProcessRollup2
| ParentBaseFileName="WmiPrvSE.exe"
| FileName!="WmiPrvSE.exe"
Tags: EDR, wmi, process-creation
Beginner
PAID

Lateral Movement Scoring via SMB + Process Correlation

Detects lateral movement by correlating outbound SMB connections with remote process execution on the destination host, assigning a composite risk score per behavior.

// ──────────────────────────────────────────────────────────
// Stage 1: Find hosts making outbound SMB connections (port 445)
// to non-RFC1918 targets OR internal hosts they've never connected to before
Tags: EDR, lateral-movement, smb
Advanced
PAID

Process Injection Chain Detection with Risk Scoring

Identifies process injection chains by correlating CreateRemoteThread, WriteProcessMemory, and post-injection behavior using correlate() to link the 3-step sequence.

// ──────────────────────────────────────────────────────────
// APPROACH: Use correlate() to link a 3-step injection sequence:
//   1. Suspicious process spawns (known injection parents)
Tags: EDR, process-injection, defense-evasion
Advanced
PAID

Shell Spawned from Browser Renderer Process - CVE-2025-10585 Pattern

Detects shell or scripting processes spawned as children of popular browsers (Chrome, Edge, Firefox, Brave), a pattern associated with JavaScript engine type confusion exploits like CVE-2025-10585 (Chrome V8 zero-day). A compromised renderer can escape the browser sandbox and execute arbitrary OS commands.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| ParentBaseFileName=/(?i)(chrome\.exe|msedge\.exe|firefox\.exe|brave\.exe|chromium\.exe)$/
| FileName=/(?i)(cmd\.exe|powershell\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)$/
Tags: EDR, browser-exploit, v8
Intermediate
FREE

Data Exfiltration via Native FTP or LOLBin Tools

Detects use of native Windows tools such as ftp.exe, bitsadmin.exe, and certutil.exe with parameters associated with file transfer and data encoding to external destinations. These LOLBin techniques are commonly used by threat actors to exfiltrate compromised data while evading perimeter security controls.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(ftp\.exe|bitsadmin\.exe|certutil\.exe)$/
| CommandLine=/(?i)(open\s+\d{1,3}|put\s+|urlcache|base64|-encode|-transfer|\/transfer)/
Tags: EDR, exfiltration, lolbin
Beginner
FREE

Basic PowerShell Base64 Encoded Command Detection

Beginner-level query to detect the use of Base64 encoding parameters in PowerShell (-EncodedCommand, -enc), a technique widely used by attackers to obfuscate malicious scripts and evade plain-text detection. Ideal starting point for EDR threat hunting.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell\.exe$/
| CommandLine=/(?i)(-enc\s|-encodedcommand\s|-e\s+[A-Za-z0-9+\/=]{20,})/
Tags: EDR, powershell, base64
Beginner
PAID

PEASS Privilege Escalation Tool Execution Detection

Identifies execution of WinPEAS and LinPEAS, automated privilege escalation audit tools widely used by attackers after initial compromise to map available escalation vectors on Windows and Linux systems.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| (FileName=/(?i)(winpeas|linpeas|peass)/ OR CommandLine=/(?i)(winpeas|linpeas|peass\.bat|peass\.sh|peass\.exe)/)
| groupBy([ComputerName, UserName, FileName, SHA256HashData, CommandLine], function=count(as=execution_count), limit=max)
Tags: EDR, winpeas, linpeas
Intermediate
FREE

Basic APT Reconnaissance Tools Detection with Domain Discovery Arguments

Introductory query for analysts learning threat hunting in CrowdStrike LogScale. Detects execution of classic APT reconnaissance tools (whoami, nltest, systeminfo) with specific domain and Active Directory discovery arguments, a fundamental technique documented in APT TTP profiles.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|nltest\.exe|systeminfo\.exe)/
| CommandLine=/(?i)(\/all|\/domain|\/dclist|\/trusted_domains|\/domain_trusts)/
Tags: EDR, apt, reconnaissance
Beginner
PAID

Linux Sudo Misconfiguration Exploitation for Privilege Escalation

Detects exploitation attempts against insecure sudo configurations on Linux hosts, including use of dangerous environment variables (LD_PRELOAD, LD_LIBRARY_PATH) and execution of shells or commands in an unexpected root context.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(sudo|pkexec|su)$/
| CommandLine=/(?i)(LD_PRELOAD|LD_LIBRARY_PATH|PYTHONPATH|PERL5LIB|env\s+-E|--preserve-env|NOPASSWD|ALL=\(ALL\))/
Tags: EDR, linux, sudo
Intermediate
FREE

Basic Detection of PowerShell Encoded Command Execution

Beginner-level query to detect PowerShell executions with base64 encoding or profile suppression parameters, a fundamental technique used by attackers to obfuscate malicious scripts in Windows environments.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(powershell\.exe|pwsh\.exe)$/
| CommandLine=/(?i)(-enc|-encodedcommand|-ec\s)/
Tags: EDR, powershell, encoded-command
Beginner
FREE

Basic Windows Token Privilege Enumeration via whoami

Introductory query to detect whoami.exe usage with privilege and group enumeration parameters, the typical first step an attacker takes after gaining initial access to understand the privilege level available on the compromised host.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)whoami\.exe$/
| CommandLine=/(?i)(\/priv|\/groups|\/all|\/logonid|\/fo csv)/
Tags: EDR, whoami, token-enumeration
Beginner
PAID

Kernel Driver Loaded from Non-Standard Path — BYOVD Attack

Detects the loading of kernel drivers (.sys) from non-standard paths such as Temp, AppData, or ProgramData. The BYOVD (Bring Your Own Vulnerable Driver) technique enables escalation to kernel level and EDR evasion, particularly relevant given the landscape of critical Windows driver vulnerabilities documented in 2025.

#repo="base_sensor" #event_simpleName=DriverLoad
| ImageFileName=/(?i)\.sys$/
| ImageFileName=/(?i)(\\temp\\|\\tmp\\|\\appdata\\|\\programdata\\|users\\public|\\downloads\\)/
Tags: EDR, byovd, vulnerable-driver
Intermediate
FREE

Basic Detection: PowerShell Executed with EncodedCommand Parameter

Fundamental detection query that identifies PowerShell executions with the -EncodedCommand parameter or its abbreviation -enc. A basic but consistent indicator of malicious obfuscation present in most modern ransomware campaigns (LeakNet/ClickFix) and in post-exploitation stages of critical 2025 vulnerabilities. Ideal as a first query for analysts new to CrowdStrike LogScale.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell(\.exe)?$/
| CommandLine=/(?i)(-EncodedCommand|-enc\b)/
Tags: EDR, powershell, encoded-command
Beginner
FREE

Whoami Execution by Any Parent Process

Basic detection of whoami.exe execution across all endpoints — one of the most common post-compromise enumeration commands used by attackers to identify the current user context after initial access. Ideal for beginner threat hunters and SOC analysts building a baseline of identity enumeration activity in LogScale.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)whoami\.exe/
| groupBy([ComputerName, UserName, ParentBaseFileName], function=count(as=whoami_count))
Tags: EDR, whoami, enumeration
Beginner