EDR

52 queries in this category

20 queries in EDR
NEW
FREE

VSS Shadow Copy Deletion - Basic Ransomware Pre-Encryption Indicator

Detects deletion of Windows Volume Shadow Copies via vssadmin.exe or wmic.exe. This is the most universally performed ransomware preparation step, executed by virtually all modern ransomware families (including WannaCry, ALPHV, Play, LockBit, and Akira) to eliminate local snapshot recovery options before encrypting files. An essential beginner detection for any Windows endpoint monitoring program.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(vssadmin\.exe|wmic\.exe)/
| CommandLine=/(?i)(delete\s+shadows|shadowcopy.*delete)/
EDR, shadow-copy, vssadmin
Beginner
FREE

Basic Detection: cmd.exe Executing whoami (APT3 TTP)

Beginner-level query to detect cmd.exe executions invoking whoami — the first technique documented in the public APT3 profile per T1059.003 and T1033. Ideal for SOC analysts new to threat hunting with CQL who want to get familiar with basic Falcon LogScale syntax using FDR process events.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)cmd\.exe/
| CommandLine=/(?i)\/c\s+whoami/
EDR, cmd, whoami
Beginner
PAID

PowerShell LOTL with Base64-Encoded Payload (-EncodedCommand)

Detects PowerShell executions using the -EncodedCommand parameter to conceal the actual payload, a primary LOTL technique documented by CISA where adversaries abuse native PowerShell to evade signature-based detection. Critical for detecting post-initial infection stages in ransomware and APT campaigns that prefer LOTL over custom binaries.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell(\.exe)?/
| CommandLine=/(?i)-[eE][nN][cC]\w*\s+[A-Za-z0-9+\/=]{50,}/
EDR, powershell, encoded-command
Intermediate
PAID

Linux Sudo Privilege Escalation Pattern - CVE-2025-32463

Detects suspicious sudo binary invocations originating from command interpreters or network tools with privilege escalation flags. Covers the CVE-2025-32463 (CVSS 7.8) pattern that allows unauthorized escalation to root on Linux by manipulating the sudo command from illegitimate parent processes.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=sudo
| CommandLine=/(?i)(-s\b|-i\b|--stdin|--shell|LD_PRELOAD=|SUDO_ASKPASS=|\/bin\/(ba)?sh)/
EDR, privilege-escalation, sudo
Advanced
FREE

Basic Reconnaissance with Native Windows Tools

Detects execution of common Windows reconnaissance commands such as whoami, ipconfig, net user, and systeminfo, frequently used in the initial phase of a Living Off the Land (LOTL) attack.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Win
| FileName=/(?i)(whoami\.exe|ipconfig\.exe|systeminfo\.exe|net\.exe|hostname\.exe)/
EDR, lotl, reconnaissance
Beginner
FREE

Windows Executables Making Suspicious Outbound Connections

Basic query to detect Windows executables located in temporary or download directories establishing outbound network connections, useful for identifying newly downloaded malware contacting command and control servers.

#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| ImageFileName=/(?i)(\\temp\\|\\tmp\\|\\downloads\\|\\appdata\\local\\temp\\).*\.exe$/
| select([timestamp, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort])
EDR, network-connections, c2
Beginner
FREE

Suspicious Access to Linux Shadow File

Detects read attempts against the /etc/shadow file on Linux systems, a technique used by attackers to extract password hashes and perform offline cracking after gaining initial access to the system.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Lin
| CommandLine=/\/etc\/shadow/
EDR, linux, shadow-file
Beginner
PAID

Linux Privilege Escalation via Suspicious Sudo Execution

Detects suspicious sudo execution patterns on Linux systems that may indicate exploitation of CVE-2025-32463 (CVSS 7.8) or sudoers misconfigurations, including interactive shell spawning and interpreter execution as root.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| event_platform=Lin
| ParentBaseFileName=sudo
EDR, linux, sudo
Intermediate
PAID

APT3-Style Remote Execution Pattern via cmd.exe

Detects cmd.exe with the /C parameter executing discovery commands typical of the APT3 profile (whoami, net user, systeminfo, nltest) when the parent process is unusual, indicating possible remote execution or lateral movement via command shell (T1059.003) as documented in APT3 TTP analysis.

#repo="base_sensor" #event_simpleName=ProcessRollup2
// FileName in FDR ProcessRollup2 carries only the base name, so a leading backslash must be optional
| FileName=/(?i)(^|\\)cmd\.exe$/
| CommandLine=/(?i)\/[cC]\s+.*(whoami|net\s+(user|group|localgroup|view|share)|systeminfo|ipconfig|tasklist|reg\s+query|nltest|dsquery)/
EDR, apt3, command-shell
Intermediate
FREE

Basic Windows Net Command Enumeration

Detects use of the net.exe command to enumerate users, groups, and shared resources, one of the most abused native Windows tools in Living-off-the-Land attacks according to multiple CISA and CrowdStrike reports.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)net1?\.exe/
| CommandLine=/(?i)net1?\s+(user|group|localgroup|share|view|session|accounts|use)\s/
EDR, net-command, enumeration
Beginner
FREE

Basic PowerShell Encoded Command Detection

Query for junior SOC analysts that detects PowerShell executions with the -EncodedCommand flag, a common LOTL technique for obfuscating malicious commands and evading plaintext signature-based detections.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)powershell\.exe/
| CommandLine=/(?i)(-enc|-encodedcommand|-ec\s)/
EDR, powershell, encoded-command
Beginner
FREE

Basic whoami.exe Execution Monitor

Simple query to detect any whoami.exe execution on endpoints, a tool frequently used as the first command by attackers after gaining initial access to verify user context and privileges, referenced in multiple APT profiles including APT3 and APT28.

#repo="base_sensor" #event_simpleName=ProcessRollup2
// FileName in FDR ProcessRollup2 carries only the base name, so a leading backslash must be optional
| FileName=/(?i)(^|\\)whoami\.exe$/
| select([timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName])
EDR, whoami, discovery
Beginner
PAID

Linux Privilege Escalation via Sudo - CVE-2025-32463 Pattern

Detects privilege escalation attempts on Linux systems via sudo manipulation, inspired by CVE-2025-32463 (CVSS 7.8), which allows unauthorized elevation to root by tricking the sudo command.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)sudo$/
| CommandLine=/(?i)(sudo\s+(-u|--user|EDITOR|VISUAL|sudoedit|\.\.\/|\$\(|`|;|\|))/
EDR, linux, privilege-escalation
Intermediate
FREE

Native Windows Tools with External Internet Connections (FDR)

Detects connections to external IPs (non-RFC1918) originating from native Windows administration and scripting tools, a basic LOTL pattern for payload download or C2 communication.

#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| regex(field=ImageFileName, regex="(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|bitsadmin|certutil|regsvr32|rundll32)\.exe$")
| not regex(field=RemoteAddressIP4, regex="^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1|fd)")
EDR, lotl, c2
Beginner
FREE

PowerShell with Base64-Encoded Commands (FDR)

Detects PowerShell executions using the EncodedCommand parameter, a basic LOTL technique used to obfuscate malicious payloads and evade command-line detection.

#repo="base_sensor" #event_simpleName=ProcessRollup2
| regex(field=ImageFileName, regex="(?i)(powershell|pwsh)\.exe$")
| regex(field=CommandLine, regex="(?i)(-EncodedCommand|-enc\s|-e\s+[A-Za-z0-9+/]{20,}|FromBase64String)")
EDR, powershell, encoded-command
Beginner
PAID

Lateral Movement via SMB

Detects lateral movement using SMB protocol by correlating process events with network connections on port 445.

FileName = "cmd.exe" OR FileName = "powershell.exe"
| join(
    { NetworkEvent
EDR, lateral-movement, smb
Intermediate
PAID

AMSI Bypass Attempt

Detects AMSI bypass attempts via PowerShell reflection or string obfuscation techniques used to evade AV/EDR scanning.

#event_simpleName=ProcessRollup2
| CommandLine=/(amsiInitFailed|AmsiUtils|amsi\.dll|SetValue.*amsiContext|Reflection\.Assembly.*amsi)/i
| groupBy([ComputerName, UserName, CommandLine], function=count())
| sort(_count, limit=20)
EDR, sofistic, defense-evasion
Advanced
PAID

Credential Dumping Tools

Detects execution of known credential dumping tools (Mimikatz, fgdump, gsecdump, pwdump) on Windows endpoints.

#event_simpleName=ProcessRollup2
| FileName=/(mimikatz|procdump|pwdump|wce|lazagne|gsecdump|secretsdump)/i
| groupBy([ComputerName, UserName, FileName], function=count())
| _count > 2
| sort(_count, limit=20)
EDR, sofistic, credential-access
Advanced
FREE

Data Staging via Archive Tools

Detects use of compression utilities (7z, rar, zip) to package large volumes of data — a pre-exfiltration staging indicator.

#event_simpleName=ProcessRollup2
| FileName=/(7z|7za|rar|winrar|zip|tar|makecab)\.exe/i
| CommandLine=/(\\Users\\|\\Shares\\|\\Documents\\|\\Desktop\\|-p|-r)/i
| groupBy([ComputerName, UserName, FileName, CommandLine], function=count())
| _count > 3
| sort(_count, limit=20)
EDR, sofistic, exfiltration
Beginner
PAID

LSASS Memory Access

Detects direct access to LSASS process memory — a common technique for credential extraction via tools like Mimikatz or ProcDump.

#event_simpleName=ProcessRollup2
| CommandLine=*lsass*
| FileName!=lsass.exe
| groupBy([ComputerName, UserName, FileName, CommandLine], function=count())
| _count > 2
| sort(_count, limit=20)
EDR, sofistic, credential-access
Advanced