CQL Knowledge Base - Latest Queries

CQL Knowledge Base - Latest Queries https://huntbase.darkreitor.xyz Free LogScale (CQL) detection queries for threat hunting and SOC operations en <![CDATA[Web Browser Spawning a Command Interpreter Process]]> https://huntbase.darkreitor.xyz/queries/browser-spawns-cmd-shell-b1 https://huntbase.darkreitor.xyz/queries/browser-spawns-cmd-shell-b1 Sun, 19 Apr 2026 00:00:00 GMT EDR <![CDATA[PowerShell Remote Download Cradle Detection]]> https://huntbase.darkreitor.xyz/queries/powershell-download-cradle-b1 https://huntbase.darkreitor.xyz/queries/powershell-download-cradle-b1 Sun, 19 Apr 2026 00:00:00 GMT EDR <![CDATA[Basic Detection: Child Processes Spawned by WMI Provider Host]]> https://huntbase.darkreitor.xyz/queries/wmi-provider-host-child-spawn-b2 https://huntbase.darkreitor.xyz/queries/wmi-provider-host-child-spawn-b2 Sun, 19 Apr 2026 00:00:00 GMT EDR <![CDATA[Data Exfiltration via Native FTP or LOLBin Tools]]> https://huntbase.darkreitor.xyz/queries/native-lolbin-ftp-exfil-b1 https://huntbase.darkreitor.xyz/queries/native-lolbin-ftp-exfil-b1 Sat, 18 Apr 2026 00:00:00 GMT EDR <![CDATA[Shell Spawned from PHP Process - WordPress WebShell Detection]]> https://huntbase.darkreitor.xyz/queries/php-webshell-process-spawn-b1 https://huntbase.darkreitor.xyz/queries/php-webshell-process-spawn-b1 Sat, 18 Apr 2026 00:00:00 GMT Malware <![CDATA[Basic PowerShell Base64 Encoded Command Detection]]> https://huntbase.darkreitor.xyz/queries/powershell-encoded-command-baseline-b2 https://huntbase.darkreitor.xyz/queries/powershell-encoded-command-baseline-b2 Sat, 18 Apr 2026 00:00:00 GMT EDR <![CDATA[Basic APT Reconnaissance Tools Detection with Domain Discovery Arguments]]> https://huntbase.darkreitor.xyz/queries/apt-recon-tools-domain-discovery-b2 https://huntbase.darkreitor.xyz/queries/apt-recon-tools-domain-discovery-b2 Fri, 17 Apr 2026 00:00:00 GMT EDR <![CDATA[Basic Detection of PowerShell Encoded Command Execution]]> https://huntbase.darkreitor.xyz/queries/powershell-encoded-command-basic-detect-b1 https://huntbase.darkreitor.xyz/queries/powershell-encoded-command-basic-detect-b1 Fri, 17 Apr 2026 00:00:00 GMT EDR <![CDATA[Basic Windows Token Privilege Enumeration via whoami]]> https://huntbase.darkreitor.xyz/queries/whoami-priv-token-enum-basic-b1 https://huntbase.darkreitor.xyz/queries/whoami-priv-token-enum-basic-b1 Fri, 17 Apr 2026 00:00:00 GMT EDR <![CDATA[Registry Run Key Modification for Persistence]]> https://huntbase.darkreitor.xyz/queries/registry-run-key-persistence-modification-b1 https://huntbase.darkreitor.xyz/queries/registry-run-key-persistence-modification-b1 Thu, 16 Apr 2026 00:00:00 GMT Persistence <![CDATA[Scheduled Task Creation with schtasks.exe for Persistence]]> https://huntbase.darkreitor.xyz/queries/scheduled-task-persistence-schtasks-b1 https://huntbase.darkreitor.xyz/queries/scheduled-task-persistence-schtasks-b1 Thu, 16 Apr 2026 00:00:00 GMT Persistence <![CDATA[Executable Launched from Windows Temp Directory]]> https://huntbase.darkreitor.xyz/queries/executable-from-temp-directory-b1 https://huntbase.darkreitor.xyz/queries/executable-from-temp-directory-b1 Wed, 15 Apr 2026 00:00:00 GMT Malware <![CDATA[Basic Detection: PowerShell Executed with EncodedCommand Parameter]]> https://huntbase.darkreitor.xyz/queries/powershell-encoded-command-b2 https://huntbase.darkreitor.xyz/queries/powershell-encoded-command-b2 Wed, 15 Apr 2026 00:00:00 GMT EDR <![CDATA[Whoami Execution by Any Parent Process]]> https://huntbase.darkreitor.xyz/queries/whoami-execution-baseline-b1 https://huntbase.darkreitor.xyz/queries/whoami-execution-baseline-b1 Wed, 15 Apr 2026 00:00:00 GMT EDR <![CDATA[Browser Spawns Scripting Interpreter — Fake Update Delivery Indicator]]> https://huntbase.darkreitor.xyz/queries/browser-spawns-interpreter-b1 https://huntbase.darkreitor.xyz/queries/browser-spawns-interpreter-b1 Tue, 14 Apr 2026 00:00:00 GMT EDR <![CDATA[CMD.exe Inline APT Reconnaissance — Basic Detection]]> https://huntbase.darkreitor.xyz/queries/cmd-apt-recon-basic-b1 https://huntbase.darkreitor.xyz/queries/cmd-apt-recon-basic-b1 Tue, 14 Apr 2026 00:00:00 GMT EDR <![CDATA[VSS Shadow Copy Deletion - Basic Ransomware Pre-Encryption Indicator]]> https://huntbase.darkreitor.xyz/queries/vssadmin-shadow-delete-basic-b2 https://huntbase.darkreitor.xyz/queries/vssadmin-shadow-delete-basic-b2 Tue, 14 Apr 2026 00:00:00 GMT EDR <![CDATA[Basic Detection: cmd.exe Executing whoami (APT3 TTP)]]> https://huntbase.darkreitor.xyz/queries/apt3-cmd-whoami-basic-b2 https://huntbase.darkreitor.xyz/queries/apt3-cmd-whoami-basic-b2 Mon, 13 Apr 2026 00:00:00 GMT EDR <![CDATA[Archive Tool Shell Spawn - Code Execution via Compressed File]]> https://huntbase.darkreitor.xyz/queries/archive-shell-spawn-detection-b1 https://huntbase.darkreitor.xyz/queries/archive-shell-spawn-detection-b1 Mon, 13 Apr 2026 00:00:00 GMT Malware <![CDATA[CMD Discovery Recon - APT3 Basic Enumeration Detection]]> https://huntbase.darkreitor.xyz/queries/cmd-basic-discovery-recon-b1 https://huntbase.darkreitor.xyz/queries/cmd-basic-discovery-recon-b1 Mon, 13 Apr 2026 00:00:00 GMT Threat Hunting <![CDATA[Basic Reconnaissance with Native Windows Tools]]> https://huntbase.darkreitor.xyz/queries/basic-lotl-reconnaissance-windows-b1 https://huntbase.darkreitor.xyz/queries/basic-lotl-reconnaissance-windows-b1 Sun, 12 Apr 2026 00:00:00 GMT EDR <![CDATA[Windows Executables Making Suspicious Outbound Connections]]> https://huntbase.darkreitor.xyz/queries/basic-windows-executable-outbound-connections-b2 https://huntbase.darkreitor.xyz/queries/basic-windows-executable-outbound-connections-b2 Sun, 12 Apr 2026 00:00:00 GMT EDR <![CDATA[Suspicious Access to Linux Shadow File]]> https://huntbase.darkreitor.xyz/queries/linux-shadow-file-access-detection-b1 https://huntbase.darkreitor.xyz/queries/linux-shadow-file-access-detection-b1 Sun, 12 Apr 2026 00:00:00 GMT EDR <![CDATA[Basic Windows Net Command Enumeration]]> https://huntbase.darkreitor.xyz/queries/basic-net-command-enumeration-b1 https://huntbase.darkreitor.xyz/queries/basic-net-command-enumeration-b1 Sat, 11 Apr 2026 00:00:00 GMT EDR <![CDATA[Basic PowerShell Encoded Command Detection]]> https://huntbase.darkreitor.xyz/queries/basic-powershell-encoded-command-b1 https://huntbase.darkreitor.xyz/queries/basic-powershell-encoded-command-b1 Sat, 11 Apr 2026 00:00:00 GMT EDR <![CDATA[Basic whoami.exe Execution Monitor]]> https://huntbase.darkreitor.xyz/queries/basic-whoami-execution-monitor-b2 https://huntbase.darkreitor.xyz/queries/basic-whoami-execution-monitor-b2 Sat, 11 Apr 2026 00:00:00 GMT EDR <![CDATA[Native Windows Tools with External Internet Connections (FDR)]]> https://huntbase.darkreitor.xyz/queries/sofistic-lolbin-external-network-connection-b1 https://huntbase.darkreitor.xyz/queries/sofistic-lolbin-external-network-connection-b1 Tue, 07 Apr 2026 00:00:00 GMT EDR <![CDATA[PowerShell with Base64-Encoded Commands (FDR)]]> https://huntbase.darkreitor.xyz/queries/sofistic-powershell-encoded-command-b1 https://huntbase.darkreitor.xyz/queries/sofistic-powershell-encoded-command-b1 Tue, 07 Apr 2026 00:00:00 GMT EDR <![CDATA[Web/VPN Server Spawning Shell (Fortinet CVE-2025)]]> https://huntbase.darkreitor.xyz/queries/webserver-shell-spawn-rce-b2 https://huntbase.darkreitor.xyz/queries/webserver-shell-spawn-rce-b2 Tue, 07 Apr 2026 00:00:00 GMT Vulnerability <![CDATA[Failed Authentication Spike]]> https://huntbase.darkreitor.xyz/queries/failed-auth-spike https://huntbase.darkreitor.xyz/queries/failed-auth-spike Identity <![CDATA[CSPM Policy Violations]]> https://huntbase.darkreitor.xyz/queries/sofistic-cspm-policy-violations https://huntbase.darkreitor.xyz/queries/sofistic-cspm-policy-violations Cloud <![CDATA[Data Staging via Archive Tools]]> https://huntbase.darkreitor.xyz/queries/sofistic-data-staging-archive-tools https://huntbase.darkreitor.xyz/queries/sofistic-data-staging-archive-tools EDR <![CDATA[Network Share Enumeration]]> https://huntbase.darkreitor.xyz/queries/sofistic-network-share-enumeration https://huntbase.darkreitor.xyz/queries/sofistic-network-share-enumeration Threat Hunting <![CDATA[Reconnaissance Commands Burst]]> https://huntbase.darkreitor.xyz/queries/sofistic-reconnaissance-commands-burst https://huntbase.darkreitor.xyz/queries/sofistic-reconnaissance-commands-burst Threat Hunting <![CDATA[Timestomping Detection]]> https://huntbase.darkreitor.xyz/queries/sofistic-timestomping-detection https://huntbase.darkreitor.xyz/queries/sofistic-timestomping-detection EDR