← Back to Explore
crowdstrike_cqlHunting
MongoDB Processes on Windows & Linux Hosts (CVE-2025-14847)
This query identifies Windows and Linux Hosts running MongoDB processes.
Detection Query
#event_simpleName=ProcessRollup2
| (event_platform=Win AND ImageFileName=/mongod\.exe|mongos\.exe/i) OR (event_platform=Lin AND ImageFileName=/mongod|mongos/i)
| table([@timestamp, aid, ComputerName, UserName, ImageFileName])
Author
ByteRay GmbH
Data Sources
Endpoint
Platforms
windowslinux
Tags
Huntingcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: "MongoDB Processes on Windows & Linux Hosts (CVE-2025-14847)"
# Description of what the query does and its purpose.
# Using the YAML block scalar `|` allows for multi-line strings.
description: |
This query identifies Windows and Linux Hosts running MongoDB processes.
# The author or team that created the query.
author: ByteRay GmbH
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Endpoint
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Insight
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Hunting
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#event_simpleName=ProcessRollup2
| (event_platform=Win AND ImageFileName=/mongod\.exe|mongos\.exe/i) OR (event_platform=Lin AND ImageFileName=/mongod|mongos/i)
| table([@timestamp, aid, ComputerName, UserName, ImageFileName])