← Back to Explore
crowdstrike_cqlHunting
Applications Spawning CMD or Powershell
Table listing processes that spawned cmd.exe or powershell.exe child processes.
Detection Query
"#event_simpleName" = ProcessRollup2 event_platform="Win" FileName=/(cmd.exe|powershell.exe)/i
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| groupBy([ParentBaseFileName], function=[count(aid, distinct=true, as="DistinctHosts")])
| sort(DistinctHosts)
| rename(field="ParentBaseFileName", as="FileName")
Author
ByteRay GmbH
Data Sources
Endpoint
Platforms
windows
Tags
Huntingcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Applications Spawning CMD or Powershell
# MITRE ATT&CK technique IDs
mitre_ids:
- T1059
# Description of what the query does and its purpose.
description: Table listing processes that spawned cmd.exe or powershell.exe child processes.
# The author or team that created the query.
author: ByteRay GmbH
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Endpoint
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Hunting
cs_required_modules:
- Insight
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
"#event_simpleName" = ProcessRollup2 event_platform="Win" FileName=/(cmd.exe|powershell.exe)/i
| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true)
| groupBy([ParentBaseFileName], function=[count(aid, distinct=true, as="DistinctHosts")])
| sort(DistinctHosts)
| rename(field="ParentBaseFileName", as="FileName")