EXPLORE
← Back to Explore
crowdstrike_cqlHunting

Suspicious DLL / Module loads

This query will show all the suspicious DLL/module loads that CrowdStrike has flagged as detections, where all the endpoint are involved, along with the process and parent process details This query will show all the suspicious DLL/module loads that CrowdStrike has flagged as detections, where all the endpoint are involved, along with the process and parent process details

MITRE ATT&CK

defense-evasion

Detection Query

| #Vendor = crowdstrike
| #repo = "base_sensor"
| "#event_simpleName" = "ModuleLoadV3DetectInfo"
| aid=?aid
//| ComputerName="XXXXX"//Enter computer name to check for specific endpoint
| groupBy([ComputerName,aid], function=[collect(FileName),collect(FilePath),collect(ImageFileName),collect(ParentCommandLine),count(as=total_module_loads)])
| sort(total_module_loads, order=desc)

Author

Kundan Kumar

Data Sources

Endpoint

Platforms

windowslinux

Tags

Huntingcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Suspicious DLL / Module loads

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1036

# Description of what the query does and its purpose.
description: |
  This query will show all the suspicious DLL/module loads that CrowdStrike has flagged as detections, where all the endpoint are involved, along with the process and parent process details

# The author or team that created the query.
author: Kundan Kumar

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
tags:
  - Hunting

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  | #Vendor = crowdstrike
  | #repo = "base_sensor"
  | "#event_simpleName" = "ModuleLoadV3DetectInfo"
  | aid=?aid
  //| ComputerName="XXXXX"//Enter computer name to check for specific endpoint
  | groupBy([ComputerName,aid], function=[collect(FileName),collect(FilePath),collect(ImageFileName),collect(ParentCommandLine),count(as=total_module_loads)])
  | sort(total_module_loads, order=desc)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  This query will show all the suspicious DLL/module loads that CrowdStrike has flagged as detections, where all the endpoint are involved, along with the process and parent process details