EXPLORE
Sign In
← Back to Explore
crowdstrike_cql

Detect RTR High Risk Commands

Detects the execution of high risk commands such as - get - put - memdump - xmemdump - run - put-and-run

Detection Query

// Get UI Audit Events
#repo="detections" ExternalApiType=/Remote/

// Check commands for "get", "put", "memdump", "xmemdump", "run", "put-and-run"
| array:regex("Commands[]", regex="get|put|memdump|xmemdump|run|put-and-run")

// Create unified "Commands" field
| concatArray("Commands", separator="; ", as=Commands)

// Check to make sure Commands is populated
| Commands=*

// Aggregate results
| groupBy([UserName, AgentIdString], function=([collect([Commands])]))
| groupBy([UserName], function=([count(AgentIdString, as=SystemsAccssed), collect([Commands])]))

Author

ByteRay GmbH

Data Sources

Endpoint

Platforms

windowslinux

Tags

Monitoringcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Detect RTR High Risk Commands

# Description of what the query does and its purpose.
description: |
  Detects the execution of high risk commands such as
  - get
  - put 
  - memdump
  - xmemdump
  - run
  - put-and-run

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Monitoring

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  // Get UI Audit Events
  #repo="detections" ExternalApiType=/Remote/
  
  // Check commands for "get", "put", "memdump", "xmemdump", "run", "put-and-run"
  | array:regex("Commands[]", regex="get|put|memdump|xmemdump|run|put-and-run")
  
  // Create unified "Commands" field
  | concatArray("Commands", separator="; ", as=Commands)
  
  // Check to make sure Commands is populated
  | Commands=*
  
  // Aggregate results
  | groupBy([UserName, AgentIdString], function=([collect([Commands])]))
  | groupBy([UserName], function=([count(AgentIdString, as=SystemsAccssed), collect([Commands])]))