EXPLORE
Sign In
← Back to Explore
crowdstrike_cqlHunting

Hunting EDR Freeze

Based on the default command line switching behavior found in the EDR-Freeze open source project: https://github.com/TwoSevenOneT/EDR-Freeze?tab=readme-ov-file

Detection Query

// Look for process handles opening Falcon
#event_simpleName=FalconProcessHandleOpDetectInfo FileName="WerFaultSecure.exe"

// Check for command line switching signal
| GrandparentCommandLine=/\.exe"?\s+\d+\s+\d+$/ OR ParentCommandLine=/\.exe"?\s+\d+\s+\d+$/ OR CommandLine=/\.exe"?\s+\d+\s+\d+$/

// Create process lineage tree for easier reading
| ProcessLineage:=format(format="%s (%s)\n   └ %s (%s)\n      └ %s (%s)", field=[GrandparentImageFileName, GrandparentCommandLine, ParentImageFileName, ParentCommandLine, ImageFileName, CommandLine])

// Output deatils to table
| table([@timestamp, aid, ComputerName, ContextProcessId, ProcessLineage])

// Create direct link to Process Explorer - Uncomment the rootURL value that matches your cloud
| rootURL  := "https://falcon.crowdstrike.com/" /* US-1 */
//| rootURL  := "https://falcon.us-2.crowdstrike.com/" /* US-2 */
//| rootURL  := "https://falcon.laggar.gcw.crowdstrike.com/" /* Gov */
//| rootURL  := "https://falcon.eu-1.crowdstrike.com/"  /* EU */
| format("[Responsible Process](%sgraphs/process-explorer/tree?id=pid:%s:%s)", field=["rootURL", "aid", "ContextProcessId"], as="Process Explorer") 

// Remove unnecessary fields
| drop([rootURL, ContextProcessId])

Author

CrowdStrike

Data Sources

Endpoint

Platforms

windowslinux

Tags

Huntingcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Hunting EDR Freeze

# Description of what the query does and its purpose.
description: |
  Based on the default command line switching behavior found in the EDR-Freeze open source project:
  https://github.com/TwoSevenOneT/EDR-Freeze?tab=readme-ov-file

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Insight

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Hunting

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  // Look for process handles opening Falcon
  #event_simpleName=FalconProcessHandleOpDetectInfo FileName="WerFaultSecure.exe"
  
  // Check for command line switching signal
  | GrandparentCommandLine=/\.exe"?\s+\d+\s+\d+$/ OR ParentCommandLine=/\.exe"?\s+\d+\s+\d+$/ OR CommandLine=/\.exe"?\s+\d+\s+\d+$/
  
  // Create process lineage tree for easier reading
  | ProcessLineage:=format(format="%s (%s)\n   └ %s (%s)\n      └ %s (%s)", field=[GrandparentImageFileName, GrandparentCommandLine, ParentImageFileName, ParentCommandLine, ImageFileName, CommandLine])
  
  // Output deatils to table
  | table([@timestamp, aid, ComputerName, ContextProcessId, ProcessLineage])
  
  // Create direct link to Process Explorer - Uncomment the rootURL value that matches your cloud
  | rootURL  := "https://falcon.crowdstrike.com/" /* US-1 */
  //| rootURL  := "https://falcon.us-2.crowdstrike.com/" /* US-2 */
  //| rootURL  := "https://falcon.laggar.gcw.crowdstrike.com/" /* Gov */
  //| rootURL  := "https://falcon.eu-1.crowdstrike.com/"  /* EU */
  | format("[Responsible Process](%sgraphs/process-explorer/tree?id=pid:%s:%s)", field=["rootURL", "aid", "ContextProcessId"], as="Process Explorer") 
  
  // Remove unnecessary fields
  | drop([rootURL, ContextProcessId])