← Back to Explore
crowdstrike_cqlHunting
Phishing - List of links opened from Outlook
Detection Query
#event_simpleName=ProcessRollup2
| aid=?aid ImageFileName=/\\outlook\.exe/i
| regex("(?<FileName>[^\\/|\\\\]*)$", field=ImageFileName, strict=false)
| join(
{
#event_simpleName=ProcessRollup2 ImageFileName=/(chrome|firefox|iexplore)\.exe/i
| MD5:=MD5HashData | ImageFileName=/(\/|\\)(?<ChildFileName>\w*\.?\w*)$/
| ChildCLI:=CommandLine
},
key=ParentProcessId, field=TargetProcessId, include=[MD5, ChildFileName, ChildCLI]
)
| groupBy([aid, FileName, CommandLine, ChildFileName, ChildCLI, MD5], limit=max)
Author
CrowdStrike
Data Sources
Endpoint
Platforms
windowslinux
Tags
Huntingcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Phishing - List of links opened from Outlook
# MITRE ATT&CK technique IDs
mitre_ids:
- T1566
# Description of what the query does and its purpose.
#description:
# The author or team that created the query.
author: CrowdStrike
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Endpoint
# Tags for filtering and categorization.
tags:
- Hunting
cs_required_modules:
- Insight
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#event_simpleName=ProcessRollup2
| aid=?aid ImageFileName=/\\outlook\.exe/i
| regex("(?<FileName>[^\\/|\\\\]*)$", field=ImageFileName, strict=false)
| join(
{
#event_simpleName=ProcessRollup2 ImageFileName=/(chrome|firefox|iexplore)\.exe/i
| MD5:=MD5HashData | ImageFileName=/(\/|\\)(?<ChildFileName>\w*\.?\w*)$/
| ChildCLI:=CommandLine
},
key=ParentProcessId, field=TargetProcessId, include=[MD5, ChildFileName, ChildCLI]
)
| groupBy([aid, FileName, CommandLine, ChildFileName, ChildCLI, MD5], limit=max)
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
# explanation: |