kqlHunting
Hanada Group Crowdstrike Impersonation Detection
This query detects activity from Hanada group malware impersonating Crowdstrike updates.
Detection Query
//This query detects activity from Hanada group malware impersonating Crowdstrike updates
//Looks for attempts to identify installed antiviruses and create specific files/folders
DeviceProcessEvents
| where ProcessCommandLine has_any("avastui.exe","avgui.exe","bdservicehost.exe","nswscsvc.exe","sophoshealth.exe","Carroll Carroll","champion.pif",@"564784\L","locatedflattrendsoperating")
Data Sources
DeviceProcessEvents
Platforms
windows
Tags
defender
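The Python script below is an added example, not code from the kqlHunting project: it runs the page's indicator list over a few constructed DeviceProcessEvents rows so the match logic can be checked offline before the query is scheduled. The sample rows, the column subset and the case-insensitive substring approximation of KQL's has_any() are assumptions of this example; the indicator strings themselves are copied unchanged from the query above.

```python
"""Offline check of the page's indicator list against sample process events.

Added example, not the kqlHunting project's own code. The indicator strings are
copied from the page's has_any() clause; the event rows and the has_any
approximation are constructed for this demonstration.
"""
from typing import Dict, List

# Indicator strings exactly as listed in the page's KQL has_any() clause.
INDICATORS: List[str] = [
    "avastui.exe",
    "avgui.exe",
    "bdservicehost.exe",
    "nswscsvc.exe",
    "sophoshealth.exe",
    "Carroll Carroll",
    "champion.pif",
    r"564784\L",          # KQL verbatim string @"564784\L": one literal backslash
    "locatedflattrendsoperating",
]

# Constructed sample rows shaped like DeviceProcessEvents (only the columns used here).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "services.exe",
     "ProcessCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # AV discovery: command line names one of the listed AV processes
    {"DeviceName": "ws02", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c tasklist | findstr /i AVASTUI.EXE"},
    # Dropper-style launch: listed file name plus listed argument string
    {"DeviceName": "ws03", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r'"C:\Users\u\AppData\Local\Temp\champion.pif" "Carroll Carroll"'},
    {"DeviceName": "ws04", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r"notepad.exe C:\docs\notes.txt"},
]


def matched_indicators(command_line: str, indicators: List[str] = INDICATORS) -> List[str]:
    """Return the indicators present in command_line, in list order.

    Approximates KQL has_any() with a case-insensitive substring test. KQL's
    has operators are term-based and can differ at term boundaries, so treat
    this as a triage approximation, not a bit-for-bit re-implementation.
    """
    lowered = command_line.lower()
    return [ind for ind in indicators if ind.lower() in lowered]


def hunt(events: List[Dict[str, str]], indicators: List[str] = INDICATORS) -> List[Dict[str, object]]:
    """Mirror the page's query: keep rows whose ProcessCommandLine has any indicator."""
    hits: List[Dict[str, object]] = []
    for row in events:
        found = matched_indicators(row.get("ProcessCommandLine", ""), indicators)
        if found:
            hits.append({
                "DeviceName": row["DeviceName"],
                "InitiatingProcessFileName": row.get("InitiatingProcessFileName", ""),
                "ProcessCommandLine": row["ProcessCommandLine"],
                "Indicators": found,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['DeviceName']}: {hit['Indicators']}  <-  {hit['ProcessCommandLine']}")
```

Running the script reports ws02 (AV process name on the command line) and ws03 (listed file name and argument string) and nothing for the two benign rows. Because the query matches only on ProcessCommandLine, an alert carries the full command line with it; keeping InitiatingProcessFileName alongside, as the script does, is what an analyst needs to tell an administrator's AV inventory script from a dropper launch.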