EXPLORE DETECTIONS
Active Directory Activity
Table of recent Active Directory activity including disabled, deleted and password reset events.
Applications Spawning CMD or PowerShell
Table listing processes that spawned cmd.exe or powershell.exe child processes.
Applications with plaintext passwords
Table of applications identified as potentially handling plaintext passwords. Falcon automatically attempts to redact plain-text passwords in process command lines to prevent sensitive data exposure. When this occurs, the password string is replaced with the marker `/REDACTED/`. Therefore, during analysis we specifically look for the `/REDACTED/` placeholder within command-line arguments as an indicator that Falcon has detected and masked a potential plain-text password. Reference: https://www.reddit.com/r/crowdstrike/comments/u8ji4i/commandline_redacted/
Assigned Sensor Update Policy
This query will output a table with all hosts and their sensor update logic / assigned sensor update policy.
AWS S3 Bucket Policy Updates
This query outputs all S3 buckets where the policy has been modified. AWS PutBucketPolicy: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html
BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware)
Detects Bring Your Own Vulnerable Driver (BYOVD) attacks by correlating vulnerable kernel driver loads with security software termination on the same host. Covers both known-bad driver names and anomalous driver loads from user-writable paths. This technique has been actively observed in Medusa ransomware campaigns, where the group drops a signed but vulnerable kernel driver (commonly repurposed anti-cheat or AV drivers) to gain kernel-level access and forcibly terminate endpoint protection before deploying the ransomware payload. CISA issued advisory AA25-071A covering Medusa's BYOVD usage. The query is not Medusa-specific: it will detect any BYOVD campaign following the same pattern, including BlackByte, Scattered Spider, Cuba, and AvosLocker, all of which have used similar techniques.
Calculate Last Windows Boot Time
Outputs the last reboot timestamp and calculates the time elapsed since then.
Calculate Next-Gen SIEM Ingestion Total
Calculates total NG-SIEM ingest by each Vendor (connector). Can be altered to trim to a single vendor and assist in locating areas of large ingestion usage, such as singular firewall policies. See [this](https://www.reddit.com/r/crowdstrike/comments/1nhuu6g/mediocre_query_monday_calculating_ngsiem/) post for more information about doing this. No modules are required, but the NG-SIEM module is what creates the need for this query. EDR/Endpoint/CrowdStrike native log sources are not included, as those are not counted against NG-SIEM ingest from a pricing perspective.
Charon Ransomware Detection and Correlation
The query chain detects and correlates multiple indicators of the Charon ransomware attack lifecycle, including ransomware package writes, malicious DLL sideloading, process execution triggers (notably via svchost.exe), creation of ransom notes, and suspicious service creation (WWC.sys). It merges these findings across several event types to confirm successful ransomware deployment. [Charon Ransomware](https://www.trendmicro.com/en_dk/research/25/h/new-ransomware-charon.html) Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/Charon-Ransomware.md)
Check Domain Controller for NSX Driver
This query helps to determine if NSX drivers are installed on Domain Controllers to investigate limited Identity Protection functionality.
## Related CrowdStrike KBs
1. [Resolving Falcon Identity Protection conflicting with VMware tools and NSX Driver](https://supportportal.crowdstrike.com/s/article/ka16T000001Mle7QAC)
2. [Verify NSX driver installation on Domain Controllers](https://supportportal.crowdstrike.com/s/article/ka16T000001tkTHQAY)
Chromium-Based Browser Hunting via DLL Load
This query identifies Chromium-based browsers by detecting the loading of chrome.dll into running processes. Unlike simple process name checks, this method helps uncover browsers that may not be named chrome.exe but still rely on Chromium components. The query excludes known chrome.exe processes to highlight less obvious Chromium-based browsers, although it's important to note that not all Chromium-based browsers necessarily load chrome.dll.
Cloud Credential Violation IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to credentials.
Cloud Data Exfiltration IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to data exfiltration.
Cloud Least Privilege IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to least privilege.
Cloud MFA Violation IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to MFA violations.
Connections to Tor Exit Nodes
Detects network connections to or from known Tor exit nodes by matching endpoint telemetry against a curated lookup file of Tor exit node IPs.
Count Windows Discovery Commands
This query counts the execution of discovery / reconnaissance commands.
Created Local User Accounts
Table of all created local user accounts including UserName, ComputerName, aid, aip, and LocalIP.
Credential Dumping Detection
This query detects potential credential dumping activities by monitoring process access to LSASS and suspicious memory operations. This query uses CrowdStrike Query Language (CQL) to detect credential dumping activities:
1. **Process Monitoring**: `#event_simpleName=ProcessRollup2` - Monitors process execution events across endpoints
2. **Suspicious Indicators**: `(CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)` - Detects known credential dumping tools and LSASS access patterns
3. **Parent Process Filter**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i` - Excludes common legitimate parent processes to reduce noise
4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Adds user account information for attribution
5. **Process Hash**: `join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")` - Includes file hash for threat intelligence correlation
6. **Output**: `table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])` - Displays process details, user context, and file hash information
CVE-2025-1146 - System Scoping using aid_master
The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours.
CVE-2025-1146 - System Scoping using OsVersionInfo
The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the event OsVersionInfo, which is generated every 24 hours, at sensor start, or at sensor update.
CVE-2025-1146 - System Scoping using OsVersionInfo & Logon Data
The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the event OsVersionInfo, which is generated every 24 hours, at sensor start, or at sensor update. It attempts to merge in LogonType 2 and 10 events to determine the last logged-on user.
CVE-2025-53770 - SharePoint ToolShell
WebShell Discovery from w3wp.exe. Falcon has native detection/prevention capabilities for this attack sequence. The following looks for:
```
w3wp.exe --> cmd.exe --> powershell.exe --> .aspx file write
```
CVE-2025-59287 - WSUS Identification+Vulnerability Query
The query below outputs a list of your Windows servers with a Falcon sensor, tells you whether they need to be patched for the CVE, when the data was last updated, and whether WSUS was "detected". Reference: https://www.reddit.com/r/crowdstrike/comments/1ohdzpm/comment/nlnti7p/