EXPLORE

EXPLORE DETECTIONS

πŸ”
308 detections found

LOLBin Mshta

This query detects the use of mshta.exe. Mshta.exe – A Windows utility for executing HTML Applications (`.hta`) β€” often abused to run embedded or remote VBScript, JScript, or download-and-execute payloads via alternate data streams or web URLs. [LOLBAS - Mshta.exe](https://lolbas-project.github.io/lolbas/Binaries/Mshta/)

T1218.005T1105
CrowdStrike

LOLBin Mshta

This query detects the use of mshta.exe. Mshta.exe – A Windows utility for executing HTML Applications (`.hta`) β€” often abused to run embedded or remote VBScript, JScript, or download-and-execute payloads via alternate data streams or web URLs. [LOLBAS - Mshta.exe](https://lolbas-project.github.io/lolbas/Binaries/Mshta/)

T1218.005T1105
CrowdStrike

LOLBin Msiexec

This query detects the use of Msiexec.exe. Msiexec.exe – A Windows Installer utility that executes MSI packages or DLLs (including remote or transformed payloads), frequently misused by attackers for stealthy code execution and application control bypass. [LOLBAS - Msiexec.exe](https://lolbas-project.github.io/lolbas/Binaries/Msiexec/)

T1218.007
CrowdStrike

LOLBin Msiexec

This query detects the use of Msiexec.exe. Msiexec.exe – A Windows Installer utility that executes MSI packages or DLLs (including remote or transformed payloads), frequently misused by attackers for stealthy code execution and application control bypass. [LOLBAS - Msiexec.exe](https://lolbas-project.github.io/lolbas/Binaries/Msiexec/)

T1218.007
CrowdStrike

LOLBin Regsvr32

This query detects the use of Regsvr32 when it has loaded scrobj.dll. Regsvr32.exe – A native Windows tool designed to register DLLs, but frequently misused by attackers to execute remote or local scriptlets (SCT files)β€”often enabling Application Whitelisting bypass and stealthy code execution. [LOLBAS - Regsvr32.exe](https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/)

T1218.010
CrowdStrike

LOLBin Regsvr32

This query detects the use of Regsvr32 when it has loaded scrobj.dll. Regsvr32.exe – A native Windows tool designed to register DLLs, but frequently misused by attackers to execute remote or local scriptlets (SCT files)β€”often enabling Application Whitelisting bypass and stealthy code execution. [LOLBAS - Regsvr32.exe](https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/)

T1218.010
CrowdStrike

LOLBin Rundll32

This query detects the use of Rundll32 from parents that are known for misuse. Rundll32.exe – A native Windows binary that can be abused to execute DLLs, scripts, and other payloads, making it a common technique in Living-off-the-Land attacks. [LOLBAS - Rundll32.exe](https://lolbas-project.github.io/lolbas/Binaries/Rundll32/)

T1218.011T1564.004
CrowdStrike

LOLBin Rundll32

This query detects the use of Rundll32 from parents that are known for misuse. Rundll32.exe – A native Windows binary that can be abused to execute DLLs, scripts, and other payloads, making it a common technique in Living-off-the-Land attacks. [LOLBAS - Rundll32.exe](https://lolbas-project.github.io/lolbas/Binaries/Rundll32/)

T1218.011T1564.004
CrowdStrike

LOLBin WMIC

This query detects the use of WMIC. Wmic.exe – A built-in Windows tool for scripting and remote system management, which adversaries exploit to run commands, load executables via alternate data streams, execute remote or XSL-formatted payloads, and move files stealthily. [LOLBAS - Wmic.exe](https://lolbas-project.github.io/lolbas/Binaries/Wmic/)

T1218T1105T1564.004
CrowdStrike

LOLBin WMIC

This query detects the use of WMIC. Wmic.exe – A built-in Windows tool for scripting and remote system management, which adversaries exploit to run commands, load executables via alternate data streams, execute remote or XSL-formatted payloads, and move files stealthily. [LOLBAS - Wmic.exe](https://lolbas-project.github.io/lolbas/Binaries/Wmic/)

T1218T1105T1564.004
CrowdStrike

Malicious Chrome Extension FreeVPN-One Detection

This Logic detects the presence of the malicious Chrome extension FreeVPN[.]One by identifying its unique extension ID across installed browsers. The logic further correlates this presence with network communications initiated by the extension to suspicious or untrusted domains. By combining extension enumeration with traffic analysis, the detection ensures high fidelity with minimal false positives. This layered approach strengthens visibility into malicious browser add-ons masquerading as VPN tools. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/Malicious-Chrome-Extension-FreeVPN.One-Detection.md)

CrowdStrike

Malicious Chrome Extension FreeVPN-One Detection

This Logic detects the presence of the malicious Chrome extension FreeVPN[.]One by identifying its unique extension ID across installed browsers. The logic further correlates this presence with network communications initiated by the extension to suspicious or untrusted domains. By combining extension enumeration with traffic analysis, the detection ensures high fidelity with minimal false positives. This layered approach strengthens visibility into malicious browser add-ons masquerading as VPN tools. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/Malicious-Chrome-Extension-FreeVPN.One-Detection.md)

CrowdStrike

MFA Failures

Displays the count of MFA authentication failures caused by service errors or user not being enrolled. A sudden spike in these errors may indicate a service incident requiring immediate investigation and response.

CrowdStrike

MFA Failures

Displays the count of MFA authentication failures caused by service errors or user not being enrolled. A sudden spike in these errors may indicate a service incident requiring immediate investigation and response.

CrowdStrike

MFA Status Monitoring

Displays Multi-Factor Authentication (MFA) status events over time. Monitor for unexpected spikes in denials, errors, or timeouts that may indicate security threats, system issues, or user experience problems requiring investigation.

CrowdStrike

MFA Status Monitoring

Displays Multi-Factor Authentication (MFA) status events over time. Monitor for unexpected spikes in denials, errors, or timeouts that may indicate security threats, system issues, or user experience problems requiring investigation.

CrowdStrike

MongoDB Processes on Windows & Linux Hosts (CVE-2025-14847)

This query identifies Windows and Linux Hosts running MongoDB processes.

CrowdStrike

MongoDB Processes on Windows & Linux Hosts (CVE-2025-14847)

This query identifies Windows and Linux Hosts running MongoDB processes.

CrowdStrike

New API Keys within the Falcon Platform

This query provides a list of newly created API Keys, including relevant details such as Client Name and Client ID.

CrowdStrike

New API Keys within the Falcon Platform

This query provides a list of newly created API Keys, including relevant details such as Client Name and Client ID.

CrowdStrike

New installed Sensors

This query loads host inventory data from aid_master_main.csv, enriches it with details from aid_master_details.csv, and outputs a cleaned, formatted table of host information.

CrowdStrike

New installed Sensors

This query loads host inventory data from aid_master_main.csv, enriches it with details from aid_master_details.csv, and outputs a cleaned, formatted table of host information.

CrowdStrike

Notepad++ supply chain attack

This query detects a state-sponsored supply chain attack where the legitimate Notepad++ updater (gup.exe) is hijacked to download the Chrysalis backdoor. It identifies the attack by spotting unauthorized network connections from the updater, malicious DLL side-loading (e.g., BluetoothService.exe loading log.dll), and data exfiltration commands involving curl and temp.sh. https://notepad-plus-plus.org/news/hijacked-incident-info-update/ https://notepad-plus-plus.org/news/clarification-security-incident/ https://securelist.com/notepad-supply-chain-attack/118708/ https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

CrowdStrike

Notepad++ supply chain attack

This query detects a state-sponsored supply chain attack where the legitimate Notepad++ updater (gup.exe) is hijacked to download the Chrysalis backdoor. It identifies the attack by spotting unauthorized network connections from the updater, malicious DLL side-loading (e.g., BluetoothService.exe loading log.dll), and data exfiltration commands involving curl and temp.sh. https://notepad-plus-plus.org/news/hijacked-incident-info-update/ https://notepad-plus-plus.org/news/clarification-security-incident/ https://securelist.com/notepad-supply-chain-attack/118708/ https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

CrowdStrike
PreviousPage 10 of 13Next