EXPLORE DETECTIONS
NTLM authentication where Kerberos is expected (Baseline)
This query identifies NTLM authentications observed by Active Directory in service‑based authentication contexts where Kerberos is the default and normally preferred mechanism. It filters for NTLM (v1/v2) usage during access to domain services (such as SMB, LDAP, or RPC) by leveraging the presence of a service identifier, which indicates that Kerberos should typically be available. The query aggregates events to highlight recurring NTLM fallback patterns across users, machines, and servers, and is intended for baseline exposure tracking and hygiene monitoring, not direct incident alerting. This query is designed to identify NTLM authentications occurring in Active Directory service contexts where Kerberos is the default and normally preferred authentication mechanism. Important: This query does not prove malicious activity. It provides visibility into architectural exposure and authentication fallback behavior.
OAuth2 Token Burst — Token Harvesting (Microsoft Defender for Identity)
Detects a sudden surge in OAuth2 token requests or acquisitions within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate token harvesting activity, where an attacker attempts to obtain multiple access tokens to abuse authentication sessions and maintain unauthorized access. Detects a sudden surge in OAuth2 token requests or acquisitions within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate token harvesting activity, where an attacker attempts to obtain multiple access tokens to abuse authentication sessions and maintain unauthorized access.
OS Platform ratio
This query aggregates SensorHeartbeat events by operating system platform to show the relative distribution of endpoints per OS. It is well suited for visualization as a pie chart, providing a quick overview of platform coverage and identifying imbalances or unexpected OS presence in the environment.
OS Platform ratio
This query aggregates SensorHeartbeat events by operating system platform to show the relative distribution of endpoints per OS. It is well suited for visualization as a pie chart, providing a quick overview of platform coverage and identifying imbalances or unexpected OS presence in the environment.
Packages in Container Images - Match Lookup File
Parses packages from ImageVulnerabilityEvents and cross-references it with a lookup file to identify matching entries. A lookup file with a list of packages needs to be uploaded first. Example: |PackageName|Version| |---|---| |Package|1.0.0|
Packages in Container Images - Match Lookup File
Parses packages from ImageVulnerabilityEvents and cross-references it with a lookup file to identify matching entries. A lookup file with a list of packages needs to be uploaded first. Example: |PackageName|Version| |---|---| |Package|1.0.0|
Packages in Container Images - Match Parameter
Searches packages using the provided parameter and returns the corresponding image repository.
Packages in Container Images - Match Parameter
Searches packages using the provided parameter and returns the corresponding image repository.
Packed Binary Detected
This query hunts for packed executable files written to disk on CrowdStrike Falcon monitored endpoints, classifies them by risk based on write location, and groups results by computer to identify the most affected/suspicious hosts. This query hunts for packed executable files written to disk on CrowdStrike Falcon monitored endpoints, classifies them by risk based on write location, and groups results by computer to identify the most affected/suspicious hosts.
Password Spray Many Users from Same IP Microsoft Defender for Identity
Detects multiple authentication failures across several user accounts originating from a single IP address, as identified by Microsoft Defender for Identity. This pattern is indicative of a password spraying attack where an attacker attempts common passwords against multiple users to gain unauthorized access. Detects multiple authentication failures across several user accounts originating from a single IP address, as identified by Microsoft Defender for Identity. This pattern is indicative of a password spraying attack where an attacker attempts common passwords against multiple users to gain unauthorized access.
Phishing - List of links opened from Outlook
Phishing - List of links opened from Outlook
Possible DC Replication (DCSync)
Detects suspicious attempts to replicate Active Directory data from a Domain Controller using the DCSync technique based on the Defender for identity module. This behavior may indicate an attacker attempting to extract sensitive credentials (such as password hashes) by mimicking domain replication requests
Potential Lateral Movement through RDP
Detects when a user account initiates Remote Desktop Protocol (RDP) sessions across multiple systems within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate potential lateral movement by an attacker or unauthorized use of administrative access This query detects potential lateral movement activity by analyzing Kerberos/NTLM remote desktop logon events from Microsoft Defender for Identity. It groups authentication events by username and flags users who logged into more than one unique device within a 60-minute window.
Powershell Command Length Anomaly Detection
This query establishes a 7-day baseline of average PowerShell command lengths for each host. It then compares this baseline to the average command length of the last 24 hours. The query identifies hosts with a significant percentage increase in command length, which can be an indicator for obfuscation, fileless execution, or other malicious activities associated with "Living off the Land" techniques. ## Why Powershell is a Target for Attackers Powershell is an integral part of modern Windows systems and offers powerful automation capabilities through its .NET integration. These features also make it attractive to attackers: - **Pre-installed:** Available on every Windows system (no additional code needed). - **Powerful Access:** Direct access to Windows APIs and network resources. - **In-Memory Execution:** Capable of running code directly from memory (fileless execution). - **Often Under-Monitored:** Frequently lacks sufficient monitoring or restrictions. Attackers use **"Living off the Land"** tactics to leverage PowerShell for stealthy attacks without deploying additional tools. ## Why Command Length Deviations Indicate Threats Attackers often employ methods that result in unusually long command lines. Monitoring deviations from normal command length is a valuable approach for detecting suspicious activity. Unusually long commands can indicate: * **Obfuscation:** * **Encoding:** Using Base64 (`-EncodedCommand`), hexadecimal, or ASCII to hide commands. * **Escape Characters:** Using backticks (`) to impair readability. * **Embedding Payloads:** Inserting entire scripts or binary payloads directly into the command line. * **Fileless Execution & LotL:** Complex one-liners are used to download and execute payloads from remote sources, leading to longer commands. * **Offensive Frameworks:** Tools like Empire, PowerSploit, or Cobalt Strike often generate long, obfuscated commands for their payloads. Unusually long commands are a strong indicator because they directly correlate with common attacker techniques for evasion and execution (e.g., [T1027.010 Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/010/)). Legitimate administrative tasks rarely require the extreme lengths produced by these methods. | Technique | Impact on Length | Description | | :--- | :--- | :--- | | Base64 (`-EncodedCommand`)| Significant Increase | Hides script content; very common for payload delivery. | | String Concatenation | Moderate/Variable Increase | Used to break up keywords and evade simple string matching. | | Remote Download Cradles | Variable (Often Long) | Commands like `IEX (New-Object Net.WebClient).DownloadString(...)` can be long. | | Embedded Scripts/Payloads | Significant Increase | Entire scripts or binaries are passed in the command line, nearing max length. | ## The Power of Baselining: Establishing "Normal" This query is based on the core idea of baselining "normal" activity for PowerShell command lengths and then identifying significant deviations from that norm. ### Creating the Baseline The query analyzes historical PowerShell executions over a defined period (7 days) to calculate statistical measures (the average) for command lengths. This establishes the expected range. By comparing the last day's average length against this historical baseline, the query can flag anomalous increases. A **7-day baseline** is chosen to: - Capture weekly operational cycles (e.g., weekend maintenance scripts). - Balance stability and adaptability, smoothing out daily fluctuations while remaining responsive to real changes.
Powershell Command Length Anomaly Detection
This query establishes a 7-day baseline of average PowerShell command lengths for each host. It then compares this baseline to the average command length of the last 24 hours. The query identifies hosts with a significant percentage increase in command length, which can be an indicator for obfuscation, fileless execution, or other malicious activities associated with "Living off the Land" techniques. ## Why Powershell is a Target for Attackers Powershell is an integral part of modern Windows systems and offers powerful automation capabilities through its .NET integration. These features also make it attractive to attackers: - **Pre-installed:** Available on every Windows system (no additional code needed). - **Powerful Access:** Direct access to Windows APIs and network resources. - **In-Memory Execution:** Capable of running code directly from memory (fileless execution). - **Often Under-Monitored:** Frequently lacks sufficient monitoring or restrictions. Attackers use **"Living off the Land"** tactics to leverage PowerShell for stealthy attacks without deploying additional tools. ## Why Command Length Deviations Indicate Threats Attackers often employ methods that result in unusually long command lines. Monitoring deviations from normal command length is a valuable approach for detecting suspicious activity. Unusually long commands can indicate: * **Obfuscation:** * **Encoding:** Using Base64 (`-EncodedCommand`), hexadecimal, or ASCII to hide commands. * **Escape Characters:** Using backticks (`) to impair readability. * **Embedding Payloads:** Inserting entire scripts or binary payloads directly into the command line. * **Fileless Execution & LotL:** Complex one-liners are used to download and execute payloads from remote sources, leading to longer commands. * **Offensive Frameworks:** Tools like Empire, PowerSploit, or Cobalt Strike often generate long, obfuscated commands for their payloads. Unusually long commands are a strong indicator because they directly correlate with common attacker techniques for evasion and execution (e.g., [T1027.010 Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/010/)). Legitimate administrative tasks rarely require the extreme lengths produced by these methods. | Technique | Impact on Length | Description | | :--- | :--- | :--- | | Base64 (`-EncodedCommand`)| Significant Increase | Hides script content; very common for payload delivery. | | String Concatenation | Moderate/Variable Increase | Used to break up keywords and evade simple string matching. | | Remote Download Cradles | Variable (Often Long) | Commands like `IEX (New-Object Net.WebClient).DownloadString(...)` can be long. | | Embedded Scripts/Payloads | Significant Increase | Entire scripts or binaries are passed in the command line, nearing max length. | ## The Power of Baselining: Establishing "Normal" This query is based on the core idea of baselining "normal" activity for PowerShell command lengths and then identifying significant deviations from that norm. ### Creating the Baseline The query analyzes historical PowerShell executions over a defined period (7 days) to calculate statistical measures (the average) for command lengths. This establishes the expected range. By comparing the last day's average length against this historical baseline, the query can flag anomalous increases. A **7-day baseline** is chosen to: - Capture weekly operational cycles (e.g., weekend maintenance scripts). - Balance stability and adaptability, smoothing out daily fluctuations while remaining responsive to real changes.
Powershell Downloads
This query detects powershell downloads using `Start-BitsTransfer`, `Invoke-WebRequest`, or `System.Net.WebClient`.
Powershell Downloads
This query detects powershell downloads using `Start-BitsTransfer`, `Invoke-WebRequest`, or `System.Net.WebClient`.
Process Execution directly from SMB share or SMB-mapped path
This query detects remote process execution over SMB (Server Message Block) on CrowdStrike Falcon monitored endpoints — a strong indicator of lateral movement, remote code execution, or ransomware spreading across the network. This query detects remote process execution over SMB (Server Message Block) on CrowdStrike Falcon monitored endpoints — a strong indicator of lateral movement, remote code execution, or ransomware spreading across the network.
Ransomware Precursors
Detects command patterns that ransomware operators execute immediately before encryption to prevent recovery: Volume Shadow Copy deletion (vssadmin, WMIC, PowerShell WMI/CIM), backup catalog destruction (wbadmin), Windows Recovery Environment tampering (bcdedit), USN journal deletion (fsutil), and mass shadow storage resizing. Each event is classified into a named hypothesis so analysts can triage by technique. These commands are rare in legitimate day-to-day operation and their appearance - especially several within a short window on the same host - is one of the strongest early-warning signals of an imminent ransomware detonation. ## Why this matters Before deploying an encryptor, virtually every major ransomware family (LockBit, BlackCat/ALPHV, Akira, Conti descendants, Ryuk, and others) runs a near-identical "recovery inhibition" playbook so victims cannot restore from local snapshots or backups. Because these commands are executed **minutes before encryption begins**, detecting them provides one of the last actionable intervention windows in a ransomware intrusion. ## Detection hypotheses | Hypothesis | Command pattern | Notes | | :--- | :--- | :--- | | H1 | `vssadmin delete shadows /all /quiet` | The single most common ransomware precursor | | H2 | `vssadmin resize shadowstorage /maxsize=401MB` | Forces Windows to silently purge shadow copies; used to evade "delete shadows" detections | | H3 | `wmic shadowcopy delete` | WMIC-based variant | | H4 | PowerShell `Win32_ShadowCopy` / `Get-CimInstance ... \| Remove` | Script-based variant | | H5 | `wbadmin delete catalog -quiet` | Destroys the Windows Backup catalog | | H6 | `bcdedit /set {default} recoveryenabled no` + `bootstatuspolicy ignoreallfailures` | Prevents booting into WinRE for repair/restore | | H7 | `fsutil usn deletejournal /D C:` | Anti-forensics; wipes the NTFS change journal | ## Triage guidance - **`Priority = CRITICAL`** (2+ distinct techniques on one host): treat as active ransomware staging. Network-contain the host immediately and pivot on `ParentBaseFileName` and sibling processes. - **Single H1/H3/H5/H6 events**: still high-signal. Legitimate occurrences are rare and usually tied to storage administration or imaging/backup software - check the parent process and the executing user. - **Known false-positive sources**: backup agents (Veeam, Commvault), disk-cloning tools, and some VDI provisioning workflows may resize shadow storage (H2) or manage snapshots. Baseline these and add an exclusion on `ParentBaseFileName` or `UserName` rather than removing the hypothesis.
Rare Remote Ports in Network Connections
The query analyzes IPv4 network connection events, counts occurrences per remote port, calculates their percentage of total connections, and lists only ports representing less than 10% of the traffic. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Bottom%2010%25%20of%20NetworkConnct%20Port%20Values.md)
Rare Remote Ports in Network Connections
The query analyzes IPv4 network connection events, counts occurrences per remote port, calculates their percentage of total connections, and lists only ports representing less than 10% of the traffic. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Bottom%2010%25%20of%20NetworkConnct%20Port%20Values.md)
Rare windows shell parent process
This hunting query is designed to detect rare shell parent processes. This hunting query is designed to detect rare shell parent processes: 1. **Filter for Windows Events**: `#event_simpleName=ProcessRollup2``event_platform=Win` 2. **Classify Processes**: `(case { in(field=FileName, values=["powershell.exe", "cmd.exe", "pwsh.exe"]) | IsChild := "1";)` - If the FileName matches a shell (powershell.exe, cmd.exe, pwsh.exe), the process is marked as a child process - Otherwise, it is marked as not a child process 3. **Assign Process Information**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i` - For child processes (`IsChild = "1"`), the `ProcId` is set to the `ParentProcessId` - For non-child processes (`IsChild = "0"`), the `ProcId` is set to the `TargetProcessId` 4. **Group by Computer and Process**: - The query groups events by `ComputerName` and `ProcId` to analyze process relationships. - Calculation of the distinct count of `ParentProcessId` as `EventCount`
Rare windows shell parent process
This hunting query is designed to detect rare shell parent processes. This hunting query is designed to detect rare shell parent processes: 1. **Filter for Windows Events**: `#event_simpleName=ProcessRollup2``event_platform=Win` 2. **Classify Processes**: `(case { in(field=FileName, values=["powershell.exe", "cmd.exe", "pwsh.exe"]) | IsChild := "1";)` - If the FileName matches a shell (powershell.exe, cmd.exe, pwsh.exe), the process is marked as a child process - Otherwise, it is marked as not a child process 3. **Assign Process Information**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i` - For child processes (`IsChild = "1"`), the `ProcId` is set to the `ParentProcessId` - For non-child processes (`IsChild = "0"`), the `ProcId` is set to the `TargetProcessId` 4. **Group by Computer and Process**: - The query groups events by `ComputerName` and `ProcId` to analyze process relationships. - Calculation of the distinct count of `ParentProcessId` as `EventCount`