EXPLORE DETECTIONS

298 detections found

Remote Port Forwarding via Plink - Unauthorized RDP Tunneling Detection

Detects the use of Plink (PuTTY Link) to establish remote port forwarding tunnels, specifically targeting traffic redirected to port 3389 (RDP). This technique is frequently used by threat actors for lateral movement or to bypass firewall restrictions by tunneling RDP over SSH.

Attackers use `plink.exe`, the command-line SSH client from PuTTY, to create encrypted SSH tunnels that forward RDP traffic (port 3389) through firewall boundaries. This allows an attacker with an existing foothold to RDP into internal systems even when direct RDP is blocked.

## Forwarding Flags

* **-R (Remote Forward):** Attacker binds a port on their server and pulls traffic back to an internal RDP target.
* **-L (Local Forward):** Victim machine forwards a local port outbound to an RDP target via the SSH server.

## Why It's Dangerous

Because the tunnel rides over SSH (typically port 22 or 443), it blends with legitimate encrypted traffic and often bypasses firewall and DLP controls. The resulting RDP session appears to originate from inside the network.

## Testing the Detection

You can safely validate this detection on an enrolled endpoint without establishing an actual tunnel. The connection will fail immediately, but the EDR will still capture the `ProcessRollup2` event.

### 1. Download and Execute (PowerShell)

```powershell
Invoke-WebRequest -Uri "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "$env:TEMP\plink.exe"

# Test -R (remote forward)
& "$env:TEMP\plink.exe" -R 4444:localhost:3389 user@192.168.1.1

# Test -L (local forward)
& "$env:TEMP\plink.exe" -L 4444:localhost:3389 user@192.168.1.1
```

T1572, T1021.004
CrowdStrike

ROKRAT Malware APT 37

RoKRAT Malware – Injection & Steganography

🛠 High‑Level TTPs

- Initial Access: Malicious .lnk files within compressed archives.
- Execution & Persistence: PowerShell/BAT‑driven staged loaders with XOR decryption.
- Defense Evasion: Process injection into trusted Windows binaries & payload concealment via steganography.
- Command & Control: Abuse of pCloud, Yandex Disk, and Dropbox APIs with embedded tokens to blend with legitimate traffic.

[Genians Blog - RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies](https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic)

Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/ROKRAT-Malware-APT-37.md)

CrowdStrike

SAMR Burst (BloodHound/PowerView)

Detects abnormal or high‑volume Security Account Manager Remote (SAMR) queries against Active Directory, often associated with tools like BloodHound or PowerView. This behavior typically indicates reconnaissance activity where an attacker is rapidly enumerating users, groups, and permissions to map the environment.

The query identifies users and source addresses that perform a high volume of SAMR queries against multiple destinations. It flags accounts that exceed 100 SAMR queries within a 10-minute window, which is a common indicator of tools like BloodHound or net.exe being used to enumerate AD objects.

T1087
CrowdStrike

Search for oldest devices

A query to get the age of devices that have the Falcon sensor installed.

CrowdStrike

Security Group Created (Microsoft Defender for Identity)

Detects the creation of a new security group in Active Directory as identified by Microsoft Defender for Identity. While often legitimate, this activity may indicate preparation for privilege escalation or unauthorized access management and should be reviewed.

T1098
CrowdStrike

Sensor Version Adoption Trend

Visualizes the daily distribution of Sensor versions across the environment. It groups versions by Major and Minor releases (e.g., 6.45) to monitor the rollout of updates and identify legacy versions.

CrowdStrike

SMB Enumeration | Defender for Identity

This query detects SMB enumeration based on the Microsoft Defender for Identity module.

T1135
CrowdStrike

SMB File Copy to Multiple Devices (Microsoft Defender for Identity)

Detects instances where files are copied over SMB to multiple devices within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate lateral movement where an attacker distributes tools or payloads across systems to expand access and establish control.

T1021.002
CrowdStrike

Snowman

This query detects potential exploitation of the April 2026 Adobe Reader zero-day vulnerability by identifying suspicious network connections originating from Adobe Reader processes shortly after they start. The exploit abuses legitimate Adobe JavaScript APIs (util.readFileIntoStream() and RSS.addFeed()) to exfiltrate system information to attacker-controlled servers.

# How it works

The query operates in two stages, joined together:

## Stage 1 — Process Detection

Searches for ProcessRollup2 events (process executions) where the image file name matches any of the three Adobe Reader binaries: Acrobat.exe (modern), AcroRd32.exe (legacy 32-bit), or AcroRd64.exe (64-bit). It captures the process ID and start time for correlation.

## Stage 2 — Network Connection Correlation

Joins against NetworkConnectIP4 and NetworkConnectIP6 events to find outbound network connections made by Adobe Reader or its known helper processes (AdobeCollabSync.exe, Synchronizer.exe). The join matches on process ID so connections are attributed to the correct Adobe session.

## Filtering

- Connections to ports 80 and 443 are excluded — these are normal Adobe update/cloud traffic and would generate excessive false positives.
- Only connections occurring within 60 seconds of the process starting are retained, since the exploit initiates C2 communication shortly after the PDF is opened.

## Confidence Scoring

Results are triaged into three tiers:

#### HIGH

Connection to a known C2 IP (169.40.2.68 or 188.214.34.20)

#### MEDIUM

Connection to a known C2 port (45191 or 34123) on any IP

#### LOW

Any other non-HTTP/S outbound connection from Adobe within the time window

CrowdStrike

SOC Efficiency Metrics

Summarizes CrowdStrike Falcon detections across hosts, showing key lifecycle metrics such as tactic, technique, severity, detection state, and resolution time. Useful for SOC performance tracking, identifying detection patterns, and monitoring time-to-close for incidents.

CrowdStrike

Suspicious PowerShell Execution

This query identifies suspicious PowerShell execution patterns, including encoded commands and unusual parent processes, which could indicate malicious activity.

This query uses CrowdStrike Query Language (CQL) to detect suspicious PowerShell activity:

1. **Event Filtering**: `#event_simpleName=ProcessRollup2 ImageFileName=/\\powershell\\.exe/i` - Searches ProcessRollup2 events for any PowerShell executable (case-insensitive)
2. **Command Line Analysis**: `CommandLine=/\s-[eE^]{1,2}[nN][cC][oO][dD][eE][mM][aA][nN][dD^]+\s/i` - Uses regex to find encoded command parameters (-EncodedCommand, -enc, etc.)
3. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information
4. **Output**: `table([aid, UserName, ParentImageFileName, ImageFileName, CommandLine])` - Displays key fields for analysis

T1059.001, T1070.005
CrowdStrike

Suspicious Registry Modifications

This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers.

This query uses CrowdStrike Query Language (CQL) to detect suspicious registry modifications:

1. **Event Filtering**: `#event_simpleName=RegGenericValue` - Searches for registry value modification events
2. **High-Risk Keys**: `RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i` - Focuses on common persistence and execution registry locations
3. **Exclude Legitimate**: `RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i` - Filters out known legitimate applications
4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information
5. **Output**: `table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])` - Displays registry path, value, and modifying process

T1112, T1547.001
CrowdStrike

Systems Initiating Connections to a High Number of Ports

Detects hosts that establish network connections across a large number of unique ports within a given period. This behavior may indicate port scanning, network reconnaissance, or potentially malicious enumeration activity originating from a compromised host or unauthorized tool. The query aggregates by host and process, listing associated filenames, command lines, and user context to assist with triage.

T1595, T1046
CrowdStrike

Torrent Website Access Detected

Detects users successfully accessing peer-to-peer (P2P) or torrent websites through the network where the Palo Alto firewall generated an alert but did not block the traffic.

CrowdStrike

User Logoff Activity

Table of all UserLogoff events including UserName, ComputerName, aip, LocalIP and Domain.

T1078
CrowdStrike
Page 12 of 13