EXPLORE

EXPLORE DETECTIONS

🔍
308 detections found

Suspicious PowerShell Execution

This query identifies suspicious PowerShell execution patterns, including encoded commands and unusual parent processes, which could indicate malicious activity. This query uses CrowdStrike Query Language (CQL) to detect suspicious PowerShell activity: 1. **Event Filtering**: `#event_simpleName=ProcessRollup2 ImageFileName=/\\powershell\\.exe/i` - Searches ProcessRollup2 events for any PowerShell executable (case-insensitive) 2. **Command Line Analysis**: `CommandLine=/\s-[eE^]{1,2}[nN][cC][oO][dD][eE][mM][aA][nN][dD^]+\s/i` - Uses regex to find encoded command parameters (-EncodedCommand, -enc, etc.) 3. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information 4. **Output**: `table([aid, UserName, ParentImageFileName, ImageFileName, CommandLine])` - Displays key fields for analysis

T1059.001T1070.005
CrowdStrike

Suspicious PowerShell Execution

This query identifies suspicious PowerShell execution patterns, including encoded commands and unusual parent processes, which could indicate malicious activity. This query uses CrowdStrike Query Language (CQL) to detect suspicious PowerShell activity: 1. **Event Filtering**: `#event_simpleName=ProcessRollup2 ImageFileName=/\\powershell\\.exe/i` - Searches ProcessRollup2 events for any PowerShell executable (case-insensitive) 2. **Command Line Analysis**: `CommandLine=/\s-[eE^]{1,2}[nN][cC][oO][dD][eE][mM][aA][nN][dD^]+\s/i` - Uses regex to find encoded command parameters (-EncodedCommand, -enc, etc.) 3. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information 4. **Output**: `table([aid, UserName, ParentImageFileName, ImageFileName, CommandLine])` - Displays key fields for analysis

T1059.001T1070.005
CrowdStrike

Suspicious Registry Modifications

This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers. This query uses CrowdStrike Query Language (CQL) to detect suspicious registry modifications: 1. **Event Filtering**: `#event_simpleName=RegGenericValue` - Searches for registry value modification events 2. **High-Risk Keys**: `RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i` - Focuses on common persistence and execution registry locations 3. **Exclude Legitimate**: `RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i` - Filters out known legitimate applications 4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information 5. **Output**: `table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])` - Displays registry path, value, and modifying process

T1112T1547.001
CrowdStrike

Suspicious Registry Modifications

This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers. This query uses CrowdStrike Query Language (CQL) to detect suspicious registry modifications: 1. **Event Filtering**: `#event_simpleName=RegGenericValue` - Searches for registry value modification events 2. **High-Risk Keys**: `RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i` - Focuses on common persistence and execution registry locations 3. **Exclude Legitimate**: `RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i` - Filters out known legitimate applications 4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information 5. **Output**: `table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])` - Displays registry path, value, and modifying process

T1112T1547.001
CrowdStrike

Suspicious Scheduled Task Creation

Surfaces newly registered Windows scheduled tasks whose execution command or arguments match patterns commonly abused for persistence and remote code execution: encoded PowerShell combined with download/exec intent, LOLBin proxy execution, payloads launched from user-writable paths, embedded web URLs, and chained cmd one-liners. Tasks created remotely (RemoteAddressIP4/IP6 populated) are flagged as a higher-priority lateral-movement signal. A commented author filter lets analysts suppress their own validated software-deployment / RMM accounts after baselining. ## Detection Logic The query inspects every newly registered task (`ScheduledTaskRegistered`), combines `TaskExecCommand` and `TaskExecArguments` into one string, and classifies it against five high-signal patterns: | Reason | What it catches | | :--- | :--- | | Encoded PowerShell w/ download or exec intent | `-EncodedCommand` **combined with** a download cradle, `IEX`, `FromBase64String`, or hidden window | | LOLBin proxy execution | `mshta`, `rundll32`, `regsvr32`, `certutil`, `bitsadmin`, `installutil`, script hosts | | Payload in user-writable/temp path | Actions running from `AppData`, `Temp`, `Windows\Temp`, `Users\Public` | | Web URL in task action | HTTP/FTP URL embedded directly in the action | | Chained cmd one-liner | `cmd /c` with `&&` or pipe chaining | Tasks matching none of these are dropped. The encoded-PowerShell rule deliberately requires a **second** signal, because legitimate monitoring and management tools (e.g. update sensors) routinely use `-EncodedCommand` on its own; encoding alone is not an indicator. ## The Remote-Creation Signal When `RemoteAddressIP4` or `RemoteAddressIP6` is populated, the task was registered from another host rather than locally. Legitimate task creation is overwhelmingly local, so a **REMOTE** origin layered on top of any suspicious pattern should be triaged first. ## Tuning - To suppress recurring known-good automation after establishing your benign baseline, add an explicit author filter in the query body (see the commented line), e.g. `| TaskAuthor!=/sccm-svc|rmm-deploy/i`. ## Limitations & False Positives (read before relying on this) - **User-scope auto-updaters.** Consumer apps such as Zoom, Teams, and Slack legitimately register per-user tasks that run from `AppData`. Expect a thin, steady stream of these on the "user-writable/temp path" rule. Validate the binary's signer and the task author before dismissing - the *same* rule is what catches a malicious binary auto-running from `AppData`, so do not remove it to silence the updaters. - **TaskAuthor is spoofable.** `TaskAuthor` is a free-text field in the task XML and can be set to any value by whoever creates the task. Do not treat it as trustworthy, and be aware that any author-based exclusion you configure is an evasion path: an adversary who mimics an excluded author bypasses that filter. - **Evasion surface.** This detection inspects task *content at registration time*. An adversary who stages payloads outside the flagged paths, avoids the listed LOLBins, or splits encoding from execution intent can evade it. - **Coverage trade-off.** To keep noise low, bare `-EncodedCommand` (without a second signal) and UNC-path actions are intentionally **not** flagged. A real attack using only those techniques in isolation would not surface here.

T1053T1053.005
CrowdStrike

Systems Initiating Connections to a High Number of Ports

Detects hosts that establish network connections across a large number of unique ports within a given period. This behavior may indicate port scanning, network reconnaissance, or potentially malicious enumeration activity originating from a compromised host or unauthorized tool. The query aggregates by host and process, listing associated filenames, command lines, and user context to assist with triage.

T1595T1046
CrowdStrike

Systems Initiating Connections to a High Number of Ports

Detects hosts that establish network connections across a large number of unique ports within a given period. This behavior may indicate port scanning, network reconnaissance, or potentially malicious enumeration activity originating from a compromised host or unauthorized tool. The query aggregates by host and process, listing associated filenames, command lines, and user context to assist with triage.

T1595T1046
CrowdStrike

Torrent Website Access Detected

Detects users successfully accessing peer-to-peer (P2P) or torrent websites through the network where the Palo Alto firewall generated an alert but did not block the traffic.

CrowdStrike

User Logoff Activity

Table of all UserLogoff events including UserName, ComputerName, aip, LocalIP and Domain.

T1078
CrowdStrike

User Logoff Activity

Table of all UserLogoff events including UserName, ComputerName, aip, LocalIP and Domain.

T1078
CrowdStrike

User Logon Activity

Table of all user logons.

T1078
CrowdStrike

User Logon Activity

Table of all user logons.

T1078
CrowdStrike

User Logon Details (Time, Type, Location, Last Password Change)

This query will output a table including recent user logons with context information: - Timestamp - UserName - SID - LogonType - UserIsAdmin (Y/N) - PasswordLastSet - Location

CrowdStrike

User Logon Details (Time, Type, Location, Last Password Change)

This query will output a table including recent user logons with context information: - Timestamp - UserName - SID - LogonType - UserIsAdmin (Y/N) - PasswordLastSet - Location

CrowdStrike

Users creating Network Shares

The Query shows all new created Network Shares.

CrowdStrike

Users creating Network Shares

The Query shows all new created Network Shares.

CrowdStrike

Windows authentication traffic metrics

Displays Windows-collected authentication traffic metrics from your domain controllers, including Kerberos authentications, NTLM authentications, LDAP binds, and LDAP searches per second. These are native Windows performance counters and do not represent traffic inspected by Identity Protection - they provide baseline visibility into overall domain controller activity.

CrowdStrike

Windows authentication traffic metrics

Displays Windows-collected authentication traffic metrics from your domain controllers, including Kerberos authentications, NTLM authentications, LDAP binds, and LDAP searches per second. These are native Windows performance counters and do not represent traffic inspected by Identity Protection - they provide baseline visibility into overall domain controller activity.

CrowdStrike

Windows Store Installs

This query displays all applications installed from the Microsoft Store on a machine. It extracts the package name from the file path and groups the results by computer name and package base. Also features the ability to filter out known good file paths and packages to reduce noise in the results. Takes the filepath and pulls out those files loaded into the \Program Files\WindowsApps directory. Then performs a regex to grab just the package name as it should appear if you did a 'Get-AppxPackage on the machine. Outputs a report using computername and PackageBase

CrowdStrike

Windows Store Installs

This query displays all applications installed from the Microsoft Store on a machine. It extracts the package name from the file path and groups the results by computer name and package base. Also features the ability to filter out known good file paths and packages to reduce noise in the results. Takes the filepath and pulls out those files loaded into the \Program Files\WindowsApps directory. Then performs a regex to grab just the package name as it should appear if you did a 'Get-AppxPackage on the machine. Outputs a report using computername and PackageBase

CrowdStrike
PreviousPage 13 of 13