EXPLORE DETECTIONS
Suspicious PowerShell Execution
This query identifies suspicious PowerShell execution patterns, including encoded commands and unusual parent processes, which could indicate malicious activity. This query uses CrowdStrike Query Language (CQL) to detect suspicious PowerShell activity: 1. **Event Filtering**: `#event_simpleName=ProcessRollup2 ImageFileName=/\\powershell\\.exe/i` - Searches ProcessRollup2 events for any PowerShell executable (case-insensitive) 2. **Command Line Analysis**: `CommandLine=/\s-[eE^]{1,2}[nN][cC][oO][dD][eE][mM][aA][nN][dD^]+\s/i` - Uses regex to find encoded command parameters (-EncodedCommand, -enc, etc.) 3. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information 4. **Output**: `table([aid, UserName, ParentImageFileName, ImageFileName, CommandLine])` - Displays key fields for analysis
Suspicious PowerShell Execution
This query identifies suspicious PowerShell execution patterns, including encoded commands and unusual parent processes, which could indicate malicious activity. This query uses CrowdStrike Query Language (CQL) to detect suspicious PowerShell activity: 1. **Event Filtering**: `#event_simpleName=ProcessRollup2 ImageFileName=/\\powershell\\.exe/i` - Searches ProcessRollup2 events for any PowerShell executable (case-insensitive) 2. **Command Line Analysis**: `CommandLine=/\s-[eE^]{1,2}[nN][cC][oO][dD][eE][mM][aA][nN][dD^]+\s/i` - Uses regex to find encoded command parameters (-EncodedCommand, -enc, etc.) 3. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information 4. **Output**: `table([aid, UserName, ParentImageFileName, ImageFileName, CommandLine])` - Displays key fields for analysis
Suspicious Registry Modifications
This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers. This query uses CrowdStrike Query Language (CQL) to detect suspicious registry modifications: 1. **Event Filtering**: `#event_simpleName=RegGenericValue` - Searches for registry value modification events 2. **High-Risk Keys**: `RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i` - Focuses on common persistence and execution registry locations 3. **Exclude Legitimate**: `RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i` - Filters out known legitimate applications 4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information 5. **Output**: `table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])` - Displays registry path, value, and modifying process
Suspicious Registry Modifications
This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers. This query uses CrowdStrike Query Language (CQL) to detect suspicious registry modifications: 1. **Event Filtering**: `#event_simpleName=RegGenericValue` - Searches for registry value modification events 2. **High-Risk Keys**: `RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i` - Focuses on common persistence and execution registry locations 3. **Exclude Legitimate**: `RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i` - Filters out known legitimate applications 4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches results with username information 5. **Output**: `table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])` - Displays registry path, value, and modifying process
Suspicious Scheduled Task Creation
Surfaces newly registered Windows scheduled tasks whose execution command or arguments match patterns commonly abused for persistence and remote code execution: encoded PowerShell combined with download/exec intent, LOLBin proxy execution, payloads launched from user-writable paths, embedded web URLs, and chained cmd one-liners. Tasks created remotely (RemoteAddressIP4/IP6 populated) are flagged as a higher-priority lateral-movement signal. A commented author filter lets analysts suppress their own validated software-deployment / RMM accounts after baselining. ## Detection Logic The query inspects every newly registered task (`ScheduledTaskRegistered`), combines `TaskExecCommand` and `TaskExecArguments` into one string, and classifies it against five high-signal patterns: | Reason | What it catches | | :--- | :--- | | Encoded PowerShell w/ download or exec intent | `-EncodedCommand` **combined with** a download cradle, `IEX`, `FromBase64String`, or hidden window | | LOLBin proxy execution | `mshta`, `rundll32`, `regsvr32`, `certutil`, `bitsadmin`, `installutil`, script hosts | | Payload in user-writable/temp path | Actions running from `AppData`, `Temp`, `Windows\Temp`, `Users\Public` | | Web URL in task action | HTTP/FTP URL embedded directly in the action | | Chained cmd one-liner | `cmd /c` with `&&` or pipe chaining | Tasks matching none of these are dropped. The encoded-PowerShell rule deliberately requires a **second** signal, because legitimate monitoring and management tools (e.g. update sensors) routinely use `-EncodedCommand` on its own; encoding alone is not an indicator. ## The Remote-Creation Signal When `RemoteAddressIP4` or `RemoteAddressIP6` is populated, the task was registered from another host rather than locally. Legitimate task creation is overwhelmingly local, so a **REMOTE** origin layered on top of any suspicious pattern should be triaged first. ## Tuning - To suppress recurring known-good automation after establishing your benign baseline, add an explicit author filter in the query body (see the commented line), e.g. `| TaskAuthor!=/sccm-svc|rmm-deploy/i`. ## Limitations & False Positives (read before relying on this) - **User-scope auto-updaters.** Consumer apps such as Zoom, Teams, and Slack legitimately register per-user tasks that run from `AppData`. Expect a thin, steady stream of these on the "user-writable/temp path" rule. Validate the binary's signer and the task author before dismissing - the *same* rule is what catches a malicious binary auto-running from `AppData`, so do not remove it to silence the updaters. - **TaskAuthor is spoofable.** `TaskAuthor` is a free-text field in the task XML and can be set to any value by whoever creates the task. Do not treat it as trustworthy, and be aware that any author-based exclusion you configure is an evasion path: an adversary who mimics an excluded author bypasses that filter. - **Evasion surface.** This detection inspects task *content at registration time*. An adversary who stages payloads outside the flagged paths, avoids the listed LOLBins, or splits encoding from execution intent can evade it. - **Coverage trade-off.** To keep noise low, bare `-EncodedCommand` (without a second signal) and UNC-path actions are intentionally **not** flagged. A real attack using only those techniques in isolation would not surface here.
Systems Initiating Connections to a High Number of Ports
Detects hosts that establish network connections across a large number of unique ports within a given period. This behavior may indicate port scanning, network reconnaissance, or potentially malicious enumeration activity originating from a compromised host or unauthorized tool. The query aggregates by host and process, listing associated filenames, command lines, and user context to assist with triage.
Systems Initiating Connections to a High Number of Ports
Detects hosts that establish network connections across a large number of unique ports within a given period. This behavior may indicate port scanning, network reconnaissance, or potentially malicious enumeration activity originating from a compromised host or unauthorized tool. The query aggregates by host and process, listing associated filenames, command lines, and user context to assist with triage.
Torrent Website Access Detected
Detects users successfully accessing peer-to-peer (P2P) or torrent websites through the network where the Palo Alto firewall generated an alert but did not block the traffic.
User Logoff Activity
Table of all UserLogoff events including UserName, ComputerName, aip, LocalIP and Domain.
User Logoff Activity
Table of all UserLogoff events including UserName, ComputerName, aip, LocalIP and Domain.
User Logon Activity
Table of all user logons.
User Logon Activity
Table of all user logons.
User Logon Details (Time, Type, Location, Last Password Change)
This query will output a table including recent user logons with context information: - Timestamp - UserName - SID - LogonType - UserIsAdmin (Y/N) - PasswordLastSet - Location
User Logon Details (Time, Type, Location, Last Password Change)
This query will output a table including recent user logons with context information: - Timestamp - UserName - SID - LogonType - UserIsAdmin (Y/N) - PasswordLastSet - Location
Users creating Network Shares
The Query shows all new created Network Shares.
Users creating Network Shares
The Query shows all new created Network Shares.
Windows authentication traffic metrics
Displays Windows-collected authentication traffic metrics from your domain controllers, including Kerberos authentications, NTLM authentications, LDAP binds, and LDAP searches per second. These are native Windows performance counters and do not represent traffic inspected by Identity Protection - they provide baseline visibility into overall domain controller activity.
Windows authentication traffic metrics
Displays Windows-collected authentication traffic metrics from your domain controllers, including Kerberos authentications, NTLM authentications, LDAP binds, and LDAP searches per second. These are native Windows performance counters and do not represent traffic inspected by Identity Protection - they provide baseline visibility into overall domain controller activity.
Windows Store Installs
This query displays all applications installed from the Microsoft Store on a machine. It extracts the package name from the file path and groups the results by computer name and package base. Also features the ability to filter out known good file paths and packages to reduce noise in the results. Takes the filepath and pulls out those files loaded into the \Program Files\WindowsApps directory. Then performs a regex to grab just the package name as it should appear if you did a 'Get-AppxPackage on the machine. Outputs a report using computername and PackageBase
Windows Store Installs
This query displays all applications installed from the Microsoft Store on a machine. It extracts the package name from the file path and groups the results by computer name and package base. Also features the ability to filter out known good file paths and packages to reduce noise in the results. Takes the filepath and pulls out those files loaded into the \Program Files\WindowsApps directory. Then performs a regex to grab just the package name as it should appear if you did a 'Get-AppxPackage on the machine. Outputs a report using computername and PackageBase