EXPLORE DETECTIONS
Check Domain Controller for NSX Driver
This query helps to determine if NSX drivers are installed on Domain Controllers to investigate limited Identity Protection functionality. ## Related CrowdStrike KBs 1. [Resolving Falcon Identity Protection conflicting with VMware tools and NSX Driver](https://supportportal.crowdstrike.com/s/article/ka16T000001Mle7QAC) 2. [Verify NSX driver installation on Domain Controllers](https://supportportal.crowdstrike.com/s/article/ka16T000001tkTHQAY)
Chromium-Based Browser Hunting via DLL Load
This query identifies Chromium-based browsers by detecting the loading of chrome.dll into running processes. Unlike simple process name checks, this method helps uncover browsers that may not be named chrome.exe but still rely on Chromium components. The query excludes known chrome.exe processes to highlight less obvious Chromium-based browsers, although it’s important to note that not all Chromium-based browsers necessarily load chrome.dll.
Chromium-Based Browser Hunting via DLL Load
This query identifies Chromium-based browsers by detecting the loading of chrome.dll into running processes. Unlike simple process name checks, this method helps uncover browsers that may not be named chrome.exe but still rely on Chromium components. The query excludes known chrome.exe processes to highlight less obvious Chromium-based browsers, although it’s important to note that not all Chromium-based browsers necessarily load chrome.dll.
Cisco Duo - Atypical Travel (Impossible Travel)
Cisco Duo Impossible Travel detects simultaneous logins from geographically distant locations, indicating potential credential compromise or unauthorized account usage leveraging valid credentials. Cisco Duo Impossible Travel detects simultaneous logins from geographically distant locations, indicating potential credential compromise or unauthorized account usage leveraging valid credentials.
Cisco Duo - Failed MFA Login within 5 mins
Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts. Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts.
Cloud Credential Violation IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to credentials.
Cloud Credential Violation IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to credentials.
Cloud Data Exfiltration IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to data exfiltration.
Cloud Data Exfiltration IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to data exfiltration.
Cloud Least Privilege IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to least privilege.
Cloud Least Privilege IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to least privilege.
Cloud MFA Violation IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to MFA violations.
Cloud MFA Violation IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to MFA violations.
Connections to Tor Exit Nodes
Detects network connections to or from known Tor exit nodes by matching endpoint telemetry against a curated lookup file of Tor exit node IPs.
Connections to Tor Exit Nodes
Detects network connections to or from known Tor exit nodes by matching endpoint telemetry against a curated lookup file of Tor exit node IPs.
Count Windows Discovery Commands
This query counts the execution of discovery / reconnaissance commands.
Count Windows Discovery Commands
This query counts the execution of discovery / reconnaissance commands.
Created Local User Accounts
Table of all created local user accounts including UserName, ComputerName, aid, aip, and LocalIP.
Created Local User Accounts
Table of all created local user accounts including UserName, ComputerName, aid, aip, and LocalIP.
Credential Dumping Detection
This query detects potential credential dumping activities by monitoring process access to LSASS and suspicious memory operations. This query uses CrowdStrike Query Language (CQL) to detect credential dumping activities: 1. **Process Monitoring**: `#event_simpleName=ProcessRollup2` - Monitors process execution events across endpoints 2. **Suspicious Indicators**: `(CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)` - Detects known credential dumping tools and LSASS access patterns 3. **Parent Process Filter**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i` - Excludes common legitimate parent processes to reduce noise 4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Adds user account information for attribution 5. **Process Hash**: `join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")` - Includes file hash for threat intelligence correlation 6. **Output**: `table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])` - Displays process details, user context, and file hash information
Credential Dumping Detection
This query detects potential credential dumping activities by monitoring process access to LSASS and suspicious memory operations. This query uses CrowdStrike Query Language (CQL) to detect credential dumping activities: 1. **Process Monitoring**: `#event_simpleName=ProcessRollup2` - Monitors process execution events across endpoints 2. **Suspicious Indicators**: `(CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)` - Detects known credential dumping tools and LSASS access patterns 3. **Parent Process Filter**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i` - Excludes common legitimate parent processes to reduce noise 4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Adds user account information for attribution 5. **Process Hash**: `join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")` - Includes file hash for threat intelligence correlation 6. **Output**: `table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])` - Displays process details, user context, and file hash information
Credentials Validation Burst (Microsoft Defender for Identity)
Detects a high volume of authentication or credential validation attempts against Active Directory accounts within a short timeframe. This behavior is commonly associated with automated credential‑testing activity such as password spraying or brute‑force attempts and should be investigated. Detects a high volume of authentication or credential validation attempts against Active Directory accounts within a short timeframe. This behavior is commonly associated with automated credential‑testing activity such as password spraying or brute‑force attempts and should be investigated.
CVE-2025-1146 - System Scoping using aid_master
The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours.
CVE-2025-1146 - System Scoping using aid_master
The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours.