EXPLORE

EXPLORE DETECTIONS

🔍
308 detections found

Check Domain Controller for NSX Driver

This query helps to determine if NSX drivers are installed on Domain Controllers to investigate limited Identity Protection functionality. ## Related CrowdStrike KBs 1. [Resolving Falcon Identity Protection conflicting with VMware tools and NSX Driver](https://supportportal.crowdstrike.com/s/article/ka16T000001Mle7QAC) 2. [Verify NSX driver installation on Domain Controllers](https://supportportal.crowdstrike.com/s/article/ka16T000001tkTHQAY)

CrowdStrike

Chromium-Based Browser Hunting via DLL Load

This query identifies Chromium-based browsers by detecting the loading of chrome.dll into running processes. Unlike simple process name checks, this method helps uncover browsers that may not be named chrome.exe but still rely on Chromium components. The query excludes known chrome.exe processes to highlight less obvious Chromium-based browsers, although it’s important to note that not all Chromium-based browsers necessarily load chrome.dll.

CrowdStrike

Chromium-Based Browser Hunting via DLL Load

This query identifies Chromium-based browsers by detecting the loading of chrome.dll into running processes. Unlike simple process name checks, this method helps uncover browsers that may not be named chrome.exe but still rely on Chromium components. The query excludes known chrome.exe processes to highlight less obvious Chromium-based browsers, although it’s important to note that not all Chromium-based browsers necessarily load chrome.dll.

CrowdStrike

Cisco Duo - Atypical Travel (Impossible Travel)

Cisco Duo Impossible Travel detects simultaneous logins from geographically distant locations, indicating potential credential compromise or unauthorized account usage leveraging valid credentials. Cisco Duo Impossible Travel detects simultaneous logins from geographically distant locations, indicating potential credential compromise or unauthorized account usage leveraging valid credentials.

T1078
CrowdStrike

Cisco Duo - Failed MFA Login within 5 mins

Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts. Cisco Duo Failed MFA Login within 5 minutes highlights repeated authentication failures that may indicate MFA fatigue attacks, credential abuse, or ongoing account takeover attempts.

T1621
CrowdStrike

Cloud Credential Violation IOMs

This query outputs all identified indicators of misconfigurations (IOMs) related to credentials.

CrowdStrike

Cloud Credential Violation IOMs

This query outputs all identified indicators of misconfigurations (IOMs) related to credentials.

CrowdStrike

Cloud Data Exfiltration IOMs

This query outputs all identified indicators of misconfigurations (IOMs) related to data exfiltration.

CrowdStrike

Cloud Data Exfiltration IOMs

This query outputs all identified indicators of misconfigurations (IOMs) related to data exfiltration.

CrowdStrike

Cloud Least Privilege IOMs

This query outputs all identified indicators of misconfigurations (IOMs) related to least privilege.

CrowdStrike

Cloud Least Privilege IOMs

This query outputs all identified indicators of misconfigurations (IOMs) related to least privilege.

CrowdStrike

Cloud MFA Violation IOMs

This query outputs all identified indicators of misconfigurations (IOMs) related to MFA violations.

CrowdStrike

Cloud MFA Violation IOMs

This query outputs all identified indicators of misconfigurations (IOMs) related to MFA violations.

CrowdStrike

Connections to Tor Exit Nodes

Detects network connections to or from known Tor exit nodes by matching endpoint telemetry against a curated lookup file of Tor exit node IPs.

T1090.003
CrowdStrike

Connections to Tor Exit Nodes

Detects network connections to or from known Tor exit nodes by matching endpoint telemetry against a curated lookup file of Tor exit node IPs.

T1090.003
CrowdStrike

Count Windows Discovery Commands

This query counts the execution of discovery / reconnaissance commands.

CrowdStrike

Count Windows Discovery Commands

This query counts the execution of discovery / reconnaissance commands.

CrowdStrike

Created Local User Accounts

Table of all created local user accounts including UserName, ComputerName, aid, aip, and LocalIP.

T1098
CrowdStrike

Created Local User Accounts

Table of all created local user accounts including UserName, ComputerName, aid, aip, and LocalIP.

T1098
CrowdStrike

Credential Dumping Detection

This query detects potential credential dumping activities by monitoring process access to LSASS and suspicious memory operations. This query uses CrowdStrike Query Language (CQL) to detect credential dumping activities: 1. **Process Monitoring**: `#event_simpleName=ProcessRollup2` - Monitors process execution events across endpoints 2. **Suspicious Indicators**: `(CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)` - Detects known credential dumping tools and LSASS access patterns 3. **Parent Process Filter**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i` - Excludes common legitimate parent processes to reduce noise 4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Adds user account information for attribution 5. **Process Hash**: `join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")` - Includes file hash for threat intelligence correlation 6. **Output**: `table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])` - Displays process details, user context, and file hash information

T1003.001T1003.002T1558.003
CrowdStrike

Credential Dumping Detection

This query detects potential credential dumping activities by monitoring process access to LSASS and suspicious memory operations. This query uses CrowdStrike Query Language (CQL) to detect credential dumping activities: 1. **Process Monitoring**: `#event_simpleName=ProcessRollup2` - Monitors process execution events across endpoints 2. **Suspicious Indicators**: `(CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)` - Detects known credential dumping tools and LSASS access patterns 3. **Parent Process Filter**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i` - Excludes common legitimate parent processes to reduce noise 4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Adds user account information for attribution 5. **Process Hash**: `join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")` - Includes file hash for threat intelligence correlation 6. **Output**: `table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])` - Displays process details, user context, and file hash information

T1003.001T1003.002T1558.003
CrowdStrike

Credentials Validation Burst (Microsoft Defender for Identity)

Detects a high volume of authentication or credential validation attempts against Active Directory accounts within a short timeframe. This behavior is commonly associated with automated credential‑testing activity such as password spraying or brute‑force attempts and should be investigated. Detects a high volume of authentication or credential validation attempts against Active Directory accounts within a short timeframe. This behavior is commonly associated with automated credential‑testing activity such as password spraying or brute‑force attempts and should be investigated.

T1110
CrowdStrike

CVE-2025-1146 - System Scoping using aid_master

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours.

CrowdStrike

CVE-2025-1146 - System Scoping using aid_master

The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours.

CrowdStrike
PreviousPage 2 of 13Next