EXPLORE DETECTIONS
Chromium-Based Browser Hunting via DLL Load
This query identifies Chromium-based browsers by detecting the loading of chrome.dll into running processes. Unlike simple process name checks, this method helps uncover browsers that may not be named chrome.exe but still rely on Chromium components. The query excludes known chrome.exe processes to highlight less obvious Chromium-based browsers, although it’s important to note that not all Chromium-based browsers necessarily load chrome.dll.
Cloud Credential Violation IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to credentials.
Cloud Data Exfiltration IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to data exfiltration.
Cloud Least Privilege IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to least privilege.
Cloud MFA Violation IOMs
This query outputs all identified indicators of misconfigurations (IOMs) related to MFA violations.
Connections to Tor Exit Nodes
Detects network connections to or from known Tor exit nodes by matching endpoint telemetry against a curated lookup file of Tor exit node IPs.
Count Windows Discovery Commands
This query counts the execution of discovery / reconnaissance commands.
Created Local User Accounts
Table of all created local user accounts including UserName, ComputerName, aid, aip, and LocalIP.
Credential Dumping Detection
This query detects potential credential dumping activities by monitoring process access to LSASS and suspicious memory operations. It is written in CrowdStrike Query Language (CQL) and is built from the following parts:

1. **Process Monitoring**: `#event_simpleName=ProcessRollup2` - Monitors process execution events across endpoints
2. **Suspicious Indicators**: `(CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)` - Detects known credential dumping tools and LSASS access patterns
3. **Parent Process Filter**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i` - Excludes common legitimate parent processes to reduce noise
4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Adds user account information for attribution
5. **Process Hash**: `join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")` - Includes the file hash for threat intelligence correlation
6. **Output**: `table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])` - Displays process details, user context, and file hash information
Credentials Validation Burst (Microsoft Defender for Identity)
Detects a high volume of authentication or credential validation attempts against Active Directory accounts within a short timeframe. This behavior is commonly associated with automated credential-testing activity such as password spraying or brute-force attempts and should be investigated.
CVE-2025-1146 - System Scoping using aid_master
The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the lookup file aid_master_main.csv which is automatically updated every 4 hours.
CVE-2025-1146 - System Scoping using OsVersionInfo
The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the OsVersionInfo event, which is generated every 24 hours, at sensor start, or at sensor update.
CVE-2025-1146 - System Scoping using OsVersionInfo & Logon Data
The query below will look for Linux systems (Linux, K8, Containers) that need to be updated against CVE-2025-1146. The query is based on the OsVersionInfo event, which is generated every 24 hours, at sensor start, or at sensor update. It attempts to merge in LogonType 2 and 10 events to determine the last logged-on user.