EXPLORE DETECTIONS
Find tasks scheduled by user ID
Find tasks scheduled with ComHandler
Firewall Rule Additions
This query correlates processes with Windows Firewall rule modifications they triggered, identifying which executables are creating or modifying firewall rules.
Frequency Analysis via Program Clustering
This query detects potential reconnaissance or lateral movement activity by identifying Windows endpoints where three or more distinct discovery/enumeration tools were executed within 10-minute windows.
GenAI Usage
This query identifies DNS requests to GenAI services.
Get Host Zero Trust Assessment Scores
This query outputs a table of hosts together with their Zero Trust Assessment scores.
Get USB Devices
Retrieves a list of USB devices plugged into the device.
Honeytoken Account Logon Activity
This query detects logon activity associated with a honeytoken account. Honeytokens are decoy accounts designed to lure attackers, and any activity on them is a strong indicator of compromise.

### Honeytoken Account Access Detection

This use case is designed to generate an alert when any activity involving a designated **honeytoken account** is observed. Honeytokens serve as decoys; they are accounts that appear valuable to an attacker but have no legitimate purpose and are heavily monitored. Any interaction with them is highly indicative of malicious activity.

**Key Objectives:**

- **Lure Attackers**: Create accounts that mimic administrator or service accounts to attract adversarial engagement.
- **High-Fidelity Alerts**: Since these accounts have no legitimate use, any logon event is a high-confidence signal of a breach.
- **Monitor and Safeguard**: Apply Identity Protection policies to monitor these accounts without granting them any actual permissions, making them safe and effective traps.

---

#### Query Breakdown:

1. **`#event_simpleName=/UserLogon.*/i`**
   - This line filters for all logon-related events captured by CrowdStrike Falcon. It serves as the primary data source for the detection.
2. **`| UserSid = /S-1-5-21-\d*-\d*-\d*-500/i`**
   - This filters the logon events for a specific Security Identifier (SID). The SID `S-1-5-21-...-500` is the well-known SID for the default local administrator account on a Windows domain.
   - **Crucially**, this value must be replaced with the actual SID(s) of your organization's designated honeytoken accounts.

For more details on creating and managing honeytokens within Falcon Identity Protection, please refer to the official CrowdStrike documentation:

- [Honeytokens within Falcon Identity Protection](https://supportportal.crowdstrike.com/s/article/ka16T000001MfykQAC)
Hunt for a file name
Hunt for specific Command Line Activity
Hunting Bitsadmin usage
This query implements a multi-hypothesis threat hunting workflow to detect abuse of the Windows Background Intelligent Transfer Service (BITS). It uses a case statement to classify incoming telemetry into four distinct detection hypotheses. H1 catches direct execution of bitsadmin.exe with suspicious command-line arguments (such as /transfer, /addfile, /download, /SetNotifyCmdLine, or URLs) while excluding legitimate parent processes like svchost.exe and msiexec.exe. H2 detects PowerShell-based BITS abuse by scanning script block logging and command history events for cmdlets like Start-BitsTransfer or direct COM object invocation (BITS.IBackgroundCopyManager) combined with network-related parameters. H3 focuses specifically on BITS persistence mechanisms by flagging commands that set notification callbacks (SetNotifyCmdLine), retry delays, or timeout values excluding legitimate Windows Update activity. H4 identifies proxy reconnaissance via bitsadmin /getieproxy, a technique attackers use to discover proxy configurations before exfiltrating data.
Hunting EDR Freeze
Based on the default command-line switches used by the EDR-Freeze open source project: https://github.com/TwoSevenOneT/EDR-Freeze?tab=readme-ov-file
Identify Linux Systems Vulnerable to CVE-2025-1146 with Last Logged-On User Information
The query below will look for Linux systems (Linux hosts, K8s, containers) that need to be updated against CVE-2025-1146. The query is based on the OsVersionInfo event, which is generated every 24 hours, at sensor start, or at sensor update. It attempts to merge in LogonType 2 and 10 events to determine the last logged-on user.
Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/CVE-2025-1146%20System%20Scoping%20(OsVersionInfo%20with%20Logon%20Data).md)
Identify Shadow SaaS
This query identifies SaaS services supported by Falcon Shield and helps detect which SaaS products are actively used within the environment.
Identity Protection - Average Cloud Response Time
Average time (in seconds) the cloud service takes to resolve entity information (e.g., from SID/GUID). Latency above 3 seconds may cause intermittent issues; above 4 seconds can lead to recurring timeouts.
Impossible Travel Time Azure
Traces logins from two different countries with impossible travel times between consecutive logins per identity.
Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/Impossible-Travel-Time-Azure.md)
Inspected LDAP / Kerberos / DCE/RPC Traffic
Shows inspected traffic requests over time on the selected domain controller.
Installed Browser Extensions (Aggregate by Extension)
This query will output a table with all installed browser extensions.
Installed Browser Extensions (Hunt Extension Name)
This query will output a table with all installed browser extensions. Replace "vpn" with the string you want to hunt for.
InstallFix on macOS
The InstallFix query is designed to catch the execution patterns of one-liner stagers or initial access scripts that often masquerade as legitimate system fixes or installers. It looks for a high-confidence sequence in which a curl command, configured with flags typically used to bypass security or silence output, is executed in close temporal proximity (within 1 minute) to a command involving Base64 decoding.
Inventory of Installed Browser Extensions Across Endpoints
The query lists installed browser (Chrome & Edge) extensions across endpoints, normalizes browser names, counts unique systems per extension, adds a Chrome Web Store link, and sorts results to highlight the most common extensions.
Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Enumerate%20Chrome%20%2B%20Edge%20Browser%20Extension%20on%20Win%20and%20Mac.md)
IOC search | PTC Windchill & FlexPLM vulnerability
This query checks for Indicators of Compromise (IOCs) related to a critical Remote Code Execution vulnerability in PTC Windchill and FlexPLM. The query tracks the creation or modification of specific Java source files that an attacker may use to intercept requests, manipulate data streaming, or execute unauthorized system updates.

https://support.eacpds.com/hc/en-us/article_attachments/47430019070996

This CQL query is designed to catch an attacker at two different stages of the PTC Windchill/FlexPLM exploitation lifecycle.

### **1. The Two Detection "Stages"**

The `case` block splits the search into two specific scenarios:

* **Scenario A (Active Execution/Persistence):** Looks for compiled Java files (`.class`) and web shells (`.jsp`). If these appear, the attacker has likely already triggered the exploit and is attempting to run code or maintain a backdoor.
* **Scenario B (Staging/Delivery):** Looks for specific Java source files (`.java`) provided by PTC as known Indicators of Compromise. These are "payloads" that an attacker drops to overwrite core system functions.

### **2. Key Commands Used**

* **`#event_simpleName = /.*FileWritten/i`**: Monitors the exact moment a file is created or modified on the hard drive.
* **`regex /.../i`**: Performs a case-insensitive search for file patterns (like the `dpr_` prefix often used for malicious web shells).
* **`in(field="FileName", values=[...])`**: Efficiently checks a list of "Known Bad" filenames against your environment.
* **`table`**: Displays the **Timestamp**, **Impacted Host**, and the **Specific File** involved to allow for immediate incident response.
JAR files executed from %AppData%
This query detects if a JAR file was executed from the %AppData% folder.
JAR files written to %AppData%
This query detects if a JAR file was written to the %AppData% folder.