EXPLORE DETECTIONS
Rare windows shell parent process
This hunting query is designed to detect rare shell parent processes. It works as follows:

1. **Filter for Windows Events**: `#event_simpleName=ProcessRollup2 event_platform=Win`
2. **Classify Processes**: `(case { in(field=FileName, values=["powershell.exe", "cmd.exe", "pwsh.exe"]) | IsChild := "1";)`
   - If the FileName matches a shell (powershell.exe, cmd.exe, pwsh.exe), the process is marked as a child process
   - Otherwise, it is marked as not a child process
3. **Assign Process Information**: `ParentImageFileName!=/\\(powershell|cmd)\.exe$/i`
   - For child processes (`IsChild = "1"`), the `ProcId` is set to the `ParentProcessId`
   - For non-child processes (`IsChild = "0"`), the `ProcId` is set to the `TargetProcessId`
4. **Group by Computer and Process**:
   - The query groups events by `ComputerName` and `ProcId` to analyze process relationships.
   - It calculates the distinct count of `ParentProcessId` as `EventCount`
Recent RTR Sessions
List of the recent Real Time Response sessions that were started.
Remediation - Host Contained
This query lists all isolated devices and identifies who initiated the isolation.
Remote Interactive Logons (RDP)
Identifies remote interactive logons on a specific endpoint. The query filters UserIdentity events for LogonType=10, which typically indicates Remote Desktop or similar remote access sessions. Results are scoped by the provided aid and display up to 1,000 events, including timestamp, username, user principal, and the logon server. Useful for detecting and reviewing remote access activity during investigations or routine monitoring.

**Use Cases**

- Review RDP usage on a host
- Investigate potential unauthorized remote access
- Support incident response and access audits

LogonType=10 corresponds to remote interactive logons. The aid parameter must be set to the target endpoint.
Remote Port Forwarding via Plink - Unauthorized RDP Tunneling Detection
Detects the use of Plink (PuTTY Link) to establish remote port forwarding tunnels, specifically targeting traffic redirected to port 3389 (RDP). This technique is frequently used by threat actors for lateral movement or to bypass firewall restrictions by tunneling RDP over SSH.

Attackers use `plink.exe`, the command-line SSH client from PuTTY, to create encrypted SSH tunnels that forward RDP traffic (port 3389) through firewall boundaries. This allows an attacker with an existing foothold to RDP into internal systems even when direct RDP is blocked.

## Forwarding Flags

* **-R (Remote Forward):** Attacker binds a port on their server and pulls traffic back to an internal RDP target.
* **-L (Local Forward):** Victim machine forwards a local port outbound to an RDP target via the SSH server.

## Why It's Dangerous

Because the tunnel rides over SSH (typically port 22 or 443), it blends with legitimate encrypted traffic and often bypasses firewall and DLP controls. The resulting RDP session appears to originate from inside the network.

## Testing the Detection

You can safely validate this detection on an enrolled endpoint without establishing an actual tunnel. The connection will fail immediately, but the EDR will still capture the `ProcessRollup2` event.

### 1. Download and Execute (PowerShell)

```powershell
Invoke-WebRequest -Uri "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "$env:TEMP\plink.exe"

# Test -R (remote forward)
& "$env:TEMP\plink.exe" -R 4444:localhost:3389 user@192.168.1.1

# Test -L (local forward)
& "$env:TEMP\plink.exe" -L 4444:localhost:3389 user@192.168.1.1
```
ROKRAT Malware APT 37
RoKRAT Malware – Injection & Steganography

🛠 High‑Level TTPs

- Initial Access: Malicious .lnk files within compressed archives.
- Execution & Persistence: PowerShell/BAT‑driven staged loaders with XOR decryption.
- Defense Evasion: Process injection into trusted Windows binaries & payload concealment via steganography.
- Command & Control: Abuse of pCloud, Yandex Disk, and Dropbox APIs with embedded tokens to blend with legitimate traffic.

[Genians Blog - RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies](https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic)

Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/ROKRAT-Malware-APT-37.md)
Search for oldest devices
A query to get the age of devices that have the Falcon sensor installed.
Sensor Version Adoption Trend
Visualizes the daily distribution of Sensor versions across the environment. It groups versions by Major and Minor releases (e.g., 6.45) to monitor the rollout of updates and identify legacy versions.
SMB Enumeration | Defender for Identity
This detection query detects SMB enumeration based on the Microsoft Defender for Identity module.
SOC Efficiency Metrics
Summarizes CrowdStrike Falcon detections across hosts, showing key lifecycle metrics such as tactic, technique, severity, detection state, and resolution time. Useful for SOC performance tracking, identifying detection patterns, and monitoring time-to-close for incidents.
Suspicious PowerShell Execution
This query identifies suspicious PowerShell execution patterns, including encoded commands and unusual parent processes, which could indicate malicious activity. It uses CrowdStrike Query Language (CQL) to detect suspicious PowerShell activity:

1. **Event Filtering**: `#event_simpleName=ProcessRollup2 ImageFileName=/\\powershell\\.exe/i`
   - Searches ProcessRollup2 events for any PowerShell executable (case-insensitive)
2. **Command Line Analysis**: `CommandLine=/\s-[eE^]{1,2}[nN][cC][oO][dD][eE][mM][aA][nN][dD^]+\s/i`
   - Uses regex to find encoded command parameters (-EncodedCommand, -enc, etc.)
3. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])`
   - Enriches results with username information
4. **Output**: `table([aid, UserName, ParentImageFileName, ImageFileName, CommandLine])`
   - Displays key fields for analysis
Suspicious Registry Modifications
This query detects suspicious registry modifications that could indicate persistence mechanisms or system configuration tampering by attackers. It uses CrowdStrike Query Language (CQL) to detect suspicious registry modifications:

1. **Event Filtering**: `#event_simpleName=RegGenericValue`
   - Searches for registry value modification events
2. **High-Risk Keys**: `RegObjectName=/\\(Run|RunOnce|Winlogon|AppInit_DLLs|Image File Execution Options)/i`
   - Focuses on common persistence and execution registry locations
3. **Exclude Legitimate**: `RegValueName!=/^(ctfmon|SecurityHealth|OneDrive)$/i`
   - Filters out known legitimate applications
4. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])`
   - Enriches results with username information
5. **Output**: `table([aid, UserName, RegObjectName, RegValueName, RegStringValue, ProcessImageFileName])`
   - Displays registry path, value, and modifying process
Systems Initiating Connections to a High Number of Ports
Detects hosts that establish network connections across a large number of unique ports within a given period. This behavior may indicate port scanning, network reconnaissance, or potentially malicious enumeration activity originating from a compromised host or unauthorized tool. The query aggregates by host and process, listing associated filenames, command lines, and user context to assist with triage.
User Logoff Activity
Table of all UserLogoff events including UserName, ComputerName, aip, LocalIP and Domain.
User Logon Activity
Table of all user logons.
User Logon Details (Time, Type, Location, Last Password Change)
This query will output a table of recent user logons with context information:

- Timestamp
- UserName
- SID
- LogonType
- UserIsAdmin (Y/N)
- PasswordLastSet
- Location
Users creating Network Shares
The query shows all newly created network shares.
Windows authentication traffic metrics
Displays Windows-collected authentication traffic metrics from your domain controllers, including Kerberos authentications, NTLM authentications, LDAP binds, and LDAP searches per second. These are native Windows performance counters and do not represent traffic inspected by Identity Protection - they provide baseline visibility into overall domain controller activity.
Windows Store Installs
This query displays all applications installed from the Microsoft Store on a machine. It extracts the package name from the file path and groups the results by computer name and package base. It also supports filtering out known-good file paths and packages to reduce noise in the results. The query takes the file path and selects those files loaded from the `\Program Files\WindowsApps` directory, then applies a regex to extract just the package name as it would appear in the output of `Get-AppxPackage` on the machine. It outputs a report keyed by ComputerName and PackageBase.