EXPLORE DETECTIONS
InstallFix on macOS
The InstallFix query is designed to catch the execution patterns of one-liner stagers or initial access scripts that masquerade as legitimate system fixes or installers. It keys on a high-confidence sequence: a curl command configured with flags typically used to bypass security checks or silence output, executed in close temporal proximity (within 1 minute) to a command involving Base64 decoding.
Inventory of Installed Browser Extensions Across Endpoints
The query lists installed browser (Chrome & Edge) extensions across endpoints, normalizes browser names, counts unique systems per extension, adds a Chrome Web Store link, and sorts results to highlight the most common extensions. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Enumerate%20Chrome%20%2B%20Edge%20Browser%20Extension%20on%20Win%20and%20Mac.md)
IOC search | PTC Windchill & FlexPLM vulnerability
This query checks for Indicators of Compromise (IOCs) related to a critical Remote Code Execution vulnerability in PTC Windchill and FlexPLM. The query tracks the creation or modification of specific Java source files that an attacker may use to intercept requests, manipulate data streaming, or execute unauthorized system updates. Reference: https://support.eacpds.com/hc/en-us/article_attachments/47430019070996

This CQL query is designed to catch an attacker at two different stages of the PTC Windchill/FlexPLM exploitation lifecycle.

### **1. The Two Detection "Stages"**

The `case` block splits the search into two specific scenarios:

* **Scenario A (Active Execution/Persistence):** Looks for compiled Java files (`.class`) and web shells (`.jsp`). If these appear, the attacker has likely already triggered the exploit and is attempting to run code or maintain a backdoor.
* **Scenario B (Staging/Delivery):** Looks for specific Java source files (`.java`) provided by PTC as known Indicators of Compromise. These are "payloads" that an attacker drops to overwrite core system functions.

### **2. Key Commands Used**

* **`#event_simpleName = /.*FileWritten/i`**: Monitors the exact moment a file is created or modified on the hard drive.
* **`regex /.../i`**: Performs a case-insensitive search for file patterns (like the `dpr_` prefix often used for malicious web shells).
* **`in(field="FileName", values=[...])`**: Efficiently checks a list of "Known Bad" filenames against your environment.
* **`table`**: Displays the **Timestamp**, **Impacted Host**, and the **Specific File** involved to allow for immediate incident response.
JAR files executed from %AppData%
This query detects if a JAR file was executed from the %AppData% folder.
JAR files written to %AppData%
This query detects if a JAR file was written to the %AppData% folder.
Lateral Movement Detection
This query identifies potential lateral movement activities by detecting remote connections and credential usage patterns across multiple hosts. This query uses CrowdStrike Query Language (CQL) to detect lateral movement activities:

1. **Network Connections**: `#event_simpleName=NetworkConnect` - Monitors outbound network connections from endpoints
2. **Target Ports**: `(RemotePort=445 OR RemotePort=3389 OR RemotePort=5985)` - Focuses on SMB (445), RDP (3389), and WinRM (5985) connections
3. **External Targets**: `!cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])` - Excludes internal network ranges to focus on external connections
4. **Process Context**: `join({#event_simpleName=ProcessRollup2}, field=[aid, RawProcessId], include=[ImageFileName, CommandLine])` - Adds process information for the connecting application
5. **User Context**: `join({#event_simpleName=UserIdentity}, field=AuthenticationID, include=[UserName])` - Enriches with user account information
6. **Output**: `table([aid, UserName, ImageFileName, RemoteAddressIP4, RemotePort, CommandLine])` - Shows user, process, target IP, and connection details

Note that the `!cidr(...)` exclusion in step 3 keeps only connections to addresses outside the RFC 1918 private ranges, so SMB/RDP/WinRM connections between internal hosts are not surfaced by this query as written.
LDAP Enumeration
Detects suspicious or excessive LDAP queries performed against Active Directory, as identified by Microsoft Defender for Identity. This behavior may indicate reconnaissance activity where an attacker attempts to gather information about users, groups, and domain structure for further exploitation.
LeakNet Campaign: Deno Runtime & Klist Suspicious Execution Detection
Detects indicators of the LeakNet campaign (analyzed by ReliaQuest, March 2026), which uses ClickFix, a social engineering tactic where compromised websites display fake error dialogs that coerce users into manually pasting and executing a malicious PowerShell/CMD command. This delivers a portable Deno (JavaScript runtime) binary to user-writable directories that runs malicious payloads entirely in memory, avoiding disk-based detection. The query targets the post-delivery kill chain: Deno execution from AppData/Temp/ProgramData paths, klist.exe usage from interactive shells indicating Kerberos ticket harvesting, Deno spawning reconnaissance and living-off-the-land binaries, and dangerous Deno runtime flags or remote code fetch patterns. A noise reduction filter excludes Deno running from standard developer or Program Files paths.

This query detects post-exploitation activity associated with the LeakNet campaign, which was publicly analyzed by ReliaQuest in March 2026. LeakNet uses ClickFix — a social engineering technique where compromised websites present fake browser or application error dialogs that instruct users to copy a malicious command and paste it into a Run dialog or terminal. The pasted command downloads and executes a portable Deno binary, which then runs JavaScript payloads entirely in memory to evade traditional file-based detection. The query monitors CrowdStrike Falcon EDR `ProcessRollup2` telemetry and applies four detection clauses covering distinct stages of the LeakNet kill chain, followed by a noise reduction filter.

CAMPAIGN DETAILS:
Campaign: LeakNet
Reference: ReliaQuest Threat Research, March 2026
Delivery: ClickFix social engineering → user-pasted PowerShell/CMD command
Payload: Portable Deno binary dropped to AppData/Temp
Execution: In-memory JavaScript payloads via Deno runtime
Post-Exploitation: Credential enumeration (klist), host discovery, C2 callbacks

VULNERABILITY DETAILS:
CVE: N/A (Campaign-Specific TTPs / Living off the Land)
Type: Initial Access, Execution, Credential Access, Discovery, Lateral Movement
Status: ACTIVE CAMPAIGN — MONITORING FOR ANOMALOUS USAGE

MITRE ATT&CK MAPPING:
T1204.001 - User Execution: Malicious Link (ClickFix)
T1059.007 - Command and Scripting Interpreter: JavaScript/TypeScript
T1059.001 - Command and Scripting Interpreter: PowerShell
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1082 - System Information Discovery
T1033 - System Owner/User Discovery
T1016 - System Network Configuration Discovery
T1087 - Account Discovery
Tactics: Initial Access, Execution, Credential Access, Discovery, Lateral Movement

EXPLOITATION REQUIREMENTS:
- User interaction required (ClickFix paste-and-execute social engineering)
- Deno binary present on disk (often portable/non-installed)
- Execution within user-writable context (AppData/Temp)
- Network access for remote script fetching (--allow-net)

USE CASES:
- Detect Deno-based malware or C2 stagers
- Identify Kerberos ticket enumeration via klist.exe
- Track post-exploitation discovery commands spawned by script runtimes
- Flag dangerous Deno permission flags and remote code execution patterns

DATA SOURCE:
Event Type: ProcessRollup2
Required Fields: ImageFileName, CommandLine, ComputerName, UserName, ParentBaseFileName
Sensor: CrowdStrike Falcon EDR

AFFECTED SYSTEMS:
- Windows 10/11
- Windows Server 2016/2019/2022

FALSE POSITIVES:
- Legitimate developer activity (Deno used in IDE/Repos)
- Automated IT scripts using klist for troubleshooting
- Deno-based internal tools running from standard Program Files paths
- DevOps pipelines that invoke Deno with --allow-net against internal registries

INVESTIGATION NOTES:
1. Check if the Deno binary is signed and from a known developer location.
2. Review the CommandLine for --allow-all or remote URLs (http/https).
3. Correlate klist usage with recent logins or network connections to Domain Controllers.
4. Inspect the parent process of klist.exe; interactive shells are higher risk.
5. Verify if the user is a known developer or DevOps engineer.
6. Cross-reference SHA256HashData against known-good Deno release hashes.

TUNING RECOMMENDATIONS:
- Add specific exclusions for local 'dev' or 'git' directories.
- Filter out known-good service accounts that use klist for health checks.
- Baseline Deno usage by SHA256 if a standard version is deployed.
- Add UserName exclusions for known developer accounts if the discovery clause is noisy.

REMEDIATION:
Priority: MEDIUM (Context Dependent)
Action: Quarantine suspicious Deno binaries found in AppData/Temp.
Patches: Ensure Deno is updated to the latest version to prevent engine exploits.

QUERY LOGIC:
1. Filters for ProcessRollup2 events.
2. Checks for Deno in writable paths (Local/Roaming/Temp/ProgramData).
3. Flags klist.exe when spawned by common shells or script hosts.
4. Monitors Deno spawning living-off-the-land and discovery binaries.
5. Identifies dangerous Deno flags or remote fetch commands in the command line.
6. Applies a global noise reduction for standard Program Files or developer paths.
List all Identity Protection Detections
List of all IDP detections.
List of attachments sent from Outlook
LOLBin Certutil
This query detects the use of certutil.exe. Certutil.exe – A Windows certificate-management tool that attackers often misuse to download executables or script files (even into alternate data streams), as well as encode or decode payloads, aiding stealthy file delivery and evasion techniques. [LOLBAS - Certutil.exe](https://lolbas-project.github.io/lolbas/Binaries/Certutil/)
LOLBin Mshta
This query detects the use of mshta.exe. Mshta.exe – A Windows utility for executing HTML Applications (`.hta`) — often abused to run embedded or remote VBScript, JScript, or download-and-execute payloads via alternate data streams or web URLs. [LOLBAS - Mshta.exe](https://lolbas-project.github.io/lolbas/Binaries/Mshta/)
LOLBin Msiexec
This query detects the use of Msiexec.exe. Msiexec.exe – A Windows Installer utility that executes MSI packages or DLLs (including remote or transformed payloads), frequently misused by attackers for stealthy code execution and application control bypass. [LOLBAS - Msiexec.exe](https://lolbas-project.github.io/lolbas/Binaries/Msiexec/)