EXPLORE DETECTIONS
Account Enabled (Microsoft Defender for Identity)
Detects when a previously disabled user account is re‑enabled in Active Directory. While this may be part of normal administrative activity, it can also indicate an attempt to restore access to an account for unauthorized use and should be reviewed.
Account Password Not Required Changed (UAC Bypass) – Microsoft Defender for Identity
Detects when the “Password Not Required” flag is set or modified on a user account in Active Directory. This change weakens authentication controls and may allow account access without enforcing a password, potentially indicating misuse or attempts to bypass security policies and should be investigated.
Active Directory Activity
Table of recent Active Directory activity including disabled, deleted and password reset events.
Application Consent Grant (Microsoft Entra ID)
Detects when a user or administrator grants consent to an application in Microsoft Entra ID, allowing it to access organizational data via delegated or application permissions. While often legitimate, this action can indicate potential abuse if a malicious application is granted excessive permissions and should be reviewed.
Applications Spawning CMD or Powershell
Table listing processes that spawned cmd.exe or powershell.exe child processes.
Applications with plaintext passwords
Table of applications identified as potentially handling plaintext passwords. Falcon automatically attempts to redact plain-text passwords in process command lines to prevent sensitive data exposure. When this occurs, the password string is replaced with the marker `/REDACTED/`. Therefore, during analysis we specifically look for the `/REDACTED/` placeholder within command-line arguments as an indicator that Falcon has detected and masked a potential plain-text password. Reference: https://www.reddit.com/r/crowdstrike/comments/u8ji4i/commandline_redacted/
Assigned Sensor Update Policy
This query will output a table with all hosts and their sensor update logic / assigned sensor update policy.
AWS S3 Bucket Policy Updates
This query outputs all S3 buckets where the policy has been modified. AWS PutBucketPolicy: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html
Brute Force based on Microsoft Defender for Identity
Detects multiple failed authentication attempts against a user account as identified by Microsoft Defender for Identity. This behavior may indicate brute‑force or password‑guessing activity aimed at compromising credentials and gaining unauthorized access.
BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware)
Detects Bring Your Own Vulnerable Driver (BYOVD) attacks by correlating vulnerable kernel driver loads with security software termination on the same host. This technique has been actively used by the Medusa ransomware group to disable EDR/AV tooling before encryption. Covers both known-bad driver names and anomalous driver loads from user-writable paths. In observed Medusa campaigns, the group drops a signed but vulnerable kernel driver (commonly a repurposed anti-cheat or AV driver) to gain kernel-level access and forcibly terminate endpoint protection before deploying the ransomware payload. CISA issued advisory AA25-071A covering Medusa's BYOVD usage. The query is not Medusa-specific: it will detect any BYOVD campaign following the same pattern, including BlackByte, Scattered Spider, Cuba, and AvosLocker, all of which have used similar techniques.
Calculate Last Windows Boot Time
Outputs the last reboot timestamp and calculates the time elapsed since then.
Calculate Next-Gen SIEM Ingestion Total
Calculates total NG-SIEM ingest by each vendor (connector). Can be altered to narrow the output to a single vendor and help locate areas of large ingestion usage, such as individual firewall policies. See [this](https://www.reddit.com/r/crowdstrike/comments/1nhuu6g/mediocre_query_monday_calculating_ngsiem/) post for more information. No modules are required, but the NG-SIEM module is what creates the need for this query. EDR/Endpoint/CrowdStrike native log sources are not included, as those are not counted against NG-SIEM ingest from a pricing perspective.
Charon Ransomware Detection and Correlation
The query chain detects and correlates multiple indicators of the Charon ransomware attack lifecycle, including ransomware package writes, malicious DLL sideloading, process execution triggers (notably via svchost.exe), creation of ransom notes, and suspicious service creation (WWC.sys). It merges these findings across several event types to confirm successful ransomware deployment. [Charon Ransomware](https://www.trendmicro.com/en_dk/research/25/h/new-ransomware-charon.html) Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/Charon-Ransomware.md)
Check Domain Controller for NSX Driver
This query helps determine whether NSX drivers are installed on Domain Controllers when investigating limited Identity Protection functionality.

## Related CrowdStrike KBs

1. [Resolving Falcon Identity Protection conflicting with VMware tools and NSX Driver](https://supportportal.crowdstrike.com/s/article/ka16T000001Mle7QAC)
2. [Verify NSX driver installation on Domain Controllers](https://supportportal.crowdstrike.com/s/article/ka16T000001tkTHQAY)