CrowdStrike LolBin Dashboard
CrowdStrike Query Language (CQL) YAML Dashboard file - Threat Hunting for LolBin Techniques
# CrowdStrike Query Language (CQL) dashboard definition. Every widget below carries
# its own start/end window because the shared time selector is disabled here
# (timeSelector is empty and sharedTimeInterval.enabled is false).
name: LolBin Threat Hunt
# Dashboard-level refresh; the individual widgets are not live either (isLive: false).
updateFrequency: never
timeSelector: {}
sharedTimeInterval:
  enabled: false
  isLive: false
  start: 1d
# Widgets keyed by UUID; each one is a saved CQL query plus layout/visualization options.
widgets:
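205c3978-7a34-4707-a953-5ae39a1976c4:
  # regedit.exe given a .reg file argument ("regedit /s file.reg", or a double-clicked
  # .reg file). The previous pattern /\:[A-Za-z].*\.reg/ required a colon followed
  # directly by a letter, which a drive-letter path ("C:\dir\file.reg") never contains,
  # so the widget came back empty for the common case. Any ".reg" token on the command
  # line now matches, case-insensitively.
  # NOTE(review): "reg.exe import <file>" reaches the same result and is not covered here.
  title: REGEDIT - Import .REG
  description: Import the target .REG file into the Registry.
  x: 4
  y: 64
  width: 4
  height: 4
  # Per-widget lookback; the dashboard's shared time selector is disabled.
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName=regedit.exe
    | CommandLine=/\.reg(\"|\s|$)/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date])
    | sort(Date)
  interactions:
    # Host pivot into Falcon; ComputerName is URL-encoded before substitution.
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}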
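7e40b6a9-7915-4175-bb4f-ef78ddb9f0c8:
  # Defender removal via Disable-WindowsOptionalFeature. The match is now case-insensitive
  # (PowerShell cmdlet and feature names are not case-sensitive, so "disable-windowsoptionalfeature"
  # was previously missed) and the second alternative of the old regex, which only repeated
  # the first with a "-GUI|-Features|-ApplicationGuard" suffix, is dropped as redundant.
  # NOTE(review): other tampering routes (Set-MpPreference, service/driver changes) are
  # not matched by this widget.
  title: Defender Tampering
  description: 'Example command: "Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore"'
  x: 8
  y: 80
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  # No FileName filter on purpose: the cmdlet may run from powershell.exe, pwsh or a wrapper,
  # which is why the full grandparent->parent->child chain is rendered.
  queryString: |-
    event_platform=Win
    | CommandLine=/Disable\-WindowsOptionalFeature.*Windows\-Defender/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date, limit=20000)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}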
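8cba5268-de61-40b2-92b7-79be38545f1d:
  # bcdedit.exe boot-configuration changes typical of ransomware pre-encryption steps
  # (recovery disabled, boot status policy, safeboot). Fixes the misspelled
  # "ingoreallfailures" -> "ignoreallfailures"; the typo meant that keyword never matched.
  # NOTE(review): the ParentBaseFileName filter limits results to bcdedit spawned from
  # cmd.exe/powershell.exe; a malicious binary that spawns bcdedit directly is not shown.
  # Drop that line if the extra volume is acceptable.
  title: BCDEDIT
  x: 4
  y: 16
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="bcdedit.exe"
    | ParentBaseFileName=/cmd\.exe|powershell\.exe/i
    | CommandLine=/\/set|ignoreallfailures|bootstatuspolicy|recoveryenabled|safeboot/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}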
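8d3c96b1-616b-476b-a05b-f32e7b20b2e7:
  # Silent MSI installs. "/qn" is msiexec's no-UI switch and is equivalent to "/quiet",
  # so it is matched too; the old regex only looked for "/quiet" and missed the short form.
  # Both switches are required together with "/i" (install), which is what the widget is about.
  title: MSIEXEC /quiet /i
  description: Installs the target .MSI file silently.
  x: 8
  y: 24
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="msiexec.exe"
    | CommandLine=/\/quiet|\/qn/i
    | CommandLine=/\/i/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}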
5e299302-4bd1-4f50-9b86-d8744de4d3ae:
  # PowerShell "iex" / DownloadString one-liners, searched in both the process command
  # line and console history (CommandHistory).
  # NOTE(review): the exclusions are unanchored substring matches (chocolatey.org/, a
  # Visual Studio BuildTools path, "*.tmp.ps1", omnitruck.chef.io). An attacker who
  # names a script x.tmp.ps1 or plants one of these strings in an argument drops out of
  # this view; treat them as a tuning allowlist, not a trust boundary.
  # NOTE(review): "CommandLine := CommandHistory" is unconditional — confirm that the
  # assignment from a missing CommandHistory leaves CommandLine intact on process events.
  title: 'Powershell IEX '
  description: File-less malware - stores in memory.
  x: 0
  y: 0
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win CommandLine=/powershell\.exe\".*iex|iex.*DownloadString/i OR CommandHistory=/powershell\.exe\".*iex|iex.*DownloadString/i
    | CommandLine!=/https\:\/\/.*chocolatey\.org\/|\\Microsoft\ Visual\ Studio\\.*\\BuildTools\\VC\\|iex.*\.tmp\.ps1|\/\/omnitruck\.chef\.io\//
    | CommandHistory!=/https\:\/\/.*chocolatey\.org\/|\\Microsoft\ Visual\ Studio\\.*\\BuildTools\\VC\\|iex.*\.tmp\.ps1|\/\/omnitruck\.chef\.io\//
    | CommandLine := CommandHistory
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date])
    | sort(Date)
  # No host pivot on this widget.
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    # Wide column so long one-liners stay readable.
    configured-columns:
      CommandLine:
        width: 1000
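c8e1e924-e092-4bd0-b7d3-f1c56544245b:
  # LSASS dumping through comsvcs.dll's MiniDump export. Two fixes:
  #  - the export can be called by ordinal ("comsvcs.dll, #24 <pid> out.dmp full"), which
  #    the old "MiniDump" string match missed, so "#24" is matched as well;
  #  - groupBy() only keeps the grouped fields plus aggregate outputs, so the old
  #    "sort(Date)" after it sorted on a field that no longer existed. The newest
  #    timestamp per group is now kept via max(@timestamp) and used for Date.
  # NOTE(review): the list-view "@timestamp" column stays empty after groupBy; consider
  # table-view like the sibling widgets.
  title: Comsvcs
  description: Dump Lsass.exe process memory to retrieve credential
  x: 4
  y: 56
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform="Win" FileName="rundll32.exe"
    | CommandLine=/comsvcs\.dll/i
    | CommandLine=/MiniDump|\#24/i
    | groupBy([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName], function=[count(as=Count), max(@timestamp, as=LastSeen)], limit=20000)
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=LastSeen, locale=en_US, timezone=Z)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false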
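55ee4cee-4c77-446e-8a67-50c7d330dc20:
  # findstr.exe used as a copy primitive ("findstr /V dummy \\host\share\x.exe > local").
  # The old filter was /\v/i, which in regex is the vertical-whitespace escape, not the
  # "/V" switch, so it never matched a real command line. It now matches "/V".
  # NOTE(review): the "> target" redirect in the description is handled by the shell and
  # does not appear in findstr's own CommandLine; only the UNC source is visible here.
  # "/V" is common in legitimate scripts — adding a UNC-path condition (\\host\share)
  # is the obvious next tuning step.
  title: FINDSTR - Download
  description: "Download remote files from SMB shared folders within the network.\n\
    \nEX: \n\nC:\\Users\\jack>findstr /V dummystring \\\\MachineName\\ShareFolder\\\
    test.exe > c:\\Windows\\Temp\\test.exe\n\n\"/V\" Print out the lines that don't\
    \ contain the string provided.\n\n\"dummystring\" Text to be searched for that\
    \ must not be found in a file.\n\n\"> c:\\Windows\\Temp\\test.exe\" Redirect\
    \ the output to a file on the target machine. "
  x: 0
  y: 16
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="findstr.exe"
    | CommandLine=/\/V/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false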
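bc0f6f2a-4962-4920-b9de-42b6b40e94a2:
  # Any at.exe execution with a command line. at.exe is deprecated in favour of
  # schtasks.exe, so on current builds its presence alone is worth a look; no further
  # filtering is applied. Title typo fixed ("Depricated").
  title: AT - Deprecated Scheduled Task Command
  description: Commonly used for LolBin to create scheduled tasks.
  x: 0
  y: 48
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="at.exe"
    | CommandLine=*
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date])
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}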
b4dcc0de-b5b9-4c0b-a54c-a59a0a44d74e:
  # explorer.exe started with a "/root" argument (explorer.exe /root,"<path>"), a way to
  # launch a target with explorer.exe as its parent. The filter is a plain substring
  # match, so any "/root" on the command line qualifies.
  title: EXPLORER - Child Process
  description: Create a child process of explorer.exe parent
  x: 4
  y: 20
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="explorer.exe"
    | CommandLine=/\/root/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
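46040a26-8051-4781-bd9a-ff26c31c26d9:
  # bcdedit used to weaken kernel code-integrity enforcement. Besides the original
  # "loadoptions DDISABLE_INTEGRITY_CHECKS" the widget now also matches
  # "nointegritychecks" and "testsigning", the two other /set options used for the same
  # purpose (loading unsigned drivers). The match is case-insensitive because bcdedit
  # accepts its options in any case; the old regex was case-sensitive.
  # No FileName filter: the string is commonly wrapped in "cmd /c ..." or PowerShell.
  title: BCDEDIT - Disable Integrity Checks
  x: 4
  y: 68
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win
    | CommandLine=/bcdedit.*set.*(loadoptions.*DDISABLE|nointegritychecks|testsigning)/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}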
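79f8f7c5-8fa8-4efa-85ff-0b19d278a573:
  # rundll32.exe with an http(s)://<dotted-quad> argument. The private-range exclusion is
  # rewritten: the old "10\.*\." meant "10" followed by any number of dots and then a dot,
  # i.e. the substring "10." anywhere (so 110.x.x.x or x.10.x.x public addresses were
  # hidden), and 172.16/12 was not excluded at all. Exclusions are now anchored to the
  # URL scheme so only the URL host is tested.
  # NOTE(review): 194.216.28.0/24 is a public range carried over from the original as an
  # environment-specific allowlist — confirm it is still intended; anything staged there
  # is invisible to this widget.
  title: 'RUNDLL32 (HTTP/IP) '
  description: Runs and loads DLLs through HTTP calling to external IP address
  x: 4
  y: 60
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="rundll32.exe"
    | CommandLine=/https?\:\/\/((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}/i
    | CommandLine!=/https?\:\/\/(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|194\.216\.28\.)/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}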
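c402af6e-3dd3-4b20-bfa8-4f4973f01ba5:
  # Writes to the hosts file from a command line (sinkholing EDR/AV update or telemetry
  # domains). The old free-text pattern required "Add-Content ... -Path ... hosts"; the
  # -Path parameter is positional and often omitted, and Set-Content / Out-File reach the
  # same file, so all three cmdlets are matched without requiring "-Path". A shell
  # redirect is also matched (">" or ">>") because "cmd /c echo ... >> ...\hosts" shows
  # the redirect in cmd.exe's own CommandLine.
  # NOTE(review): direct file writes by a binary never show up in process command lines;
  # a file-write event source would be needed for that.
  title: ETC HOSTS
  description: Block or Sinkhole EDR domain for Evasion
  x: 8
  y: 72
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win /(Add\-Content|Set\-Content|Out\-File|>).*System32\\drivers\\etc\\hosts/i
    | CommandLine=*
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}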
4b5e4102-3609-4e01-af82-34e7f7b37ff6:
  # powershell.exe command lines containing "DownloadFile" (WebClient.DownloadFile).
  # Only the single method name is matched; DownloadString is covered by the
  # "Powershell IEX" widget, Invoke-WebRequest / Start-BitsTransfer by neither.
  title: Powershell (DownloadFile)
  description: Download payloads
  x: 4
  y: 0
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="powershell.exe"
    | CommandLine=/DownloadFile/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
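42463098-fb30-42ef-9332-b20a880b0558:
  # schtasks.exe creating a task on a remote host ("/create ... /s <host> ... /tn <name>").
  # All three switch matches are now case-insensitive: schtasks accepts "/Create /S /TN"
  # and that capitalisation is what its own help text prints, so the old case-sensitive
  # regexes missed the most common spelling.
  title: SCHTASKS
  description: Create a scheduled task on a remote computer for persistence/lateral movement
  x: 8
  y: 44
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="schtasks.exe"
    | CommandLine=/\/create/i
    | CommandLine=/\/s\ /i
    | CommandLine=/\/tn\ /i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false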
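8188927b-0e8c-4c4d-9bbe-4bc9d310195d:
  # PowerShell events whose command line contains a dotted-quad IP. The exclusion list is
  # rewritten: "10\.*" and "172\.*" meant "10"/"172" followed by zero or more dots — i.e.
  # the bare digits anywhere in the line (port 8010, "Windows 10", "v1.7.2" all dropped
  # the event). Private ranges are now matched as proper prefixes at a word boundary and
  # 172.x is limited to 172.16/12. The old "[0-9]{2,3}\.[0-9]\.[0-9]\.[0-9]" exclusion is
  # removed: it hid any public address with single-digit trailing octets (e.g. 45.1.2.3).
  # The two alternatives of the old match regex were the same dotted-quad with and
  # without a scheme, so a single bounded dotted-quad is used. Note the first octet still
  # needs 2–3 digits, so 8.8.8.8 / 1.1.1.1 are not matched — widen to {1,3} if wanted.
  title: Powershell - Remote IP
  x: 8
  y: 76
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=/Win/ /powershell/i
    | CommandLine=/\b[0-9]{2,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\b/
    | CommandLine!=/\b(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.0\.0\.0)|PING\.EXE|TRACERT\.EXE|Resolve\-DnsName.*\-ErrorAction/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}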
d5996e55-82d5-4f43-8d82-066c9c4628f1:
  # WMIC.exe process creation ("process call create"), "get brief" enumeration and
  # "datafile" queries; "get version" is excluded as routine inventory noise.
  title: WMIC
  description: Execute commands and manages processes remotely
  x: 0
  y: 8
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="WMIC.exe"
    | CommandLine=/call\ create|get\ brief|datafile/i
    | CommandLine!=/get\ version/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
0aa91ff8-0add-4409-ac39-79719389581c:
  # msedge.exe / msedge_proxy.exe opened with "-new-window" and a URL that has a host
  # and either a dotted TLD or a path; "localhost" targets are dropped.
  # NOTE(review): the URL regex is loose (".*\:.*") and will also accept "http:" anywhere
  # followed by any later colon; tighten to "https?://[^\s\"]+" if it proves noisy.
  title: MSEDGE - Launch Window
  description: msedge will launch suspicious or malicious window to external URL or IP.
  x: 8
  y: 64
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName=/msedge\_proxy\.exe|msedge\.exe/
    | CommandLine=/\-new\-window/i
    | CommandLine=/http\:.*\:.*\.[A-Za-z]{1,4}|https\:.*\:.*\.[A-Za-z]{1,4}|http\:.*\:.*\/.*[A-Za-z]|https\:.*\:.*\/.*[A-Za-z]/i
    | CommandLine!=/localhost/
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      titleTemplate: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
56ab9969-61f2-461d-b44d-b6a17248c2b6:
  # regsvr32.exe with all of /s, /n, /u and /i present — the "squiblydoo" shape
  # (regsvr32 /s /n /u /i:<url|file>.sct scrobj.dll). Each switch is a separate substring
  # test, so order does not matter. McInst.exe parents are allowlisted.
  # NOTE(review): "/i:http" and "scrobj.dll" are stronger indicators than the switch set;
  # the hard-coded McInst.exe allowlist is an exact-name check a renamed binary bypasses.
  title: REGSVR32 - (Un)Register DLL
  description: "Register and unregister Dynamic Link Libraries (DLLs) in the Windows\
    \ Registry. \n\"/s\": Silent mode.\n\"/n\": Not call the DLL register server.\n\
    \"/i\":Use another server since /n was used.\n\"/u\": Run with unregister method."
  x: 8
  y: 12
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="regsvr32.exe"
    | ParentBaseFileName!="McInst.exe"
    | CommandLine=/\/s/i
    | CommandLine=/\/n/i
    | CommandLine=/\/u/i
    | CommandLine=/\/i/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
967282f6-593b-482f-a372-6aa7e75dfdf3:
  # rundll32.exe with "javascript" on its command line (the javascript: protocol handler
  # trick). Substring match, case-insensitive.
  title: RUNDLL32 (Javascript)
  description: Runs and loads DLLs through Javascript
  x: 4
  y: 8
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="rundll32.exe"
    | CommandLine=/Javascript/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
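b7faae53-87ed-4cba-b103-da07b48302ab:
  # MSBuild.exe handed a .csproj. The old filter /\.csproj$/ was case-sensitive and only
  # matched when ".csproj" was the very last thing on the line, so a quoted path
  # ("...\x.csproj") or any trailing switch (/nologo, /p:...) hid the event. The
  # extension may now be followed by a quote, whitespace or end of line, case-insensitively.
  # NOTE(review): MSBuild builds whatever file it is given; inline-task payloads are not
  # limited to .csproj, so other extensions are not covered by this widget.
  title: MSBUILD - PowerLessShell
  description: PowerLessShell relies on abusing the Microsoft Build Engine (MSBuild), a platform for building Windows applications, to execute remote code.
  x: 8
  y: 16
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="MSBuild.exe"
    | CommandLine=/\.csproj(\"|\s|$)/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false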
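ff2a91da-3151-4431-8df6-dacf5316b60b:
  # NRPT (Name Resolution Policy Table) rule changes from the command line, used to
  # redirect a vendor's DNS names. Set-DnsClientNrptRule edits an existing rule to the
  # same effect as Add-DnsClientNrptRule creates one, so both cmdlets are matched.
  title: Add DnsClient
  description: CMDLET likely associated with attempt to add new entries to redirect MS Defender DNS queries
  x: 4
  y: 76
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win
    | CommandLine=/(Add|Set)\-DnsClientNrptRule/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}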
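a7b00266-3ad5-4ef4-a948-9bb3f727d88a:
  # regedit.exe exporting a key ("regedit /E <file> <key>"). The switch is now matched
  # case-insensitively — regedit accepts "/e" as well and the old /\/E/ missed it — and
  # must be followed by whitespace or end of line so unrelated "/E..." tokens do not match.
  # NOTE(review): "reg.exe save/export" (the usual SAM/SYSTEM hive dump route) is a
  # separate binary and not covered here.
  title: REGEDIT /E
  description: Export the target Registry key to the specified .REG file
  x: 0
  y: 60
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName=regedit.exe
    | CommandLine=/\/E(\s|$)/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date])
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}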
e9ee511c-f316-4875-abaf-ecf48e7735c4:
  # bash.exe (WSL) running "-c" with a command line that ends in ".exe" or '.exe"',
  # i.e. a Windows binary launched through the Linux shell. Chocolatey is allowlisted
  # by substring.
  title: BASH
  description: Indirect Command execution technique where attackers abuse the Windows tools utility to obtain command executions.
  x: 0
  y: 20
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="bash.exe"
    | CommandLine=/\-c/i
    | CommandLine=/\.exe$|\.exe\"$/i
    | CommandLine!=/chocolatey/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false
eed3bf7d-122d-444f-974f-8038aea928d9:
  # msiexec.exe installing (/i) from an http(s) URL with basic UI (/qb) and a TRANSFORMS
  # property — the signed-MSI-plus-malicious-transform pattern. All four conditions are
  # independent substring tests.
  # NOTE(review): "/qn" (no UI) is the other common silent switch and is not matched here.
  title: MSIEXEC TRANSFORM
  description: Installs the target .MSI file from a remote URL, the file can be signed by vendor. Additional to the file a transformation file will be used, which can contains malicious code or binaries. The /qb will skip user input.
  x: 8
  y: 20
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="msiexec.exe"
    | CommandLine=/\/i/i
    | CommandLine=/\/qb/i
    | CommandLine=/http\:\/\/|https\:\/\//i
    | CommandLine=/TRANSFORM/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false
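842935e3-946e-4aa5-aa95-19946674c691:
  # "rundll32 url.dll,FileProtocolHandler <target>" launching an executable. The old
  # /\.exe$/ required ".exe" as the last character, so a quoted target path
  # ("...\x.exe") never matched; an optional closing quote is now allowed.
  # No FileName filter so cmd/PowerShell wrappers that carry the string are included.
  # NOTE(review): FileProtocolHandler will also open non-.exe targets (scripts, .hta);
  # those are outside this widget.
  title: URL.DLL - FileProtocolHandler
  description: Launch an executable by calling FileProtocolHandler.
  x: 8
  y: 40
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win
    | CommandLine=/url\.dll\,FileProtocolHandler/i
    | CommandLine=/\.exe\"?$/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}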
a798ade4-42db-4e43-ade7-be928a4b7cc5:
  # tar.exe extracting (-xf) from a path containing ":ads", i.e. an NTFS alternate data
  # stream used as the archive source.
  # NOTE(review): ":ads" is just the stream name from the published example; a stream can
  # have any name, so this only catches copy-paste use of that example.
  title: TAR Decompress ADS
  description: Decompress a compressed file from an alternate data stream (ADS).
  x: 4
  y: 36
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="tar.exe"
    | CommandLine=/\-xf/
    | CommandLine=/\:ads/
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false
0f3fc413-e42d-4bfb-a247-91da6028572a:
  # Literal "PowerLessShell" in a file name or command line. This is a tool-name string
  # match and is defeated by renaming; the MSBUILD widget covers the technique itself.
  title: PowerLessShell
  description: PowerLessShell is a Python-based tool that generates malicious code to run on a target machine without showing an instance of the PowerShell process. PowerLessShell relies on abusing the Microsoft Build Engine (MSBuild), a platform for building Windows applications, to execute remote code.
  x: 8
  y: 28
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName=/PowerLessShell/i OR CommandLine=/PowerLessShell/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false
0ce70fa5-c7b8-4e9f-b012-1df899e04bfd:
  # Any command line of the form "copy ... .exe ... \" — an executable being copied to a
  # path. Deliberately broad and flagged in the title as needing tuning; expect high
  # volume from installers and scripts. No host pivot is configured on this widget.
  title: COPY - Needs Tuning
  x: 4
  y: 80
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win
    | CommandLine=/copy.*\.exe.*\\/
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date, limit=20000)
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
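f18f2e42-fb5c-48c5-b50d-6212ffd6b4b2:
  # rundll32.exe pointed at an http(s)://<dotted-quad> URL whose argument ends in ".exe".
  # Same exclusion fix as the HTTP/IP widget: the old "10\.*\." matched the substring
  # "10." anywhere (hiding e.g. 110.x.x.x), and 172.16/12 was not excluded. The private
  # ranges are now anchored to the URL scheme. The trailing ".exe" test accepts an
  # optional closing quote so quoted arguments are not missed.
  title: RUNDLL32 (HTTP/EXE)
  description: Runs and loads DLLs through HTTP/EXE
  x: 8
  y: 56
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="rundll32.exe"
    | CommandLine=/https?\:\/\/((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}/i
    | CommandLine!=/https?\:\/\/(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/i
    | CommandLine=/\.exe\"?$/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}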
72b804d0-29c6-4a3d-bc80-9efe6138efa8:
  # cipher.exe executions, plus any command line or console history containing
  # "cipher ... /W" (free-space wipe). Java spawn-helper noise is excluded.
  # NOTE(review): "CommandLine := CommandHistory" followed by "CommandLine=*" — if the
  # assignment from a missing CommandHistory unsets CommandLine, every plain process
  # event is dropped and only console-history events survive; confirm against live data.
  # NOTE(review): "Medua" in the description presumably means Medusa — verify.
  title: CIPHER
  description: 'Command "cipher /W:\\?\C:" overwrites all free disc space to make deleted data unretrievable. Used in Medua Ransomware. '
  x: 0
  y: 80
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win
    | FileName=/^cipher\.exe$/i OR CommandLine=/cipher.*\/W/i OR CommandHistory=/cipher.*\/W/i
    | CommandLine!=/jspawnhelper|java/
    | CommandLine := CommandHistory
    | CommandLine=*
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date, limit=20000)
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
5e079637-aec4-49b0-97f2-f8082ca572ca:
  # msiexec.exe invoked with "/package" (the long form of /i). Companion to the
  # "/quiet /i" widget; no silent-switch requirement here.
  title: MSIEXEC /package
  x: 4
  y: 24
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="msiexec.exe"
    | CommandLine=/\/package/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
43473661-8d91-4cb6-9b1c-b303c74d1576:
  # whoami.exe with "priv" on the command line (whoami /priv — privilege enumeration).
  # Expect admin/helpdesk noise; "/all" and "/groups" are not matched.
  title: WHOAMI /PRIV
  x: 4
  y: 12
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win FileName="whoami.exe"
    | CommandLine=/priv/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
2e4c3063-73ec-4127-a29d-b79cfafe1578:
  # New-NetRoute with both -DestinationPrefix and -NextHop on one command line: a static
  # route added from a shell, the PowerShell equivalent of "route add".
  # NOTE(review): "route.exe add" and netsh equivalents are not covered by this widget.
  title: NETROUTE
  description: Redirect EDR management traffic to decoy address
  x: 0
  y: 72
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win
    | CommandLine=/New\-NetRoute.*\-DestinationPrefix.*\-NextHop/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns: {}
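caa78195-3781-4446-8403-a7000b81407c:
  # Defender preference changes from the command line or console history. Set-MpPreference
  # is the cmdlet that disables protections (e.g. -DisableRealtimeMonitoring $true) while
  # Add-MpPreference adds exclusions; the old filter only matched the latter, so the more
  # damaging cmdlet was invisible. Both are matched now and the title reflects that.
  # NOTE(review): "CommandLine := CommandHistory" is unconditional — confirm that the
  # assignment from a missing CommandHistory leaves CommandLine intact on process events.
  title: Add/Set-MpPreference
  description: Configure Windows Defender settings
  x: 8
  y: 0
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win CommandLine=/(Add|Set)\-MpPreference/i OR CommandHistory=/(Add|Set)\-MpPreference/i
    | CommandLine := CommandHistory
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  options:
    visualization: table-view
    cell-overflow: wrap-text
    row-numbers-enabled: false
    configured-columns:
      CommandLine:
        width: 720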
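20719420-6cc3-4f73-9303-2cf70fd7fc00:
  # "rundll32 url.dll,OpenURL file://<drive>:/..." launching a local file. The old regex
  # only accepted the C: drive ("file://C:/" or "file:///C:/"); any drive letter is now
  # accepted, with two or three slashes after the scheme and either slash style after
  # the drive colon.
  title: URL.DLL - Launch EXE or HTA
  description: Launch an executable by calling OpenURL.
  x: 4
  y: 44
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform=Win
    | CommandLine=/url\.dll/i
    | CommandLine=/file\:\/{2,3}[A-Za-z]\:[\/\\]/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false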
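72ff2ab3-2189-456f-acfe-2b31e066a369:
  # Free-text search for the NtosKrnlOffsets.zip/.csv artefacts used by EDRSandblast.
  # groupBy() keeps only the grouped fields and its aggregate outputs, so the old
  # "sort(Date)" after it sorted on a field that no longer existed; the newest
  # timestamp per group is now kept via max(@timestamp) and formatted as Date.
  # NOTE(review): the list-view "@timestamp" column stays empty after groupBy.
  title: NtosKrnlOffsets
  description: |-
    Uses hardcoded offsets in order to reliably perform kernel monitoring bypass operations.
    (EDRsandblast)
  x: 8
  y: 52
  width: 4
  height: 4
  start: 7d
  end: now
  isLive: false
  type: query
  queryString: |-
    event_platform="Win" /NtosKrnlOffsets\.(zip|csv)/i
    | groupBy([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName], function=[count(as=Count), max(@timestamp, as=LastSeen)], limit=20000)
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=LastSeen, locale=en_US, timezone=Z)
    | sort(Date)
  interactions:
    - name: Investigate Host
      type: customlink
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      urlEncodeArgs: true
      openInNewTab: true
  options:
    visualization: list-view
    newestAtBottom: true
    showOnlyFirstLine: false
    columns:
      - type: field
        fieldName: '@timestamp'
        format: datetime
        width: 200
      - type: fieldList
        header: Field List
        groupByPrefix: false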
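# Hunt: msedge_proxy.exe spawning cmd.exe / curl (silent file download).
55835a17-319a-4ba5-9f49-fd92106b306d:
  x: 0
  y: 36
  description: Edge will silently download the file.
  height: 4
  # ComputerName and UserName are added to the group keys: groupBy() drops
  # every other field, and the "Investigate Host" link below needs
  # fields.ComputerName. Date was also dropped by the original groupBy(), so
  # the newest @timestamp per group is aggregated and used as the sort key;
  # sort() defaults to 200 rows so its limit matches groupBy()'s.
  queryString: |-
    event_platform=Win FileName="msedge_proxy.exe"
    | CommandLine=/cmd\.exe|\/c\ curl/i
    | groupBy([ComputerName,UserName,CommandLine,ParentBaseFileName], function=[count(as=Count), max(@timestamp, as=LastSeen)], limit=20000)
    | LastSeen := formatTime("%Y-%m-%d %H:%M:%S", field=LastSeen, locale=en_US, timezone=Z)
    | sort(LastSeen, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    columns:
      - fieldName: '@timestamp'
        format: datetime
        type: field
        width: 200
      - groupByPrefix: false
        header: Field List
        type: fieldList
    newestAtBottom: true
    showOnlyFirstLine: false
    visualization: list-view
  title: MSEDGE PROXY - Silent File Download
  isLive: false
  type: query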
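# Hunt: tasklist.exe with /nh /fi (filtered, header-less process enumeration).
439a7ed3-c4e9-4b9e-bc6d-7d449ef56254:
  x: 0
  y: 12
  description: Enumeration of process(es) via tasklist /nh /fi
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="tasklist.exe"
    | CommandLine=/\/nh\ \/fi/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  # Same host pivot as the other widgets in this dashboard.
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: Tasklist Enum
  isLive: false
  type: query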
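# Hunt: reg add setting fDenyTSConnections to 0 (enables inbound RDP on the host).
2dfd36f4-332f-4ac6-aa71-fbad67df3962:
  x: 0
  y: 64
  description: reg add on the Terminal Server key setting fDenyTSConnections (REG_DWORD) to 0, which allows RDP connections to the host
  height: 4
  # The pattern is now case-insensitive (reg.exe accepts any casing of the
  # command, key and value names); `\_` was simplified to a plain underscore.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win
    | CommandLine=/reg.*add.*HKEY.*Terminal\ Server.*\/v.*fDenyTSConnections.*\/t.*REG_DWORD.*0/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: REG ADD - Allow RDP to Host
  isLive: false
  type: query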
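# Hunt: Invoke-WebRequest on the command line or in PowerShell command history.
e7b0f872-1f56-471e-beea-2b1135a2a17e:
  x: 4
  y: 4
  description: Invoke-WebRequest seen on the command line or in PowerShell command history; command lines matching github.com…chrisant996 are excluded
  height: 4
  # CommandHistory is copied into CommandLine only when present, so events
  # matched on CommandLine alone keep their original value; the `CommandLine=*`
  # and `ParentBaseFileName=*` filters then drop rows missing either field.
  queryString: |-
    event_platform=Win
    | CommandLine=/Invoke\-WebRequest/i OR CommandHistory=/Invoke\-WebRequest/i
    | case { CommandHistory=* | CommandLine := CommandHistory; * }
    | CommandLine=*
    | CommandLine!=/github\.com.*chrisant996/
    | ParentBaseFileName=*
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  # Same host pivot as the other widgets in this dashboard.
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: Invoke-WebRequest
  isLive: false
  type: query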
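# Hunt: wscript.exe running .vbs files from TEMP or Public folders.
d4073223-0573-424a-a79d-2cb1c2d1d59a:
  x: 0
  y: 56
  description: VBS files ran out of TEMP & Public folder
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName=wscript.exe
    | CommandLine=/\.vbs/i
    | CommandLine=/\\TEMP\\|\\Public\\/i
    | ParentBaseFileName=*
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  # Same host pivot as the other widgets in this dashboard.
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: WSCRIPT - VBS
  isLive: false
  type: query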
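# Hunt: mshta.exe executions, plus mshta invocations recorded in PowerShell
# command history.
885c2e5a-164a-45fa-9ffe-f3ae8254438c:
  x: 0
  y: 4
  description: mshta.exe process executions and mshta commands found in PowerShell command history
  height: 4
  # The original required FileName=mshta.exe before testing CommandHistory,
  # which made the CommandHistory branch unreachable (history events do not
  # carry that FileName). The two sources are now OR-ed, and CommandHistory is
  # copied into CommandLine only when present.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win
    | FileName=mshta.exe OR CommandHistory=/mshta/i
    | case { CommandHistory=* | CommandLine := CommandHistory; * }
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns:
      CommandLine:
        width: 699
    row-numbers-enabled: false
    visualization: table-view
  title: MSHTA
  isLive: false
  type: query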
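# Hunt: tscon.exe usage (attaching to another user's session).
57090191-edb9-4095-bcd8-89314921e8dd:
  x: 8
  y: 48
  description: Allows the session owner, and other users, to take control of otherwise inactive sessions
  height: 4
  # `|-` (strip) replaces `|` so the query has no trailing newline, matching
  # every other widget. PeVersionInfo events are excluded because they carry
  # the file name without a command line.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="tscon.exe"
    | "#event_simpleName"!=PeVersionInfo
    | CommandLine=*
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  # Same host pivot as the other widgets in this dashboard.
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: TSCON
  isLive: false
  type: query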
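# Hunt: executables and scripts launched from a $Recycle path.
aca5b265-4c05-4d5d-b768-0570b8b33bf6:
  x: 4
  y: 72
  description: Command lines referencing an .exe, .ps1, .dll, .cmd or .bat under a $Recycle path
  height: 4
  # The extension match is now case-insensitive (.EXE, .Ps1, ... are valid).
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win
    | CommandLine=/.\$Recycle.*\.(exe|ps1|dll|cmd|bat)/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: EXE - run from Recycle
  isLive: false
  type: query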
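# Hunt: msiexec quiet install (/q /i) of a package fetched over HTTP(S).
66ed0233-c66f-4d81-985d-5b19568df1cc:
  x: 4
  y: 28
  description: Installs the target remotely & renamed .MSI file silently.
  height: 4
  # The URL pattern now also matches https:// (the original `http\:\/\/` did
  # not, because of the "s"). MDMAppInstaller.exe parents are excluded.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="msiexec.exe"
    | CommandLine=/\/q/i
    | CommandLine=/\/i/i
    | CommandLine=/https?:\/\//i
    | ParentBaseFileName!=MDMAppInstaller.exe
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    columns:
      - fieldName: '@timestamp'
        format: datetime
        type: field
        width: 200
      - groupByPrefix: false
        header: Field List
        type: fieldList
    newestAtBottom: true
    showOnlyFirstLine: false
    visualization: list-view
  title: MSIEXEC /q /i http
  isLive: false
  type: query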
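# Hunt: cmd.exe using echo together with a .vbs path (script written via echo).
13940937-8e4d-47a1-b174-894a9552baed:
  x: 0
  y: 24
  description: cmd.exe command lines containing echo and a .vbs file reference
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="cmd.exe"
    | CommandLine=/echo/i
    | CommandLine=/\.vbs/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: CMD - Echo > .vbs
  isLive: false
  type: query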
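# Hunt: tar.exe writing an archive into an alternate data stream.
9e95a45f-091e-4c4d-93a2-f31b1cab95c6:
  x: 0
  y: 32
  description: Compress one or more files to an alternate data stream (ADS).
  height: 4
  # tar flags are case-sensitive (-c vs -C), so the -cf match stays
  # case-sensitive; `:ads` is the stream name used by the LOLBin example.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="tar.exe"
    | CommandLine=/\-cf/
    | CommandLine=/\:ads/
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    columns:
      - fieldName: '@timestamp'
        format: datetime
        type: field
        width: 200
      - groupByPrefix: false
        header: Field List
        type: fieldList
    newestAtBottom: true
    showOnlyFirstLine: false
    visualization: list-view
  title: TAR Compress ADS
  isLive: false
  type: query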
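# Hunt: reg add of the Shadow value under Terminal Services (RDP shadowing).
702d984c-47cc-4731-b865-69d3c64062df:
  x: 0
  y: 52
  # `|-` replaces `|+` so the description carries no trailing blank lines.
  description: |-
    Command used to add RDP shadowing to take over sessions
  height: 4
  # The hive match now also accepts the HKLM abbreviation and any casing,
  # which reg.exe allows.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win
    | CommandLine=/reg\ add/i
    | CommandLine=/HKEY_LOCAL_MACHINE|HKLM/i
    | CommandLine=/\\Terminal\ Services/
    | CommandLine=/\/v\ Shadow/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    columns:
      - fieldName: '@timestamp'
        format: datetime
        type: field
        width: 200
      - groupByPrefix: false
        header: Field List
        type: fieldList
    newestAtBottom: true
    showOnlyFirstLine: false
    visualization: list-view
  title: Reg Add /Shadow
  isLive: false
  type: query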
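# Hunt: url.dll OpenURL invoked with a .url (Internet shortcut) file.
ff155e91-2091-4f28-9f05-a067a05a5706:
  x: 0
  y: 40
  description: Launch an executable payload via proxy through a(n) URL (information) file by calling OpenURL.
  height: 4
  # `\.url$` was a redundant alternative of `\.url`, so only the latter is kept.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win
    | CommandLine=/url\.dll/i
    | CommandLine=/\.url/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    columns:
      - fieldName: '@timestamp'
        format: datetime
        type: field
        width: 200
      - groupByPrefix: false
        header: Field List
        type: fieldList
    newestAtBottom: true
    showOnlyFirstLine: false
    visualization: list-view
  title: URL.DLL -Launch .url
  isLive: false
  type: query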
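# Hunt: bitsadmin.exe transfer/download/priority usage.
ee49ae8a-4fb9-4e13-942c-fb5ada46721d:
  x: 8
  y: 8
  description: |-
    Low-bandwidth and asynchronous method to download and upload files from HTTP webservers and SMB servers.
    "/Transfer" Use the transfer option
    "/Download" Specifying transfer using download type
    "/Priority" Setting the priority of the job to be running in the foreground
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="bitsadmin.exe"
    | CommandLine=/transfer|download|priority/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: BITSADMIN
  isLive: false
  type: query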
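# Hunt: service creation via `sc create`.
a756c2ea-1ab3-484a-a12a-40b6206739ae:
  x: 8
  y: 68
  description: Command lines containing "sc create" (new service registration)
  height: 4
  # The trailing `.*` of the original pattern matched nothing extra and was
  # dropped; the match is now case-insensitive.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win
    | CommandLine=/sc\ create\ /i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: SC CREATE
  isLive: false
  type: query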
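# Hunt: clipboard retrieval from the command line or script content.
cc836f6a-1694-43d7-a1fc-2d2e2eda6101:
  x: 0
  y: 76
  description: Retrieval of Clipboard Data - possible data exfil
  height: 4
  # The original table listed a `Parent` field that does not exist (every
  # other widget uses ParentBaseFileName) and computed ExecutionChain without
  # showing it; both are fixed here. The `//FileName=...` CQL comment keeps the
  # disabled process filter visible for anyone who wants to narrow the hunt.
  # Both patterns are now case-insensitive (PowerShell cmdlets are).
  queryString: |-
    event_platform=Win //FileName=/cmd|powershell/i
    | CommandLine=/c\ Get\-Clipboard/i OR ScriptContent=/Windows\.Forms\.Clipboard/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,ParentBaseFileName,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: CLIPBOARD
  isLive: false
  type: query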
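# Hunt: mstsc.exe /shadow (viewing or controlling another RDP session).
1f3c8c55-568c-466a-a5df-596ba4957c40:
  x: 4
  y: 52
  description: Shadow, or steal, a RDP session
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="mstsc.exe"
    | CommandLine=/\/shadow/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: MSTSC /shadow
  isLive: false
  type: query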
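# Hunt: WINWORD.EXE started with an http(s) URL on its command line.
c143f949-7345-4cb2-9ea5-a7e4332559f1:
  x: 0
  y: 44
  description: Downloads payload from remote server
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="WINWORD.EXE"
    | CommandLine=/http\:\/\/|https\:\/\//i
    | ParentBaseFileName=*
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: WINWORD
  isLive: false
  type: query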
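# Hunt: command lines referencing "svhost.exe", a look-alike of the legitimate
# svchost.exe name.
34a7934a-dccc-4e68-928d-b90c8ad8ce40:
  x: 0
  y: 68
  description: Command lines referencing svhost.exe (masquerading on the svchost.exe name)
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win
    | CommandLine=/svhost\.exe/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
    | table([ComputerName,UserName,ExecutionChain,CommandLine,GrandparentCommandLine,TargetProcessId,ParentProcessId,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: SVHOST USAGE - REVERSE SHELL
  isLive: false
  type: query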
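# Hunt: tar.exe extracting a .tar from a UNC (\\host\share) path.
be5efbf4-e54e-4ffa-babf-e29aa4fe0f9a:
  x: 8
  y: 32
  description: Extracts archive.tar from the remote (internal) host (\\host\*.tar) to the current host.
  height: 4
  # tar flags are case-sensitive (-x vs -X), so the -xf match stays
  # case-sensitive; `\\\\.*\\` requires a UNC-style path on the command line.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="tar.exe"
    | CommandLine=/\-xf/
    | CommandLine=/\\\\.*\\/
    | CommandLine=/\.tar/
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    columns:
      - fieldName: '@timestamp'
        format: datetime
        type: field
        width: 200
      - groupByPrefix: false
        header: Field List
        type: fieldList
    newestAtBottom: true
    showOnlyFirstLine: false
    visualization: list-view
  title: TAR Remote(Internal) Extract
  isLive: false
  type: query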
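# Hunt: rundll32 Shell32.dll launching content from user-writable folders.
a540a719-8065-40cd-86b2-f536544f2d96:
  x: 8
  y: 60
  description: Shell32 initiating file(s) from AppData, Downloads, Public, or Temp
  height: 4
  # The folder match is now case-insensitive (paths on the command line are
  # frequently lower-cased, e.g. \appdata\, \temp\).
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="rundll32.exe"
    | CommandLine=/Shell32\.dll/i
    | CommandLine=/AppData|Downloads|Public|Temp/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  # Same host pivot as the other widgets in this dashboard.
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  # Trailing space removed from the original title.
  title: RUNDLL32 (Shell32)
  isLive: false
  type: query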
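# Hunt: msedge_proxy.exe fetching a .zip or .exe over HTTP(S).
60a8d5ef-9d31-4365-bbee-a9c5e6a57add:
  x: 4
  y: 40
  description: msedge_proxy will download malicious file.
  height: 4
  # ComputerName and UserName are added to the group keys: groupBy() drops
  # every other field, and the "Investigate Host" link below needs
  # fields.ComputerName. Date was also dropped by the original groupBy(), so
  # the newest @timestamp per group is aggregated and used as the sort key;
  # sort() defaults to 200 rows so its limit matches groupBy()'s.
  queryString: |-
    event_platform=Win FileName="msedge_proxy.exe"
    | CommandLine=/http\:\/\/|https\:\/\//i
    | CommandLine=/\.zip$|\.exe$/i
    | groupBy([ComputerName,UserName,CommandLine,ParentBaseFileName], function=[count(as=Count), max(@timestamp, as=LastSeen)], limit=20000)
    | LastSeen := formatTime("%Y-%m-%d %H:%M:%S", field=LastSeen, locale=en_US, timezone=Z)
    | sort(LastSeen, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    columns:
      - fieldName: '@timestamp'
        format: datetime
        type: field
        width: 200
      - groupByPrefix: false
        header: Field List
        type: fieldList
    newestAtBottom: true
    showOnlyFirstLine: false
    visualization: list-view
  title: MSEDGE PROXY - File Download
  isLive: false
  type: query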
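# Hunt: msiexec /y registering a DLL (DllRegisterServer).
71436778-9716-44c3-9dc3-715eabd3ca1b:
  x: 0
  y: 28
  description: Calls DllRegisterServer to register the target DLL.
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="msiexec.exe"
    | CommandLine=/\/y/i
    | CommandLine=/\.dll/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: MSIEXEC /y
  isLive: false
  type: query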
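# Hunt: certutil.exe used for download, ADS writes, or encode/decode.
804fff84-c232-43ec-a894-0bd2548302bf:
  x: 8
  y: 4
  description: Download file from Internet. Save file to an Alternate Data Stream (ADS). Decode or encode a file.
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="certutil.exe"
    | CommandLine=/encode|decode|urlcache|verifyctl/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: CERTUTIL
  isLive: false
  type: query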
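# Hunt: url.dll OpenURL invoked with an .hta / .htm(l) target.
6c431b25-cc97-4496-b29d-7b641bee7d77:
  x: 8
  y: 36
  description: Launch a HTML application payload by calling OpenURL.
  height: 4
  # `\.htm` is deliberately unanchored so .htm and .html both match; `\.hta$`
  # stays anchored to the end of the command line.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win
    | CommandLine=/url\.dll/i
    | CommandLine=/\.hta$|\.htm/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns:
      CommandLine:
        width: 594
    row-numbers-enabled: false
    visualization: table-view
  title: URL.DLL - HTML
  isLive: false
  type: query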
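# Hunt: msiexec /z un-registering a DLL (DllUnregisterServer).
9f2188f2-3fbc-4adb-99f1-46b17f9c6cbf:
  x: 4
  y: 32
  description: Calls DllUnregisterServer to un-register the target DLL.
  height: 4
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="msiexec.exe"
    | CommandLine=/\/z/i
    | CommandLine=/\.dll/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: MSIEXEC /z
  isLive: false
  type: query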
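# Hunt: schtasks /create with a per-minute schedule.
058a8297-ec35-49db-8cdd-929c4a2afcc2:
  x: 4
  y: 48
  description: Create a recurring task to execute every minute.
  height: 4
  # schtasks switches and schedule names are case-insensitive and commonly
  # written /Create, /SC MINUTE; the original case-sensitive patterns missed
  # those spellings.
  # sort() defaults to 200 rows, so its limit is raised to match table()'s.
  queryString: |-
    event_platform=Win FileName="schtasks.exe"
    | CommandLine=/\/create/i
    | CommandLine=/\/sc/i
    | CommandLine=/minute/i
    | Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
    | table([ComputerName,UserName,FileName,CommandLine,ParentBaseFileName,Date], limit=20000)
    | sort(Date, limit=20000)
  end: now
  start: 7d
  width: 4
  interactions:
    - name: Investigate Host
      urlEncodeArgs: true
      urlTemplate: https://falcon.crowdstrike.com/search/?term=_all%3A~'{{fields.ComputerName}}'
      openInNewTab: true
      type: customlink
  options:
    cell-overflow: wrap-text
    configured-columns: {}
    row-numbers-enabled: false
    visualization: table-view
  title: SCHTASKS
  isLive: false
  type: query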
# Dashboard export schema (LogScale/Humio dashboard format v0.20.0) this file conforms to.
$schema: https://schemas.humio.com/dashboard/v0.20.0