CrowdStrike Queries
CrowdStrike Query Language (CQL) searches
AWS IAM AccessDenied
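// AWS CloudTrail AccessDenied errors raised by IAM users (type IAMUser, so
// not assumed roles) whose user agent does not contain amazonaws.com.
// Events whose error message or caller ARN reference a "dev" identity are
// excluded, the remaining denials are bucketed per hour per
// outcome/ARN/user agent/source IP, and only buckets with at least 5
// denials in the hour are shown. Dots in the exclusion regexes are escaped
// so they match a literal "." instead of any character.
#Vendor=aws error.code="AccessDenied" Vendor.userIdentity.type="IAMUser" user_agent.original!=/\.amazonaws\.com/
// Drops any error message containing "dev". The original alternatives
// -dev|dev|.dev are all subsumed by the bare "dev" substring, so this is
// equivalent — and broad: a message containing e.g. "device" is dropped too.
| error.message!=/dev/
// Drops caller ARNs containing "-dev" or ".dev" (literal dot).
| Vendor.userIdentity.arn!=/-dev|\.dev/
| Methods := Vendor.eventName
| Sources := Vendor.eventSource
| IP := source.ip
| ARN := Vendor.userIdentity.arn
| UserAgent := Vendor.userAgent
// Keep only events that carry both an API method and an event source.
| Methods=*
| Sources=*
// One row per hour per outcome/ARN/user agent/IP: how many denials, which
// methods and services were denied, and the first/last timestamp seen.
| bucket(60min, field=[#event.outcome,ARN,UserAgent,IP], limit=50, function=([count(#event.outcome, as="AccessDenied Per Hour"), collect([Methods, Sources]), max(@timestamp, as=LastSeen), min(@timestamp, as=FirstSeen)]))
| FirstSeen:=formatTime(format="%F %T", field="FirstSeen")
| LastSeen:=formatTime(format="%F %T", field="LastSeen")
| FirstSeen=*
// Alert threshold: 5 or more denials for the same identity/agent/IP in one hour.
| "AccessDenied Per Hour">=5
| table([IP,ARN,Methods,"AccessDenied Per Hour",FirstSeen,UserAgent,LastSeen,Sources], limit=20000)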
Follow ProcessId
//Enter filename in ProcessId form to get started, then use the presented process id's to proceed
// Process-tree pivot for one Windows host. ?ComputerName selects the host;
// ?ProcessId is applied as a regex over the whole raw event (@rawstring), so
// it can hold a file name on the first run and a process id on later runs.
// Because the match is against the raw event, a bare numeric id can also hit
// timestamps, hashes or other numbers in the event — expect some noise.
event_platform=Win ComputerName=?ComputerName
| regex(?ProcessId, field="@rawstring")
// Keep only events that carry a command line (process events).
| CommandLine=*
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
// Renders grandparent -> parent -> child (pid) as an indented chain.
| ExecutionChain:=format(format="%s\n\t└ %s\n\t\t└ %s (%s)", field=[GrandParentBaseFileName,ParentBaseFileName,FileName,RawProcessId])
| table([ComputerName,UserName,ExecutionChain,CommandLine,TargetProcessId,GrandparentCommandLine,ParentBaseFileName,ParentProcessId,Date], limit=20000)
// No order given, so sort() uses its default (descending): newest Date first.
| sort(Date, limit=20000)
DLL Sideloading //DLL & EXE written to the same directory within a short amount of time
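// DLL sideloading candidate: an .exe and a .dll created in the same
// user-writable staging directory on the same host within a 10-minute window.
// Path separators are written as \\ so the regex matches a literal backslash;
// the original single-backslash form (\Windows\Temp\|...) was read as regex
// escapes, including \| which turned the alternation into a literal "|".
// Dots before extensions are escaped so ".exe" means a literal dot.
#event_simpleName=FileCreateInfo event_platform=Win FileName=/\.(?:exe|dll)$/i
| FileName!=/DismHost\.exe/
| FilePath=/\\Windows\\Temp\\|\\Downloads\\|\\Public\\/
// Tag each file by extension so the bucket can count distinct types.
| case{ FileName=/\.exe$/i
| FileType := "exe"; FileName=/\.dll$/i
| FileType := "dll"; }
// Per host (aid) and directory, per 10 minutes: number of distinct file
// types, number of files, and the host/file names involved.
| bucket(field=[aid, FilePath], function=([count(FileType, distinct=true, as=distinctFileTypes), count(FileType, as=fileCount), collect([ComputerName, FileName, FileType])]), span=10min, limit=500)
// Both an exe and a dll must appear in the same bucket.
| test(distinctFileTypes == 2)
| table([ComputerName, FilePath, FileName, distinctFileTypes, fileCount, FileType])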
Okta Auth via VPN
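// Okta sign-ins from a "Computer" client whose debug data reports a tunnel
// (VPN/proxy) in use. Apple iCloud Private Relay and null tunnel entries are
// excluded. The tunnel name is extracted from the tunnels JSON into VPN.
#Vendor=okta user.name=/@/
| user.name!="system@okta.com"
| Vendor.client.device="Computer"
| Vendor.debugContext.debugData.tunnels=*
| Vendor.debugContext.debugData.tunnels!=/ICLOUD_RELAY_PROXY|\:null\,/
| #event.outcome=*
| Vendor.AppInstance.displayName=*
| Risk := Vendor.debugContext.debugData.risk
| Target := Vendor.AppInstance.displayName
| Device := Vendor.client.device
| Reason := Vendor.outcome.reason
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| "User Name":=format(format="%s\n\t└ %s", field=[user.name,user.full_name])
| "Outcome":=format(format="%s\n\t└ %s", field=[message,#event.outcome])
| Source:=format(format="%s\n\t└ %s\n\t\t└ %s\n\t\t└ %s", field=[client.geo.country_name,client.geo.region_name,Vendor.securityContext.isp,Vendor.request.ipChain[0].ip])
// Extract the quoted value that precedes "type":"VPN" into the VPN field.
// The named capture group (?<VPN>...) is what creates the VPN column used by
// table() below — the original had lost the group name, so VPN was never
// set. Inner double quotes are escaped inside the pattern string. regex() is
// strict by default, so events with no VPN-type tunnel entry are dropped here.
| regex("\"(?<VPN>[^\"]+)\",\"type\":\"VPN\"", field="Vendor.debugContext.debugData.tunnels")
| table(["User Name",VPN,Device,Source,Target,Outcome,Reason,Risk,Date], limit=20000)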
PasswordLastChanged
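// Last password change per user principal, oldest first. Rows whose change
// date contains "2024" are dropped, so the output is the set of accounts
// whose password was NOT changed during 2024. The year is hard-coded; update
// it when re-running. The exclusion now runs before the aggregation so the
// groupBy/table/sort limits are spent only on rows that will be shown (in the
// original it ran last, after sort()).
#event_simpleName=UserIdentity name=UserIdentityV3
| UserPrincipal=* PasswordLastSet=*
| UserPrincipal!="" PasswordLastSet!=""
// PasswordLastSet is scaled by 1000 before formatTime(): it is treated as
// seconds and formatTime() is handed milliseconds.
| PasswordChangedTime := PasswordLastSet * 1000
| PasswordLastChanged := formatTime("%Y-%m-%d %H:%M:%S", field=PasswordChangedTime, locale=en_US, timezone=Z)
| PasswordLastChanged!=*2024*
| groupBy([UserPrincipal,PasswordLastChanged], limit=20000)
| table([UserPrincipal,PasswordLastChanged], limit=20000)
// %Y-%m-%d strings sort chronologically, so ascending is oldest first.
| sort(field=PasswordLastChanged, order=ascending, limit=20000)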
Suspicious LDAP search //Matched LDAP signature: Impacket (GetUserSPNs)/CrackMapExec (Kerberoasting)
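// Kerberoasting reconnaissance: an LDAP search whose filter references
// servicePrincipalName, arriving over a CIFS service identifier. The "*" in
// the first regex is a quantifier, not a literal, so the match is
// "servicePrincipalName" followed by zero or more "=" — broader than the
// literal (servicePrincipalName=*) presence filter; kept as written.
LdapSearchFilterSample=/servicePrincipalName=*/i TargetServiceAccessIdentifier=/^cifs/i
| Source:=format(format="%s\n\t└ %s\n\t\t└ %s", field=[SourceEndpointAddressIP4,SourceAccountUserName,SourceEndpointHostName])
| Alert:=format("GetUserSPNs\n\t└ %s", field="name")
| Attributes:=format(format="%s\n\t└ %s\n\t└ %s", field=[LdapSearchAttributes,LdapSearchBaseObjectSample,LdapSearchFilterSample])
// Output column renamed from the misspelled "Destionation".
| Destination:=format(format="%s\n\t└ %s", field=[LocalIP,TargetServiceAccessIdentifier])
| select([Source,Alert,Attributes,Destination,@timestamp])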
lookup_file
// To utilize a lookup file within CQL, first export a comma separated value list (CSV).
// Upload the lookup to CrowdStrike from the Advanced Event Search page (Be mindful which customer ID this is uploaded to).
// Once uploaded, use the example command below to look for any events that match the strings in the CSV.
// In the example below, the uploaded CSV is called Old_Hosts.csv and matches are being searched within the CQL event field "ComputerName".
// The column in the CSV is called "Old_Device". If there is no column name, create one before uploading the CSV or try using "column=column1" in the search.
// match() keeps only events whose ComputerName value appears in the
// Old_Device column (strict matching is the default; pass strict=false to
// keep non-matching events as well).
| match(file="Old_Hosts.csv", field=[ComputerName], column=Old_Device)
| groupBy([ComputerName])
// To use multiple input files, chain one match() per file; each stage
// further narrows the events to those that match that file:
| match(file="spider.csv", field=[DomainName], column=Domains)
| match(file="sha_spider.csv", field=[SHA256HashData], column=Hash)
| groupBy([ComputerName,DomainName,SHA256HashData])
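// ServiceAccessRequestFailure - Sharphound
// Bursts of Kerberos service-ticket request failures from one source IP
// within 15 minutes (KerberosErrorCode 7 is KDC_ERR_S_PRINCIPAL_UNKNOWN in
// RFC 4120: the requested SPN does not exist), the footprint of bulk SPN
// enumeration. In the original the title shared a line with the query's
// first term; it is moved into this comment so the query pastes as-is.
#event_simpleName=ActiveDirectoryServiceAccessRequestFailure
| KerberosErrorCode=7
// Source is built here but bucket() below keeps only its aggregates, so it
// never reaches the output.
| Source:=format(format="%s\n\t└ %s\n\t\t└ %s", field=[SourceEndpointAddressIP4,SourceEndpointNetworkTag,SourceEndpointHostName])
// Effectively redundant with the #event_simpleName term above; kept as written.
| name=/ServiceAccessRequestFailure/i
| Alert:="ServiceAccessRequestFailure"
// NOTE(review): the right-hand side is the event-type name rather than a
// known field, and ServiceAccessRquestFailure (sic) is never referenced
// below. Looks like a stray line; confirm the result set before removing it.
| ServiceAccessRquestFailure := ActiveDirectoryServiceAccessRequestFailureV8
| DestIP := LocalIP
| SrcIP := SourceEndpointAddressIP4
// Per 15-minute bucket: count of failed target SPNs, a nested groupBy on
// SrcIP (its default count() yields _count), and the collected alert/DestIP.
| bucket(span=15m, function=([count(TargetServiceAccessIdentifier, as=Targets), groupBy("SrcIP"), collect([Alert,DestIP])]), limit=500)
// Threshold: at least 450 failures from one source IP in a 15-minute bucket.
| _count >= 450
// NOTE(review): length() compares the digit counts of Targets and _count,
// not their values; confirm this is the intended check.
| test(length(Targets) == length(_count))
| table([SrcIP, Alert, DestIP, Targets])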
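// IncomingLdapSearchRequest - Sharphound
// Accounts issuing many distinct LDAP searches on sAMAccountName — bulk user
// enumeration. In the original the title shared a line with the query's
// first term; it is moved into this comment so the query pastes as-is. The
// filter regex is now case-insensitive: LDAP attribute names are
// case-insensitive and the original /samaccountname=/ would miss filters
// written as sAMAccountName.
#event_simpleName=ActiveDirectoryIncomingLdapSearchRequest
| LdapSearchFilterSample=/samaccountname=/i
// Source and Date are built here but groupBy() below keeps only
// SourceSamAccount plus its aggregates, so they never reach the output.
| Source:=format(format="%s\n\t└ %s\n\t\t└ %s", field=[SourceEndpointAddressIP4,SourceAccountUserName,SourceEndpointHostName])
| LocalIP=*
| TargetServiceAccessIdentifier=*
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| rename(field="SourceAccountSamAccountName", as="SourceSamAccount")
// Per account: number of distinct search filters and the collected targets/filters.
| groupBy([SourceSamAccount], function=([count(LdapSearchFilterSample, distinct=true, as=Target), collect([TargetServiceAccessIdentifier,LdapSearchFilterSample])]))
// Threshold: 50 or more distinct search filters from one account.
| Target >=50
| sort(Target, order=asc)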
Tor Connection Seen
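// Processes named tor on Windows/macOS making outbound IPv4 connections to
// addresses outside the RFC 1918 private ranges. Two fixes from the original:
// (1) the private-range exclusion was a free-text `NOT /^10.|^192.|^172./`,
// which is matched against the whole raw event rather than RemoteAddressIP4,
// so it most likely excluded nothing; it is now applied to the address field
// with escaped dots. (2) `ContextBaseFileName=tor` is an exact match that a
// Windows binary named tor.exe never satisfies; the regex accepts both.
// Note the original also excluded all of 192.* and 172.*; this version
// excludes only 192.168.0.0/16 and 172.16.0.0/12.
event_platform=/Win|Mac/ ComputerName=* ContextBaseFileName=/^tor(\.exe)?$/i
| #event_simpleName=NetworkConnectIP4
| RemoteAddressIP4!=/^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| groupBy([ComputerName,UserName,event_platform,RemoteAddressIP4,RemotePort,ContextBaseFileName,Date], limit=20000)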
MOTW EXE Download - FileName Not Matching OriginalFileName
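// MOTW-tagged .exe saved straight from a URL (not extracted from a .zip) into
// a user's Downloads or the Public folder, joined on TargetFileName to the
// FileWritten event so the PE OriginalFilename and SHA256 are available, then
// reduced to files whose on-disk name differs from OriginalFilename (renamed
// or masquerading executables). Path regexes use \\ for a literal backslash;
// the original's first alternative began with a single "\Users", which is a
// regex escape rather than a literal backslash. Dots before extensions are
// escaped.
event_platform=Win #event_simpleName=/MotwWritten/
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| FileName=/\.exe$/i
| ReferrerUrl!=/\.zip$/
| ReferrerUrl!=""
| join( {#event_simpleName=/FileWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| TargetFileName=/\.exe$/i
| OriginalFilename=*
| table([TargetFileName,OriginalFilename,SHA256HashData], limit=20000)}, field=TargetFileName, include=[OriginalFilename,SHA256HashData] )
// The mismatch the title promises was never checked in the original. Compare
// case-insensitively so Setup.exe vs setup.exe is not reported as a mismatch.
| lower(field=FileName, as=fileNameLower)
| lower(field=OriginalFilename, as=originalNameLower)
| test(fileNameLower != originalNameLower)
| URL:=format(format="%s\n\t└ %s", field=[ReferrerUrl,HostUrl])
| File:=format(format="%s\n\t└ %s", field=[FileName,OriginalFilename])
| HostUrl!=""
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| table([ComputerName,File,URL,SHA256HashData,TargetFileName,Date], limit=20000)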
MOTW EXE Download
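// MOTW-tagged .exe saved straight from a URL (not extracted from a .zip) into
// a user's Downloads or the Public folder, joined on TargetFileName to the
// FileWritten event for files that carry NO OriginalFilename (!=* tests field
// absence) to pick up the SHA256. Path regexes use \\ for a literal
// backslash; the original's first alternative began with a single "\Users",
// which is a regex escape rather than a literal backslash. Dots before
// extensions are escaped.
#event_simpleName=/MotwWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| FileName=/\.exe$/i
| ReferrerUrl!=/\.zip$/
| ReferrerUrl!=""
| join( {#event_simpleName=/FileWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| TargetFileName=/\.exe$/i
| OriginalFilename!=*
| table([TargetFileName,OriginalFilename,SHA256HashData], limit=20000)}, field=TargetFileName, include=[OriginalFilename,SHA256HashData] )
| URL:=format(format="%s\n\t└ %s", field=[ReferrerUrl,HostUrl])
| HostUrl!=""
| File:=format(format="%s", field=[FileName])
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| table([ComputerName,File,URL,SHA256HashData,TargetFileName,Date], limit=20000)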
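// EXE Download from ZIP - FileName Not Matching OriginalFileName
// MOTW-tagged .exe whose referrer is a .zip (extracted from a downloaded
// archive) in a user's Downloads or the Public folder, joined on
// TargetFileName to the FileWritten event for the PE OriginalFilename and
// SHA256, then reduced to files whose on-disk name differs from
// OriginalFilename. In the original the title shared a line with the query's
// first term; it is moved into this comment. Path regexes use \\ for a
// literal backslash (the original's first alternative had a single "\Users");
// dots before extensions are escaped.
#event_simpleName=/MotwWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| FileName=/\.exe$/i
| ReferrerUrl=/\.zip$/
| ReferrerUrl!=""
| join( {#event_simpleName=/FileWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| TargetFileName=/\.exe$/i
| OriginalFilename=*
| table([TargetFileName,OriginalFilename,SHA256HashData], limit=20000)}, field=TargetFileName, include=[OriginalFilename,SHA256HashData] )
// The mismatch the title promises was never checked in the original. Compare
// case-insensitively so Setup.exe vs setup.exe is not reported as a mismatch.
| lower(field=FileName, as=fileNameLower)
| lower(field=OriginalFilename, as=originalNameLower)
| test(fileNameLower != originalNameLower)
| Origin:=format(format="%s", field=[ReferrerUrl])
| File:=format(format="%s\n\t└ %s", field=[FileName,OriginalFilename])
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| table([ComputerName,File,Origin,SHA256HashData,TargetFileName,Date], limit=20000)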
EXE Download from ZIP
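// MOTW-tagged .exe whose referrer is a .zip (extracted from a downloaded
// archive) in a user's Downloads or the Public folder, joined on
// TargetFileName to the FileWritten event for files that carry NO
// OriginalFilename (!=* tests field absence) to pick up the SHA256. Path
// regexes use \\ for a literal backslash (the original's first alternative
// had a single "\Users"); dots before extensions are escaped.
#event_simpleName=/MotwWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| FileName=/\.exe$/i
| ReferrerUrl=/\.zip$/
| ReferrerUrl!=""
| join( {#event_simpleName=/FileWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| TargetFileName=/\.exe$/i
| OriginalFilename!=*
| table([TargetFileName,OriginalFilename,SHA256HashData], limit=20000)}, field=TargetFileName, include=[OriginalFilename,SHA256HashData] )
| Origin:=format(format="%s", field=[ReferrerUrl])
| File:=format(format="%s", field=[FileName])
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| table([ComputerName,File,Origin,SHA256HashData,TargetFileName,Date], limit=20000)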
MOTW MSI Download
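// MOTW-tagged .msi saved straight from a URL (not extracted from a .zip) into
// a user's Downloads or the Public folder, joined on TargetFileName to the
// FileWritten event for files that carry NO OriginalFilename (!=* tests field
// absence) to pick up the SHA256. Path regexes use \\ for a literal
// backslash (the original's first alternative had a single "\Users"); dots
// before extensions are escaped.
#event_simpleName=/MotwWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| FileName=/\.msi$/i
| ReferrerUrl!=/\.zip$/
| ReferrerUrl!=""
| join( {#event_simpleName=/FileWritten/ event_platform=Win
| FilePath=/\\Users\\.*\\Downloads\\|\\Users\\.*\\Public\\/
| TargetFileName=/\.msi$/i
| OriginalFilename!=*
| table([TargetFileName,OriginalFilename,SHA256HashData], limit=20000)}, field=TargetFileName, include=[OriginalFilename,SHA256HashData] )
| URL:=format(format="%s\n\t└ %s", field=[ReferrerUrl,HostUrl])
| HostUrl!=""
| File:=format(format="%s", field=[FileName])
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| table([ComputerName,File,URL,SHA256HashData,TargetFileName,Date], limit=20000)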
Mac - Base64 Decode Command
// macOS processes whose command line contains "base64 -d" (case-insensitive,
// so "-D" is covered too). Only the exact, argument-less "base64 -d" /
// "base64 -D" command lines are excluded; anything with more on the line
// (input file, pipes, further arguments) is kept.
event_platform=Mac
| FileName=*
| CommandLine=/base64\ -d/i
| CommandLine!=/^base64\ -d$|^base64\ -D$/
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| table([ComputerName,UserName,FileName,ParentBaseFileName,CommandLine,RawProcessId,SourceProcessId,TargetProcessId,ParentProcessId,ResponsiblePid,Date], limit=20000)
Mac - Possible Malicious Apple Plist
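// Persistence via launchd property lists in LaunchDaemons/LaunchAgents
// outside Apple-owned locations, whose name imitates an Apple plist
// (com.apple.<something>.plist). The original path regex spelled the
// directory "LaunchDeamons", which never matches the real /Library/LaunchDaemons,
// so only LaunchAgents was effectively being checked. Slashes inside the
// regex literals are escaped and dots made literal.
event_platform=Mac ParentBaseFileName=launchd ASEPFilePath=/\/Library\/LaunchDaemons|\/Library\/LaunchAgents/
// Drop Apple's own locations (/System/Library/... and /Library/Apple/...).
| ASEPFilePath!=/^\/System\/|^\/Library\/Apple\//
| ASEPFilePath=/com\.apple\..*\.plist/i
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| table([ComputerName,UserName,FileName,ParentBaseFileName,ASEPFilePath,Date], limit=20000)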
Mac - MOTW DMG download
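// macOS extended-attribute (quarantine/MOTW) write on a .dmg; the readable
// attribute value carries the origin URL. The original had a dangling "|" at
// the end of its first line followed by a second "|", leaving an empty
// pipeline stage that the parser is likely to reject; it is removed here and
// the stages are one per line. The .dmg match is left unanchored as in the
// original (so partial-download names containing ".dmg" also match); the dot
// is escaped.
event_platform=Mac #event_simpleName=FileExtendedAttrOperation FileName=/\.dmg/i
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| URL:=format(format="%s", field=[ExtendedAttributeValueReadable])
| URL!="null"
| URL=/http/
| File:=format(format="%s\n\t└ %s", field=[FilePath,FileName])
| table([ComputerName,UserName,File,URL,Date], limit=20000)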
Mac - DmgFileWritten
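// macOS .dmg written to a user's Downloads folder, joined on FileName to the
// extended-attribute event for the same file name to recover the download
// URL. Cleaned up from the original, which applied table() before the join —
// dropping @timestamp so the later Date recomputations had nothing to format
// — and then recomputed Date and re-applied table() twice more. One Date,
// one final table. Slashes inside regex literals are escaped and dots made
// literal.
// NOTE(review): the join key is FileName alone, not host-scoped; a .dmg with
// the same name on two hosts will cross-match — consider adding ComputerName
// to the join key if that matters for your environment.
#event_simpleName=/DmgFileWritten/ event_platform=Mac FileName=/\.dmg$/i FilePath=/\/Users\/.*\/Downloads\//
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| join( {event_platform=Mac #event_simpleName=FileExtendedAttrOperation FileName=/\.dmg$/i FilePath=/\/Users\/.*\/Downloads\//
| table([FileName,ExtendedAttributeValueReadable], limit=20000)},
field=FileName, include=[ExtendedAttributeValueReadable])
| URL:=format(format="%s", field=[ExtendedAttributeValueReadable])
| URL!=""
| File:=format(format="%s", field=[FileName])
| table([ComputerName,File,URL,Date], limit=20000)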
Mac - DMG Volume Mount
// macOS volume events whose volume name ends in .dmg (a mounted disk image).
// name carries the full event name; ContextProcessId presumably identifies the
// process context of the mount — confirm against the event schema.
event_platform=Mac #event_simpleName=/Volume/ VolumeName=/.dmg$/i
| Date := formatTime("%Y-%m-%d %H:%M:%S", field=@timestamp, locale=en_US, timezone=Z)
| select([ComputerName, VolumeName, ContextProcessId, name, Date, SHA256HashData])