CrowdStrike Queries
I have collected these over the years you should also look at:
https://github.com/BankSecurity/Threat_Hunting
- Suspicious DNS Requests
event_simpleName=SuspiciousDnsRequest | iplocation aip | stats values(ComputerName) values(LocalAddressIP4) values(aip) values(Country) count by DomainName
- Apps running from recycle bin
ImageFileName=*$Recycle.Bin* event_simpleName=ProcessRollup2 | stats values(name) values(MD5HashData) values(ComputerName) values(ImageFileName) count by aid
- Apps running user directories
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*\\AppData\\*" OR ImageFileName="*\\Desktop\\*" OR ImageFileName="*\\AppData\\Local\\*" OR ImageFileName="*\\AppData\\Local\\Temp\\*" OR ImageFileName="*\\AppData\\Roaming\\*") AND (ImageFileName!=*putty.exe* AND ImageFileName!=*puttytel.exe*) | regex ImageFileName=".*\\\\Desktop\\\\\w+\.exe|.*\\\\AppData\\\\\w+\.exe|.*\\\\AppData\\\\Local\\\\\w+.exe|.*\\\\AppData\\\\Local\\\\Temp\\\\\w+.exe|.*\\\\AppData\\\\Roaming\\\\\w+.exe" |table ComputerName UserName ImageFileName FileName SHA256HashData
- Apps running from Temporary Internet File Locations
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\*" OR ImageFileName="*\\AppData\\Local\\Mozilla\\Firefox\\Profiles*" OR ImageFileName="*\\AppData\\Local\\Google\\Chrome\\*" OR ImageFileName="*\\Downloads\\*") | regex ImageFileName=".*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\Temporary.Internet.Files\\\\\w+\.exe|.*\\\\AppData\\\\Local\\\\Mozilla\\\\Firefox\\\\Profiles\\\\\w+\.exe|.*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\\w+\.exe|.*\\\\Downloads\\\\\w+\.exe" | table ComputerName UserName ImageFileName FileName SHA256HashData
- New users created
event_simpleName=UserAccountCreated | table aid UserName UserRid ComputerName host name
- WMI Create Process
event_simpleName=WmiCreateProcess CommandLine!=*ccmcache* CommandLine!=*\\CCM\\* CommandLine!=*Nessus*| table timestamp ComputerName CommandLine
- Bits Transfers
event_simpleName=ProcessRollup2 FileName=bitsadmin.exe (CommandLine=*/Transfer* OR CommandLine=*/Addfile*) | dedup CommandLine | table _time aid ComputerName UserName ImageFileName CommandLine TargetFileName MD5HashData SHA256HashData | sort -_time
- PowerShell downloads
event_simpleName=ProcessRollup2 FileName=PowerShell.exe (CommandLine=*Invoke-WebRequest* OR CommandLine=*Net.WebClient* OR CommandLine=*Start-BitsTransfer*) | table ComputerName UserName FileName CommandLine
- PowerShell encoded commands
event_simpleName=ProcessRollup2 FileName=PowerShell.exe (CommandLine=*-enc* OR CommandLine=*encoded* AND CommandLine!=*encoding*) | table ComputerName UserName FileName CommandLine
- Powershell executions
event_platform="Win" cid=* aid=* ComputerName=* (ProcessRollup2 OR SyntheticProcessRollup2) FileName="powershell*" | eval _time=ProcessStartTime_decimal
| eval UserName=if(event_platform="Win",upper(UserName),upper(UserPrincipal)) | eval FileName=lower(FileName)
| eval Exec=if(match(lower(CommandLine),"invoke[-\(][^wn][^me][^io]") OR match(lower(CommandLine), "(icm|iex)[ \(|]") OR match(lower(CommandLine), "[^r][^e]start-(service|process)"),4,0)
| eval Dwnld=if(match(lower(CommandLine),"http://") OR match(lower(CommandLine),"web(client|request)") OR match(lower(CommandLine),"sockets") OR match(lower(CommandLine),"download(file|string)") OR match(lower(CommandLine),"bitstransfer"),4,0)
| eval Upld=if(match(lower(CommandLine),"uploadfile"),4,0)
| eval Encode=if(match(lower(CommandLine),"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(lower(CommandLine),"frombase64string"),5,0)
| eval ExecPol=if(match(lower(CommandLine),"bypass") OR match(lower(CommandLine),"unrestricted"),1,0)
| eval NonI=if(match(lower(CommandLine),"-noni"),1,0)
| eval NoProf=if(match(lower(CommandLine),"-nop"),1,0)
| eval Hidden=if(match(lower(CommandLine)," hidden") OR match(lower(CommandLine),"-windowstyle") OR match(lower(CommandLine), "-nonewwindow"),1,0)
| eval Domain=if(match(lower(CommandLine),"add-ad") OR match(lower(CommandLine),"get-ad"),3,0)
| eval VM=if(match(lower(CommandLine),"vbox") OR match(lower(CommandLine),"prl_") OR match(lower(CommandLine),"vm(tool|ware)") OR match(lower(CommandLine),"vmu*srvc"),3,0)
| eval Prxy=if(match(lower(CommandLine),"proxy"),4,0)
|eval obf1=if(match(lower(CommandLine),"join[^-]") OR match(lower(CommandLine),"\[char\][^3][^4]") OR match(lower(CommandLine),"reverse") OR match(lower(CommandLine),"BXOR"),4,0)
| eval NewCommand = CommandLine
| rex field=NewCommand mode=sed "s/`[0abfnrtv#$\"]//g"
| eval numTicks = mvcount(split(NewCommand,"`"))-1
| eval numPluses = mvcount(split(NewCommand,"+"))-1
| eval obf2 = if(numTicks > 5 OR numPluses > 5,4,0)
| addtotals fieldname=Score Exec Dwnld Upld Encode ExecPol NonI NoProf Hidden Domain VM Prxy obf1 obf2
| stats values(_time) AS Timestamp, values(UserName) AS "User Name", values(ParentProcessId_decimal) AS "Parent Process ID", values(RawProcessId_decimal) AS PID, values(Score) AS Score, values(Exec) AS Exec, values(Dwnld) AS Dwnld, values(Encode) AS Encode, values(ExecPol) AS ExecPol, values(NonI) AS NonI, values(NoProf) AS NoProf, values(Hidden) AS Hidden, values(Domain) AS Domain, values(Prxy) AS Prxy, values(VM) AS VM, values(obf1) AS obf1, values(obf2) AS obf2, values(CommandLine) AS "Command Line", values(aid) AS aid by ComputerName TargetProcessId_decimal
| eval fStart=Timestamp-3600
| eval fEnd=Timestamp+3600
| rename TargetProcessId_decimal AS "Process ID", ComputerName AS "Host Name", Timestamp AS "Time (UTC)"
| fieldformat "Time (UTC)"=strftime('Time (UTC)', "%Y-%m-%d %H:%M.%S")
| sort 0 -Score, -"Time (UTC)"
- Psexec usage
event_simpleName=CreateService ServiceDisplayName=PSEXESVC | table timestamp ClientComputerName ServiceDisplayName ServiceImagePath
- New executables created
(event_simpleName=NewExecutableWritten) AND (TargetFileName="*\\AppData\\*" OR TargetFileName="*\\Desktop\\*" OR TargetFileName="*\\AppData\\Local\\*" OR TargetFileName="*\\AppData\\Local\\Temp\\*" OR TargetFileName="*\\AppData\\Roaming\\*") | stats dc(FileIdentifier) AS Count, values(TargetFileName) AS TargetFileName by ComputerName | sort ComputerName
- Social Media
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*spotify*" OR ImageFileName="*facebook*" OR ImageFileName="*hootsuite*" OR ImageFileName="*hubspot*" OR ImageFileName="*meetedgar*" OR ImageFileName="*tweetdeck*" OR ImageFileName="*ifttt*" OR ImageFileName="*buffer*" OR ImageFileName="*sprout*" OR ImageFileName="*raven*" OR ImageFileName="*agorapulse*" OR ImageFileName="*sendible*" OR ImageFileName="*iconsquare*" OR ImageFileName="*sprinklr*" OR ImageFileName="*drumup*" OR ImageFileName="*tailwind*" OR ImageFileName="*eclincher*" OR ImageFileName="*kontentino*" OR ImageFileName="*publer*" OR ImageFileName="*yala*")|table ComputerName UserName ImageFileName FileName SHA256HashData
- File sharing program usage
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*\\FDM*" OR ImageFileName="*\\OneDrive*" OR ImageFileName="*DropBox.exe*" OR ImageFileName="*\\Box\\*" OR ImageFileName="*icloud*" OR ImageFileName="*egnyte*" OR ImageFileName="*dropsend*" OR ImageFileName="*Hightail*" OR ImageFileName="*justcloud*" OR ImageFileName="*Onehub*" OR ImageFileName="*OpenDrive*" OR ImageFileName="*sharedfile*" OR ImageFileName="*SugarSync*" OR ImageFileName="*4shared*" OR ImageFileName="*Googledrivesync.exe*" OR ImageFileName="*owncloud*" OR ImageFileName="*efile*" OR ImageFileName="*masv*" OR ImageFileName="*wire*" OR ImageFileName="*wetransfer*" OR ImageFileName="*filecloud*")|table ComputerName UserName ImageFileName FileName SHA256HashData
FDM - https://www.freedownloadmanager.org/
DropBox - https://www.dropbox.com/
Box - https://www.box.com/
Egnyte - https://www.egnyte.com/
Dropsend - https://www.dropsend.com/
Hightail - https://www.hightail.com/
Justcloud - https://www.justcloud.com/
Onehub - https://www.onehub.com/
OpenDrive - https://www.opendrive.com/
SugarSync - https://www1.sugarsync.com/
4shared - https://www.4shared.com/
Google drive - https://www.google.com/drive/
Owncloud - https://owncloud.com/
Efile - https://www.efilecabinet.com/
masv - https://massive.io/
Wetransfer - https://wetransfer.com/
Filecloud - https://www.getfilecloud.com/
- Torrent program usage
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*\\qBittorrent*" OR ImageFileName="*Vuze*" OR ImageFileName="*\\Deluge*" OR ImageFileName="*utorrent*" OR ImageFileName="*bittorrent*" OR ImageFileName="*tixati*" OR ImageFileName="*transmission*" OR ImageFileName="*tribler*" OR ImageFileName="*bitcomet*" OR ImageFileName="*halite*" OR ImageFileName="*frostwire*" OR ImageFileName="*bitlord*")|table ComputerName UserName ImageFileName FileName SHA256HashData
- Tor and proxy program usage
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*\\tor*" OR ImageFileName="*i2p*" OR ImageFileName="*\\psiphon*" OR ImageFileName="*anonymizer*" OR ImageFileName="*freegate*" OR ImageFileName="*vidalia*" OR ImageFileName="*freeproxy*")|table ComputerName UserName ImageFileName FileName SHA256HashData
- Screen sharing – remote desktop program usage
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2) AND (ImageFileName="*remoting_host*" OR ImageFileName="*bomgar*" OR ImageFileName="*logmein*" OR ImageFileName="*LMI_Rescue*" OR ImageFileName="*LMIIgnition*" OR ImageFileName="*teamviewer*" OR ImageFileName="*RemotePC*" OR ImageFileName="*gotomypc*" OR ImageFileName="*Anyplace*" OR ImageFileName="*showmypc*" OR ImageFileName="*Splashtop*" OR ImageFileName="*radmin*" OR ImageFileName="*joinme*" OR ImageFileName="*anymeeting*" OR ImageFileName="*discord*" OR ImageFileName="*anydesk*" OR ImageFileName="*mingleview*" OR ImageFileName="*vnc*")|table _time ComputerName UserName LocalAddressIP4 ImageFileName FileName
Remoting_host
Bomgar
Logmein
LMI_Rescue
LMIIgnition
Teamviewer
RemotePC
Gotomypc
Anyplace
Showmypc
Splashtop
Radmin
Joinme
Anymeeting
Discord
Anydesk
Mingleview
vnc
- Common reconnaissance tool usage
event_simpleName=ProcessRollup2 (FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe OR FileName=quser.exe OR FileName=ping.exe OR FileName=netstat.exe OR FileName=tasklist.exe OR FileName=Hostname.exe OR FileName=at.exe) | table ComputerName UserName FileName CommandLine
- Binaries running as a service not in system32
event_simpleName=ServiceStarted ImageFileName!="*\\System32\\*" CommandLine!="C:\\Windows\\servicing\\TrustedInstaller.exe" | table aid ServiceDisplayName ImageFileName CommandLine ClientComputerName RemoteAddressIP4 RemoteAddressIP6
- Svchost.exe not running from system32
event_simpleName=ServiceStarted ImageFileName="*\\svchost.exe" ImageFileName!="*\\System32\\*" | table aid ServiceDisplayName ImageFileName CommandLine ClientComputerName RemoteAddressIP4 RemoteAddressIP6
- Service events created
event_simpleName=CreateService ServiceImagePath!="C:\\WINDOWS\\system32\\svchost.exe*" | table RemoteAddressIP4 ClientComputerName ServiceDisplayName ServiceImagePath
- Non-system32 binaries running as a hosted service
event_simpleName=HostedServiceStarted ImageFileName!="*\\System32\\*" | table aid ServiceDisplayName ImageFileName CommandLine ClientComputerName RemoteAddressIP4 RemoteAddressIP6
- Services that were stopped
event_simpleName=*ProcessRollup2 [search event_simpleName=ServiceStopped | fields cid aid TargetProcessId_decimal] | table aid ComputerName ImageFileName
- Outlook attachments opened by office documents
event_simpleName=ProcessRollup2 CommandLine=*content.outlook* FileName=winword.exe OR Filename=excel.exe OR POWERPNT.exe | eval splitter=split(CommandLine,"Outlook\\") | eval ShortFile=mvindex(splitter,-1) | table timestamp aid TargetProcessId ComputerName ShortFile CommandLine | sort – timestamp
- Find processes spawned as a child of excel/word
event_simpleName=processrollup2 [search event_simpleName=processrollup2 FileName IN (excel.exe, winword.exe) | rename TargetProcessId_decimal AS ParentProcessId_decimal | fields aid ParentProcessId_decimal] | stats count by ParentBaseFileName FileName CommandLine | sort - count
- Links opened from Outlook
event_simpleName=ProcessRollup2 FileName=outlook.exe | dedup aid TargetProcessId | rename FileName as Parent | rename CommandLine as ParentCmd | table aid TargetProcessId Parent ParentCmd | join max=0 aid TargetProcessId [search name=ProcessRollup* FileName=chrome.exe OR FileName=firefox.exe OR FileName=iexplore.exe | rename ParentProcessId as TargetProcessId | rename MD5HashData as MD5 | rename FilePath as ChildPath | dedup aid TargetProcessId MD5 | fields aid TargetProcessId FileName CommandLine] | table Parent ParentCmd FileName CommandLine aid
- Web servers or databases running under local system
event_simpleName="ProcessRollup2" (FileName=w3wp.exe OR FileName=sqlservr.exe OR FileName=httpd.exe OR FileName=nginx.exe) UserName="LOCAL SYSTEM" | dedup aid | table ComputerName UserName ImageFileName CommandLine
-User accounts added to administrator group
event_simpleName=UserAccountAddedToGroup DomainSid="S-1-5-21-*" | stats dc(ComputerName) AS "Host Count", values(ComputerName) AS "Host Name" by DomainSid, UserRid | eval UserRid_dec=tonumber(UserRid, 16) | fillnull UserRid | eval UserSid_readable=DomainSid."-".UserRid_dec | lookup usersid_username.csv UserSid_readable OUTPUT UserName | rename UserSid_readable AS UserSid, UserName AS "User Name" | table UserSid, "User Name", "Host Count", "Host Name"
- RDP connections
event_simpleName=UserIdentity LogonType_decimal=10 | table timestamp ComputerName UserName UserPrincipal LogonServer
- Deleted user accounts
event_simpleName=UserAccountDeleted | table aid UserName UserRid
- Scheduled tasks registered
event_simpleName=ScheduledTaskRegistered | stats values(TaskName) as TaskName values(TaskExecCommand) as TaskExecCommand values(TaskAuthor) as TaskAuthor values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4 values(RemoteAddressIP6) as RemoteAddressIP6 by aid
- Remote tasks
event_simpleName=ScheduledTaskRegistered ClientComputerName!="" | stats values(TaskName) as TaskName values(TaskExecCommand) as TaskExecCommand values(TaskAuthor) as TaskAuthor values(ClientComputerName) as ClientComputerName values(RemoteAddressIP4) as RemoteAddressIP4 values(RemoteAddressIP6) as RemoteAddressIP6 by aid
- Registry persistence
Run | Search event_simpleName=RegRemoteRegistry | table RemoteAddressIP4 ClientComputerName event_simpleName RegObjectName ImageFileName
- DNS requests spawning form javaw.exe
event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId [search event_simpleName="ProcessRollup2" ImageFileName="*javaw.exe"] | table ComputerName timestamp ImageFileName DomainName CommandLine
- JAR files written to AppData
event_simpleName=NewExecutableWritten TargetFileName="*\\AppData\\Roaming\\*\\*\.jar" | table ComputerName timestamp ImageFileName DomainName CommandLine
- JAR files executed from App data
event_simpleName=ProcessRollup2 FileName=javaw.exe CommandLine=*appdata* CommandLine=*-jar*| table event_simpleName ComputerName timestamp ImageFileName DomainName CommandLine
- ASEP for Java executables
event_simpleName=AsepValueUpdate RegObjectName=*\\Run (RegValueName=*\.jar OR ImageFileName=*\.jar OR CommandLineParameters=*\.jar) | table _time event_simpleName ContextImageFileName RegPostObjectName RegObjectName RegStringValue RegValueName CommandLineParameters ImageFileName | sort by -_time
=============================================================
- Event Search Full Query
ComputerName="NAME" | table _time ComputerName UserName event_simpleName FileName FilePath DomainName Severity CommandLine MD5HashData SHA256HashData TargetFileName ImageFileName TargetProcessId ParentProcessId ParentProcessId_decimal RawProcessId_decimal LocalAddressIP4 LocalPort_decimal RemoteAddressIP4 name TaskAuthor TaskName TaskXml RemotePort_decimal DetectName DetectDescription DetectSeverity DetectScenario ImageFileName sourcetype raw
- Event Search Full user Query
UserName="Name*" | table _time ComputerName UserName event_simplename DomainName Severity Commandline RemoteAddressIP4 RemotePort_decimal
event_simpleName="NetworkConnectIP4" OR event_simpleName="DnsRequest" AND RemoteAddressIP4!="127.0.0.1" AND RemoteAddressIP4!="192.168.*" AND RemoteAddressIP4!="172.16.*" AND RemoteAddressIP4!="172.17.*" AND RemoteAddressIP4!="172.18.*" AND RemoteAddressIP4!="172.19.*" AND RemoteAddressIP4!="172.20.*" AND RemoteAddressIP4!="172.21.*" AND RemoteAddressIP4!="172.22.*" AND RemoteAddressIP4!="172.23.*" AND RemoteAddressIP4!="172.24.*" AND RemoteAddressIP4!="172.25.*" AND RemoteAddressIP4!="172.26.*" AND RemoteAddressIP4!="172.27.*" AND RemoteAddressIP4!="172.28.*" AND RemoteAddressIP4!="172.29.*" AND RemoteAddressIP4!="172.30.*" AND RemoteAddressIP4!="172.31.*" AND RemoteAddressIP4!="10.*" AND RemotePort_decimal!="80" AND RemotePort_decimal!="443" AND RemotePort_decimal!="8008" AND RemotePort_decimal!="880*" | rename ContextProcessId as TargetProcessId | join TargetProcessId[search ExternalApiType="Event_DetectionSummaryEvent"] | table_time ComputerName UserName FileName FilePath LocalIP LPort RemoteAddressIP4 RemotePort_decimal DomainName CommandLine IOCType SHA256String MD5String SeverityName Severity DetectName DetectDescription
event_simpleName="NetworkConnectIP4" OR event_simpleName="DnsRequest" AND RemoteAddressIP4!="127.0.0.1" AND RemoteAddressIP4!="192.168.0.0/24" AND RemoteAddressIP4!="172.16.0.0/12" AND RemoteAddressIP4!="10.0.0.0/8" AND RemotePort_decimal!="80" AND RemotePort_decimal!="443" AND RemotePort_decimal!="8008" AND RemotePort_decimal!="880*" | rename ContextProcessId as TargetProcessId | join TargetProcessId[search ExternalApiType="Event_DetectionSummaryEvent"] | table_time ComputerName UserName FileName FilePath LocalIP LPort RemoteAddressIP4 RemotePort_decimal DomainName CommandLine IOCType SHA256String MD5String SeverityName Severity DetectName DetectDescription
event_simpleName="NetworkConnectIP4" OR event_simpleName="DnsRequest" AND RemoteAddressIP4!="127.0.0.1" AND RemoteAddressIP4!="192.168.0.0/24" AND RemoteAddressIP4!="172.16.0.0/12" AND RemoteAddressIP4!="10.0.0.0/8" AND LocalPort_decimal="3389" | rename ContextProcessId as TargetProcessId | join TargetProcessId[search ExternalApiType="Event_DetectionSummaryEvent"] | table_time ComputerName UserName FileName FilePath LocalIP LPort RemoteAddressIP4 RemotePort_decimal DomainName CommandLine IOCType SHA256String MD5String SeverityName Severity DetectName DetectDescription
- Process creating accounts
event_simpleName=*ProcessRolllup2 [search event_simpleName="UserAccountCreated" | rename RpcClientProcessId as TargetProcessId | fields aid TargetProcessId]
- network information
Eventtype=eam NetworkConnectIP4 cid=* ComputerName=* RemoteAddressIP4!=127.0.0.0/8 RemoteAddressIP4!=10.0.0.0/8 RemoteAddressIP4!=172.16.0.0/12 RemoteAddressIP4!=192.168.0.0/16 | iplocation RemoteAddressIP4 | table Country RemoteAddressIP4, RemotePort_decimal ComputerName LocalAddressIP4 event_platform LocalPort_decimal Protocol_decimal ConnectionDirection ConnectionFlags
- Event Search Complete
ComputerName=MB30-DOMCS002 | table _time ComputerName UserName event_simpleName FileName FilePath DomainName Severity CommandLine MD5HashData SHA256HashData TargetFileName ImageFileName TargetProcessId ParentProcessId LocalAddressIP4 LocalPort_decimal RemoteAddressIP4 RemotePort_decimal aip
- Remote to local IP
RemoteAddressIP4=0.0.0.0 | table_time LocalAddressIP4 event_platform RemoteAddressIP4
- Looking for local computers reaching out to a specific IP
RemoteAddressIP4=192.0.1.8 |table_time LocalIP LocalAddressIP4 event_platform RemoteAddressIP4 ComputerName RPort host source name
- Export all AV detections with a Score > 3
eventtype=eam_summary report="av_hits" detectionCount>3 | table_time ComputerName LocalIP FileName ImageFileName detectionCount nameString engineString MD5HashData SHA256HashData
- Pull all Scheduled Tasks and Related Fields
event_simpleName="Scheduled*" AND (TaskXml!="*SoftwareProtectionPlatform*" OR TaskXml!="*NET Framework*") | table _time ComputerName UserName event_simpleName FileName FilePath DomainName Severity CommandLine MD5HashData SHA256HashData TargetFileName ImageFileName TargetProcessId ParentProcessId LocalAddressIP4 LocalPort_decimal RemoteAddressIP4 name TaskAuthor TaskName TaskXml RemotePort_decimal aip
- Look at External Connections and the Executing Process
event_simpleName="NetworkConnectIP4" OR event_simpleName="DnsRequest" AND RemoteAddressIP4!="127.0.0.1" AND RemoteAddressIP4!="192.168.0.0/16" AND RemoteAddressIP4!="172.16.0.0/12" AND RemoteAddressIP4!="10.0.0.0/8" AND RemotePort_decimal!="80" AND RemotePort_decimal!="443" AND RemotePort_decimal!="8008" AND RemotePort_decimal!="880*" | rename ContextProcessId as TargetProcessId | join TargetProcessId[search ExternalApiType="Event_DetectionSummaryEvent"] | table_time ComputerName UserName FileName FilePath LocalIP LPort RemoteAddressIP4 RemotePort_decimal DomainName CommandLine IOCType SHA256String MD5String SeverityName Severity DetectName DetectDescription
- CrowdStrike Query for Lower Detections
search event_simpleName="CloudAssociateTreeId" OR event_simpleName="CloudAssociateTreeIdWithRoot" OR event_simpleName="AssociateIndicator" OR event_simpleName="AssociateTreeIdWithRoot" OR event_simpleName="AssociateTreeId"| dedup id, PatternId_decimal | table timestamp, ComputerName, FileName, CommandLine, SHA256HashData, PatternId_decimal, DetectName, DetectScenario, DetectDescription
- Linking FIleName to Process ID
event_simpleName="ProcessRollUp2" OR event_simpleName="SyntheticProcessRollUp2" | join TargetProcessId_decimal, aid [search event_simpleName="CloudAssociateTreeId" OR event_simpleName="CloudAssociateTreeIdWithRoot" OR event_simpleName="AssociateIndicator" OR event_simpleName="AssociateTreeIdWithRoot" OR event_simpleName="AssociateTreeId"]| dedup id, PatternId_decimal | table timestamp, ComputerName, FileName, CommandLine, SHA256HashData, PatternId_decimal, DetectName, DetectScenario, DetectDescription
- Remote IP to Local FIle w/ Detections
event_simpleName="NetworkConnectIP4" OR event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId[search ExternalApiType="Event_DetectionSummaryEvent"] | table_time ComputerName UserName FileName FilePath LocalIP LPort RemoteAddressIP4 RemotePort_decimal DomainName CommandLine IOCType SHA256String MD5String SeverityName Severity DetectName DetectDescription
- Remote IP to Local File on Host
event_simpleName="NetworkConnectIP4" OR event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId[search ExternalApiType="Event_DetectionSummaryEvent"] | table_time ComputerName UserName FileName FilePath LocalIP LPort RemoteAddressIP4 RemotePort_decimal DomainName CommandLine IOCType SHA256String MD5String SeverityName Severity DetectName DetectDescription
- Search All Domains
DomainName!="" | table time ComputerName ContextProcessId_decimal DomainName event_platform eventtype event_simpleName event_version sourcetype RequestType_decimal DnsRequestCount_decimal name source sourcetype "Agent IP"
- Program Name Search WildCard
event_simpleName=ProcessRollup2 & FileName="*torrent*" | table ComputerName UserName event_simpleName FileName FilePath CommandLine MD5HashData SHA256HashData TargetFileName ImageFileName TargetProcessId ParentProcessId LocalAddressIP4
- Pull back all System Information
event_simpleName=OsVersionInfo | eval ProductType=case(ProductType="1","Workstation", ProductType="2","Domain Controller", ProductType="3","Server", event_platform="Mac", "Workstation") | eval ServicePack=ServicePackMajor.".".ServicePackMinor | eval timestamp=strftime(_time, "%m/%d/%y %I:%M%p") | iplocation allfields=true aip | stats values(ComputerName) AS ComputerName values(LocalAddressIP4) AS "Local IP" first(aip) AS "External IP" values(event_platform) AS "OS" values(WinOSVersion) AS "WinVersion" values(OSXVersion) AS "OSXVersion" values(ServicePack) AS ServicePack values(ProductType) AS ProductType values(Country) AS Country values(Timezone) AS TimeZone by aid
- All Detection Events
EventType=Event_ExternalApiEvent Severity>0 | table_time ComputerName CommandLine DetectDescription DetectName EventType FileName FilePath IOCType MD5String MachineDomain ParentProcessId ProcessId ProcessStartTime SHA1String SHA256String Severity SeverityName UTCTimestamp timestamp
- Unmanaged Hosts
| inputlookup notmanaged.csv
| where now()-_time<86401
| stats max(_time) AS "Last Discovered Date", latest(CurrentLocalIP) AS CurrentLocalIP, values(MACPrefix) AS MACPrefix, latest(FirstDiscoveredDate) AS "First Discovered Date", latest(LastDiscoveredBy) AS "Last Discovered By" by MAC, cid
| lookup aid_master aid AS "Last Discovered By" OUTPUT ComputerName
| rename ComputerName AS "Last Discovered By"
| search
[ | inputlookup aid_master
| search ComputerName=* ComputerName!="none" aid=* cid=*
| join aid
[ | inputlookup managedassets.csv
| search
[ | inputlookup aid_master
| search ComputerName=* ComputerName!="none" aid=* cid=*
| fields aid ]
| stats latest(LocalAddressIP4) AS LocalAddressIP4 by aid
| eval CurrentLocalIP=LocalAddressIP4."/24" ]
| fields CurrentLocalIP ]
| fields MAC, CurrentLocalIP, MACPrefix, "First Discovered Date", "Last Discovered Date", "Last Discovered By"
| lookup macprefix.csv MACPrefix OUTPUT Manufacturer
| eval CurrentLocalIP=CurrentLocalIP."/24"
| rename CurrentLocalIP AS "Neighbor IP", MAC AS "Neighbor MAC"
| convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime("Last Discovered Date")
| convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime("First Discovered Date")
| sort 0 +"Neighbor IP"
| fields - MACPrefix