Skip to content

Instantly share code, notes, and snippets.

@henryd0
Forked from ag-michael/FalconHuntqueries.md
Created December 9, 2022 03:44
Show Gist options
  • Save henryd0/7b313bbd822dc1458d1fdbe324173add to your computer and use it in GitHub Desktop.
Save henryd0/7b313bbd822dc1458d1fdbe324173add to your computer and use it in GitHub Desktop.
Falcon hunt queries

timestamp convert:


 convert ctime(timestamp/1000)

.top,.club,.xyz,.ru domain lookups where the amount of lookup for the domain is more than 1 and less than 4 per computer


aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | stats values(ComputerName) count by DomainName| where count <4 | sort – count

.top,.club,.xyz,.ru domain lookups ,rare domainnames and computer names deduplicated by domain name


aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$" | rare DomainName,ComputerName limit=50|dedup DomainName| table DomainName,ComputerName

.top,.club,.xyz,.ru and numeric domain lookups,rare domainnames and computer names


aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$|.*\.ru$|[0-9]+.*\.\w$" | rare DomainName,ComputerName limit=100 | table DomainName ComputerName

.top,.club,.xyz,.ru domain lookups rare domainnames and computer names process execution details included


aid=* event_simpleName=DnsRequest | regex DomainName=".*\.top$|.*\.club$|.*\.xyz$" | rare DomainName,ComputerName limit=50| rename ContextProcessId as TargetProcessId|join TargetProcessId [search event_simpleName="ProcessRollup2"] | table ComputerName timestamp ImageFileName DomainName CommandLine

dns reqeusts from non-browser processes


event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId [search event_simpleName="ProcessRollup2" AND  OR NOT ImageFileName="iexplore.exe" AND NOT ImageFileName="chrome.exe" AND NOT ImageFileName="firefox.exe"] | table ComputerName timestamp ImageFileName DomainName CommandLine

dns requests by a specific process name


event_simpleName="DnsRequest" AND DomainName="*.*" AND NOT DomainName IN ("*.microsoft.com","*.symcb.com","*.symcd.com","*.digicert.com","*.intel.com","*.verisign.com","monitoring*.amazonaws.com","*.live.com","*.virtualearth.net")
|  rename ContextProcessId_decimal as TargetProcessId_decimal | join TargetProcessId_decimal [search event_simpleName="ProcessRollup2" AND  FileName IN ("WmiPrvSE.exe","cscript.exe","svchost.exe","powershell.exe")] 
| dedup DomainName,ComputerName
| table ComputerName DomainName CommandLine

dns reqeusts from unusual processes with command line and process sha256hash included


event_simpleName="DnsRequest" AND DomainName="*.*" AND NOT DomainName IN ("*.adobe.com","*.bing.com","crl.thawte.com","*.youtube.com","*google.com","*rubygems.org","*microsoft.com","*hp.com","*optimizely.com","*opera.com","*boardvantage.com","*certificates.godaddy.com","*dropbox.com","*crl.godaddy.com","*verisign.com","*mcafee.com","*autodesk.com","*scansafe.net","*theice.com","*oracle.com","*microsoftonline.com","*windows.net","*yahoo.com","*ocsp.digicert.com","*ocsp.entrust.net","*ocsp.godaddy.com","*ocsp.intel.com","*ocsp.thawte.com","*live.com","*skype.com","*symcd.com","*symcb.com","*trustedsource.org","*baidu.com","*amazon.co.uk","*anotherhost.com","*boardvantage.com","*cisco.com","*googleapis.com","*intel.com","*logitech.com","*icloud.com","*apple.com","octoshape.net","*office.net") 
| rename ContextProcessId_decimal as TargetProcessId_decimal
|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2" AND NOT ImageFileName IN ("*\opera.exe" ,"*\iexplore.exe" ,"*\chrome.exe" ,"*\firefox.exe" ,"*\SearchProtocolHost.exe")] 
|  table ComputerName timestamp ImageFileName DomainName CommandLine SHA256HashData

cscript,wscript and powershell commands with http/https urls exlcuding some domain names


event_simpleName="ProcessRollup2" AND NOT CommandLine="*site.com*" AND (CommandLine="*bitsadmin*"  OR CommandLine="*wscript*" OR CommandLine="*powershell*" OR CommandLine="*cscript*" )| regex CommandLine=".*\^.*|.*https*:\/\/.*\..*" |dedup CommandLine| table CommandLine ComputerName

network connections to unusual ports by unusual processes


event_simpleName=NetworkConnectIP4 AND NOT  RemoteAddressIP4 IN ("127.0.0.1","10.0.0.0/8","130.201.*","161.*",,"239.*","129.23*","172.*","192.168.*") AND NOT RemotePort_decimal IN (80,88,22,443,389,8081,135,445,1433) 
|  rename ContextProcessId_decimal as TargetProcessId_decimal 
|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2" AND NOT CommandLine IN ("C:\Program Files*" ,"C:\Program Files \(x86\)*","*ovdeploy*") AND NOT ImageFileName IN ("*\recline.exe","*\chrome.exe","*\iexplore.exe","*\firefox.exe","*\site_server.exe" ,"*\pmdtm.exe" ,"*\ovc.exe" ,"*\erl.exe" ,"*\hasys.exe" ,"*\rtmd.exe" ,"*\dm_agent_exec.exe" ,"*\hagrp.exe")] 
| dedup CommandLine SHA256HashData
|  table ComputerName TargetProcessId_decimal timestamp ImageFileName RemotePort_decimal RemoteAddressIP4 Protocol_decimal CommandLine,SHA256HashData 

simple domain name count search by computer (to see which computer is making the most dns lookups)


aid=* event_simpleName=DnsRequest AND NOT DomainName IN ("*mcafee.com","*windows.net","*microsoft.com","*.coupahost.com")| chart count by ComputerName limit=100

powershell/cscript/wscript started by office processes


event_simpleName=ProcessRollup2 FileName IN ("powershell.exe","cscript.exe","wscript.exe")
| rename CommandLine as ParentCmd
| rename FileName as ParentFileName
| rename SHA256HashData as ParentSHA256
|  dedup ParentCmd
|  join  TargetProcessId_decimal,aid [search  FileName IN ("WINWORD.EXE","OUTLOOK.EXE","EXCEL.EXE","ACRORD*.EXE","POWERPNT.EXE") ] 
| table ComputerName TargetProcessId_decimal ParentFileName FileName ParentCmd  ParentSHA256 

Browser processes with commandline containing suspicious extensions


event_simpleName="ProcessRollup*" AND FileName IN ("iexplore.exe","chrome.exe","firefox.exe") AND CommandLine IN ("*.jar*","*.exe*","*.scr*","*.vbs*","*.bat*","*.cmdline*")
| regex CommandLine=".*/\w+\.(jar|exe|scr|vbs|bat|cmdline)[^\w\?].*"
|  rex field=CommandLine "https?://.*/(?<document>.*\.[a-zA-Z]+)" 
| rex field=CommandLine "(?<url>https?://.*)"
|  dedup url
| dedup document
| table ComputerName document url CommandLine 

browsers that were started by outlook with suspiCIOus URLs


event_simpleName=ProcessRollup2 FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe")
| rename CommandLine as ParentCmd
| rename FileName as ParentFileName
| rename SHA256HashData as ParentSHA256
|  join max=1000 TargetProcessId [search  FileName IN ("OUTLOOK.EXE")] 
| rex field=ParentCmd " (?<url>https?://.*)"
| dedup url
| search NOT url IN ("*atmgr.exe*","*mercator:*","*lync.exe*","*officeredir.microsoft.com*")
| regex url=".*(\.exe|\.rar\|.zip|\.jar|\.vbs).*"
|   rex field=CommandLine "https?://.*/(?<document>.*\.[a-zA-Z]+)" 
| table ComputerName document url ParentCmd ParentFileName ParentSHA256

commandline with .vbs and a parent outlook process


event_simpleName=ProcessRollup2 AND CommandLine="*.vbs*" AND FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe") 
| rename CommandLine as ParentCmd
| rename FileName as ParentFileName
| rename SHA256HashData as ParentSHA256
|  join  TargetProcessId [search  FileName IN ("OUTLOOK.EXE")] 
| rex field=ParentCmd " (?<url>https?://.*)"
| dedup url
| search url="*.*" AND NOT url IN ("*delldisplaymanager.com*","*mercator:*")
| table ComputerName url ParentCmd ParentFileName ParentSHA256 

DAta urI hunt


event_simpleName=ProcessRollup2 AND CommandLine="*data:*" AND NOT CommandLine="*aka.ms*" AND FileName IN ("iexplore.exe","firefox.exe","chrome.exe","opera.exe") 
| rex field=CommandLine "(?<dataurl>data:.*)"
| dedup dataurl
| table _time ComputerName dataurl CommandLine 

file written events where the target file is under a user's downloads folder


event_simpleName IN (BZip2FileWritten,DmpFileWritten,DwgFileWritten,IdwFileWritten,JarFileWritten,MachOFileWritten,NetworkCapableAsepWrite,NewEecutableWritten,NewScriptWritten,OleFileWritten,OomlFileWritten,PdfFileWritten,PeFileWritten,RarFileWritten,RtfFileWritten,SevenZipFileWritten,TarFileWritten,XarFileWritten,ZipFileWritten)  AND TargetFileName="*\Users\*\Downloads\*"  AND NOT FileName IN ("*.crdownload","*.partial")
|  dedup SHA256HashData 
| dedup TargetFileName
|  table ComputerName FileName TargetFileName  SHA256HashData 

hunt for a specific powershell command pattern


FileName IN ("cmd.exe","powershell.exe") AND CommandLine="*`*`*"  AND NOT CommandLine IN ("*Get-AppvClientPackage*")
|  table ComputerName CommandLine

links opened from outlook


aid=* event_simpleName=ProcessRollup2  FileName=outlook.exe 
|  dedup aid TargetProcessId_decimal 
|  rename FileName as Parent 
|  rename CommandLine as ParentCmd 
|  table ComputerName aid TargetProcessId_decimal Parent ParentCmd 
|  join max=0 aid TargetProcessId_decimal [search name=ProcessRollup* FileName=chrome.exe OR FileName=firefox.exe OR FileName=iexplore.exe  AND CommandLine="*http*"
    |  rename ParentProcessId_decimal as TargetProcessId_decimal 
    |  rename MD5HashData as MD5 
    |  rename FilePath as ChildPath 
    |  dedup aid TargetProcessId_decimal MD5 
    |  fields aid TargetProcessId_decimal FileName CommandLine] 
|  rex field=CommandLine "(?<url>https?://.*)"
|  table ComputerName UserName Parent ParentCmd FileName url CommandLine aid

outlook attachments


event_simpleName="ProcessRollup*" AND CommandLine="*content.outlook*" AND FileName IN ("*zip*","*java*","explorer.exe","*rundll32*","*powershell*","*cscript.exe*","*wscript.exe*")
|  table ComputerName FileName CommandLine TargetFileName  SHA256HashData 

Falcon "custom" timeline suffix


aid=*
|rename ParentProcessId_decimal as "Parent Process ID" 
|rename _time as Timestamp
|rename TargetProcessId_decimal as "Process ID"
|rename event_simpleName as "Event"
|rename FileName as "File Loaded/Executed"
|rename DomainName as "Domain"
|rename RemoteAddressIP4 as DestIP
|rename LocalAddressIP4 as LocalIP
| rename RemotePort_decimal as RemotePort
|rename TargetFileName as "File Accessed/Written"
| table Timestamp "Parent Process ID" "Process ID" Event "File Loaded/Executed" CommandLine SHA256HashData Domain  "File Accessed/Written" LocalIP DestIP RemotePort UserSid_readable UserName aid 


rare commands of wmic.exe (replace with suspect exe)


FileName=wmic.exe 
| dedup CommandLine
|  rare limit=50 _time ComputerName UserName  by CommandLine showcount=true 
|  table _time ComputerName UserName CommandLine 

rare powershell commands


 FileName=powershell.exe event_simpleName=ProcessRollup* 
| dedup CommandLine 
|  rare limit=50 _time ComputerName UserName  by CommandLine showcount=true 
|  table _time ComputerName UserName CommandLine 

suspicious network connections by unusual processes


event_simpleName="NetworkConnect*" AND NOT  RemoteAddressIP4 IN ("127.0.0.0/8","10.0.0.0/8","239.*","172.16.0.0/12","192.168.0.0/16","169.254.0.0/16","23.*","13.*","52.*")
|   rename ContextProcessId_decimal as TargetProcessId_decimal 
|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2" FileName IN ("WINWORD.EXE","EXCEL.EXE","ACRORD*.EXE","WSCRIPT.EXE") AND CommandLine IN ("*:\\Users\\*\\Downloads\\*")
    | dedup CommandLine]
| rex field=CommandLine ".*\\\\(?<shortname>.*)"
| dedup shortname 
| table count ComputerName UserName RemoteAddressIP4 RemotePort_decimal FileName CommandLine

Network connections by specific processes to specific networks


event_simpleName="NetworkConnect*" AND   RemoteAddressIP4 IN ("127.0.0.0/8","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","169.254.0.0/16","23.*","13.*","52.*","40.*")
|   rename ContextProcessId_decimal as TargetProcessId_decimal 
|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2"  AND FileName IN ("PSEXEC.EXE","WINRM.EXE","MSTSC.EXE")
    ]
| dedup UserName,RemoteAddressIP4
| table  ComputerName UserName RemoteAddressIP4 FileName CommandLine

Network connections by specific processes to specific networks and specific port



event_simpleName="NetworkConnect*"   AND RemotePort_decimal=135 AND RemoteAddressIP4  IN ("127.0.0.0/8","10.0.0.0/8","130.201.*","161.*","149.*","239.*","129.23*","172.16.0.0/12","192.168.0.0/16","138.*","169.254.0.0/16","104.*","23.*","13.*","52.*","40.*")
|   rename ContextProcessId_decimal as TargetProcessId_decimal 
|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2"  AND FileName IN ("PSEXEC.EXE","WINRM.EXE","POWERSHELL.EXE","WSCRIPT.EXE")
    ]
| dedup UserName,RemoteAddressIP4
| table  ComputerName UserName RemoteAddressIP4 FileName CommandLine

unusual executions of wscript/wmic/bitsadmin,etc... by productivity apps


event_simpleName="ProcessRollup*" AND FileName IN ("powershell.exe","wscript.exe","wmic.exe","bitsadmin.exe","certutil.exe") 
|   rename ContextProcessId_decimal as TargetProcessId_decimal 
|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup2" FileName IN ("WINWORD.EXE","EXCEL.EXE","ACRORD*.EXE","plugincontainer.exe")
    | dedup CommandLine]
| table  ComputerName UserName RemoteAddressIP4 RemotePort_decimal FileName CommandLine

dNs hunt for unuusal domain lookups by specific processes


event_simpleName="DnsRequest*" AND DomainName="*.*" AND NOT DomainName IN ("*.adobe.com","*.bing.com","crl.thawte.com","*.youtube.com","*google.com","*rubygems.org","*microsoft.com","*hp.com","*optimizely.com","*opera.com","*boardvantage.com","*certificates.godaddy.com","*dropbox.com","*crl.godaddy.com","*verisign.com","*mcafee.com","*autodesk.com","*scansafe.net","*theice.com","*oracle.com","*microsoftonline.com","*windows.net","*yahoo.com","*ocsp.digicert.com","*ocsp.entrust.net","*ocsp.godaddy.com","*ocsp.intel.com","*ocsp.thawte.com","*live.com","*skype.com","*symcd.com","*symcb.com","*trustedsource.org","*baidu.com","*amazon.co.uk","*anotherhost.com","*boardvantage.com","*cisco.com","*googleapis.com","*intel.com","*logitech.com","*icloud.com","*apple.com","octoshape.net","*office.net","*.sharepoint.com","*.azure.com","*knetz.net","*live.net","*.amazonaws.com","*.local","*.dll","*.microsoftonline-p.net","*.outlook.com","*.msedge.net","*.office.com","*.office365.com","*.aadrm.com","*.sci-us.com","*.svccorp.com","*.dignitymemorial.com","*.coupahost.com") 
|   rename ContextProcessId_decimal as TargetProcessId_decimal 
|  join max=1000 TargetProcessId_decimal [search event_simpleName="ProcessRollup*" AND FileName IN ("WINWORD.EXE","EXCEL.EXE","ACRORD*.EXE","plugincontainer.exe","powershell.exe","wscript.exe","java*.exe")
    ]
| dedup CommandLine,DomainName
| table  DomainName ComputerName UserName  FileName CommandLine

logon hunt



event_simpleName IN ("UserLogon*", "Login*") 
|  table _time AuthenticationId_decimal AuthenticationPackage ComputerName ConfigStateHash_decimal ContextProcessId_decimal ContextThreadId_decimal ContextTimeStamp_decimal EffectiveTransmissionClass_decimal EnabledPrivilegesBitmask_decimal Entitlements_decimal LinkedAuthenticationId_decimal LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal UserFlags_decimal UserGroupsBitmask_decimal UserIsAdmin_decimal UserLogonFlags_decimal UserName UserPrincipal UserSid_readable 

logon hunt speciifc auth package and type



event_simpleName IN ("UserLogon*", "Login*") AND LogonType_decimal=2 AND AuthenticationPackage=NTLM
| chart count by UserName limit=100

command history hunt


event_simpleName=CommandHistory 
|   join aid TargetProcessId_decimal [search UserName="*"
     ] 
| table _time ComputerName UserName WindowsTtitle WindowsStation  LocalAddressIP4 FileName ApplicationName CommandCount_decimal CommandHistory


command history hunt



event_simpleName=CommandHistory 
|   join aid  [search UserName="*svc*" ] 
| table _time ComputerName UserName    LocalAddressIP4 FileName ApplicationName  CommandHistory 



filename versions


event_simpleName=PeVersion* AND FileName="iexplore.exe" 
| dedup SHA256HashData
| table ComputerName SHA256HashData VersionInfo

connections to a specific subnet and port counted by the REmote iP where the count is low


RemoteAddressIP4=10.0.0.0/8 RemotePort_decimal=445 
| stats values(LocalAddressIP4) count by RemoteAddressIP4| where count <4 | sort – count

CommandHistory


event_simpleName=CommandHistory
| eval Commands=split(CommandHistory,"¶")
|    join aid  [search UserName="*" ] 
| table _time ComputerName ApplicationName UserName CommandCount_decimal Commands CommandHistory LocalAddressIP4 aip aid


usb enumerate



| table _time ComputerName aip event_simpleName DeviceDescriptorSetHash    DeviceDescriptorUniqueIdentifier    DeviceProtocol_decimal       DeviceUsbClass_decimal    DeviceUsbSubclass_decimal MAC     LocalAddressIP4

lnk on removable drive root


LinkName="*lnk"
| regex LinkName="[d-zD-Z]:\\\[\\w\\d -_]*\\.lnk"

lnk exeuction from external drives hunt


event_simpleName=ProcessRollup* AND LinkName="*.lnk" AND NOT FileName IN ("WINWORD.EXE","EXCEL.EXE","MSACCESS.EXE","AcroRd32.exe")| regex LinkName="[d-zD-Z]:\\\[\w\d -_]*\\.lnk"
| table _time ComputerName LinkName FileName CommandLine

DEV -> prod logins


event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svc*") AND ComputerName IN ("*prd*","*PROD*")
| regex UserName=".*[sS][vV][cC][dDtT][Ee][vVsS].*" 
|  table _time UserName ComputerName AuthenticationId_decimal AuthenticationPackage          LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal   UserIsAdmin_decimal   UserPrincipal UserSid_readable 

above for any machine


event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svc*") 
| regex UserName=".*[sS][vV][cC][dDtT][Ee][vVsS].*" 
|  table _time UserName ComputerName AuthenticationId_decimal AuthenticationPackage          LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal   UserIsAdmin_decimal   UserPrincipal UserSid_readable 

event_simpleName IN ("UserLogon*", "Login*") AND UserName IN ("*svcdev*","*svctes*","*svcstg*") AND ComputerName IN ("*prd*","*prod*")
|  table _time UserName ComputerName AuthenticationId_decimal AuthenticationPackage          LocalAddressIP4 LogonDomain LogonServer LogonTime_decimal LogonType_decimal MAC PasswordLastSet_decimal PrivilegesBitmask_decimal RemoteAccount_decimal   UserIsAdmin_decimal   UserPrincipal UserSid_readable 

look for processes started by powershell excluding specific processes and specific powershell command patterns


event_simpleName=ProcessRollup* AND NOT FileName IN ("gpupdate.exe","winmgmt.exe","sc.exe","attrib.exe","reg.exe","schtasks.exe","wermgr.exe","msbuild.exe","csc.exe")
| dedup CommandLine
| rename ParentProcessId_decimal as TargetProcessId_decimal
| rename CommandLine as ChildCommandLine
| rename FileName as ChildFileName
| join  TargetProcessId_decimal    
    [search event_simpleName=ProcessRollup* FileName="powershell.exe" AND NOT CommandLine IN ("*sccm*","*gpclient*")]
| table ComputerName FileName CommandLine ChildFileName ChildCommandLine

Look for processes and users starting powershell

FileName="powershell.exe" 
|  dedup CommandLine
| rename CommandLine as ChildCommandLine
| join    ParentProcessId_decimal 
    [search event_simpleName=ProcessRollup*]
| table ComputerName UserName FileName CommandLine ChildCommandLine 
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment