Blue Team Toolkit | Security Tools & Resources

SIEM & Logging Cross-Platform Command Line

Search for failed authentication attempts across all systems to identify brute force attacks or credential stuffing attempts.

Detect potential brute force attacks by finding source IPs with multiple failed login attempts.

authenticationbrute-forcesplunkhunting

Command/Usage

index=windows EventCode=4625 | stats count by src_ip, user | where count > 10 | sort -count

Installation

Requires Splunk Enterprise or Cloud

Additional Examples

index=windows EventCode=4625 user="admin*" | stats count by src_ip

index=* "failed login" OR "authentication failed" | timechart count by user

Common Options/Flags

EventCode=4625: Windows failed logon event
count > 10: Threshold for alerting
index=windows: Specify Windows event logs

Related Tools

References

SIEM & Logging Cross-Platform Command Line

Detect lateral movement by analyzing authentication events across multiple systems from a single source.

Identify compromised accounts being used to move laterally across the network.

lateral-movementelkauthenticationdetection

Command/Usage

event.dataset: "windows.security" AND event.code: 4624 AND source.ip: * | stats dc(host.name) as unique_hosts by source.ip | where unique_hosts > 3

Installation

Elasticsearch, Logstash, Kibana stack

Additional Examples

event.code: 4624 AND user.name: "admin" | stats count by host.name

source.ip: "10.0.0.100" AND event.code: 4624 | timechart span=1h count by host.name

Related Tools

References

SIEM & Logging Windows Command Line

Query Windows Event Logs for successful authentication events to track user activity and detect anomalies.

Investigate successful logons during suspicious time periods or from unexpected locations.

windowsevent-logauthenticationpowershell

Command/Usage

Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4624} | Select-Object TimeCreated, Message | Format-Table -AutoSize

Installation

Built into Windows

Additional Examples

Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4624; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -like "*admin*"}

wevtutil qe Security /q:"*[System[(EventID=4624)]]" /f:text

Common Options/Flags

EventID=4624: Successful logon
EventID=4625: Failed logon
LogName=Security: Security event log

Related Tools

References

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

SIEM & Logging Linux Command Line

Parse syslog files to identify failed SSH authentication attempts, indicating potential brute force attacks.

Detect SSH brute force attacks by analyzing authentication failures in syslog.

sshlinuxsyslogbrute-force

Command/Usage

grep "Failed password" /var/log/auth.log | awk '{print $1, $2, $3, $11}' | sort | uniq -c | sort -rn

Installation

Built into Linux

Additional Examples

grep "Invalid user" /var/log/auth.log | awk '{print $11}' | sort | uniq -c

journalctl -u ssh | grep "Failed password" | tail -100

Related Tools

References

https://www.man7.org/linux/man-pages/man5/syslog.conf.5.html

Forensics WindowsLinux Command Line

Extract list of running processes from memory dump to identify malicious processes or anomalies.

During incident response, analyze memory dump to find suspicious processes that may have been hidden or terminated.

memory-analysisforensicsvolatilityprocesses

Command/Usage

volatility -f memory.dmp --profile=Win10x64_19041 pslist

Installation

pip install volatility3

Additional Examples

volatility -f memory.dmp --profile=Win10x64_19041 pstree

volatility -f memory.dmp --profile=Win10x64_19041 malfind

volatility -f memory.dmp --profile=Win10x64_19041 cmdline

Common Options/Flags

--profile: OS profile (Win10x64_19041, Win7SP1x64, etc.)
pslist: List processes
pstree: Process tree view
malfind: Find hidden/injected code

Related Tools

References

Forensics WindowsLinux Command Line

Extract network connections from memory dump to identify suspicious network activity and C2 communications.

Identify network connections established by malware or compromised processes in memory.

memory-analysisnetworkvolatilityc2

Command/Usage

volatility -f memory.dmp --profile=Win10x64_19041 netscan

Installation

pip install volatility3

Additional Examples

volatility -f memory.dmp --profile=Win10x64_19041 netstat

volatility -f memory.dmp --profile=Win10x64_19041 connections

Related Tools

References

https://github.com/volatilityfoundation/volatility3

Incident Response Windows Script/Automation

Create a timeline of system activity using multiple Windows artifacts to understand attack timeline.

Build comprehensive timeline of events during incident response to understand attack progression.

timelineforensicsplasoincident-response

Command/Usage

log2timeline.py --logfile timeline.log --parsers '!reg' image.dd

Installation

pip install plaso

Additional Examples

log2timeline.py --parsers win7,winreg image.dd

psort.py -o l2tcsv -w timeline.csv timeline.log

Related Tools

References

https://github.com/log2timeline/plaso

Incident Response Windows Script/Automation

Automated collection of critical Windows artifacts for incident response including registry, event logs, and file system artifacts.

Rapidly collect forensic artifacts from compromised systems during incident response.

powershellartifact-collectionincident-responsewindows

Command/Usage

Invoke-IRCollection.ps1 -OutputPath C:\IR_Collection -CollectAll

Installation

Download from GitHub

Additional Examples

Invoke-IRCollection.ps1 -OutputPath C:\IR -CollectRegistry -CollectEventLogs

Invoke-IRCollection.ps1 -OutputPath C:\IR -CollectMemoryDump

Related Tools

References

https://github.com/PowerShellMafia/PowerSploit

Network Analysis Cross-Platform GUI Application

Filter network capture to show only HTTP traffic for analysis of web-based attacks or data exfiltration.

Investigate potential data exfiltration by analyzing HTTP POST requests and responses.

wiresharknetworkhttppcap

Command/Usage

http.request or http.response

Installation

Download from wireshark.org

Additional Examples

```
http.request.method == "POST"
```
```
http contains "password"
```
```
http.host contains "malicious"
```
```
http.request.uri contains "/admin"
```

Common Options/Flags

http.request: HTTP requests only
http.response: HTTP responses only
http contains: Search HTTP payload

Related Tools

References

Network Analysis LinuxmacOS Command Line

Capture DNS queries to identify suspicious domain lookups and potential C2 communications.

Monitor DNS traffic to detect malware beaconing or data exfiltration via DNS tunneling.

tcpdumpdnsnetworkcapture

Command/Usage

tcpdump -i eth0 -n 'udp port 53' -w dns_capture.pcap

Installation

Built into most Linux distributions

Additional Examples

```
tcpdump -i any 'udp port 53' -v
```

tcpdump -i eth0 'host 8.8.8.8 and port 53'

tcpdump -r dns_capture.pcap 'udp port 53' | grep -i suspicious

Common Options/Flags

-i: Interface to capture on
-n: Don't resolve hostnames
-w: Write to file
-v: Verbose output

Related Tools

References

https://www.tcpdump.org/manpages/tcpdump.1.html

Network Analysis Linux Command Line

Analyze HTTP traffic using Zeek logs to identify suspicious user agents, unusual HTTP methods, or data exfiltration.

Parse network traffic to extract HTTP metadata and identify malicious web activity.

zeekbrohttpnetwork

Command/Usage

zeek -r capture.pcap http.log

Installation

apt-get install zeek

Additional Examples

cat http.log | zeek-cut id.orig_h id.resp_h method uri | grep POST

zeek -r capture.pcap -C http.log ssl.log

Related Tools

References

Network Analysis Cross-Platform Command Line

Analyze NetFlow data to identify unusual network patterns, large data transfers, or connections to suspicious IPs.

Detect data exfiltration or C2 communications by analyzing network flow data.

netflownetworktraffic-analysis

Command/Usage

nfdump -R /path/to/netflow -n 100 -s ip/bytes

Installation

apt-get install nfdump

Additional Examples

nfdump -R /path/to/netflow 'src ip 10.0.0.100'

nfdump -R /path/to/netflow -s ip/flows -n 20

Related Tools

References

https://github.com/phaag/nfdump

Endpoint Detection Windows Command Line

Investigate running processes, their command lines, and parent processes to identify suspicious activity.

Identify suspicious processes, hidden processes, or processes with unusual command-line arguments.

powershellprocesseswindowsinvestigation

Command/Usage

Get-Process | Select-Object Id, ProcessName, Path, CommandLine, Parent | Format-List

Installation

Built into Windows

Additional Examples

Get-Process | Where-Object {$_.Path -notlike 'C:\Windows\*'} | Format-List

Get-WmiObject Win32_Process | Select-Object ProcessId, Name, CommandLine

Get-Process | Sort-Object CPU -Descending | Select-Object -First 10

Common Options/Flags

Get-Process: List all processes
Where-Object: Filter processes
Select-Object: Choose specific properties

Related Tools

References

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process

Endpoint Detection Windows GUI Application

Analyze all autorun locations in Windows to identify persistence mechanisms used by malware.

Identify malware persistence mechanisms by examining all startup locations and scheduled tasks.

autorunspersistencewindowsmalware

Command/Usage

Autoruns.exe -accepteula -a * -c -h -s -v

Installation

Download from Microsoft Sysinternals

Additional Examples

Autoruns.exe -accepteula -a * -c -h -s -v -t

```
Autoruns.exe -accepteula -m
```

Common Options/Flags

-a: Show all entries
-c: Verify code signatures
-h: Hide Microsoft entries
-s: Verify digital signatures
-v: VirusTotal check

Related Tools

References

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Endpoint Detection Windows Command Line

Query Windows Registry for common persistence locations to identify malware autorun mechanisms.

Identify malware persistence by examining registry autorun keys.

registrypersistencewindowsforensics

Command/Usage

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Installation

Built into Windows

Additional Examples

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

reg query HKLM\SYSTEM\CurrentControlSet\Services

Related Tools

References

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry

Endpoint Detection Windows Command Line

Monitor process creation events using Sysmon to detect suspicious process execution patterns.

Detect suspicious process execution, including processes launched from unusual locations or with suspicious command-line arguments.

sysmonprocess-monitoringwindowsdetection

Command/Usage

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Select-Object TimeCreated, Message

Installation

Download Sysmon from Microsoft Sysinternals

Additional Examples

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Message -like '*powershell*'}

wevtutil qe 'Microsoft-Windows-Sysmon/Operational' /q:'*[System[(EventID=1)]]'

Related Tools

References

Threat Hunting Cross-Platform Script/Automation

Use Sigma rules to detect suspicious process execution patterns across SIEM platforms.

Detect suspicious execution patterns like living-off-the-land techniques or process injection.

sigmathreat-huntingdetection-rules

Command/Usage

sigma convert -t splunk -c config/splunk.yml rules/windows/process_creation/win_susp_execution.yml

Installation

pip install sigma

Additional Examples

sigma convert -t elk rules/windows/process_creation/win_susp_execution.yml

sigma convert -t splunk rules/linux/process_creation/lnx_susp_execution.yml

Related Tools

References

Threat Hunting Cross-Platform Command Line

Scan files and memory using YARA rules to identify known malware families or suspicious patterns.

Identify malware samples or suspicious files using signature-based detection.

yaramalwarescanningsignatures

Command/Usage

yara -r rules.yar /path/to/scan

Installation

apt-get install yara

Additional Examples

```
yara -r -w rules.yar /path/to/files
```
```
yara -s -m rules.yar suspicious.exe
```
```
yara -g -r rules.yar /path/to/scan
```

Common Options/Flags

-r: Recursive scan
-s: Print matching strings
-m: Print metadata
-g: Print tags

Related Tools

References

Threat Hunting Cross-Platform Command Line

Search for Indicators of Compromise (IOCs) like file hashes across systems to identify known threats.

Identify known malicious files by searching for their hashes across the environment.

iochashthreat-intelhunting

Command/Usage

findstr /s /i /m "MD5_HASH" C:\Windows\System32\*.*

Installation

Built into Windows

Additional Examples

Get-ChildItem -Recurse -File | Get-FileHash | Where-Object {$_.Hash -eq 'KNOWN_MALICIOUS_HASH'}

```
grep -r 'SHA256_HASH' /path/to/search
```

Related Tools

References

https://github.com/fireeye/ioc_writer

Threat Hunting Windows Command Line

Detect obfuscated PowerShell execution by searching for common obfuscation patterns and encoded commands.

Identify malicious PowerShell execution that uses obfuscation techniques to evade detection.

powershellobfuscationbehavioralhunting

Command/Usage

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'FromBase64String|EncodedCommand|IEX'}

Installation

Requires PowerShell logging enabled

Additional Examples

Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' | Where-Object {$_.Message -like '*DownloadString*'}

wevtutil qe 'Microsoft-Windows-PowerShell/Operational' /q:'*[System[(EventID=4104)]]'

Related Tools

References

https://attack.mitre.org/techniques/T1027/

Threat Intelligence Cross-Platform API/Integration

Query VirusTotal API to check file hashes, URLs, or IPs against threat intelligence database.

Check suspicious files, URLs, or IPs against VirusTotal's threat intelligence database.

virustotalapithreat-intelhash

Command/Usage

curl -X GET 'https://www.virustotal.com/vtapi/v2/file/report?apikey=API_KEY&resource=HASH'

Installation

Requires VirusTotal API key

Additional Examples

```
vt file HASH
```
```
vt url 'https://suspicious-domain.com'
```
```
vt ip 192.168.1.100
```

Related Tools

References

Threat Intelligence Cross-Platform API/Integration

Query Shodan to gather intelligence about IP addresses, domains, and exposed services.

Investigate external IPs involved in security incidents to gather threat intelligence.

shodanthreat-intelip-intelosint

Command/Usage

shodan host 8.8.8.8

Installation

pip install shodan

Additional Examples

```
shodan search 'apache country:US'
```
```
shodan host --history 8.8.8.8
```
```
shodan domain example.com
```

Related Tools

References

Threat Intelligence Cross-Platform API/Integration

Import Indicators of Compromise into MISP threat intelligence platform for sharing and correlation.

Share threat intelligence indicators with security teams and correlate with existing events.

mispthreat-inteliocsharing

Command/Usage

curl -H 'Authorization: API_KEY' -H 'Content-Type: application/json' -X POST https://misp.example.com/attributes/add -d '{"value":"IOC","type":"md5"}'

Installation

MISP instance required

Additional Examples

misp-import -u https://misp.example.com -k API_KEY -f indicators.json

misp-search -u https://misp.example.com -k API_KEY -q 'tag:malware'

Related Tools

References

Malware Analysis Windows GUI Application

Analyze Portable Executable (PE) files to examine imports, exports, sections, and metadata for malware analysis.

Analyze malware samples to understand their structure, imports, and potential functionality.

pe-analysismalwarewindowsreverse-engineering

Command/Usage

PE-bear.exe suspicious_file.exe

Installation

Download from GitHub

Additional Examples

```
PE-bear.exe -dump suspicious_file.exe
```
```
PE-bear.exe -imports malware.exe
```

Related Tools

References

https://github.com/hasherezade/pe-bear

Malware Analysis Cross-Platform Command Line

Extract printable strings from binary files to identify URLs, file paths, API calls, and other indicators.

Extract readable strings from malware samples to identify C2 domains, API calls, or other indicators.

stringsmalware-analysisforensics

Command/Usage

strings -a suspicious_file.exe | grep -i 'http\|password\|cmd.exe'

Installation

Built into most Linux distributions, Sysinternals for Windows

Additional Examples

strings -a -n 8 malware.exe > strings.txt

strings -e l suspicious_file.exe | grep -i 'api'

Sysinternals\strings.exe -a malware.exe | findstr /i 'http'

Common Options/Flags

-a: Scan entire file
-n: Minimum string length
-e: Encoding (l=little-endian, b=big-endian)

Related Tools

References

https://docs.microsoft.com/en-us/sysinternals/downloads/strings

Malware Analysis Linux Web-based

Automated malware analysis platform that executes samples in isolated environments and generates detailed reports.

Automatically analyze malware samples in a safe environment to understand their behavior and generate IOCs.

sandboxmalware-analysisautomation

Command/Usage

cuckoo submit suspicious_file.exe

Installation

pip install cuckoo

Additional Examples

cuckoo submit --url 'http://malicious-site.com/file.exe'

cuckoo submit --package exe suspicious_file.exe

Related Tools

References

Cloud Security Cloud (AWS/Azure/GCP) Command Line

Query AWS CloudTrail logs to identify suspicious API calls, unauthorized access, or unusual activity.

Detect unauthorized access or suspicious activity in AWS environment by analyzing CloudTrail logs.

awscloudtrailcloud-securityapi

Command/Usage

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --max-results 50

Installation

AWS CLI required

Additional Examples

aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=admin

aws logs filter-log-events --log-group-name CloudTrail --filter-pattern 'ERROR'

Related Tools

References

https://docs.aws.amazon.com/awscloudtrail/

Cloud Security Cloud (AWS/Azure/GCP) API/Integration

Query Azure AD audit logs to detect suspicious sign-ins, privilege escalations, or unauthorized access.

Investigate suspicious authentication events and privilege escalations in Azure AD.

azureactive-directorycloud-securityaudit

Command/Usage

Get-AzureADAuditDirectoryLogs -Filter "Category eq 'SignInLogs'" -Top 100

Installation

Azure PowerShell module required

Additional Examples

Get-AzureADAuditSignInLogs -Filter "status/errorCode eq 50126"

Get-AzureADAuditDirectoryLogs -Filter "Category eq 'DirectoryManagement'"

Related Tools

References

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/

Cloud Security Cloud (AWS/Azure/GCP) Command Line

Query Google Cloud Platform audit logs to identify suspicious activity, unauthorized access, or policy violations.

Detect security incidents and policy violations in GCP by analyzing audit logs.

gcpgoogle-cloudaudit-logscloud-security

Command/Usage

gcloud logging read 'resource.type=audited_resource AND severity>=ERROR' --limit 50 --format json

Installation

gcloud CLI required

Additional Examples

gcloud logging read 'resource.type=gce_instance AND protoPayload.methodName=compute.instances.delete'

gcloud logging read 'severity=CRITICAL' --limit 100

Related Tools

References

https://cloud.google.com/logging/docs/audit

Active Directory Windows Command Line

Enumerate Active Directory users to identify accounts with excessive privileges or suspicious configurations.

Identify accounts with weak security configurations, disabled accounts, or accounts that haven't logged in recently.

active-directoryuser-enumerationwindowspowershell

Command/Usage

Get-ADUser -Filter * -Properties * | Select-Object Name, Enabled, LastLogonDate, PasswordNeverExpires

Installation

Active Directory PowerShell module required

Additional Examples

Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires

Get-ADUser -Filter {Enabled -eq $false} -Properties Enabled

Get-ADUser -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt (Get-Date).AddDays(-90)}

Common Options/Flags

-Filter: LDAP filter
-Properties: Additional properties to retrieve
Select-Object: Choose specific properties

Related Tools

References

https://docs.microsoft.com/en-us/powershell/module/activedirectory/

Active Directory WindowsLinux GUI Application

Visualize Active Directory attack paths and identify privilege escalation opportunities.

Identify attack paths in Active Directory that could lead to domain compromise.

bloodhoundactive-directoryattack-pathsprivilege-escalation

Command/Usage

bloodhound-python -d DOMAIN -u USERNAME -p PASSWORD -gc DC -c all

Installation

pip install bloodhound

Additional Examples

bloodhound-python -d example.com -u user -p pass -gc dc.example.com -c all

bloodhound-python -d example.com -u user -hashes LMHASH:NTHASH -gc dc.example.com

Related Tools

References

Active Directory Windows Command Line

Analyze Active Directory group memberships to identify users with excessive privileges or identify privilege escalation paths.

Identify users with administrative privileges and understand group membership hierarchies.

active-directorygroupsprivilegespowershell

Command/Usage

Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object Name, DistinguishedName

Installation

Active Directory PowerShell module required

Additional Examples

Get-ADGroup -Filter * | Get-ADGroupMember | Select-Object Name, Group

Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive

Get-ADUser -Identity USERNAME -Properties MemberOf | Select-Object -ExpandProperty MemberOf

Related Tools

References

https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroupmember

Active Directory Windows Command Line

Detect potential Kerberoasting attacks by identifying service accounts with weak encryption or monitoring for suspicious ticket requests.

Detect Kerberoasting attacks by monitoring for service ticket requests using weak encryption types.

kerberoastingactive-directorydetectionwindows

Command/Usage

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {$_.Message -match '0x17|0x18'} | Select-Object TimeCreated, Message

Installation

Built into Windows

Additional Examples

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {$_.Message -like '*RC4*'}

wevtutil qe Security /q:'*[System[(EventID=4769)]]' /f:text | findstr /i '0x17 0x18'

Related Tools

References

https://attack.mitre.org/techniques/T1558/003/

Forensics Windows Command Line

Query Sysmon Event ID 11 to identify all files created by processes, useful for tracking malware payloads and dropped files.

During DFIR investigations, identify all files created by malicious processes to understand the attack lifecycle and locate additional payloads.

sysmonfile-creationforensicsdfirevent-id-11

Command/Usage

Get-WinEvent -Path 'Microsoft-Windows-Sysmon-Operational.evtx' | Where-Object { $_.Id -eq 11 } | Select-Object TimeCreated, Message

Installation

Requires Sysmon installed

Additional Examples

(Get-WinEvent -Path '.\Microsoft-Windows-Sysmon-Operational.evtx' | Where-Object { $_.Id -eq 11 }).count

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 11 -and $_.Message -like '*malicious*' }

Common Options/Flags

Event ID 11: File creation events
Filter by process name, file path, or timestamp
Count events to quantify file creation activity

Related Tools

References

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Forensics Windows Command Line

Detect timestomping attacks using Sysmon Event ID 2, which logs when file creation times are modified to evade detection.

Identify when attackers modify file timestamps to hide evidence or make malicious files appear legitimate.

sysmontimestompingforensicsanti-forensicsevent-id-2

Command/Usage

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 2 } | Select-Object TimeCreated, Message

Installation

Requires Sysmon installed

Additional Examples

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 2 -and $_.Message -like '*suspicious*' }

Common Options/Flags

Event ID 2: File creation time changed
Compares current vs previous creation time
Critical for detecting T1070.006 technique

Related Tools

References

Network Analysis Windows Command Line

Analyze DNS queries logged by Sysmon Event ID 22 to identify suspicious domain lookups and potential C2 communications.

Detect malware beaconing, data exfiltration via DNS, or C2 communications by analyzing DNS query patterns.

sysmondnsnetwork-analysisc2-detectionevent-id-22

Command/Usage

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 22 } | Select-Object TimeCreated, Message

Installation

Requires Sysmon installed

Additional Examples

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 22 -and $_.Message -like '*suspicious-domain*' }

Common Options/Flags

Event ID 22: DNS query events
Filter by domain name, process, or timestamp
Correlate with network connection events

Related Tools

References

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Network Analysis Windows Command Line

Track network connections using Sysmon Event ID 3 to identify C2 communications, data exfiltration, and lateral movement.

Identify exact destination IP addresses and ports used for C2 communication or data exfiltration during incident response.

sysmonnetworkc2-detectionlateral-movementevent-id-3

Command/Usage

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 3 } | Select-Object TimeCreated, Message

Installation

Requires Sysmon installed

Additional Examples

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 3 -and $_.Message -like '*external-ip*' }

Common Options/Flags

Event ID 3: Network connection events
Filter by source/destination IP, port, or process
Correlate with DNS query events

Related Tools

References

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Forensics Windows Command Line

Track process termination events using Sysmon Event ID 5 to understand the complete lifecycle of malicious processes.

Track when malicious processes exit to understand execution timelines and identify self-terminating malware.

sysmonprocess-terminationforensicsevent-id-5

Command/Usage

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 5 } | Select-Object TimeCreated, Message

Installation

Requires Sysmon installed

Additional Examples

Get-WinEvent -Path 'Sysmon.evtx' | Where-Object { $_.Id -eq 5 -and $_.Message -like '*malicious-process*' }

Common Options/Flags

Event ID 5: Process terminated events
Correlate with process creation events
Track complete process lifecycle

Related Tools

References

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Endpoint Detection Windows Command Line

Detect Alternate Data Streams (ADS) in NTFS file systems using PowerShell to identify hidden malicious payloads.

Identify hidden data streams that attackers use to hide malicious payloads within legitimate files, evading traditional file scanning.

powershelladsntfsfile-forensicsdata-hiding

Command/Usage

Get-Item .\file.txt -Stream *

Installation

Built into Windows PowerShell

Additional Examples

Get-ChildItem -Recurse -File | ForEach-Object { Get-Item $_.FullName -Stream * | Where-Object { $_.Stream -ne ':$DATA' } }

```
dir /r
```
```
streams.exe -s C:\path
```

Common Options/Flags

-Stream *: List all streams
dir /r: Windows command to show streams
streams.exe: Sysinternals tool for ADS detection

Related Tools

References

Endpoint Detection Windows Command Line

Verify SMBv1 is disabled to comply with ISM-1962 and prevent EternalBlue-style attacks. Check server configuration, Windows feature state, and client settings.

Ensure SMBv1 is completely disabled across the environment to prevent exploitation of legacy protocol vulnerabilities like EternalBlue.

smbism-1962compliancewindowseternalblue

Command/Usage

Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

Installation

Built into Windows PowerShell

Additional Examples

$serverConfig = Get-SmbServerConfiguration; Write-Host 'SMB1 Server Enabled:' $serverConfig.EnableSMB1Protocol

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

Common Options/Flags

Get-SmbServerConfiguration: Check server SMBv1 status
Get-WindowsOptionalFeature: Check if feature is installed
Disable-WindowsOptionalFeature: Remove SMBv1 feature

Related Tools

References

Forensics Windows Command Line

Detect cipher.exe /w usage which overwrites deleted file data to prevent forensic recovery, indicating anti-forensics activity.

Identify when attackers use cipher.exe /w to destroy forensic evidence by overwriting deleted file data on disk.

cipheranti-forensicssysmonfile-deletiont1070.004

Command/Usage

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Message -like '*cipher.exe*' -and $_.Message -like '*/w*'}

Installation

Requires Sysmon installed

Additional Examples

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Message -match 'cipher\.exe.*\/w'}

Correlate with file deletion events (Event ID 11)

Common Options/Flags

Event ID 1: Process creation
Filter for cipher.exe with /w flag
Correlate with file deletion timeline

Related Tools

References

Endpoint Detection WindowsLinuxmacOS Web-based

Query CrowdStrike Falcon for process execution events to detect suspicious process launches, command-line arguments, and parent-child relationships.

Detect suspicious process execution patterns, including processes launched from unusual locations, with suspicious command-line arguments, or from unexpected parent processes.

crowdstrikecqlprocess-executionedrdetection

Command/Usage

event_platform=Win event_simpleName=ProcessRollup2 | search CommandLine="*suspicious*" | stats count by ComputerName, UserName, FileName, CommandLine

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=ProcessRollup2 | search FileName="powershell.exe" CommandLine="*encodedcommand*" | table ComputerName, UserName, CommandLine

event_platform=Win event_simpleName=ProcessRollup2 | search ParentBaseFileName="cmd.exe" FileName="*.exe" | stats count by FileName, ParentBaseFileName

event_platform=Win event_simpleName=ProcessRollup2 | search FileName="regsvr32.exe" CommandLine="*/s*" | table ComputerName, UserName, CommandLine

Common Options/Flags

event_platform: Filter by OS (Win, Mac, Lin)
event_simpleName=ProcessRollup2: Process execution events
search: Filter by command line, filename, or other fields
stats: Aggregate results
table: Display specific fields

Related Tools

References

Forensics WindowsLinuxmacOS Web-based

Query CrowdStrike Falcon for file creation events to identify dropped files, malware payloads, and suspicious file activity.

Identify files created in suspicious locations like AppData, Temp folders, or system directories that may indicate malware activity.

crowdstrikecqlfile-creationforensicsedr

Command/Usage

event_platform=Win event_simpleName=FileWritten | search FileName="*.exe" TargetFileName="*AppData*" | stats count by ComputerName, UserName, TargetFileName

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=FileWritten | search TargetFileName="*Temp*" FileName="*.ps1" | table ComputerName, UserName, TargetFileName

event_platform=Win event_simpleName=FileWritten | search TargetFileName="*Startup*" | stats count by ComputerName, TargetFileName

event_platform=Win event_simpleName=FileWritten | search FileName="*.dll" TargetFileName="*System32*" | table ComputerName, UserName, TargetFileName

Common Options/Flags

event_simpleName=FileWritten: File creation/write events
search: Filter by filename, path, or extension
TargetFileName: Destination file path
FileName: Source file name

Related Tools

References

https://www.reddit.com/r/crowdstrike/?f=flair_name%3A%22CQF%22

Network Analysis WindowsLinuxmacOS Web-based

Query CrowdStrike Falcon for network connection events to identify C2 communications, data exfiltration, and suspicious network activity.

Detect C2 communications, data exfiltration, or lateral movement by analyzing network connections to external IPs or unusual ports.

crowdstrikecqlnetworkc2-detectionedr

Command/Usage

event_platform=Win event_simpleName=NetworkConnectIP4 | search RemoteIP="*" | stats count by ComputerName, RemoteIP, RemotePort, LocalPort

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=NetworkConnectIP4 | search RemotePort=4444 OR RemotePort=8080 | table ComputerName, RemoteIP, RemotePort, LocalPort

event_platform=Win event_simpleName=NetworkConnectIP4 | search RemoteIP="10.0.0.*" | stats count by ComputerName, RemoteIP

event_platform=Win event_simpleName=NetworkConnectIP4 | search LocalPort=53 | table ComputerName, RemoteIP, FileName

Common Options/Flags

event_simpleName=NetworkConnectIP4: IPv4 network connection events
RemoteIP: Destination IP address
RemotePort: Destination port
LocalPort: Source port
search: Filter by IP ranges, ports, or other criteria

Related Tools

References

https://www.reddit.com/r/crowdstrike/?f=flair_name%3A%22CQF%22

Endpoint Detection Windows Web-based

Query CrowdStrike Falcon for registry modification events to detect persistence mechanisms, configuration changes, and suspicious registry activity.

Detect malware persistence mechanisms by monitoring registry autorun keys, service registrations, and other persistence locations.

crowdstrikecqlregistrypersistencewindows

Command/Usage

event_platform=Win event_simpleName=RegKeyValueWritten | search RegKeyPath="*Run*" | table ComputerName, UserName, RegKeyPath, RegValueData

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=RegKeyValueWritten | search RegKeyPath="*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*" | table ComputerName, RegKeyPath, RegValueData

event_platform=Win event_simpleName=RegKeyValueWritten | search RegKeyPath="*Services*" RegValueData="*.exe" | stats count by ComputerName, RegKeyPath

event_platform=Win event_simpleName=RegKeyValueWritten | search RegKeyPath="*Winlogon*" | table ComputerName, UserName, RegKeyPath, RegValueData

Common Options/Flags

event_simpleName=RegKeyValueWritten: Registry value write events
RegKeyPath: Registry key path
RegValueData: Registry value data
search: Filter by specific registry paths or values

Related Tools

References

https://www.reddit.com/r/crowdstrike/?f=flair_name%3A%22CQF%22

Network Analysis WindowsLinuxmacOS Web-based

Query CrowdStrike Falcon for DNS query events to identify suspicious domain lookups, C2 communications, and DNS tunneling attempts.

Detect malware beaconing, C2 communications, or data exfiltration via DNS by analyzing DNS query patterns and suspicious domains.

crowdstrikecqldnsc2-detectionnetwork

Command/Usage

event_platform=Win event_simpleName=DnsRequest | search DomainName="*suspicious*" | stats count by ComputerName, DomainName, FileName

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=DnsRequest | search DomainName="*.tk" OR DomainName="*.ml" | table ComputerName, DomainName, FileName

event_platform=Win event_simpleName=DnsRequest | stats count by DomainName | sort -count | head 20

event_platform=Win event_simpleName=DnsRequest | search FileName="powershell.exe" | table ComputerName, DomainName, FileName

Common Options/Flags

event_simpleName=DnsRequest: DNS query events
DomainName: Queried domain name
FileName: Process making the DNS query
search: Filter by domain patterns or process names

Related Tools

References

https://www.reddit.com/r/crowdstrike/?f=flair_name%3A%22CQF%22

Forensics WindowsLinuxmacOS Web-based

Query CrowdStrike Falcon for file deletion events to detect anti-forensics activity, evidence destruction, or suspicious file cleanup.

Detect anti-forensics activity when attackers delete log files, event logs, or other forensic artifacts to cover their tracks.

crowdstrikecqlfile-deletionanti-forensicsedr

Command/Usage

event_platform=Win event_simpleName=FileDeleted | search FileName="*.log" OR FileName="*.evtx" | table ComputerName, UserName, FileName

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=FileDeleted | search FileName="*Security.evtx" OR FileName="*System.evtx" | table ComputerName, UserName, FileName

event_platform=Win event_simpleName=FileDeleted | search FileName="*.log" | stats count by ComputerName, FileName

event_platform=Win event_simpleName=FileDeleted | search FileName="*Temp*" | table ComputerName, UserName, FileName

Common Options/Flags

event_simpleName=FileDeleted: File deletion events
FileName: Name of deleted file
search: Filter by file extensions or paths

Related Tools

References

https://www.reddit.com/r/crowdstrike/?f=flair_name%3A%22CQF%22

Threat Hunting Windows Web-based

Query CrowdStrike Falcon for PowerShell execution events to detect obfuscated commands, encoded scripts, and suspicious PowerShell activity.

Detect malicious PowerShell execution that uses obfuscation techniques like Base64 encoding, download strings, or encoded commands.

crowdstrikecqlpowershellobfuscationthreat-hunting

Command/Usage

event_platform=Win event_simpleName=ProcessRollup2 | search FileName="powershell.exe" CommandLine="*encodedcommand*" | table ComputerName, UserName, CommandLine

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=ProcessRollup2 | search FileName="powershell.exe" CommandLine="*downloadstring*" | table ComputerName, UserName, CommandLine

event_platform=Win event_simpleName=ProcessRollup2 | search FileName="powershell.exe" CommandLine="*frombase64string*" | table ComputerName, UserName, CommandLine

event_platform=Win event_simpleName=ProcessRollup2 | search FileName="powershell.exe" CommandLine="*iex*" OR CommandLine="*invoke-expression*" | table ComputerName, UserName, CommandLine

Common Options/Flags

event_simpleName=ProcessRollup2: Process execution events
FileName="powershell.exe": Filter for PowerShell
CommandLine: Search command-line arguments
search: Filter by obfuscation patterns

Related Tools

References

Threat Hunting Windows Web-based

Query CrowdStrike Falcon to detect lateral movement by analyzing authentication events, network connections, and process execution across multiple systems.

Identify compromised accounts being used to move laterally across the network by detecting logons to multiple systems from a single user account.

crowdstrikecqllateral-movementauthenticationthreat-hunting

Command/Usage

event_platform=Win event_simpleName=UserLogon | stats dc(ComputerName) as unique_hosts by UserName | search unique_hosts>3

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=UserLogon | search UserName="admin" | stats count by ComputerName, UserName

event_platform=Win event_simpleName=NetworkConnectIP4 | search RemoteIP="10.0.0.*" | stats count by ComputerName, RemoteIP

event_platform=Win event_simpleName=ProcessRollup2 | search FileName="psexec.exe" OR FileName="wmic.exe" | table ComputerName, UserName, CommandLine

Common Options/Flags

event_simpleName=UserLogon: User authentication events
stats dc(): Distinct count function
search: Filter by threshold values
NetworkConnectIP4: Network connection events

Related Tools

References

Endpoint Detection Windows Web-based

Query CrowdStrike Falcon for Alternate Data Stream (ADS) activity to detect hidden malicious payloads stored in NTFS file streams.

Detect when attackers hide malicious payloads in Alternate Data Streams to evade traditional file scanning and detection.

crowdstrikecqladsntfsfile-forensics

Command/Usage

event_platform=Win event_simpleName=FileWritten | search TargetFileName="*:*" | table ComputerName, UserName, TargetFileName

Installation

CrowdStrike Falcon Console access required

Additional Examples

event_platform=Win event_simpleName=FileWritten | search TargetFileName="*:*" | stats count by ComputerName, TargetFileName

event_platform=Win event_simpleName=ProcessRollup2 | search CommandLine="*:stream*" | table ComputerName, UserName, CommandLine

Common Options/Flags

event_simpleName=FileWritten: File write events
TargetFileName="*:*": Pattern matching ADS syntax
search: Filter for colon in filename (ADS indicator)

Splunk - Failed Authentication Hunt

Command/Usage

Installation

Additional Examples

Common Options/Flags

Related Tools

References

ELK - Lateral Movement Detection

Command/Usage

Installation

Additional Examples

Related Tools

References

Windows Event Log - Successful Logon Analysis

Command/Usage

Installation

Additional Examples

Common Options/Flags

Related Tools

References

Syslog Parsing - Failed SSH Attempts

Command/Usage

Installation

Additional Examples

Related Tools

References

Volatility - List Running Processes

Command/Usage

Installation

Additional Examples

Common Options/Flags

Related Tools

References

Volatility - Network Connections

Command/Usage

Installation

Additional Examples

Related Tools

References

Live Response - Timeline Creation

Command/Usage

Installation

Additional Examples

Related Tools

References

Windows Artifact Collection Script

Command/Usage

Installation

Additional Examples

Related Tools

References

Wireshark - HTTP Traffic Filter

Command/Usage

Installation

Additional Examples

Common Options/Flags

Related Tools

Related Blog Posts

References

tcpdump - DNS Query Capture

Command/Usage

Installation

Additional Examples

Common Options/Flags

Related Tools

Related Blog Posts

References

Zeek - HTTP Analysis

Command/Usage

Installation

Additional Examples

Related Tools

References

NetFlow Analysis - Suspicious Connections

Command/Usage

Installation

Additional Examples

Related Tools

References

PowerShell - Process Investigation