Here we share practical, field-tested content such as SIEM queries from our comprehensive use-case catalog, which we have successfully validated across a wide range of customer environments.
Our goal is to simplify the daily work of security teams and enhance the effectiveness of CrowdStrike NG-SIEM and Falcon LogScale in real-world scenarios. We focus on Detection Engineering and Threat Hunting.
As part of our work with CrowdStrike NextGen SIEM, we have published a set of specialized PowerShell hunting queries. They help analysts identify and assess suspicious activity involving PowerShell.
The released queries cover the following scenarios:
- PowerShell Downloads: Detecting file downloads initiated via PowerShell scripts.
- PowerShell Obfuscation: Identifying obfuscated PowerShell commands intended to bypass detection mechanisms.
- Rare PowerShell Parents: Analyzing uncommon parent processes that launch PowerShell.
- Suspicious PowerShell Command Length: Detecting unusually long command lines that may indicate malicious behavior.
All queries are based on realistic use cases and have been successfully tested in different customer environments. They provide a fast and effective entry point for threat hunting focused on PowerShell misuse.
In addition to sharing our knowledge freely here on GitHub, we also offer Professional & Managed Services.
Our services include:
- SIEM strategy consulting & architecture design
- Custom use-case development
- Onboarding & enablement
- Detection engineering and threat hunting
- Managed SIEM operations
Visit us at: www.byteray.com