New Query: Suspicious DLL / Module loads

queries/suspicious_dll_module_loads.yml

@@ -0,0 +1,44 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Suspicious DLL / Module loads
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+  - T1036
+
+# Description of what the query does and its purpose.
+description: |
+  This query will show all the suspicious DLL/module loads that CrowdStrike has flagged as detections, where all the endpoint are involved, along with the process and parent process details
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+  - Endpoint
+
+# The CrowdStrike modules required to run this query.
+cs_required_modules:
+  - Insight
+
+# Tags for filtering and categorization.
+tags:
+  - Hunting
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  | #Vendor = crowdstrike
+  | #repo = "base_sensor"
+  | "#event_simpleName" = "ModuleLoadV3DetectInfo"
+  | aid=?aid
+  //| ComputerName="XXXXX"//Enter computer name to check for specific endpoint
+  | groupBy([ComputerName,aid], function=[collect(FileName),collect(FilePath),collect(ImageFileName),collect(ParentCommandLine),count(as=total_module_loads)])
+  | sort(total_module_loads, order=desc)
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+  This query will show all the suspicious DLL/module loads that CrowdStrike has flagged as detections, where all the endpoint are involved, along with the process and parent process details