From 2af50101fc3d68d70bdc65bcf7c1bafcda7907fb Mon Sep 17 00:00:00 2001
From: "byteray-cql-hub-bot[bot]" <261226166+byteray-cql-hub-bot[bot]@users.noreply.github.com>
Date: Fri, 5 Jun 2026 13:22:18 +0000
Subject: [PATCH] Add query: Process Execution directly from SMB share or SMB-mapped path
---
 ...ctly_from_smb_share_or_smb_mapped_path.yml | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 queries/process_execution_directly_from_smb_share_or_smb_mapped_path.yml
diff --git a/queries/process_execution_directly_from_smb_share_or_smb_mapped_path.yml b/queries/process_execution_directly_from_smb_share_or_smb_mapped_path.yml
new file mode 100644
index 0000000..ccc9e60
--- /dev/null
+++ b/queries/process_execution_directly_from_smb_share_or_smb_mapped_path.yml
@@ -0,0 +1,41 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Process Execution directly from SMB share or SMB-mapped path
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+ - T1570
+
+# Description of what the query does and its purpose.
+description: |
+ This query detects remote process execution over SMB (Server Message Block) on CrowdStrike Falcon monitored endpoints — a strong indicator of lateral movement, remote code execution, or ransomware spreading across the network.
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+ - Endpoint
+
+# The CrowdStrike modules required to run this query.
+cs_required_modules:
+ - Insight
+
+# Tags for filtering and categorization.
+tags:
+ - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+ | #Vendor = crowdstrike
+ | #repo = "base_sensor"
+ | "#event_simpleName"="ProcessExecOnSMBFile"
+ | table([@timestamp,UserName,ComputerName,ClientComputerName,LocalAddressIP4,RemoteAddressIP4])
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+ This query detects remote process execution over SMB (Server Message Block) on CrowdStrike Falcon monitored endpoints — a strong indicator of lateral movement, remote code execution, or ransomware spreading across the network.
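Review bot: The `description` and `explanation` blocks claim the query "detects remote process execution over SMB", but the selected event, `"#event_simpleName"="ProcessExecOnSMBFile"`, and the query's own `name` point at a process whose image is executed from an SMB share or mapped path — the endpoint-side view of a file executed from a share, not the remote-execution primitive itself — so the wording overstates what a single hit proves and should be reworded to match the event. The `table()` projection on the `cql` block omits the executed image and command line, leaving an analyst with a host, a user and addresses but nothing identifying what ran; if the event carries them, adding `ImageFileName` and `CommandLine` (field names to confirm against the event schema) to the field list would make triage possible. The `explanation` block repeats the `description` verbatim and gives no tuning guidance, yet software-deployment and logon-script executions from file shares are a routine benign source of this event, so a sentence naming such expected sources and recommending a baseline by `ClientComputerName` or share path would be more useful than the duplicate. `#repo = "base_sensor"` is tenant-specific and deserves a comment such as `# repo name varies by tenant; adjust if your sensor data lands elsewhere`.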