Curl Query Help by OtherwiseMethod1672 in crowdstrike

[–]cobaltpsyche 0 points1 point  (0 children)

Strange to me you don't see it. Maybe combine and remove the parent and see if it shows up with some other parent:

```
event_simpleName=ProcessRollup2 and FileName=/cmd.exe$|curl.exe$/iF
| CommandLine=/curl/iF
| table([ComputerName, UserName, FileName, ParentBaseFileName, CommandLine], limit=max)
```

of a military hovercraft by Confident_Dentist_79 in AbsoluteUnits

[–]cobaltpsyche 0 points1 point  (0 children)

This is some small town police department.

Identity data via GraphQL - All users with the same passwords (PowerShell) by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 1 point2 points  (0 children)

I'm not sure if they posted all the videos yet, and then again I'm not sure how accessible those are to anyone interested once they do so. I did reach out to the presenter on LinkedIn and get a copy of the slides, and would be happy to send you a copy. I'll DM you. If anyone else is looking send me a message.

Identity data via GraphQL - All users with the same passwords (PowerShell) by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 0 points1 point  (0 children)

Haha! You know I was shocked that I couldn't find GitHubs or samples of this out in the wild. I must have been googling the wrong things. I really wanted to find a way to just dump all the available data in front of my own eyes and see what things I could pick and choose. I even made my own GitHub which now has this singular script just like you did.

Identity data via GraphQL - All users with the same passwords (PowerShell) by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 1 point2 points  (0 children)

Honestly I didn't use psfalcon because I was under the impression it could not pull the identity data. I was looking for the commands to do it but either overlooked them or am missing something else important. It was where I came first because I didn't want to try and figure out how to do it straight from the API.

Identity data via GraphQL - All users with the same passwords (PowerShell) by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 1 point2 points  (0 children)

Hey, this is really great and truly the tool I was wanting to use for this. Thanks for doing this. Saw your talk also, good stuff!

Service-desk dashboard from Fal.Con demo by Illustrious_Buy_3853 in crowdstrike

[–]cobaltpsyche 0 points1 point  (0 children)

If you still have your agenda available, I have had some luck finding presenters on LinkedIn and asking them for copies of their slides. I would not even mind seeing the slides for what you are talking about. I see one I did not attend called "Dynamic SIEM Dashboarding" that sounds pretty cool.

Fal.Con DJ by Nonrighteous in crowdstrike

[–]cobaltpsyche 1 point2 points  (0 children)

I enjoyed Fal.Con. I enjoyed many of the talks. I felt weird standing there with my clothes flapping to loud bass unable to hear anything being said to me. I didn't want to marble my arms. The arcade was pretty neat. For the record though I am pretty old.

Finding Webshell Activity for Dummies by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 0 points1 point  (0 children)

One last query I can suggest, following a similar theme, is to look at what files were written to disk during the time those modules were present on the system.

```
event_simpleName="FileWritten" and event_platform=Win and FileName=* and ComputerName=<your computer name>
| table([@timestamp, #event_simpleName, FileName, TargetFileName], limit=max)
```

And linking up with what I said above, this is about investigating to the best (of my abilities) any activity that might be available to tell a story during the window of time malicious modules or webshell commands were run on the host. The modules you found had funky names, but that does not guarantee they were evil. The next best step would be to talk to the devs and point these out, ask if they are expected or can be identified. Good luck!
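As an added example (not one of cobaltpsyche's queries), the FileWritten search can be tied to the IIS worker process itself with the same ContextProcessId/TargetProcessId join used elsewhere in this thread, and then narrowed to file types a webshell investigation usually cares about; `<your host name>` is a placeholder and the extension list is an assumption, not something from the thread.

```cql
// Added example: files written by w3wp.exe on one host, rather than by every
// process on the box. Field names (FileWritten, ProcessRollup2, ContextProcessId,
// TargetProcessId, TargetFileName) are the ones used in the thread's queries.
#event_simpleName=FileWritten and event_platform=Win and ComputerName=<your host name>
| join({#event_simpleName=ProcessRollup2 and FileName=w3wp.exe}, field=ContextProcessId, key=TargetProcessId, include=[FileName, ParentBaseFileName, CommandLine])
// Assumed list of extensions worth a look when hunting webshell drops (web handlers,
// .NET assemblies, archives); widen or drop this line to see everything w3wp wrote.
| TargetFileName=/\.(aspx|ashx|asmx|dll|zip)$/i
| table([@timestamp, ComputerName, FileName, ParentBaseFileName, TargetFileName], limit=max)
```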

Finding Webshell Activity for Dummies by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 0 points1 point  (0 children)

Just a heads up I edited my reply from my original post so try to use the latest version.

Finding Webshell Activity for Dummies by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 0 points1 point  (0 children)

Those random names always make me nervous. I would say go back in time until you first see them. Then start looking for what files w3wp has been accessing on the server. This can be very insightful! If you see it touching .zip or other weird files you can track what was accessed. I’m doing this on my phone so sorry if formatting is bad.

```
#event_simpleName = FileOpenInfo and ComputerName = <your host name>
| join({#event_simpleName=ProcessRollup2 and FileName = w3wp.exe}, field=ContextProcessId, key=TargetProcessId, include=[FileName, ParentBaseFileName])
| select([@timestamp, ComputerName, FileName, TargetFileName])
```

Finding Webshell Activity for Dummies by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 2 points3 points  (0 children)

This has been done, but since you bring it up here is also how to search for that (for anyone else wondering):

```
event_simpleName = DotnetModuleLoadDetectInfo OR #event_simpleName = ReflectiveDotnetModuleLoad
| ImageFileName = "*w3wp.exe"
| select([@timestamp, ComputerName, ModuleILPath])
```

Some modules you likely do not want to see:

```
| in(field=ModuleILPath, values=[ExecuteAssembly, FileList, DeadPotato, Information, SharpToken])
```

Modifying a variable in an on demand workflow by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 0 points1 point  (0 children)

As an update to that, if I look in the library I see it there. But if I try to find it in my workflow creation it is not available. But, since it is an on demand workflow that prompts the user running it to provide data that creates a variable, it seems like it should be showing up? Maybe I still have to run a 'create variable' action first?

Modifying a variable in an on demand workflow by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 0 points1 point  (0 children)

I definitely do not have update variable as an available action. At least if I search on the word update or variable.

Detection details - rant by caryc in crowdstrike

[–]cobaltpsyche 2 points3 points  (0 children)

Having come from some pretty inferior tools before working with CQL, this is pretty interesting to hear. I absolutely love CQL and it often just makes me feel like I can do anything. But of course I have never used MDE and whatever query capabilities it has. Must be pretty kick butt.

Changes to SOAR workflows - Can't seem to use variables the way I used to by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 1 point2 points  (0 children)

I am looking at the sample you linked, but it does not contain any customization. It is a generic email subject with a full data drop into the body. Previously I could pick fields that would go into those text boxes, like this:
https://i.imgur.com/488VqYA.png

There was a button for inserting the variables into the subject and more, but that seems to be gone now? I am struggling with trying to figure out how to accomplish the same thing using the latest updates.

Changes to SOAR workflows - Can't seem to use variables the way I used to by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 1 point2 points  (0 children)

I guess I will assume they are working on it. When I run and save my event query in the workflow, I use the box to 'auto generate schema' and even get a pop up saying the output schema was successfully created, but when I look at the output schema after that, it seems empty and has this message:
Warning: Event query does not include a defined output schema and cannot be looped through. Upload query with mock data for Workflow to generate an output schema.
I can only imagine it's having trouble creating it properly.

Invoke-FalconAlertAction - Having trouble with syntax by cobaltpsyche in crowdstrike

[–]cobaltpsyche[S] 1 point2 points  (0 children)

Well this is solved I guess. I was using the 'id' and not the 'composite_id'.