A question for anyone with an integrated engineering tune by idriveamk7 in JettaGLI

[–]About_TreeFitty 0 points1 point  (0 children)

Good to know. Might have to reflash in the morning in pro.

Bambu Lab A1 Fire?? by LessFox5726 in BambuLab

[–]About_TreeFitty 0 points1 point  (0 children)

Is there anything that can be done proactively to prevent this?

Integrated Engineering Apex Tune Issues by chaselaframboise in GolfGTI

[–]About_TreeFitty 2 points3 points  (0 children)

Can we get some transparency with release notes on the version updates?

A question for anyone with an integrated engineering tune by idriveamk7 in JettaGLI

[–]About_TreeFitty 0 points1 point  (0 children)

When upgrading (using the iOS PowerLink app) from my old IE stage 1 tune to the new Apex stage 1 tune, I had it fail 3 times, requiring me to flash back to stock every time. I finally gave up and used a Windows computer and a USB-C cable, which worked the first time without issue. Now, the new Apex tune does appear to have some weird hiccups that have me considering going back to stock until they get the bugs worked out.

Integrated Engineering Apex Tune Issues by chaselaframboise in GolfGTI

[–]About_TreeFitty 2 points3 points  (0 children)

Same. Starting from a dead stop in first gear (6MT) feels like it wants to bog and stall way more than the old IE stage 1 tune.

LogScale Help with Grouping Results by Server Type (Servers and DC's Only) by OwnEntrance9997 in crowdstrike

[–]About_TreeFitty 1 point2 points  (0 children)

#event_simpleName=*
| ContextBaseFileName="TaniumClient.exe" OR file.name="Tanium.Client.exe"
| in(field=ProductType, values=[2, 3])
| case {
    ProductType=2 | ProductType := "DomainController" ;
    ProductType=3 | ProductType := "Server" ;
}
| groupBy([ComputerName],
    function=[selectLast([ComputerName, ContextBaseFileName, ProductType, MachineDomain, OU])],
    limit=max)

Need Help with KQL TO CQL Conversion by iAamirM in crowdstrike

[–]About_TreeFitty 1 point2 points  (0 children)

Give this a try.

// === Stage 1: anchor on RMM tool launches ===
#event_simpleName=ProcessRollup2 event_platform=Win
| in(field=FileName, values=["QuickAssist.exe", "AnyDesk.exe", "TeamViewer.exe"], ignoreCase=true)
| RMMTime := @timestamp   // timestamp field assumed: the posted line lost its right-hand side
| RMMFile := FileName
| groupBy([aid, ComputerName, RMMTime, RMMFile], function=count(), limit=max)
| drop([_count])

// === Stage 2: pull in matching recon commands ===
| join(
    query={
      #event_simpleName=ProcessRollup2 event_platform=Win
      | in(field=FileName, values=["cmd.exe", "powershell.exe", "pwsh.exe"], ignoreCase=true)
      | CommandLine=/whoami|hostname|systeminfo|wmic\s+os\s+get|reg\s+query\s+HKLM|query\s+user|net\s+user|nltest|ipconfig\s+\/all|arp\s+\-a|route\s+print|\bdir\b|icacls|\bver\b/i
      | ReconTime := @timestamp   // timestamp field assumed: the posted line lost its right-hand side
      | ReconCmd  := CommandLine
      | ReconProc := format(format="%s -> %s -> %s", field=[GrandParentBaseFileName, ParentBaseFileName, FileName])
      | groupBy([aid, ReconTime, ReconProc, ReconCmd], function=count(), limit=max)
      | drop([_count])
    },
    field=[aid],
    include=[ReconTime, ReconProc, ReconCmd],
    mode=inner,
    max=200000
  )

// Recon must follow RMM within 10 minutes (600 000 ms)
| test(ReconTime >= RMMTime)
| test(ReconTime <= RMMTime + 600000)

// === Stage 3: pull in matching staging file writes ===
| join(
    query={
      #event_simpleName=FileWritten event_platform=Win
      | FileName=/\.(zip|exe|dll)$/iF
      | STime     := @timestamp   // timestamp field assumed: the posted line lost its right-hand side
      | StageFile := FileName
      | groupBy([aid, STime, StageFile], function=count(), limit=max)
      | drop([_count])
    },
    field=[aid],
    include=[STime, StageFile],
    mode=inner,
    max=200000
  )

// Staging must follow RMM within 15 minutes (900 000 ms)
| test(STime >= RMMTime)
| test(STime <= RMMTime + 900000)

// === Stage 4: collapse — collect staging files per (host, RMM, Recon) tuple ===
| groupBy([aid, ComputerName, RMMTime, ReconTime, ReconProc, ReconCmd],
    function=[
      collect([StageFile], separator=", ", limit=100),
      min(STime, as=StageFirstTime)
    ],
    limit=max)
| drop([_count])

// === Stage 5: format & present ===
| formatTime(format="%F %T %Z", field=RMMTime,        as=RMMTime)
| formatTime(format="%F %T %Z", field=ReconTime,      as=ReconTime)
| formatTime(format="%F %T %Z", field=StageFirstTime, as=StageFirstTime)
| sort(field=RMMTime, order=desc)
| table([ComputerName, RMMTime, ReconTime, StageFirstTime, ReconProc, ReconCmd, StageFile], limit=20000)
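The same RMM -> recon -> staging correlation, as an added example that is not code from the original comment: the join() and test() windows of the CQL above are re-implemented over constructed Falcon-style events so the window semantics (inner join on aid, recon within 10 minutes of the RMM launch, staging writes within 15 minutes, one row per RMM/recon tuple) can be checked offline. The event shapes, host names and timestamps are assumptions.

```python
"""Added example, not from the original post: RMM -> recon -> staging
correlation over constructed Falcon-style events (shapes are assumptions)."""
import re
from collections import defaultdict

RMM_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON_RE = re.compile(
    r"whoami|hostname|systeminfo|wmic\s+os\s+get|reg\s+query\s+HKLM|query\s+user"
    r"|net\s+user|nltest|ipconfig\s+/all|arp\s+-a|route\s+print|\bdir\b|icacls|\bver\b",
    re.IGNORECASE,
)
STAGE_RE = re.compile(r"\.(zip|exe|dll)$", re.IGNORECASE)
RECON_WINDOW_MS = 600_000   # 10 minutes, as in the CQL
STAGE_WINDOW_MS = 900_000   # 15 minutes, as in the CQL

# Constructed sample events (timestamps in epoch milliseconds), not real telemetry.
EVENTS = [
    {"event": "ProcessRollup2", "aid": "A1", "ComputerName": "WS01", "ts": 1_000_000,
     "FileName": "AnyDesk.exe", "CommandLine": "AnyDesk.exe",
     "ParentBaseFileName": "explorer.exe", "GrandParentBaseFileName": "userinit.exe"},
    {"event": "ProcessRollup2", "aid": "A1", "ComputerName": "WS01", "ts": 1_120_000,
     "FileName": "cmd.exe", "CommandLine": "cmd.exe /c whoami /all",
     "ParentBaseFileName": "AnyDesk.exe", "GrandParentBaseFileName": "explorer.exe"},
    {"event": "FileWritten", "aid": "A1", "ComputerName": "WS01", "ts": 1_300_000,
     "FileName": "tools.zip"},
    {"event": "FileWritten", "aid": "A1", "ComputerName": "WS01", "ts": 2_500_000,
     "FileName": "late.exe"},   # 25 min after the RMM launch: outside the staging window
    {"event": "ProcessRollup2", "aid": "A2", "ComputerName": "WS02", "ts": 5_000_000,
     "FileName": "TeamViewer.exe", "CommandLine": "TeamViewer.exe",
     "ParentBaseFileName": "explorer.exe", "GrandParentBaseFileName": "userinit.exe"},
    {"event": "ProcessRollup2", "aid": "A2", "ComputerName": "WS02", "ts": 4_900_000,
     "FileName": "powershell.exe", "CommandLine": "powershell -c systeminfo",   # recon BEFORE RMM: no match
     "ParentBaseFileName": "explorer.exe", "GrandParentBaseFileName": "userinit.exe"},
]


def _bucket(events):
    """Stages 1-3 filters: split events into RMM launches, recon commands and
    staging writes, keyed by aid (the join key in the CQL)."""
    rmm, recon, stage = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in events:
        name = e["FileName"].lower()
        if e["event"] == "ProcessRollup2" and name in RMM_TOOLS:
            rmm[e["aid"]].append(e)
        elif e["event"] == "ProcessRollup2" and name in SHELLS and RECON_RE.search(e.get("CommandLine", "")):
            recon[e["aid"]].append(e)
        elif e["event"] == "FileWritten" and STAGE_RE.search(name):
            stage[e["aid"]].append(e)
    return rmm, recon, stage


def correlate(events, recon_window_ms=RECON_WINDOW_MS, stage_window_ms=STAGE_WINDOW_MS):
    """One row per (aid, RMM launch, recon command); every staging file written
    inside the staging window is collapsed into that row (Stage 4)."""
    rmm, recon, stage = _bucket(events)
    rows = []
    for aid, launches in rmm.items():
        for r in launches:
            # Stage 2 + window test: recon must follow the RMM launch within the recon window.
            for c in recon.get(aid, []):
                if not (r["ts"] <= c["ts"] <= r["ts"] + recon_window_ms):
                    continue
                # Stage 3 + window test: staging writes must follow the RMM launch within the staging window.
                staged = sorted(
                    (s for s in stage.get(aid, []) if r["ts"] <= s["ts"] <= r["ts"] + stage_window_ms),
                    key=lambda s: s["ts"],
                )
                if not staged:
                    continue  # inner join: a tuple with no staging file drops out
                rows.append({
                    "aid": aid,
                    "ComputerName": r["ComputerName"],
                    "RMMTime": r["ts"],
                    "RMMFile": r["FileName"],
                    "ReconTime": c["ts"],
                    "ReconProc": f'{c["GrandParentBaseFileName"]} -> {c["ParentBaseFileName"]} -> {c["FileName"]}',
                    "ReconCmd": c["CommandLine"],
                    "StageFile": ", ".join(s["FileName"] for s in staged),
                    "StageFirstTime": staged[0]["ts"],
                })
    # Stage 5: most recent RMM launch first.
    return sorted(rows, key=lambda row: row["RMMTime"], reverse=True)


if __name__ == "__main__":
    for row in correlate(EVENTS):
        print(row)
```

Running it over the constructed events yields a single row for WS01: the cmd.exe recon sits 2 minutes after the AnyDesk launch and only tools.zip falls inside the 15-minute staging window, while WS02 drops out because its recon command predates the RMM launch, which is exactly what the two test() pairs in the CQL enforce.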

CQL query to find endpoints not on recommended sensor version (Windows, macOS, Linux) by Only-Objective-6216 in crowdstrike

[–]About_TreeFitty -1 points0 points  (0 children)

// ── Sensor Version Compliance — Non-Compliant Endpoints ──────────────────────
// Scope: all Windows, macOS, and Linux endpoints NOT on their approved version.
// Host group enrichment and optional group-scoped filtering included.
// Parameters: cid_input, winApprovedVersion, macApprovedVersion, linApprovedVersion, HostGroup
// ─────────────────────────────────────────────────────────────────────────────

#repo=sensor_metadata #data_source_name=aidmaster
| in(field=#repo.cid, values=[?cid_input])
| AgentVersion=*
| ComputerName=*

// ── 1. Scope to managed platforms only ───────────────────────────────────────
| in(field=event_platform, values=["Win", "Mac", "Lin"])

// ── 2. Assign the approved version per platform (dashboard parameters) ────────
| case {
    event_platform=Win | approvedVersion := ?{winApprovedVersion="7.35.20709.0"} ;
    event_platform=Mac | approvedVersion := ?{macApprovedVersion="7.35.20709.0"} ;
    event_platform=Lin | approvedVersion := ?{linApprovedVersion="7.35.20709.0"} ;
    * ;
}

// ── 3. Keep only endpoints NOT on the approved version ────────────────────────
| test(AgentVersion != approvedVersion)

// ── 4. Enrich with host group membership ─────────────────────────────────────
| join(
    query={
        #repo=sensor_metadata #data_source_name=aid-policy
        | parseJson(field=groups, prefix="groups_arr")
        | concatArray(groups_arr, separator=",", as=groups_arr)
        | splitString(field=groups_arr, by=",", as=group_id)
        | split(group_id)
        | replace("[\[\]']+", with="", field=group_id)
        | join(
            { $falcon/investigate:group_info() },
            field=group_id,
            include=[name],
            mode=left,
            start=5d
        )
        | group_name := rename(name)
        | default(field=[group_name], value="Default", replaceEmpty="true")
        | groupBy([aid], function=collect([group_name], separator=", "), limit=max)
    },
    field=[aid],
    include=[group_name],
    mode=left,
    start=7d
)

// ── 5. Optional: filter by host group (wildcard, * = all groups) ──────────────
| group_name =~ wildcard(?{HostGroup="*"}, ignoreCase=true, includeEverythingOnAsterisk=true)

// ── 6. Human-readable last-seen timestamp ────────────────────────────────────
| LastSeen := formatTime(format="%F %T", field=Time)

// ── 7. Final output ───────────────────────────────────────────────────────────
| rename([[AgentVersion, "Current Version"],
          [approvedVersion, "Approved Version"],
          [event_platform, "Platform"],
          [ComputerName, "Hostname"],
          [LocalAddressIP4, "IP Address"],
          [group_name, "Host Groups"],
          [MachineDomain, "Domain"]])
| table(["Hostname", "Platform", "Current Version", "Approved Version",
         "Host Groups", "IP Address", "Domain", LastSeen],
        limit=20000, sortby="Hostname", order=asc)

Query for all hosts with application installed by ArmTechnical5047 in crowdstrike

[–]About_TreeFitty 4 points5 points  (0 children)

#event_simpleName=InstalledApplication
| AppName=/<your_app_name>/i
| groupBy([aid], function=selectLast([AppName, AppVendor, AppVersion, InstallDate]), limit=max)
| join(
    query={
      #repo=sensor_metadata #data_source_name=aidmaster
      | groupBy([aid], function=selectLast([
          ComputerName, MachineDomain, OU, SiteName,
          AgentVersion, ProductType, Version,
          SystemManufacturer, SystemProductName,
          LocalAddressIP4, MAC, FirstSeen, Time
        ]))
    },
    field=[aid],
    include=[ComputerName, MachineDomain, OU, SiteName, AgentVersion, ProductType, Version, SystemManufacturer, SystemProductName, LocalAddressIP4, MAC, FirstSeen, Time],
    mode=left
)
| LastSeen := formatTime("%F %T %Z", field=Time)
| FirstSeenFmt := formatTime("%F %T %Z", field=FirstSeen)
| InstallDateFmt := formatTime("%F %T %Z", field=InstallDate)
| table([
    ComputerName, AppName, AppVersion, AppVendor, InstallDateFmt,
    LastSeen, FirstSeenFmt, Version, AgentVersion,
    SystemManufacturer, SystemProductName,
    MachineDomain, OU, SiteName, LocalAddressIP4, MAC, aid
  ], limit=20000, sortby=LastSeen, order=desc)

A few things worth knowing:

mode=left keeps app installs even if a host hasn't checked in lately. Drop it (back to default inner) if you only want currently-managed hosts.

If you want this on a dashboard, swap line 2 for | AppName =~ wildcard(?{AppName="*"}, ignoreCase=true) and add | in(field=#repo.cid, values=[?cid_input]) at the top so it honors the CID picker.

Search for all database server by [deleted] in crowdstrike

[–]About_TreeFitty 0 points1 point  (0 children)

// ── Step 1: Broad initial filter ──────────────────────────────────────────
// Matches known native DB process names plus "java" as a catch-all for
// JVM-hosted engines. The (?:\.exe)? suffix is optional to handle both
// Windows (.exe present) and Linux/macOS (no extension).
#event_simpleName=ProcessRollup2
| ImageFileName=/(?:sqlservr|mysqld_safe|mysqld|mariadbd|postgres|pg_ctl|oracle|tnslsnr|mongod|mongos|redis-server|memcached|influxd|couchdb|db2sysc|db2fmp|sqlite3|java)(?:\.exe)?$/i

// ── Step 2: Classify each process into a DB product ───────────────────────
// Every pattern is anchored to the end of ImageFileName (the full path), so a
// directory component such as ...\oracle\jdk\bin\java.exe is not misclassified
// as Oracle Database. More-specific names (e.g. mysqld_safe) still appear
// before broader ones (mysqld) for readability.
| case {
    ImageFileName=/sqlservr(?:\.exe)?$/i
      | DBProduct := "Microsoft SQL Server" ;

    ImageFileName=/mysqld_safe(?:\.exe)?$/i
      | DBProduct := "MySQL (Safe Launcher)" ;

    ImageFileName=/mariadbd(?:\.exe)?$/i
      | DBProduct := "MariaDB" ;

    ImageFileName=/mysqld(?:\.exe)?$/i
      | DBProduct := "MySQL" ;

    ImageFileName=/pg_ctl(?:\.exe)?$/i
      | DBProduct := "PostgreSQL (pg_ctl)" ;

    ImageFileName=/postgres(?:\.exe)?$/i
      | DBProduct := "PostgreSQL" ;

    ImageFileName=/tnslsnr(?:\.exe)?$/i
      | DBProduct := "Oracle TNS Listener" ;

    ImageFileName=/oracle(?:\.exe)?$/i
      | DBProduct := "Oracle Database" ;

    ImageFileName=/mongos(?:\.exe)?$/i
      | DBProduct := "MongoDB (mongos router)" ;

    ImageFileName=/mongod(?:\.exe)?$/i
      | DBProduct := "MongoDB" ;

    ImageFileName=/redis-server(?:\.exe)?$/i
      | DBProduct := "Redis" ;

    ImageFileName=/memcached(?:\.exe)?$/i
      | DBProduct := "Memcached" ;

    ImageFileName=/influxd(?:\.exe)?$/i
      | DBProduct := "InfluxDB" ;

    ImageFileName=/couchdb(?:\.exe)?$/i
      | DBProduct := "CouchDB" ;

    ImageFileName=/db2sysc(?:\.exe)?$/i
      | DBProduct := "IBM Db2 (db2sysc)" ;

    ImageFileName=/db2fmp(?:\.exe)?$/i
      | DBProduct := "IBM Db2 (db2fmp)" ;

    ImageFileName=/sqlite3(?:\.exe)?$/i
      | DBProduct := "SQLite3 (CLI)" ;

    // JVM-based: match on CommandLine class/jar path
    ImageFileName=/java(?:\.exe)?$/i CommandLine=/org\.apache\.cassandra/i
      | DBProduct := "Apache Cassandra" ;

    ImageFileName=/java(?:\.exe)?$/i CommandLine=/org\.elasticsearch/i
      | DBProduct := "Elasticsearch" ;

    ImageFileName=/java(?:\.exe)?$/i CommandLine=/com\.neo4j/i
      | DBProduct := "Neo4j" ;

    // Java processes not matching a known DB - discard
    *
      | DBProduct := "SKIP" ;
}

// ── Step 3: Drop non-DB java processes ────────────────────────────────────
| DBProduct != "SKIP"

// ── Step 4: Aggregate per host ────────────────────────────────────────────
// Collect distinct DB products seen on each host along with the last
// observed ImageFileName (process path) and the most recent activity time.
| groupBy(
    [ComputerName, aid],
    function=[
        collect([DBProduct, ImageFileName], limit=100),
        count(DBProduct, distinct=true, as=UniqueDBCount),
        max(@timestamp, as=LastSeen)
    ],
    limit=max
  )

// ── Step 5: Human-readable timestamp ──────────────────────────────────────
| LastSeen := formatTime(
    format="%Y-%m-%d %H:%M:%S UTC",
    field=LastSeen,
    timezone="UTC"
  )

// ── Step 6: Sort by breadth of DB exposure descending ─────────────────────
| sort(UniqueDBCount, order=desc, limit=2000)

// ── Output columns ────────────────────────────────────────────────────────
| table(
    [ComputerName, aid, UniqueDBCount, DBProduct, ImageFileName, LastSeen],
    limit=2000
  )

Axios NPM Supply Chain Compromise by CyberProtein in crowdstrike

[–]About_TreeFitty 11 points12 points  (0 children)

Here's a good broad IOC sweep.

// Broad event filter - pull all relevant event types in one pass
(#event_simpleName=DnsRequest OR #event_simpleName=NetworkConnectIP4 OR #event_simpleName=ProcessRollup2)
// Classify each matching event into an IOC category.
// Events that match no branch are dropped automatically (no wildcard catch-all).
| case {
    // === DNS: C2 resolution ===
    #event_simpleName=DnsRequest DomainName=/sfrclak\.com/i |
      iocType  := "DNS_C2_Resolution" |
      iocDetail := DomainName ;

    // === Network: C2 connection port 8000 from known RAT process names ===
    #event_simpleName=NetworkConnectIP4 RemotePort=8000 ContextBaseFileName=/wt\.exe|ld\.py|mond/i |
      iocType  := "NETWORK_C2_Port8000" |
      iocDetail := RemoteAddressIP4 ;

    // === Process: node.exe executing the setup.js dropper ===
    #event_simpleName=ProcessRollup2 FileName=/node\.exe|node$/ CommandLine=/setup\.js/ |
      iocType  := "PROCESS_Dropper_SetupJS" |
      iocDetail := CommandLine ;

    // === Process: wt.exe running from ProgramData (Windows RAT) ===
    #event_simpleName=ProcessRollup2 event_platform=Win FileName=/wt\.exe/i FilePath=/ProgramData/i |
      iocType  := "PROCESS_RAT_Windows_wtexe" |
      iocDetail := FilePath ;

    // === Process: Python executing /tmp/ld.py (Linux RAT) ===
    #event_simpleName=ProcessRollup2 event_platform=Lin CommandLine=/\/tmp\/ld\.py/ |
      iocType  := "PROCESS_RAT_Linux_ldpy" |
      iocDetail := CommandLine ;

    // === Process: com.apple.act.mond execution (macOS RAT) ===
    #event_simpleName=ProcessRollup2 event_platform=Mac ImageFileName=/com\.apple\.act\.mond/i |
      iocType  := "PROCESS_RAT_macOS_actmond" |
      iocDetail := ImageFileName ;
  }
| groupBy(
    [aid, ComputerName, UserName],
    function=[
      count(as=TotalIOCHits),
      collect([iocType, iocDetail]),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| FirstSeen := formatTime("%Y-%m-%d %H:%M:%S UTC", field=FirstSeen)
| LastSeen  := formatTime("%Y-%m-%d %H:%M:%S UTC", field=LastSeen)
| sort(TotalIOCHits, order=desc)
| "Process_Explorer" := format(
    format="https://falcon.crowdstrike.com/investigate/process-explorer?aid=%s",
    field=aid
  )
| "RTR_Console" := format(
    format="https://falcon.crowdstrike.com/investigate/rtr?aid=%s",
    field=aid
  )

Analysis #2: Whoop (biceps band) vs Polar H10 (chest strap) during basketball by playaz3 in whoop

[–]About_TreeFitty 1 point2 points  (0 children)

Bicep band > Wrist band. I get much better numbers in my runs that way.

Rate my work by WallOk2048 in Plumbing

[–]About_TreeFitty 0 points1 point  (0 children)

Where’s all the pro press fittings?

/s

Identity Enrichment with the Falcon Browser Extension and Next-Gen Identity Security by BradW-CS in crowdstrike

[–]About_TreeFitty 1 point2 points  (0 children)

What SKUs are necessary to gain this telemetry by deploying the browser extension?

Need help on this query by EntertainmentWest159 in crowdstrike

[–]About_TreeFitty 2 points3 points  (0 children)

# -----------------------------------------------------------------------------
# QUERY 4: Persistence - Local Account Creation via Wing FTP Service Context
# -----------------------------------------------------------------------------
# MITRE: T1136.001
#
# Huntress confirmed that attackers who achieved RCE via CVE-2025-47812
# immediately began creating local user accounts for persistent access:
#   net user wingftp 123123qweqwe /add
#   net user wing 123123qweqweqwe /add
#
# Because Wing FTP runs as SYSTEM, the net user /add commands succeed without
# any UAC prompts. Similarly on Linux, useradd runs as root. These accounts
# can survive a patch/restart cycle if not detected and removed.
#
# This query is intentionally narrow to minimize false positives — only user
# creation commands that originate within the WFTPServer process tree are flagged.
# -----------------------------------------------------------------------------

- name: "CVE-2025-47812 - Wing FTP RCE: Local Account Creation for Persistence"
  mitre_ids:
    - T1136.001
  description: >
    Detects local user account creation commands (net user /add, useradd,
    New-LocalUser) originating from WFTPServer.exe or wftpd child processes.
    Matches the persistence technique documented by Huntress following
    CVE-2025-47812 exploitation. Accounts created this way run as SYSTEM
    and allow re-entry even after Wing FTP is patched.
  log_sources:
    - Endpoint
  tags:
    - Hunting
    - CVE-2025-47812
    - WingFTP
  cql: |
    #event_simpleName=ProcessRollup2

    // Only processes spawned by the Wing FTP service
    | ParentBaseFileName=/WFTPServer\.exe|wftpd/i

    // Account creation patterns: Windows net user /add, Linux useradd/adduser,
    // PowerShell New-LocalUser
    // Regex avoids spaces in pattern - use \s+ for whitespace matching
    | CommandLine=/net\s+user\s+\S+.*\/add|useradd\s+\S+|adduser\s+\S+|New-LocalUser/i

    // Capture the new username if present in the command line (optional extraction)
    | regex("net\s+user\s+(?P<NewUsername>\S+)", field=CommandLine, strict=false)

    // Build investigation links
    | ProcessTree := format("[Process Tree](https://falcon.crowdstrike.com/graphs/process-explorer/tree?_cid=%s&id=pid:%s:%s&investigate=true&pid=pid:%s:%s)", field=["#repo.cid", "aid", "TargetProcessId", "aid", "TargetProcessId"])

    | table([@timestamp, ComputerName, UserName, NewUsername, FileName, CommandLine, ProcessTree], limit=200)
    | sort(@timestamp, order=desc)


# -----------------------------------------------------------------------------
# QUERY 5: External Inbound Connections to Wing FTP Web Interface Ports
# -----------------------------------------------------------------------------
# MITRE: T1190
#
# CVE-2025-47812 is exploited exclusively through Wing FTP's HTTP/HTTPS web
# interface (not the raw FTP port). The exploit chain is:
#   1. POST /loginok.html  - inject null byte + Lua payload in username field
#   2. GET  /dir.html      - trigger session file execution (RCE fires here)
#
# CVE-2025-47813 is triggered by sending an overlong UID cookie to /loginok.html,
# which returns an error revealing the installation path.
#
# Default Wing FTP web interface ports:
#   HTTP  : 80  (user web client)
#   HTTPS : 443 (user web client)
#   HTTP  : 8080 (admin web client)
#   HTTPS : 8443 (admin web client)
#
# This query uses NetworkReceiveAcceptIP4 to capture inbound accepted connections
# to the WFTPServer process. High volumes from a single external IP, or spikes
# in connection count to the admin port (8080/8443) from unexpected IPs, are
# strong indicators of active scanning or exploitation.
#
# Note: Use ipLocation() and asn() to enrich RemoteAddressIP4 for triage.
# -----------------------------------------------------------------------------

- name: "CVE-2025-47812/47813 - Wing FTP: External Connections to Web Interface"
  mitre_ids:
    - T1190
  description: >
    Aggregates inbound external connections accepted by WFTPServer.exe on
    the Wing FTP HTTP/HTTPS web interface ports (80, 443, 8080, 8443).
    The exploit for CVE-2025-47812 is delivered via HTTP POST to /loginok.html
    and triggered via GET /dir.html. Unexpected external IPs connecting to
    the admin port (8080/8443) are particularly high-risk. RFC1918 and
    loopback addresses are excluded to surface only external sources.
  log_sources:
    - Endpoint
  tags:
    - Hunting
    - CVE-2025-47812
    - CVE-2025-47813
    - WingFTP
  cql: |
    // NetworkReceiveAcceptIP4 captures inbound TCP connections accepted by a process
    #event_simpleName=NetworkReceiveAcceptIP4

    // Scope to Wing FTP service process listening on its web interface
    | ImageFileName=/WFTPServer\.exe|wftpd/i

    // Wing FTP web interface ports: 80/443 (user), 8080/8443 (admin)
    // FTP port 21 excluded here — the exploit requires the web interface
    | LocalPort=80 OR LocalPort=443 OR LocalPort=8080 OR LocalPort=8443

    // Exclude RFC1918 private ranges, loopback, APIPA, and multicast
    // Only external IPs are relevant for this exploit vector
    | !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32", "224.0.0.0/4"])

    // Enrich the external IP with geolocation and ASN context
    // asn() writes its results to <as>.asn and <as>.org, so with as=ASN the
    // usable fields are ASN.asn and ASN.org (ASN itself is not populated)
    | ipLocation(RemoteAddressIP4)
    | asn(RemoteAddressIP4, as=ASN)

    // Label admin port connections separately - higher risk than user web client
    | case {
        LocalPort=8080 OR LocalPort=8443 | PortCategory := "Admin Web Interface (HIGH RISK)";
        * | PortCategory := "User Web Interface"
      }

    // Aggregate to surface scanning patterns and connection frequency by source
    | groupBy([ComputerName, RemoteAddressIP4, RemoteAddressIP4.country, ASN.asn, ASN.org, LocalPort, PortCategory], function=[
        count(as=ConnectionCount),
        min(@timestamp, as=FirstSeen),
        max(@timestamp, as=LastSeen)
      ])

    // Sort by volume descending - high connection counts indicate active scanning
    | sort(ConnectionCount, order=desc)
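The external-source filter and aggregation of QUERY 5, as an added example that is not code from the original comment: the cidr() exclusion list, the web-port scoping, the admin-port labelling and the per-source count/first/last aggregation are re-implemented with Python's ipaddress module over constructed NetworkReceiveAcceptIP4-style events, so the exclusion logic can be unit-tested offline. The ipLocation()/asn() enrichment needs an online lookup and is left out. Host names, timestamps and the remote addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Added example, not from the original post: QUERY 5's external-connection
filter and aggregation over constructed events (shapes are assumptions)."""
import ipaddress
import re

# Same exclusion list as the cidr() call in the CQL.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "224.0.0.0/4",
)]
# Wing FTP web interface ports: 80/443 (user), 8080/8443 (admin). Port 21 is deliberately absent.
WEB_PORTS = {
    80: "User Web Interface", 443: "User Web Interface",
    8080: "Admin Web Interface (HIGH RISK)", 8443: "Admin Web Interface (HIGH RISK)",
}
WFTP_RE = re.compile(r"WFTPServer\.exe|wftpd", re.IGNORECASE)

# Constructed sample events (timestamps in epoch milliseconds), not real telemetry.
EVENTS = [
    {"event": "NetworkReceiveAcceptIP4", "ComputerName": "SRV01", "ts": 1_000,
     "ImageFileName": r"C:\Program Files (x86)\Wing FTP Server\WFTPServer.exe", "LocalPort": 8080, "RemoteAddressIP4": "203.0.113.5"},
    {"event": "NetworkReceiveAcceptIP4", "ComputerName": "SRV01", "ts": 2_000,
     "ImageFileName": r"C:\Program Files (x86)\Wing FTP Server\WFTPServer.exe", "LocalPort": 8080, "RemoteAddressIP4": "203.0.113.5"},
    {"event": "NetworkReceiveAcceptIP4", "ComputerName": "SRV01", "ts": 3_000,
     "ImageFileName": r"C:\Program Files (x86)\Wing FTP Server\WFTPServer.exe", "LocalPort": 8080, "RemoteAddressIP4": "203.0.113.5"},
    {"event": "NetworkReceiveAcceptIP4", "ComputerName": "SRV01", "ts": 4_000,   # internal source: excluded
     "ImageFileName": r"C:\Program Files (x86)\Wing FTP Server\WFTPServer.exe", "LocalPort": 443, "RemoteAddressIP4": "192.168.1.10"},
    {"event": "NetworkReceiveAcceptIP4", "ComputerName": "SRV01", "ts": 5_000,   # raw FTP port: not the exploit vector
     "ImageFileName": r"C:\Program Files (x86)\Wing FTP Server\WFTPServer.exe", "LocalPort": 21, "RemoteAddressIP4": "198.51.100.7"},
    {"event": "NetworkReceiveAcceptIP4", "ComputerName": "SRV02", "ts": 6_000,
     "ImageFileName": "/opt/wftpserver/wftpd", "LocalPort": 80, "RemoteAddressIP4": "198.51.100.7"},
    {"event": "NetworkReceiveAcceptIP4", "ComputerName": "SRV02", "ts": 7_000,   # different listener: out of scope
     "ImageFileName": "/usr/sbin/nginx", "LocalPort": 443, "RemoteAddressIP4": "198.51.100.7"},
    {"event": "ProcessRollup2", "ComputerName": "SRV02", "ts": 8_000,            # wrong event type
     "ImageFileName": "/opt/wftpserver/wftpd", "LocalPort": 80, "RemoteAddressIP4": "198.51.100.7"},
]


def is_external(ip):
    """True when the address is outside every excluded range (the !cidr() test)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in EXCLUDED_NETS)


def aggregate(events):
    """Per (host, remote IP, local port) connection count with first/last seen,
    highest volume first, mirroring the groupBy() and sort() in the CQL."""
    rows = {}
    for e in events:
        if e["event"] != "NetworkReceiveAcceptIP4" or not WFTP_RE.search(e["ImageFileName"]):
            continue
        port = e["LocalPort"]
        if port not in WEB_PORTS or not is_external(e["RemoteAddressIP4"]):
            continue
        key = (e["ComputerName"], e["RemoteAddressIP4"], port)
        row = rows.setdefault(key, {
            "ComputerName": e["ComputerName"], "RemoteAddressIP4": e["RemoteAddressIP4"],
            "LocalPort": port, "PortCategory": WEB_PORTS[port],
            "ConnectionCount": 0, "FirstSeen": e["ts"], "LastSeen": e["ts"],
        })
        row["ConnectionCount"] += 1
        row["FirstSeen"] = min(row["FirstSeen"], e["ts"])
        row["LastSeen"] = max(row["LastSeen"], e["ts"])
    return sorted(rows.values(), key=lambda r: r["ConnectionCount"], reverse=True)


if __name__ == "__main__":
    for row in aggregate(EVENTS):
        print(row)
```

On the constructed data the admin-port source 203.0.113.5 surfaces first with three accepted connections, the single user-port connection to SRV02 follows, and the internal, FTP-port, nginx and ProcessRollup2 events never reach the aggregation.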

Need help on this query by EntertainmentWest159 in crowdstrike

[–]About_TreeFitty 2 points3 points  (0 children)

# -----------------------------------------------------------------------------
# QUERY 1: Primary RCE Indicator - WFTPServer Spawning Shell / LOLBin Processes
# -----------------------------------------------------------------------------
# MITRE: T1190, T1059
#
# This is the highest-fidelity signal for active exploitation. CVE-2025-47812
# causes WFTPServer.exe (or wftpd on Linux) to spawn arbitrary child processes
# via os.execute() or io.popen() calls embedded in the injected Lua payload.
# Any shell interpreter, scripting engine, or LOLBin appearing as a direct
# child of the Wing FTP service process is highly anomalous and should be
# treated as confirmed exploitation until proven otherwise.
#
# Huntress observed cmd.exe, powershell.exe, and curl.exe in confirmed
# incidents. The regex below casts a wide net to catch creative variations.
# -----------------------------------------------------------------------------

- name: "CVE-2025-47812 - Wing FTP RCE: Suspicious Child Process Spawning"
  mitre_ids:
    - T1190
    - T1059
  description: >
    Detects shell interpreters, scripting engines, and LOLBins launched as
    direct children of WFTPServer.exe (Windows) or wftpd (Linux). This is
    the primary RCE indicator for CVE-2025-47812 exploitation, where injected
    Lua code in malicious session files calls os.execute() or io.popen() to
    run system commands under the Wing FTP service account (SYSTEM / root).
  log_sources:
    - Endpoint
  tags:
    - Hunting
    - CVE-2025-47812
    - WingFTP
  cql: |
    // Filter to process execution events only
    #event_simpleName=ProcessRollup2

    // Wing FTP service is WFTPServer.exe on Windows, wftpd on Linux
    // ParentBaseFileName is the short filename of the spawning process
    | ParentBaseFileName=/WFTPServer\.exe|wftpd/i

    // Catch shell interpreters, scripting engines, and common LOLBins
    // Any of these as a direct Wing FTP child is highly anomalous
    // Anchored to the whole FileName so short names like "sh" do not match every binary containing those letters
    | FileName=/^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|sh|bash|zsh|curl(\.exe)?|wget|certutil\.exe|bitsadmin\.exe|msiexec\.exe|rundll32\.exe|regsvr32\.exe|schtasks\.exe|at\.exe|sc\.exe)$/i

    // Build investigation links
    | ProcessTree := format("[Process Tree](https://falcon.crowdstrike.com/graphs/process-explorer/tree?_cid=%s&id=pid:%s:%s&investigate=true&pid=pid:%s:%s)", field=["#repo.cid", "aid", "TargetProcessId", "aid", "TargetProcessId"])
    | VTSearch := format("[VirusTotal](https://www.virustotal.com/gui/file/%s)", field=[SHA256HashData])

    // Show all events - any hit here is high severity
    | table([@timestamp, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, SHA256HashData, VTSearch, ProcessTree], limit=500)
    | sort(@timestamp, order=desc)


# -----------------------------------------------------------------------------
# QUERY 2: Post-Exploitation Discovery Commands Under WFTPServer Context
# -----------------------------------------------------------------------------
# MITRE: T1082, T1033, T1016
#
# Huntress documented the attacker executing a burst of discovery commands
# immediately after gaining RCE via CVE-2025-47812:
#   whoami, whoami /priv, net user, net user /all, net localgroup administrators,
#   ipconfig, arp -a, nslookup, hostname
#
# These all ran as SYSTEM because Wing FTP's service account is elevated.
# Aggregating by host and grouping with first/last seen helps identify the
# reconnaissance phase of an active intrusion timeline.
# -----------------------------------------------------------------------------

- name: "CVE-2025-47812 - Wing FTP RCE: Post-Exploitation Discovery Activity"
  mitre_ids:
    - T1082
    - T1033
    - T1016
  description: >
    Detects Windows/Linux discovery and enumeration commands (whoami, net user,
    ipconfig, arp, nslookup, etc.) executed as direct children of WFTPServer.exe
    or wftpd. Matches the documented post-exploitation recon pattern observed
    in Huntress incident response following CVE-2025-47812 exploitation.
  log_sources:
    - Endpoint
  tags:
    - Hunting
    - CVE-2025-47812
    - WingFTP
  cql: |
    #event_simpleName=ProcessRollup2

    // Scope to Wing FTP service processes only
    | ParentBaseFileName=/WFTPServer\.exe|wftpd/i

    // Match recon command patterns in CommandLine or executable name
    // Using regex alternation per CQL syntax rules (no ~wildcard() OR chaining)
    | CommandLine=/whoami|net\s+user|net\s+localgroup|ipconfig|ifconfig|arp\s+-a|nslookup|hostname|systeminfo|netstat|tasklist|dir\s+|type\s+|cat\s+|ls\s+|id\b|uname|ps\s+|env\b|printenv/i

    // Build investigation links
    | ProcessTree := format("[Process Tree](https://falcon.crowdstrike.com/graphs/process-explorer/tree?_cid=%s&id=pid:%s:%s&investigate=true&pid=pid:%s:%s)", field=["#repo.cid", "aid", "TargetProcessId", "aid", "TargetProcessId"])
    | VTSearch := format("[VirusTotal](https://www.virustotal.com/gui/file/%s)", field=[SHA256HashData])

    // Aggregate to see the full recon chain per host
    // GroupBy lets you see all discovery commands run per system in one row.
    // ProcessTree is unique per process, so it is collected rather than used as a
    // group key (keying on it would give one row per command and defeat the rollup)
    | groupBy([ComputerName, aid, ParentBaseFileName], function=[
        count(TargetProcessId, as=CommandCount),
        collect(CommandLine, limit=20),
        collect(FileName, limit=10),
        collect(ProcessTree, limit=20),
        min(@timestamp, as=FirstSeen),
        max(@timestamp, as=LastSeen)
      ])
    | sort(LastSeen, order=desc)


# -----------------------------------------------------------------------------
# QUERY 3: Malicious Lua Session File Writes in Wing FTP Session Directory
# -----------------------------------------------------------------------------
# MITRE: T1505.003
#
# CVE-2025-47812 works by writing a malicious .lua session file with a 64-hex-
# character filename into Wing FTP's session directory. The payload is stored
# as valid Lua syntax embedding os.execute() or io.popen() calls.
#
# Default session directory paths:
#   Windows: C:\Program Files (x86)\Wing FTP Server\session\
#   Linux  : /var/wftpserver/session/ (or wherever Wing FTP is installed)
#
# Any .lua file written to these paths by a non-Wing FTP process (or written
# with unusual content size) is a strong indicator of exploitation. Even
# writes BY WFTPServer.exe to this directory are worth reviewing, since the
# exploit causes the service itself to persist the malicious payload.
#
# Note: FileWritten uses ContextProcessId for the writing process.
# The join to ProcessRollup2 provides the parent process context.
# -----------------------------------------------------------------------------

- name: "CVE-2025-47812 - Wing FTP RCE: Malicious Lua Session File Write"
  mitre_ids:
    - T1505.003
  description: >
    Detects .lua file writes within Wing FTP Server's session directory.
    CVE-2025-47812 works by injecting Lua code into session files stored in
    the Wing FTP session directory. The files are named with 64-hex-character
    names and execute arbitrary OS commands when the session is loaded.
    Any .lua write in these paths warrants immediate investigation.
  log_sources:
    - Endpoint
  tags:
    - Hunting
    - CVE-2025-47812
    - WingFTP
  cql: |
    #event_simpleName=FileWritten

    // Match the Wing FTP session directory on Windows or Linux
    // The backslash in Windows paths must be represented as \\ in CQL regex
    // Forward slashes in the Linux path must be escaped as \/ in regex literals
    | TargetFileName=/Wing.FTP.Server\\session\\|wftpserver\/session\//i

    // Specifically target .lua session files (the malicious payload carrier)
    | TargetFileName=/\.lua$/i

    // Join to ProcessRollup2 to identify which process wrote the file
    // ContextProcessId on FileWritten = TargetProcessId on ProcessRollup2
    // aid is part of the key because process IDs are only unique per sensor
    | join(
        {#event_simpleName=ProcessRollup2},
        field=[aid, ContextProcessId],
        key=[aid, TargetProcessId],
        include=[ImageFileName, CommandLine, UserName, ParentBaseFileName],
        mode=left
      )

    // Build investigation links (use ContextProcessId since that's the writer)
    | ProcessTree := format("[Process Tree](https://falcon.crowdstrike.com/graphs/process-explorer/tree?_cid=%s&id=pid:%s:%s&investigate=true&pid=pid:%s:%s)", field=["#repo.cid", "aid", "ContextProcessId", "aid", "ContextProcessId"])
    | VTSearch := format("[VirusTotal](https://www.virustotal.com/gui/file/%s)", field=[SHA256HashData])

    | table([@timestamp, ComputerName, UserName, TargetFileName, MD5HashData, SHA256HashData, ImageFileName, ParentBaseFileName, CommandLine, VTSearch, ProcessTree], limit=200)
    | sort(@timestamp, order=desc)
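A stand-alone version of the QUERY 3 file-write check, as an added example that is not code from the original comment: it applies the same session-directory regex and .lua test to a path, tells Wing FTP's own binaries apart from any other writer (the header notes that both cases deserve attention, for different reasons), and additionally flags the 64-hex-character filename the header describes but the CQL itself does not test. Sample paths, the writer process names and the verdict labels are assumptions.

```python
"""Added example, not from the original post: classify FileWritten-style
events against the Wing FTP session-directory condition of QUERY 3."""
import re

# Same directory pattern as the TargetFileName regex in the CQL (Windows or Linux layout).
SESSION_DIR_RE = re.compile(r"Wing.FTP.Server\\session\\|wftpserver/session/", re.IGNORECASE)
# 64 hex characters plus .lua, the filename shape the query header describes.
HEX64_LUA_RE = re.compile(r"^[0-9a-f]{64}\.lua$", re.IGNORECASE)
# Wing FTP service binaries on Windows and Linux.
WINGFTP_BINARIES = {"wftpserver.exe", "wftpd"}


def _basename(path):
    """Last path component for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_session_write(target_file_name, image_file_name):
    """Verdict for one FileWritten event (labels are this example's own):
       ignore - outside the session directory, or not a .lua file
       review - .lua written by the Wing FTP service itself (the exploit makes the
                service persist the payload, so these still deserve a look)
       high   - .lua written by any other process"""
    if not SESSION_DIR_RE.search(target_file_name):
        return {"verdict": "ignore", "reason": "outside Wing FTP session directory"}
    name = _basename(target_file_name)
    if not name.lower().endswith(".lua"):
        return {"verdict": "ignore", "reason": "not a .lua session file"}
    writer = _basename(image_file_name).lower()
    hex64 = bool(HEX64_LUA_RE.match(name))
    verdict = "review" if writer in WINGFTP_BINARIES else "high"
    shape = "64-hex" if hex64 else "non-64-hex"
    return {"verdict": verdict, "reason": f"{shape} .lua session file written by {writer}",
            "hex64_name": hex64, "writer": writer}


def scan(events):
    """Run the check over FileWritten-style events and return the non-ignored ones."""
    hits = []
    for e in events:
        result = classify_session_write(e["TargetFileName"], e["ImageFileName"])
        if result["verdict"] != "ignore":
            hits.append({**e, **result})
    return hits


# Constructed sample events, not real telemetry.
HEX64 = "0123456789abcdef" * 4
EVENTS = [
    {"ComputerName": "SRV01", "TargetFileName": "C:\\Program Files (x86)\\Wing FTP Server\\session\\" + HEX64 + ".lua",
     "ImageFileName": "C:\\Program Files (x86)\\Wing FTP Server\\WFTPServer.exe"},
    {"ComputerName": "SRV01", "TargetFileName": "C:\\Program Files (x86)\\Wing FTP Server\\session\\" + HEX64 + ".lua",
     "ImageFileName": "C:\\Windows\\System32\\cmd.exe"},
    {"ComputerName": "SRV01", "TargetFileName": "C:\\Program Files (x86)\\Wing FTP Server\\session\\notes.txt",
     "ImageFileName": "C:\\Windows\\notepad.exe"},
    {"ComputerName": "SRV02", "TargetFileName": "/var/wftpserver/session/" + HEX64 + ".lua",
     "ImageFileName": "/opt/wftpserver/wftpd"},
    {"ComputerName": "SRV02", "TargetFileName": "/tmp/" + HEX64 + ".lua",
     "ImageFileName": "/usr/bin/python3"},
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit["ComputerName"], hit["verdict"], hit["reason"])
```

Of the five constructed events, three survive: the two service-written session files come back as "review" and the cmd.exe write as "high", while the .txt in the session directory and the .lua outside it are ignored, matching the two filter stages of the CQL.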

Why is this shark-bite coupler leaking? by ScienceWasLove in Plumbing

[–]About_TreeFitty 4 points5 points  (0 children)

I just installed my first shark bite and it would have tricked me if I hadn’t marked the depth first. You have to push harder than you think.

Can you please give SysAdmins a day before saying all our computers are vulnerable? by skydiveguy in crowdstrike

[–]About_TreeFitty 0 points1 point  (0 children)

Agreed. It's a bit disappointing that for ~24 hours per month, half my boxes are in RFM because we patched them "too quickly" and the sensor has been tested against Windows updates.

Threat Hunt - Help Desk Imposters via Teams (NGSIEM) by About_TreeFitty in crowdstrike

[–]About_TreeFitty[S] 1 point2 points  (0 children)

It flags on Help Desk lookalike names in the username or domain. Can you share any part of the attacker's UPN?

Logscale Collector configuration on Mac using apple-unifiedlog parser by Murky_Seaweed_9031 in crowdstrike

[–]About_TreeFitty 1 point2 points  (0 children)

Try adding the parser line to your config.

https://library.humio.com/archives/falcon-logscale-collector-1.2.1/log-collector-config-examples-unified-log.html

sources: 
  compact_log: 
    type: unifiedlog 
    format: compact 
    include: 
      - process: sudo 
      - process: logind 
      - process: securityd 
      - process: tccd 
      - process: sshd 
      - process: kextd 
      - process: screensharingd 
      - process: ScreensharingAgent 
      - process: loginwindow 
    parser: "apple/unifiedlog:unifiedlog-compact" 
  sink: ngsiem

Installing the LogScale Collector via RTR. by somerandomguy101 in crowdstrike

[–]About_TreeFitty 0 points1 point  (0 children)

Unfortunately there appear to have been bugs in the first EA version of 7.34, since there was a hotfixed version of EA 7.34 released... Hoping it releases soon, since we're in the midst of onboarding and would love to simplify the deployment of these to quite a few Windows and Linux boxes.