
QueryCrush
by BlueTeamBlake
QueryCrush explicitly hunts Indicators of Compromise (IoCs) across an environment.
It provides analysts with precise queries, allowing for faster and more accurate hunts.
It minimizes ingest volume and compute, resulting in lower operational costs.
Hunt thousands of the major IoCs across your environment in one query.
Supports tuning and configuration for additional data points (continuously growing).
Features
Supports multiple domain-specific query languages at a time
Cleans and defangs URLs and IP addresses
Multiple file hash types supported (MD5, SHA1, SHA256)
Supports custom keep fields
Keyword recognition for more accurate results
Editable text field to make adjustments on the fly
Authentication available
IoC input
6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5
c2c1fec7856e8d49f5d49267e69993837575dbbec99cd702c5be134a85b2c139
6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619
5d41402abc4b2a76b9719d911017c592
62881359e75c9e8899c4bc9f452ef9743e68ce467f8b3e4398bebacde9550dea
www.google.com/login
https://www.viruswebsite.com/defavirus.php
131[.]226[.]2[.]6
134[.]199[.]202[.]205
104.238.159.149
188.130.206.168
65.38.121.198
badvirus.exe
\Local\Temp\updater.exe
\Programs\Startup\backdoor.bat
powershell -nop -w hidden -enc <base64string>
cmd.exe /c start C:\Users\Public\malware.exe
schtasks /create /tn "Updater"
reg add \Windows\CurrentVersion\Run
Generated Query
Supported tools
Cortex
Defender
Elastic
Exabeam
Netwitness
Sentinel
SentinelOne
Splunk
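As an added example (not QueryCrush's own code) of the input-to-query step the README describes: this Python script refangs the indicators, classifies each one by type (hash by hex length for MD5/SHA1/SHA256, then IP, command line, URL, file path) and emits one IN-list hunt query in either Splunk SPL or Microsoft KQL (Defender/Sentinel). The field names in FIELDS and the classification heuristics are assumptions to tune to your own schema; the sample input is a constructed subset of the IoC input list above.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the README's "IoC input" section.
SAMPLE_IOCS = r"""
5d41402abc4b2a76b9719d911017c592
6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5
131[.]226[.]2[.]6
104.238.159.149
https://www.viruswebsite.com/defavirus.php
powershell -nop -w hidden -enc <base64string>
"""
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
FIELDS = {  # assumed per-language field names (not QueryCrush's); tune to your schema
    "spl": {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "ip": "dest_ip",
            "url": "url", "command": "process", "file": "file_path"},
    "kql": {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256", "ip": "RemoteIP",
            "url": "RemoteUrl", "command": "ProcessCommandLine", "file": "FolderPath"}}

def refang(ioc):
    """Undo common defanging ([.] (.) {.} hxxp) so values match real log data."""
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc.strip())
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)

def classify(ioc):
    """Heuristic typing: hash by hex length, then IP, command line, URL, file."""
    if re.fullmatch(r"[0-9a-fA-F]+", ioc) and len(ioc) in HASH_LENGTHS:
        return HASH_LENGTHS[len(ioc)]
    if IPV4.match(ioc):
        return "ip"
    if re.match(r"^(powershell|cmd(\.exe)?|schtasks|reg)\b", ioc, re.IGNORECASE):
        return "command"
    if "://" in ioc or ("/" in ioc and not ioc.startswith("\\")):
        return "url"
    return "file"

def build_query(text, lang):
    """Refang, group IoCs by type, and emit one IN-list query in `lang`."""
    groups = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        ioc = refang(line)
        groups[classify(ioc)].append(ioc)
    clauses = []
    for kind, values in sorted(groups.items()):
        quoted = ", ".join('"%s"' % v.replace('"', r'\"') for v in values)
        op = "IN" if lang == "spl" else "in~"  # KQL in~ is case-insensitive
        clauses.append(f"{FIELDS[lang][kind]} {op} ({quoted})")
    if lang == "spl":
        return "index=* (" + " OR ".join(clauses) + ")"
    return "union DeviceFileEvents, DeviceNetworkEvents, DeviceProcessEvents | where " + " or ".join(clauses)
```

Call `build_query(SAMPLE_IOCS, "spl")` or `build_query(SAMPLE_IOCS, "kql")` to see the two query forms; the `index=*` and `union` scopes are deliberately broad and should be narrowed to the data sources you actually hunt in.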