Search the CrowdStrike malware repository using YARA rules, exact searches, and fuzzy searches to identify and analyze malicious files.

Cmdlets

Get-FalconMalQuery

Verify the status and results of an asynchronous Falcon MalQuery request, such as a hunt or exact-search. Permissions: MalQuery: Read
Id (string, required): Request identifier (UUID format)
Example
# Check the status of a MalQuery hunt
Get-FalconMalQuery -Id 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'

Get-FalconMalQueryQuota

Retrieve Falcon MalQuery search and download quotas. Permissions: MalQuery: Read
Example
# Check your MalQuery quota usage
Get-FalconMalQueryQuota

Get-FalconMalQuerySample

Retrieve Falcon MalQuery indexed file metadata. Permissions: MalQuery: Read
Id (string[], required): SHA256 hash value
Example
# Get metadata for a specific sample
Get-FalconMalQuerySample -Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

# Get metadata for multiple samples
$Hashes = @(
    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2'
)
Get-FalconMalQuerySample -Id $Hashes

Group-FalconMalQuerySample

Schedule MalQuery samples for download. Permissions: MalQuery: Write
Id (string[], required): SHA256 hash value
Example
# Schedule samples for batch download
$Samples = @(
    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2'
)
Group-FalconMalQuerySample -Id $Samples

Invoke-FalconMalQuery

Initiate a Falcon MalQuery YARA hunt, exact search, or fuzzy search. Permissions: MalQuery: Write
YaraRule (string): Schedule a YARA-based search
Type (string): Search pattern type. Valid values: hex, ascii, wide
Value (string): Search pattern value
FilterFiletype (string[]): File type to include with the result. Valid values:
  • cdf, cdfv2, cjava, dalvik
  • doc, docx, elf32, elf64
  • email, html, hwp, java.arc
  • lnk, macho, pcap, pdf
  • pe32, pe64, perl, ppt, pptx
  • python, pythonc, rtf, swf
  • text, xls, xlsx
FilterMeta (string[]): Subset of metadata fields to include in the result. Valid values: sha256, md5, type, size, first_seen, label, family
MinSize (string): Minimum file size specified in bytes or multiples of KB/MB/GB
MaxSize (string): Maximum file size specified in bytes or multiples of KB/MB/GB
MinDate (string): Limit results to files first seen after this date (format: YYYY/MM/DD)
MaxDate (string): Limit results to files first seen before this date (format: YYYY/MM/DD)
Limit (int32): Maximum number of results per request
Fuzzy (switch): Search MalQuery quickly but with more potential for false positives
Example
# Execute a YARA hunt
$YaraRule = @'
rule RansomwareDetection {
    strings:
        $s1 = "encrypted" nocase
        $s2 = "payment" nocase
        $s3 = "bitcoin" nocase
    condition:
        2 of them
}
'@
Invoke-FalconMalQuery -YaraRule $YaraRule -FilterMeta sha256,type,family -FilterFiletype pe32,pe64

# Exact search for ASCII string
Invoke-FalconMalQuery -Type ascii -Value 'MZ' -FilterFiletype pe32,pe64 -Limit 100

# Fuzzy search for hex pattern
Invoke-FalconMalQuery -Type hex -Value '4D5A' -Fuzzy -FilterMeta sha256,md5,size

# Search with date and size filters
Invoke-FalconMalQuery -Type ascii -Value 'malicious_string' -MinDate '2024/01/01' -MaxDate '2024/12/31' -MinSize '1KB' -MaxSize '5MB'

Receive-FalconMalQuerySample

Download a sample or sample archive from Falcon MalQuery. Permissions: MalQuery: Read
Downloaded sample archives are password-protected with the password: infected
Path (string, required): Destination path
Id (string, required): SHA256 hash value or MalQuery sample archive identifier
Force (switch): Overwrite an existing file when present
Example
# Download a single sample by SHA256
Receive-FalconMalQuerySample -Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' -Path './sample.bin'

# Download a sample archive
Receive-FalconMalQuerySample -Id 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' -Path './samples.zip' -Force

Search-FalconMalQueryHash

Perform a simple Falcon MalQuery YARA Hunt for a SHA256 hash. Permissions: MalQuery: Write
This cmdlet performs a YARA Hunt for the given hash, then checks every 5 seconds—for up to 60 seconds—for a result.
Sha256 (string, required): SHA256 hash value
Example
# Quick search for a specific hash
Search-FalconMalQueryHash -Sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

MalQuery Hunting Workflow

1. Check Quota: Use Get-FalconMalQueryQuota to verify available search and download quota.
2. Initiate Search: Use Invoke-FalconMalQuery to start a YARA hunt, exact search, or fuzzy search. Save the request ID returned.
3. Poll for Results: Use Get-FalconMalQuery with the request ID to check search status. Repeat until status is complete.
4. Analyze Metadata: Use Get-FalconMalQuerySample with SHA256 hashes from results to retrieve detailed file metadata.
5. Download Samples: Use Group-FalconMalQuerySample to schedule samples, then Receive-FalconMalQuerySample to download them.
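The five workflow steps above, joined into one script with a polling loop that has a timeout and a failure check. This is an added example, not code from the PSFalcon documentation or project. The property names reqid, status and resources, and the status values done, failed and abandoned, are assumptions to confirm against your own cmdlet output.

```powershell
# Added example (not from the PSFalcon docs). Assumed: Invoke-FalconMalQuery and
# Group-FalconMalQuerySample return an object with a 'reqid' property, and
# Get-FalconMalQuery returns an object whose 'status' reads 'done' when finished
# and whose 'resources' holds the matches. Confirm these names against your output.

function Wait-MalQueryRequest {
    param(
        [Parameter(Mandatory)][string]$Id,
        [int]$TimeoutSeconds = 300,
        [int]$IntervalSeconds = 5
    )
    $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $Request = Get-FalconMalQuery -Id $Id
        if ($Request.status -eq 'done') { return $Request }
        if ($Request.status -in 'failed', 'abandoned') {   # assumed failure states
            throw "MalQuery request $Id ended with status '$($Request.status)'"
        }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $Deadline)
    throw "MalQuery request $Id did not complete within $TimeoutSeconds seconds"
}

# 1. Check quota before spending it on a hunt
Get-FalconMalQueryQuota | Format-List

# 2. Start an exact search and keep the request id
$Search = Invoke-FalconMalQuery -Type ascii -Value 'malicious_string' `
    -FilterFiletype pe32,pe64 -FilterMeta sha256,type,family -Limit 50

# 3. Poll until the request is done (or give up after the timeout)
$Done = Wait-MalQueryRequest -Id $Search.reqid
$Hashes = $Done.resources.sha256 | Sort-Object -Unique

# 4. Pull indexed metadata for every match
$Meta = Get-FalconMalQuerySample -Id $Hashes
$Meta | Select-Object sha256, type, size, family | Format-Table

# 5. Schedule an archive, wait for it, then download it (archive password: infected)
if ($Hashes) {
    $Archive = Group-FalconMalQuerySample -Id $Hashes
    $null = Wait-MalQueryRequest -Id $Archive.reqid
    Receive-FalconMalQuerySample -Id $Archive.reqid -Path './malquery-samples.zip' -Force
}
```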

YARA Hunt Examples

# Hunt for PE files with suspicious characteristics
$YaraRule = @'
rule SuspiciousPE {
    meta:
        description = "Detects PE files with suspicious characteristics"
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 50KB
}
'@

$Hunt = Invoke-FalconMalQuery -YaraRule $YaraRule -FilterFiletype pe32,pe64 -FilterMeta sha256,size,family

# Wait, then check results (a single check; repeat until the status shows complete)
Start-Sleep -Seconds 10
$Results = Get-FalconMalQuery -Id $Hunt.reqid

Exact Search

Use when: You need precise matches with no false positives
Characteristics:
  • Slower execution
  • Higher accuracy
  • Consumes more quota
  • Best for known indicators

Fuzzy Search

Use when: You need quick results for broad hunting
Characteristics:
  • Faster execution
  • Potential false positives
  • Consumes less quota
  • Best for exploratory hunting

Tips and Best Practices

MalQuery searches consume quota. Always check your quota with Get-FalconMalQueryQuota before starting large hunts.
Use FilterMeta to limit returned metadata fields and reduce result size. Only request fields you need for analysis.
For hash-based searches, use Search-FalconMalQueryHash which automatically handles polling for results.
