Search the CrowdStrike malware repository using YARA rules, exact searches, and fuzzy searches to identify and analyze malicious files.

Cmdlets

Get-FalconMalQuery

Verify the status and results of an asynchronous Falcon MalQuery request, such as a hunt or exact-search. Permissions: MalQuery: Read
Id
string
required
Request identifier (UUID format)
Example
# Check the status of a MalQuery hunt
Get-FalconMalQuery -Id 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'

Get-FalconMalQueryQuota

Retrieve Falcon MalQuery search and download quotas. Permissions: MalQuery: Read
Example
# Check your MalQuery quota usage
Get-FalconMalQueryQuota

Get-FalconMalQuerySample

Retrieve Falcon MalQuery indexed file metadata. Permissions: MalQuery: Read
Id
string[]
required
SHA256 hash value
Example
# Get metadata for a specific sample
Get-FalconMalQuerySample -Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

# Get metadata for multiple samples
$Hashes = @(
    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2'
)
Get-FalconMalQuerySample -Id $Hashes

Group-FalconMalQuerySample

Schedule MalQuery samples for download. Permissions: MalQuery: Write
Id
string[]
required
SHA256 hash value
Example
# Schedule samples for batch download
$Samples = @(
    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2'
)
Group-FalconMalQuerySample -Id $Samples

Invoke-FalconMalQuery

Initiate a Falcon MalQuery YARA hunt, exact search, or fuzzy search. Permissions: MalQuery: Write
YaraRule
string
Schedule a YARA-based search
Type
string
Search pattern type. Valid values: hex, ascii, wide
Value
string
Search pattern value
FilterFiletype
string[]
File type to include with the result. Valid values:
  • cdf, cdfv2, cjava, dalvik
  • doc, docx, elf32, elf64
  • email, html, hwp, java.arc
  • lnk, macho, pcap, pdf
  • pe32, pe64, perl, ppt, pptx
  • python, pythonc, rtf, swf
  • text, xls, xlsx
FilterMeta
string[]
Subset of metadata fields to include in the result. Valid values: sha256, md5, type, size, first_seen, label, family
MinSize
string
Minimum file size specified in bytes or multiples of KB/MB/GB
MaxSize
string
Maximum file size specified in bytes or multiples of KB/MB/GB
MinDate
string
Limit results to files first seen after this date (format: YYYY/MM/DD)
MaxDate
string
Limit results to files first seen before this date (format: YYYY/MM/DD)
Limit
int32
Maximum number of results per request
Fuzzy
switch
Search MalQuery quickly but with more potential for false positives
Example
# Execute a YARA hunt
$YaraRule = @'
rule RansomwareDetection {
    strings:
        $s1 = "encrypted" nocase
        $s2 = "payment" nocase
        $s3 = "bitcoin" nocase
    condition:
        2 of them
}
'@
Invoke-FalconMalQuery -YaraRule $YaraRule -FilterMeta sha256,type,family -FilterFiletype pe32,pe64

# Exact search for ASCII string
Invoke-FalconMalQuery -Type ascii -Value 'MZ' -FilterFiletype pe32,pe64 -Limit 100

# Fuzzy search for hex pattern
Invoke-FalconMalQuery -Type hex -Value '4D5A' -Fuzzy -FilterMeta sha256,md5,size

# Search with date and size filters
Invoke-FalconMalQuery -Type ascii -Value 'malicious_string' -MinDate '2024/01/01' -MaxDate '2024/12/31' -MinSize '1KB' -MaxSize '5MB'

Receive-FalconMalQuerySample

Download a sample or sample archive from Falcon MalQuery. Permissions: MalQuery: Read
Downloaded sample archives are password-protected with the password: infected
Path
string
required
Destination path
Id
string
required
SHA256 hash value or MalQuery sample archive identifier
Force
switch
Overwrite an existing file when present
Example
# Download a single sample by SHA256
Receive-FalconMalQuerySample -Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' -Path './sample.bin'

# Download a sample archive
Receive-FalconMalQuerySample -Id 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' -Path './samples.zip' -Force

Search-FalconMalQueryHash

Perform a simple Falcon MalQuery YARA Hunt for a SHA256 hash. Permissions: MalQuery: Write
This cmdlet performs a YARA Hunt for the given hash, then checks every 5 seconds—for up to 60 seconds—for a result.
Sha256
string
required
SHA256 hash value
Example
# Quick search for a specific hash
Search-FalconMalQueryHash -Sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

MalQuery Hunting Workflow

1. Check Quota: Use Get-FalconMalQueryQuota to verify available search and download quota.
2. Initiate Search: Use Invoke-FalconMalQuery to start a YARA hunt, exact search, or fuzzy search. Save the request ID returned.
3. Poll for Results: Use Get-FalconMalQuery with the request ID to check search status. Repeat until status is complete.
4. Analyze Metadata: Use Get-FalconMalQuerySample with SHA256 hashes from results to retrieve detailed file metadata.
5. Download Samples: Use Group-FalconMalQuerySample to schedule samples, then Receive-FalconMalQuerySample to download them.
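The five steps above as one script with a proper polling loop instead of a fixed sleep. This is an added example, not code from the PSFalcon documentation or module. It assumes the object returned by Get-FalconMalQuery carries a status property that reads done or failed when the request has finished and a results collection whose entries expose sha256, that Invoke-FalconMalQuery and Group-FalconMalQuerySample both return an object with a reqid, and that the Group reqid is the archive identifier accepted by Receive-FalconMalQuerySample; verify those property names and values against your own tenant.

```powershell
# Added example (not from the PSFalcon docs). Assumed: Get-FalconMalQuery returns
# 'status' ('done'/'failed' when finished) and 'results' entries with 'sha256';
# Invoke-FalconMalQuery and Group-FalconMalQuerySample return 'reqid'.

function Wait-MalQueryRequest {
    # Poll an asynchronous MalQuery request until it finishes or a deadline passes.
    param(
        [Parameter(Mandatory)][string]$Id,
        [int]$TimeoutSeconds = 300,
        [int]$IntervalSeconds = 5
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $req = Get-FalconMalQuery -Id $Id
        if ($req.status -eq 'done')   { return $req }                       # assumed value
        if ($req.status -eq 'failed') { throw "MalQuery request $Id failed" } # assumed value
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    throw "MalQuery request $Id did not complete within $TimeoutSeconds seconds"
}

# 1. Check quota before spending it on a hunt.
Get-FalconMalQueryQuota | Format-List

# 2. Initiate the search (same rule shape as the YARA examples on this page).
$rule = @'
rule SmallPE {
    condition:
        uint16(0) == 0x5A4D and filesize < 50KB
}
'@
$hunt = Invoke-FalconMalQuery -YaraRule $rule -FilterFiletype pe32,pe64 -FilterMeta sha256,size,family -Limit 50

# 3. Poll until the hunt finishes, then collect unique SHA256 hits.
$done   = Wait-MalQueryRequest -Id $hunt.reqid
$hashes = @($done.results | Select-Object -ExpandProperty sha256 -Unique)
if (-not $hashes) { Write-Warning 'Hunt completed with no matches'; return }

# 4. Pull indexed metadata for every hit.
$meta = Get-FalconMalQuerySample -Id $hashes
$meta | Select-Object sha256, size, family | Format-Table -AutoSize

# 5. Schedule an archive, wait for it to build, then download it (archive password: infected).
$archive = Group-FalconMalQuerySample -Id $hashes
$ready   = Wait-MalQueryRequest -Id $archive.reqid
Receive-FalconMalQuerySample -Id $ready.reqid -Path './malquery-samples.zip' -Force
```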

YARA Hunt Examples

# Hunt for PE files with suspicious characteristics
$YaraRule = @'
rule SuspiciousPE {
    meta:
        description = "Detects PE files with suspicious characteristics"
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 50KB
}
'@

$Hunt = Invoke-FalconMalQuery -YaraRule $YaraRule -FilterFiletype pe32,pe64 -FilterMeta sha256,size,family

# Wait briefly, then check results; if the returned status is not yet complete, call Get-FalconMalQuery again
Start-Sleep -Seconds 10
$Results = Get-FalconMalQuery -Id $Hunt.reqid

Exact Search

Use when: You need precise matches with no false positives
Characteristics:
  • Slower execution
  • Higher accuracy
  • Consumes more quota
  • Best for known indicators

Fuzzy Search

Use when: You need quick results for broad hunting
Characteristics:
  • Faster execution
  • Potential false positives
  • Consumes less quota
  • Best for exploratory hunting

Tips and Best Practices

MalQuery searches consume quota. Always check your quota with Get-FalconMalQueryQuota before starting large hunts.
Use FilterMeta to limit returned metadata fields and reduce result size. Only request fields you need for analysis.
For hash-based searches, use Search-FalconMalQueryHash which automatically handles polling for results.
