FalconFriday — Process injection and malicious CPL files

We believe there isn’t enough content available to detect advanced adversary techniques. That’s why every two weeks on “FalconFriday”, we will release hunting queries to detect offensive techniques. Today: part four!

Today’s content:

-> Process injection using the CreateRemoteThread API.
-> Suspicious CPL files being loaded (

Cross post from, please read the full article here:

Direct link to our Github page: