Find Actions on a Target

Use the API to search a given target for evidence that specific attack techniques have executed on it.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation, and you should review each result set for benign matches before acting on it.

Kovter and Poweliks Detection

Use this request to search for PowerShell processes that are linked, through the parentProcess feature, to a process whose command line contains "javascript" (a case-insensitive substring match, so any command line containing that text matches, not only inline script) — a pattern associated with Kovter and Poweliks. The request as written does not filter on injected code; add that condition separately if your investigation requires it. A match indicates only that the command-line pattern was observed; the hasSuspicions and isMalicious fields in the response are the platform's own verdict and should not be taken as confirmation either way.

Request

# Kovter/Poweliks hunt. queryPath[0] selects Process elements with
# isPowerShellProcess == true and follows their parentProcess feature to
# queryPath[1], a Process whose commandLine contains "javascript"
# (filterType ContainsIgnoreCase). queryPath[1] carries isResult, so the
# returned elements are the command-line matches; customFields lists the
# attributes returned per element, and totalResultLimit/perGroupLimit/
# perFeatureLimit appear to bound the result set (they are echoed back under
# queryLimits in the response). Boolean facets are passed as JSON true with
# filterType null.
# NOTE(review): no credentials appear in this request; the endpoint
# presumably requires an authenticated session (cookie or token) established
# beforehand -- confirm against the API's login flow before relying on it.
# NOTE(review): 12.34.56.78 is a placeholder. If the server certificate does
# not match the host you use, fix the trust chain (--cacert) rather than
# disabling verification with -k/--insecure.
# The JSON body is a fixed single-quoted literal. If you parameterise it
# (e.g. with an indicator string), generate the body with a JSON serializer
# instead of splicing shell variables into the string.
curl --request POST \
  --url https://12.34.56.78/rest/visualsearch/query/simple \
  --header 'Content-Type: application/json' \
  --data '{
            "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "isPowerShellProcess",
                                            "values": [
                                                        true
                                                      ],
                                            "filterType": null
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "parentProcess"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "commandLine",
                                            "values": [
                                                        "javascript"
                                                      ],
                                            "filterType": "ContainsIgnoreCase"
                                          }
                                         ],
                              "isResult": true
                            }
                         ],
            "totalResultLimit": 100,
            "perGroupLimit": 10,
            "perFeatureLimit": 10,
            "templateContext": "SPECIFIC",
            "queryTimeout": 120000,
            "customFields": [
                              "elementDisplayName",
                              "parentProcess",
                              "hasSuspicions",
                              "creationTime",
                              "ransomwareAutoRemediationSuspended",
                              "executionPrevented",
                              "endTime"
                            ]
          }'

Response

{
   "data": {
     "resultIdToElementDataMap": {
       "923810613.-3599489590504944098": {
         "simpleValues": {
           "creationTime": {
             "totalValues": 1,
             "values": [
               "1506331710323"
             ]
           },
           "endTime": {
             "totalValues": 1,
             "values": [
               "1506331798071"
             ]
           },
           "hasSuspicions": {
             "totalValues": 1,
             "values": [
               "false"
             ]
           },
           "executionPrevented": {
             "totalValues": 1,
             "values": [
               "false"
             ]
           },
           "elementDisplayName": {
             "totalValues": 1,
             "values": [
               "powershell.exe"
             ]
           }
         },
         "elementValues": {
           "parentProcess": {
             "totalValues": 1,
             "elementValues": [
               {
                 "elementType": "Process",
                 "guid": "923810613.-3086126652240771255",
                 "name": "cmd.exe",
                 "hasSuspicions": false,
                 "hasMalops": false
               }
             ],
             "totalSuspicious": 0,
             "totalMalicious": 0
           }
         },
         "suspicions": {},
         "filterData": {
           "sortInGroupValue": "923810613.-3599489590504944098",
           "groupByValue": "powershell.exe"
         },
         "isMalicious": false,
         "suspicionCount": 0,
         "guidString": "923810613.-3599489590504944098",
         "labelsIds": null,
         "malopPriority": null
       }
     },
     "suspicionsMap": {},
     "evidenceMap": {},
     "totalPossibleResults": 3,
     "queryLimits": {
       "totalResultLimit": 100,
       "perGroupLimit": 10,
       "perFeatureLimit": 10,
       "groupingFeature": {
         "elementInstanceType": "Process",
         "featureName": "imageFileHash"
       },
       "sortInGroupFeature": null
     },
     "queryTerminated": false,
     "pathResultCounts": [
       {
         "featureDescriptor": {
           "elementInstanceType": "Process",
           "featureName": null
         },
         "count": 3
       },
       {
         "featureDescriptor": {
           "elementInstanceType": "Process",
           "featureName": "parentProcess"
         },
         "count": 3
       }
     ]
   },
   "status": "SUCCESS",
   "message": ""
 }

Injected by a browser

Use this request to find browser processes for which injection evidence was detected (productType equals BROWSER and detectedInjectingEvidence is true). Because browsers routinely inject code into other legitimate processes, expect benign matches: review the result set and filter out known-good items before escalating. The sample response below shows such a match with no suspicions attached.

Request

# Browser-injection hunt. A single queryPath element selects Process
# elements whose productType Equals "BROWSER" and whose
# detectedInjectingEvidence facet is true; that element carries isResult,
# so the browser processes themselves are returned, with the customFields
# attributes listed below. Both filters must hold for a process to match.
# Boolean facets are passed as JSON true with filterType null, as in the
# other queries on this page.
# NOTE(review): no credentials appear in this request; the endpoint
# presumably requires an authenticated session (cookie or token) established
# beforehand -- confirm against the API's login flow before relying on it.
# NOTE(review): 12.34.56.78 is a placeholder. If the server certificate does
# not match the host you use, fix the trust chain (--cacert) rather than
# disabling verification with -k/--insecure.
# The JSON body is a fixed single-quoted literal. If you parameterise it,
# generate the body with a JSON serializer instead of splicing shell
# variables into the string.
curl --request POST \
  --url https://12.34.56.78/rest/visualsearch/query/simple \
  --header 'Content-Type: application/json' \
  --data '{
            "queryPath": [
                          {
                            "requestedType": "Process",
                            "filters": [
                                        {
                                          "facetName": "productType",
                                          "values": [
                                                      "BROWSER"
                                                    ],
                                          "filterType": "Equals"
                                        },
                                        {
                                          "facetName": "detectedInjectingEvidence",
                                          "values": [
                                                      true
                                                    ],
                                          "filterType": null
                                        }
                                       ],
                                     "isResult": true
                          }
                         ],
            "totalResultLimit": 100,
            "perGroupLimit": 10,
            "perFeatureLimit": 10,
            "templateContext": "SPECIFIC",
            "queryTimeout": 120000,
            "customFields": [
                              "elementDisplayName",
                              "parentProcess",
                              "hasSuspicions",
                              "creationTime",
                              "ransomwareAutoRemediationSuspended",
                              "executionPrevented",
                              "endTime"
                            ]
          }'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "1464859087.-8196079988746161145": {
        "simpleValues": {
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1522651245051"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "hasSuspicions": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "chrome.exe"
            ]
          }
        },
        "elementValues": {
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "1464859087.6965238414721080829",
                "name": "explorer.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {},
        "filterData": {
          "sortInGroupValue": "1464859087.-8196079988746161145",
          "groupByValue": "chrome.exe"
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "1464859087.-8196079988746161145",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {},
    "evidenceMap": {},
    "totalPossibleResults": 2,
    "queryLimits": {
      "totalResultLimit": 100,
      "perGroupLimit": 10,
      "perFeatureLimit": 10,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 2
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}