Find Instances of Credential Theft

Use the API to find examples of credential theft.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Processes accessing system resources with credential information

Use these queries to find evidence of processes accessing system resources that contain credential information. Each query filters on a different Evidence facet: unexpected access to the LSASS process (Query 1), to the NTDS file (Query 2), and to the SAM registry key (Query 3).

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "Process",
           "filters": [
             {
               "facetName": "unexpectedAuditObjectAccessLsassEvidence",
               "values": [true]
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "knownMalwareSuspicion",
         "hasListeningConnection",
         "scanningProcessSuspicion",
         "tid",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "Process",
           "filters": [
             {
               "facetName": "unexpectedAuditObjectAccessNtdsFileEvidence",
               "values": [true]
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "knownMalwareSuspicion",
         "hasListeningConnection",
         "scanningProcessSuspicion",
         "tid",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Query 3:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "Process",
           "filters": [
             {
               "facetName": "unexpectedAuditObjectAccessSamKeyEvidence",
               "values": [true]
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "knownMalwareSuspicion",
         "hasListeningConnection",
         "scanningProcessSuspicion",
         "tid",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'
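The three queries above differ only in their facetName, so as an added example (not code from the original page or from the product's own tooling) here is a small Python helper that builds the same request body for any of the three facets and posts it to the endpoint. The session-cookie authentication in post_query is an assumption, since the curl calls above show no authentication.

```python
import json
import urllib.request

# The three Evidence facets used by the queries on this page (one per query).
CREDENTIAL_ACCESS_FACETS = (
    "unexpectedAuditObjectAccessLsassEvidence",     # LSASS process (Query 1)
    "unexpectedAuditObjectAccessNtdsFileEvidence",  # NTDS file (Query 2)
    "unexpectedAuditObjectAccessSamKeyEvidence",    # SAM registry key (Query 3)
)

# customFields requested by all three documented queries, in the same order.
CUSTOM_FIELDS = [
    "elementDisplayName", "creationTime", "endTime", "commandLine", "productType",
    "children", "parentProcess", "ownerMachine", "calculatedUser", "imageFile",
    "knownMalwareSuspicion", "hasListeningConnection", "scanningProcessSuspicion",
    "tid", "iconBase64", "ransomwareAutoRemediationSuspended", "executionPrevented",
    "isWhiteListClassification", "matchedWhiteListRuleIds",
]


def build_credential_access_query(facet_name, total_result_limit=1000):
    """Build the request body; only facetName differs between the page's queries."""
    return {
        "queryPath": [{
            "requestedType": "Process",
            "filters": [{"facetName": facet_name, "values": [True]}],
            "isResult": True,
        }],
        "totalResultLimit": total_result_limit,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": 120000,
        "customFields": list(CUSTOM_FIELDS),
    }


def post_query(server, body, session_cookie):
    """POST one body to the visual search endpoint and return the parsed JSON."""
    # Assumption (not shown on the page): requests need an authenticated session
    # cookie, passed here verbatim as the Cookie header value.
    req = urllib.request.Request(
        f"https://{server}/rest/visualsearch/query/simple",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Cookie": session_cookie},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=body["queryTimeout"] / 1000 + 10) as resp:
        return json.load(resp)
```

Replace the page's placeholder address 12.34.56.78 with your server when calling post_query; build_credential_access_query runs offline.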