Find DMG Files
When Cybereason identifies a malicious file, it is useful to identify the mount point from which the file originated. In Mac environments, DMG files (Apple disk images) are one source of mount points: when a DMG file is opened, it is mounted as a volume and its contents can be accessed. Once it is mounted, an attacker can execute a file contained in the DMG or a copy of that file placed in the Applications folder. Every executable file associated with a DMG can be traced back to the DMG file it came from, even when the executable was copied out of the image and runs from a location outside the DMG.
The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation. Note that every query below selects MountPoint elements whose mediaType equals Image; use the fields returned with each result (for example elementDisplayName, deviceName and volumeName) to confirm that a result is the disk image you are investigating before acting on it.
In this topic:
Find files or processes originating from DMG files
Request
# Query MountPoint elements whose mediaType is "Image", reached from File
# elements through the "mount" feature; the MountPoint is the result.
# The API needs an authenticated session: the Python examples on this page log
# in at /login.html first and reuse the resulting session cookie, so presumably
# the same cookie must be supplied here (e.g. with curl's --cookie option) --
# confirm against your server. Replace 12.34.56.78 with your server address and
# keep TLS verification on (do not add --insecure), otherwise the session cookie
# can be captured by a spoofed host.
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath":[
{
"requestedType":"File",
"connectionFeature": {
"elementInstanceType":"File",
"featureName":"mount"
}
},
{
"requestedType":"MountPoint",
"filters": [
{
"facetName":"mediaType",
"values": [
"Image"
],
"filterType":"Equals"
}
],
"isResult":true
}
],
"totalResultLimit":1000,
"perGroupLimit":100,
"perFeatureLimit":100,
"templateContext":"SPECIFIC",
"queryTimeout":120000,
"customFields": [
"deviceName",
"mediaType",
"volumeName",
"ownerMachine",
"files",
"elementDisplayName"
]
}'
Request
Use this request body:
{
"queryPath": [
{
"requestedType": "File",
"connectionFeature": {
"elementInstanceType": "File",
"featureName": "mount"
}
},
{
"requestedType": "MountPoint",
"filters": [
{
"facetName": "mediaType",
"values": [
"Image"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"deviceName",
"mediaType",
"volumeName",
"ownerMachine",
"files",
"elementDisplayName"
]
}
Request
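import json
import os

import requests

# Login information.
# Credentials are read from the environment so real values never end up in
# the script, in source control or in shell history; the literals are only
# placeholders that keep the example runnable as written.
username = os.environ.get("CYBEREASON_USERNAME", "[email protected]")
password = os.environ.get("CYBEREASON_PASSWORD", "mypassword")
server = os.environ.get("CYBEREASON_SERVER", "yourserver.com")
port = os.environ.get("CYBEREASON_PORT", "443")
login_data = {
    "username": username,
    "password": password,
}
base_url = f"https://{server}:{port}"
login_url = f"{base_url}/login.html"

# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
query_element_1 = "File"  # first element of the query path
linking_element = "File"  # element that carries the connection feature
linking_feature = "mount"  # File -> MountPoint relation
query_element_2 = "MountPoint"  # element returned as the result
query_element_2_filter = "mediaType"
query_element_2_filter_value = "Image"
query = {
    "queryPath": [
        {
            "requestedType": query_element_1,
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            "requestedType": query_element_2,
            "filters": [
                {
                    "facetName": query_element_2_filter,
                    "values": [query_element_2_filter_value],
                    "filterType": "Equals",
                }
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "deviceName",
        "mediaType",
        "volumeName",
        "ownerMachine",
        "files",
        "elementDisplayName",
    ],
}
api_headers = {"Content-Type": "application/json"}

# A Session carries the login cookie into the API call and is closed on exit.
with requests.Session() as session:
    # verify=True is already the default; it is spelled out so nobody "fixes"
    # a certificate error by turning it off, which would let a spoofed host
    # capture the credentials and the session cookie. Install the server's
    # CA certificate instead.
    login_response = session.post(login_url, data=login_data, verify=True)
    login_response.raise_for_status()
    print(login_response.status_code)
    # The cookie set by the login endpoint authenticates every later request
    # and is as sensitive as the password, so report only that it exists and
    # never print its value. (A rejected login may still come back as 200 via
    # a redirect to the login page, so the API call below is checked as well.)
    if not session.cookies:
        raise SystemExit("Login returned no session cookie; check the credentials and server address.")
    print("Login succeeded; session cookie received.")

    api_response = session.post(api_url, data=json.dumps(query), headers=api_headers)
    api_response.raise_for_status()
    # .json() raises ValueError when the body is not JSON, e.g. an HTML login
    # page returned because the session is not authenticated.
    your_response = api_response.json()
    print(json.dumps(your_response, indent=4, sort_keys=True))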
Find mount points that mount DMG files
Request
# Query MountPoint elements whose mediaType is "Image" (mounted disk images).
# The API needs an authenticated session: the Python examples on this page log
# in at /login.html first and reuse the resulting session cookie, so presumably
# the same cookie must be supplied here (e.g. with curl's --cookie option) --
# confirm against your server. Replace 12.34.56.78 with your server address and
# keep TLS verification on (do not add --insecure), otherwise the session cookie
# can be captured by a spoofed host.
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data ' {
"queryPath":[
{
"requestedType": "MountPoint",
"filters":[
{
"facetName": "mediaType",
"values":
[
"Image"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"deviceName",
"mediaType",
"volumeName",
"ownerMachine",
"files",
"elementDisplayName"
]
}'
Response
{
"data": {
"resultIdToElementDataMap": {
"-1485635450.-1260330527608509961": {
"simpleValues": {
"mediaType": {
"totalValues": 1,
"values": [
"Image"
]
},
"deviceName": {
"totalValues": 1,
"values": [
"/home/disk2s1"
]
},
"elementDisplayName": {
"totalValues": 1,
"values": [
"/Volumes/Funter"
]
}
},
"elementValues": {
"ownerMachine": {
"totalValues": 1,
"elementValues": [
{
"elementType": "Machine",
"guid": "-1485635450.1198775089551518743",
"name": null,
"hasSuspicions": false,
"hasMalops": false
}
],
"totalSuspicious": 0,
"totalMalicious": 0
}
},
"suspicions": {},
"filterData": {
"sortInGroupValue": "-1485635450.-1260330527608509961",
"groupByValue": "MountPointRuntime:-1485635450.-1260330527608509961 name=/Volumes/User , "
},
"isMalicious": false,
"suspicionCount": 0,
"guidString": "-1485635450.-1260330527608509961",
"labelsIds": null,
"malopPriority": null
}
},
"suspicionsMap": {},
"evidenceMap": {},
"totalPossibleResults": 1,
"queryLimits": {
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"groupingFeature": {
"elementInstanceType": "MountPoint",
"featureName": "self"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "MountPoint",
"featureName": null
},
"count": 1
}
]
},
"status": "SUCCESS",
"message": ""
}
Request
Use this request body:
{
"queryPath": [
{
"requestedType": "MountPoint",
"filters": [
{
"facetName": "mediaType",
"values": [
"Image"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"deviceName",
"mediaType",
"volumeName",
"ownerMachine",
"files",
"elementDisplayName"
]
}
Response
{
"data": {
"resultIdToElementDataMap": {
"-1485635450.-1260330527608509961": {
"simpleValues": {
"mediaType": {
"totalValues": 1,
"values": [
"Image"
]
},
"deviceName": {
"totalValues": 1,
"values": [
"/home/disk2s1"
]
},
"elementDisplayName": {
"totalValues": 1,
"values": [
"/Volumes/Funter"
]
}
},
"elementValues": {
"ownerMachine": {
"totalValues": 1,
"elementValues": [
{
"elementType": "Machine",
"guid": "-1485635450.1198775089551518743",
"name": null,
"hasSuspicions": false,
"hasMalops": false
}
],
"totalSuspicious": 0,
"totalMalicious": 0
}
},
"suspicions": {},
"filterData": {
"sortInGroupValue": "-1485635450.-1260330527608509961",
"groupByValue": "MountPointRuntime:-1485635450.-1260330527608509961 name=/Volumes/User , "
},
"isMalicious": false,
"suspicionCount": 0,
"guidString": "-1485635450.-1260330527608509961",
"labelsIds": null,
"malopPriority": null
}
},
"suspicionsMap": {},
"evidenceMap": {},
"totalPossibleResults": 1,
"queryLimits": {
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"groupingFeature": {
"elementInstanceType": "MountPoint",
"featureName": "self"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "MountPoint",
"featureName": null
},
"count": 1
}
]
},
"status": "SUCCESS",
"message": ""
}
Request
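import json
import os

import requests

# Login information.
# Credentials are read from the environment so real values never end up in
# the script, in source control or in shell history; the literals are only
# placeholders that keep the example runnable as written.
username = os.environ.get("CYBEREASON_USERNAME", "[email protected]")
password = os.environ.get("CYBEREASON_PASSWORD", "mypassword")
server = os.environ.get("CYBEREASON_SERVER", "yourserver.com")
port = os.environ.get("CYBEREASON_PORT", "443")
login_data = {
    "username": username,
    "password": password,
}
base_url = f"https://{server}:{port}"
login_url = f"{base_url}/login.html"

# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
query_element_1 = "MountPoint"  # element returned as the result
query_element_1_filter = "mediaType"
query_element_1_filter_value = "Image"
query = {
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [query_element_1_filter_value],
                    "filterType": "Equals",
                }
            ],
            "isResult": True,
        }
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "deviceName",
        "mediaType",
        "volumeName",
        "ownerMachine",
        "files",
        "elementDisplayName",
    ],
}
api_headers = {"Content-Type": "application/json"}

# A Session carries the login cookie into the API call and is closed on exit.
with requests.Session() as session:
    # verify=True is already the default; it is spelled out so nobody "fixes"
    # a certificate error by turning it off, which would let a spoofed host
    # capture the credentials and the session cookie. Install the server's
    # CA certificate instead.
    login_response = session.post(login_url, data=login_data, verify=True)
    login_response.raise_for_status()
    print(login_response.status_code)
    # The cookie set by the login endpoint authenticates every later request
    # and is as sensitive as the password, so report only that it exists and
    # never print its value. (A rejected login may still come back as 200 via
    # a redirect to the login page, so the API call below is checked as well.)
    if not session.cookies:
        raise SystemExit("Login returned no session cookie; check the credentials and server address.")
    print("Login succeeded; session cookie received.")

    api_response = session.post(api_url, data=json.dumps(query), headers=api_headers)
    api_response.raise_for_status()
    # .json() raises ValueError when the body is not JSON, e.g. an HTML login
    # page returned because the session is not authenticated.
    your_response = api_response.json()
    print(json.dumps(your_response, indent=4, sort_keys=True))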
Response
{ "data": { "resultIdToElementDataMap": { "-1485635450.-1260330527608509961": { "simpleValues": { "mediaType": { "totalValues": 1, "values": [ "Image" ] }, "deviceName": { "totalValues": 1, "values": [ "/home/disk2s1" ] }, "elementDisplayName": { "totalValues": 1, "values": [ "/Volumes/Funter" ] } }, "elementValues": { "ownerMachine": { "totalValues": 1, "elementValues": [ { "elementType": "Machine", "guid": "-1485635450.1198775089551518743", "name": null, "hasSuspicions": false, "hasMalops": false } ], "totalSuspicious": 0, "totalMalicious": 0 } }, "suspicions": {}, "filterData": { "sortInGroupValue": "-1485635450.-1260330527608509961", "groupByValue": "MountPointRuntime:-1485635450.-1260330527608509961 name=/Volumes/User , " }, "isMalicious": false, "suspicionCount": 0, "guidString": "-1485635450.-1260330527608509961", "labelsIds": null, "malopPriority": null } }, "suspicionsMap": {}, "evidenceMap": {}, "totalPossibleResults": 1, "queryLimits": { "totalResultLimit": 1000, "perGroupLimit": 100, "perFeatureLimit": 100, "groupingFeature": { "elementInstanceType": "MountPoint", "featureName": "self" }, "sortInGroupFeature": null }, "queryTerminated": false, "pathResultCounts": [ { "featureDescriptor": { "elementInstanceType": "MountPoint", "featureName": null }, "count": 1 } ] }, "status": "SUCCESS", "message": "" }
Find DMG files that were mounted
Request
# Query MountPoint elements whose mediaType is "Image" (mounted disk images);
# the payload is the same as in "Find mount points that mount DMG files".
# The API needs an authenticated session: the Python examples on this page log
# in at /login.html first and reuse the resulting session cookie, so presumably
# the same cookie must be supplied here (e.g. with curl's --cookie option) --
# confirm against your server. Replace 12.34.56.78 with your server address and
# keep TLS verification on (do not add --insecure), otherwise the session cookie
# can be captured by a spoofed host.
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data ' {
"queryPath": [
{
"requestedType":"MountPoint",
"filters": [
{
"facetName": "mediaType",
"values": [
"Image"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"deviceName",
"mediaType",
"volumeName",
"ownerMachine",
"files",
"elementDisplayName"
]
}'
Request
Use this request body:
{
"queryPath": [
{
"requestedType": "MountPoint",
"filters": [
{
"facetName": "mediaType",
"values": [
"Image"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"deviceName",
"mediaType",
"volumeName",
"ownerMachine",
"files",
"elementDisplayName"
]
}
Request
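import json
import os

import requests

# Login information.
# Credentials are read from the environment so real values never end up in
# the script, in source control or in shell history; the literals are only
# placeholders that keep the example runnable as written. The server
# placeholder matches the other examples on this page.
username = os.environ.get("CYBEREASON_USERNAME", "[email protected]")
password = os.environ.get("CYBEREASON_PASSWORD", "mypassword")
server = os.environ.get("CYBEREASON_SERVER", "yourserver.com")
port = os.environ.get("CYBEREASON_PORT", "443")
login_data = {
    "username": username,
    "password": password,
}
base_url = f"https://{server}:{port}"
login_url = f"{base_url}/login.html"

# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
query_element_1 = "MountPoint"  # element returned as the result
query_element_1_filter = "mediaType"
query_element_1_filter_value = "Image"
query = {
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [query_element_1_filter_value],
                    "filterType": "Equals",
                }
            ],
            "isResult": True,
        }
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "deviceName",
        "mediaType",
        "volumeName",
        "ownerMachine",
        "files",
        "elementDisplayName",
    ],
}
api_headers = {"Content-Type": "application/json"}

# A Session carries the login cookie into the API call and is closed on exit.
with requests.Session() as session:
    # verify=True is already the default; it is spelled out so nobody "fixes"
    # a certificate error by turning it off, which would let a spoofed host
    # capture the credentials and the session cookie. Install the server's
    # CA certificate instead.
    login_response = session.post(login_url, data=login_data, verify=True)
    login_response.raise_for_status()
    print(login_response.status_code)
    # The cookie set by the login endpoint authenticates every later request
    # and is as sensitive as the password, so report only that it exists and
    # never print its value. (A rejected login may still come back as 200 via
    # a redirect to the login page, so the API call below is checked as well.)
    if not session.cookies:
        raise SystemExit("Login returned no session cookie; check the credentials and server address.")
    print("Login succeeded; session cookie received.")

    api_response = session.post(api_url, data=json.dumps(query), headers=api_headers)
    api_response.raise_for_status()
    # .json() raises ValueError when the body is not JSON, e.g. an HTML login
    # page returned because the session is not authenticated.
    your_response = api_response.json()
    print(json.dumps(your_response, indent=4, sort_keys=True))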