Find Instances of Attacker Foothold

The foothold stage is where an attacker arranges to keep running on a compromised machine, for example through services that start automatically or through scheduled tasks. Use these Query API examples to find suspicious behavior associated with that stage.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation. The address 12.34.56.78 in each request is a placeholder for your Cybereason server, and the requests assume you have already authenticated to it.

Autorun services

Use this request to locate services that are set to start automatically when the computer boots, whose binary file is not signed, and that carry what Cybereason classifies as rare service evidence. The result element is the service's binary file, so the customFields return file-level data, including whether the file triggers the hidden file extension or right-to-left file extension evidence and whether it was downloaded from the internet.

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Service",
                              "filters": [
                                          {
                                            "facetName": "startType",
                                            "values": [
                                                        "SERVICE_START_TYPE_AUTO_START"
                                                      ],
                                            "filterType": "Equals"
                                          },
                                          {
                                            "facetName": "isActive",
                                            "values": [
                                                        true
                                                      ],
                                            "filterType": null
                                          },
                                          {
                                            "facetName": "rareServiceEvidence",
                                            "values": [
                                                        true
                                                      ],
                                            "filterType": null
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Service",
                                                    "featureName": "binaryFile"
                                                   }
                            },
                            {
                              "requestedType": "File",
                              "filters": [
                                          {
                                            "facetName": "isSigned",
                                            "values": [
                                                        false
                                                      ],
                                            "filterType": null
                                          }
                                         ],
                              "isResult": true
                            }
                           ],
              "totalResultLimit": 100,
              "perGroupLimit": 10,
              "perFeatureLimit": 10,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "createdTime",
                                "modifiedTime",
                                "endTime",
                                "comments",
                                "fileVersion",
                                "hiddenFileExtensionEvidence",
                                "rightToLeftFileExtensionEvidence",
                                "classificationLink",
                                "classificationComment",
                                "isDownloadedFromInternet",
                                "hasClassification"
                              ]
            }'

Scheduled tasks executing from the Temp folder

Use this request to identify scheduled tasks whose executable action runs from a Temp folder such as C:\Temp. Behavior like this is often suspicious, because Temp folders are not normally used to run applications. Note that the state filter limits the results to tasks that are currently running, and that ContainsIgnoreCase is a substring match: the value "Temp" also matches paths such as the per-user and Windows Temp directories and any path containing "Template" or "Temporary", so tighten the value if you need a specific folder.

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "ScheduledTask",
                              "filters": [
                                          {
                                            "facetName": "state",
                                            "values": [
                                                        "TASK_STATE_RUNNING"
                                                      ],
                                            "filterType": "Equals"
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "ScheduledTask",
                                                    "featureName": "executableActions"
                                                   }
                            },
                            {
                              "requestedType": "ExecutableTaskAction",
                              "filters": [
                                          {
                                            "facetName": "executablePath",
                                            "values": [
                                                        "Temp"
                                                      ],
                                            "filterType": "ContainsIgnoreCase"
                                          }
                                         ],
                              "isResult": true
                            }
                           ],
              "totalResultLimit": 100,
              "perGroupLimit": 10,
              "perFeatureLimit": 10,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                               "elementDisplayName",
                               "ransomwareAutoRemediationSuspended",
                               "executionPrevented",
                               "creationTime",
                               "endTime",
                               "commandLine",
                               "decodedCommandLine",
                               "isImageFileSignedAndVerified",
                               "productType",
                               "children",
                               "parentProcess",
                               "ownerMachine",
                               "imageFile",
                               "calculatedUser",
                               "pid"
                              ]
            }'
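Hand-editing nested JSON for each variation of the two requests above is error-prone, so here is an added Python example, written for this page and not taken from the Cybereason documentation or SDK, that assembles the request body for both the autorun-services query and the scheduled-tasks query from a compact description. It enforces the structural rules both requests follow: every step except the last carries a connectionFeature naming the feature that links it to the next element type, the last step is marked isResult, and boolean facets use a null filterType. The element, facet and feature names are the ones on the page; build_query, make_filter and DEFAULTS are this example's own names, and the tighter path needle mentioned in the comment is an assumption about how the server matches backslashes, not something the page states.

```python
import json

# Paging and timeout values copied from the two requests on this page.
DEFAULTS = {
    "totalResultLimit": 100,
    "perGroupLimit": 10,
    "perFeatureLimit": 10,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
}


def make_filter(facet, values, filter_type=None):
    """One entry of a step's "filters" list.

    The page's requests use "Equals" / "ContainsIgnoreCase" for string facets
    and a null filterType for boolean facets; this mirrors that convention.
    """
    if not isinstance(values, (list, tuple)):
        values = [values]
    if values and all(isinstance(v, bool) for v in values):
        filter_type = None
    elif filter_type is None:
        raise ValueError(f"facet {facet!r}: non-boolean values need a filterType")
    return {"facetName": facet, "values": list(values), "filterType": filter_type}


def build_query(steps, custom_fields, **limits):
    """Assemble a body for /rest/visualsearch/query/simple.

    `steps` is a list of (requestedType, filters, connection_feature) tuples.
    Every step but the last must name the feature that links it to the next
    element type; the last step is marked isResult so its elements are what
    the server returns. Both rules are checked here so that a malformed
    payload fails locally with a clear message instead of at the server.
    """
    if not steps:
        raise ValueError("queryPath needs at least one step")
    path = []
    for i, (element_type, filters, link) in enumerate(steps):
        step = {"requestedType": element_type, "filters": list(filters)}
        if i == len(steps) - 1:
            if link is not None:
                raise ValueError("the final step must not have a connectionFeature")
            step["isResult"] = True
        else:
            if link is None:
                raise ValueError(f"step {i} ({element_type}) needs a connectionFeature")
            step["connectionFeature"] = {
                "elementInstanceType": element_type,
                "featureName": link,
            }
        path.append(step)
    return {"queryPath": path, **DEFAULTS, **limits, "customFields": list(custom_fields)}


def autorun_unsigned_services():
    """Auto-start, active, rare-evidence services -> their unsigned binary file."""
    return build_query(
        [
            ("Service",
             [make_filter("startType", "SERVICE_START_TYPE_AUTO_START", "Equals"),
              make_filter("isActive", True),
              make_filter("rareServiceEvidence", True)],
             "binaryFile"),
            ("File", [make_filter("isSigned", False)], None),
        ],
        ["elementDisplayName", "hiddenFileExtensionEvidence",
         "rightToLeftFileExtensionEvidence", "isDownloadedFromInternet"],
    )


def running_tasks_from_temp(needle="Temp"):
    """Running scheduled tasks -> executable actions whose path contains `needle`.

    ContainsIgnoreCase is a substring match, so "Temp" also hits ...\\Templates\\...;
    a caller wanting only Temp directories can pass a tighter needle such as
    "\\Temp\\" (assumption: the server matches the backslashes literally).
    """
    return build_query(
        [
            ("ScheduledTask",
             [make_filter("state", "TASK_STATE_RUNNING", "Equals")],
             "executableActions"),
            ("ExecutableTaskAction",
             [make_filter("executablePath", needle, "ContainsIgnoreCase")],
             None),
        ],
        ["elementDisplayName"],
    )


if __name__ == "__main__":
    print(json.dumps(autorun_unsigned_services(), indent=2))
    print(json.dumps(running_tasks_from_temp(), indent=2))
```

Pipe the printed body into the curl --data argument (or post it with any HTTP client) in place of the hand-written JSON; the limits keyword arguments override the page's defaults, for example build_query(..., totalResultLimit=500).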

Response

The response below shows the structure of a Query API result. Its result element is a Process (cmd.exe, with psexesvc.exe as its parent, grouped by imageFileHash) rather than an ExecutableTaskAction, and the customFields in the request above (pid, commandLine, parentProcess) are likewise Process fields, so treat it as an illustration of the response shape rather than the literal output of that request. The elements you asked for are in resultIdToElementDataMap; each suspicion name recorded on an element is described in suspicionsMap.

{
  "data": {
    "resultIdToElementDataMap": {
      "-1208764281.8567501564444993905": {
        "simpleValues": {
          "isImageFileSignedAndVerified": {
            "totalValues": 1,
            "values": [
              "true"
            ]
          },
          "commandLine": {
            "totalValues": 1,
            "values": [
              "\"cmd\" "
            ]
          },
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1500641612039"
            ]
          },
          "pid": {
            "totalValues": 1,
            "values": [
              "2140"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "cmd.exe"
            ]
          },
          "productType": {
            "totalValues": 1,
            "values": [
              "SHELL"
            ]
          }
        },
        "elementValues": {
          "calculatedUser": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "User",
                "guid": "0.-5441679353483096598",
                "name": "\\",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Machine",
                "guid": "-1208764281.1198775089551518743",
                "name": null,
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "-1208764281.-4813929778986701641",
                "name": "psexesvc.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "imageFile": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "File",
                "guid": "-1208764281.-7927278256478080039",
                "name": "cmd.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "executedByPsexecSuspicion": 1500641710334
        },
        "filterData": {
          "sortInGroupValue": "-1208764281.8567501564444993905",
          "groupByValue": "cmd.exe"
        },
        "isMalicious": false,
        "suspicionCount": 1,
        "guidString": "-1208764281.8567501564444993905",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "executedByPsexecSuspicion": {
        "potentialEvidence": [
          "parentPsexecEvidence",
          "unknownUnsignedEvidence"
        ],
        "firstTimestamp": 1500641710334,
        "totalSuspicions": 2
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 2,
    "queryLimits": {
      "totalResultLimit": 1000,
      "perGroupLimit": 100,
      "perFeatureLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 2
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}
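To make a response like the one above usable in an investigation, the following added Python example (not from this page or from Cybereason) flattens each result into one record: single-valued simpleValues become scalars, epoch-millisecond timestamps become ISO-8601 UTC strings, linked elements are reduced to their names plus a flag saying whether any of them carries suspicions or Malops, and each suspicion on the element is joined with its potential evidence from suspicionsMap. It also tells you whether the result set is incomplete, using totalPossibleResults and queryTerminated, because a query that hit its timeout or its result limit should be read as "results incomplete", not "nothing else matched". SAMPLE_RESPONSE is a constructed, trimmed copy of the response above; the function names are this example's own.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like the response on this page (one Process result
# whose parent is psexesvc.exe), trimmed to the fields the code below uses.
SAMPLE_RESPONSE = {
    "data": {
        "resultIdToElementDataMap": {
            "-1208764281.8567501564444993905": {
                "simpleValues": {
                    "elementDisplayName": {"totalValues": 1, "values": ["cmd.exe"]},
                    "commandLine": {"totalValues": 1, "values": ["\"cmd\" "]},
                    "creationTime": {"totalValues": 1, "values": ["1500641612039"]},
                    "isImageFileSignedAndVerified": {"totalValues": 1, "values": ["true"]},
                },
                "elementValues": {
                    "parentProcess": {"totalValues": 1, "elementValues": [
                        {"elementType": "Process", "guid": "-1208764281.-4813929778986701641",
                         "name": "psexesvc.exe", "hasSuspicions": False, "hasMalops": False}]},
                    "ownerMachine": {"totalValues": 1, "elementValues": [
                        {"elementType": "Machine", "guid": "-1208764281.1198775089551518743",
                         "name": None, "hasSuspicions": False, "hasMalops": False}]},
                },
                "suspicions": {"executedByPsexecSuspicion": 1500641710334},
                "isMalicious": False,
                "suspicionCount": 1,
            }
        },
        "suspicionsMap": {
            "executedByPsexecSuspicion": {
                "potentialEvidence": ["parentPsexecEvidence", "unknownUnsignedEvidence"],
                "firstTimestamp": 1500641710334,
                "totalSuspicions": 2,
            }
        },
        "totalPossibleResults": 2,
        "queryTerminated": False,
    },
    "status": "SUCCESS",
    "message": "",
}

# Facets the page returns as epoch milliseconds (as strings).
TIME_FIELDS = {"creationTime", "createdTime", "modifiedTime", "endTime"}


def _ts(ms):
    """Epoch milliseconds (string or int) -> ISO-8601 UTC timestamp."""
    return datetime.fromtimestamp(int(ms) // 1000, tz=timezone.utc).isoformat()


def flatten_result(guid, element, suspicions_map):
    """Reduce one entry of resultIdToElementDataMap to a flat dict."""
    rec = {"guid": guid, "isMalicious": bool(element.get("isMalicious"))}
    for name, sv in (element.get("simpleValues") or {}).items():
        vals = sv.get("values") or []
        val = vals[0] if len(vals) == 1 else vals
        if name in TIME_FIELDS and isinstance(val, str):
            val = _ts(val)
        rec[name] = val
    for name, ev in (element.get("elementValues") or {}).items():
        linked = ev.get("elementValues") or []
        rec[name] = [e.get("name") for e in linked]
        # True if any linked element itself carries suspicions or Malops.
        rec[name + "_flagged"] = any(e.get("hasSuspicions") or e.get("hasMalops") for e in linked)
    rec["suspicions"] = {
        s: {"at": _ts(ts), "evidence": (suspicions_map.get(s) or {}).get("potentialEvidence", [])}
        for s, ts in (element.get("suspicions") or {}).items()
    }
    return rec


def parse_response(resp):
    """Return (records, truncated); truncated means the server had more than it returned."""
    if resp.get("status") != "SUCCESS":
        raise RuntimeError(f"query failed: {resp.get('status')} {resp.get('message')}")
    data = resp["data"]
    smap = data.get("suspicionsMap") or {}
    records = [flatten_result(g, e, smap)
               for g, e in (data.get("resultIdToElementDataMap") or {}).items()]
    truncated = bool(data.get("queryTerminated")) or data.get("totalPossibleResults", 0) > len(records)
    return records, truncated


def triage(records):
    """Order results for a human: malicious first, then by number of suspicions."""
    return sorted(records, key=lambda r: (not r["isMalicious"], -len(r["suspicions"]),
                                          str(r.get("elementDisplayName") or "")))


if __name__ == "__main__":
    recs, truncated = parse_response(SAMPLE_RESPONSE)
    for r in triage(recs):
        print(r["elementDisplayName"], r["creationTime"], r["parentProcess"], list(r["suspicions"]))
    if truncated:
        print("warning: result set is incomplete; raise totalResultLimit or narrow the filters")
```

Feed parse_response the JSON-decoded body of any query in this section; the timestamp conversion matters because the raw epoch-millisecond strings cannot be compared by eye with log timelines.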