Find Instances of Lateral Movement

Use the API to find examples of lateral movement.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Use of credentials for lateral movement

Use these queries to find examples of lateral movement performed with credentials.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath":[
             {
                 "requestedType":"Process",
                 "filters":[
                     {
                         "facetName":"passTheHashSenderSuspicion",
                         "values":[true]
                     }
                 ],
                 "isResult":true
             }
         ],
         "totalResultLimit":1000,
         "perGroupLimit":100,
         "perFeatureLimit":100,
         "templateContext":"SPECIFIC",
         "queryTimeout":120000,
         "customFields":[
             "elementDisplayName",
             "creationTime",
             "endTime",
             "commandLine",
             "isImageFileSignedAndVerified",
             "imageFile.maliciousClassificationType",
             "productType",
             "children",
             "parentProcess",
             "ownerMachine",
             "calculatedUser",
             "imageFile",
             "imageFile.sha1String",
             "imageFile.md5String",
             "imageFile.companyName",
             "imageFile.productName",
             "iconBase64",
             "ransomwareAutoRemediationSuspended",
             "executionPrevented",
             "isWhiteListClassification",
             "matchedWhiteListRuleIds"
         ]
     }'

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath":[
             {
                 "requestedType":"Process",
                 "filters":[
                     {
                         "facetName":"executedOnPassTheHashLogonSessionSuspicion",
                         "values":[true]
                     }
                 ],
                 "isResult":true
             }
         ],
         "totalResultLimit":1000,
         "perGroupLimit":100,
         "perFeatureLimit":100,
         "templateContext":"SPECIFIC",
         "queryTimeout":120000,
         "customFields":[
             "elementDisplayName",
             "creationTime",
             "endTime",
             "commandLine",
             "isImageFileSignedAndVerified",
             "imageFile.maliciousClassificationType",
             "productType",
             "children",
             "parentProcess",
             "ownerMachine",
             "calculatedUser",
             "imageFile",
             "imageFile.sha1String",
             "imageFile.md5String",
             "imageFile.companyName",
             "imageFile.productName",
             "iconBase64",
             "ransomwareAutoRemediationSuspended",
             "executionPrevented",
             "isWhiteListClassification",
             "matchedWhiteListRuleIds"
         ]
     }'

Query 3:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath":[
             {
                 "requestedType":"Process",
                 "filters":[
                     {
                         "facetName":"commandLine",
                         "values":["RunAs"],
                         "filterType":"ContainsIgnoreCase"
                     }
                 ],
                 "isResult":true
             }
         ],
         "totalResultLimit":1000,
         "perGroupLimit":100,
         "perFeatureLimit":100,
         "templateContext":"SPECIFIC",
         "queryTimeout":120000,
         "customFields":[
             "elementDisplayName",
             "creationTime",
             "endTime",
             "commandLine",
             "isImageFileSignedAndVerified",
             "imageFile.maliciousClassificationType",
             "productType",
             "children",
             "parentProcess",
             "ownerMachine",
             "calculatedUser",
             "imageFile",
             "imageFile.sha1String",
             "imageFile.md5String",
             "imageFile.companyName",
             "imageFile.productName",
             "iconBase64",
             "ransomwareAutoRemediationSuspended",
             "executionPrevented",
             "isWhiteListClassification",
             "matchedWhiteListRuleIds"
         ]
     }'

Query 4:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath":[
             {
                 "requestedType":"Process",
                 "filters":[
                     {
                         "facetName":"hasChildren",
                         "values":[true]
                     }
                 ],
                 "isResult":true
             }
         ],
         "totalResultLimit":1000,
         "perGroupLimit":100,
         "perFeatureLimit":100,
         "templateContext":"SPECIFIC",
         "queryTimeout":120000,
         "customFields":[
             "elementDisplayName",
             "creationTime",
             "endTime",
             "commandLine",
             "productType",
             "children",
             "parentProcess",
             "ownerMachine",
             "calculatedUser",
             "imageFile",
             "knownMalwareSuspicion",
             "hasListeningConnection",
             "scanningProcessSuspicion",
             "tid",
             "iconBase64",
             "ransomwareAutoRemediationSuspended",
             "executionPrevented",
             "isWhiteListClassification",
             "matchedWhiteListRuleIds"
         ]
     }'

Many processes opened from the same process

Use this query to retrieve processes together with their parent process, then examine the results for cases where many processes share the same parent process.

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath":[
             {
                 "requestedType":"Process",
                 "filters":[],
                 "connectionFeature":{
                     "elementInstanceType":"Process",
                     "featureName":"parentProcess"
                 }
             },
             {
                 "requestedType":"Process",
                 "filters":[],
                 "isResult":true
             }
         ],
         "totalResultLimit":1000,
         "perGroupLimit":100,
         "perFeatureLimit":100,
         "templateContext":"SPECIFIC",
         "queryTimeout":120000,
         "customFields":[
             "elementDisplayName",
             "creationTime",
             "endTime",
             "commandLine",
             "productType",
             "children",
             "parentProcess",
             "ownerMachine",
             "calculatedUser",
             "imageFile",
             "knownMalwareSuspicion",
             "hasListeningConnection",
             "scanningProcessSuspicion",
             "tid",
             "iconBase64",
             "ransomwareAutoRemediationSuspended",
             "executionPrevented",
             "isWhiteListClassification",
             "matchedWhiteListRuleIds"
         ]
     }'
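All five requests on this page share one body shape and return raw element data that still has to be ranked by an analyst. The following Python, added here as an illustration and not code from the page's API or its vendor, builds that body for any single Process facet (Queries 1-4) and counts result processes per parent so the output of the "many processes opened from the same process" query can be sorted. The session-cookie name, the response layout (data.resultIdToElementDataMap with elementValues.parentProcess) and the sample response are assumptions or constructed data, not taken from the page.

```python
"""Helpers for the lateral-movement queries above (added example, not the vendor's own client)."""
import json
import urllib.request
from collections import Counter

# Field list shared by Query 1-3 on this page (shortened to the fields used below).
CREDENTIAL_FIELDS = ["elementDisplayName", "creationTime", "endTime", "commandLine",
                     "isImageFileSignedAndVerified", "imageFile.maliciousClassificationType",
                     "productType", "children", "parentProcess", "ownerMachine",
                     "calculatedUser", "imageFile", "imageFile.sha1String", "imageFile.md5String"]

def build_query(facet_name, values, filter_type=None, fields=CREDENTIAL_FIELDS):
    """Build the /rest/visualsearch/query/simple body with one Process filter, as in Query 1-4."""
    flt = {"facetName": facet_name, "values": values}
    if filter_type:                      # e.g. "ContainsIgnoreCase" for the RunAs query
        flt["filterType"] = filter_type
    return {
        "queryPath": [{"requestedType": "Process", "filters": [flt], "isResult": True}],
        "totalResultLimit": 1000, "perGroupLimit": 100, "perFeatureLimit": 100,
        "templateContext": "SPECIFIC", "queryTimeout": 120000, "customFields": list(fields),
    }

def post_query(server, body, session_cookie):
    """POST the body; passing the session as a JSESSIONID cookie is an assumption, not from the page."""
    req = urllib.request.Request(
        f"https://{server}/rest/visualsearch/query/simple", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Cookie": f"JSESSIONID={session_cookie}"})
    with urllib.request.urlopen(req, timeout=130) as resp:   # queryTimeout is 120 s
        return json.load(resp)

def children_per_parent(response):
    """Count result processes per (guid, name) of their parent, most common first.
    Assumes (not confirmed by the page) the response layout
    data.resultIdToElementDataMap[guid].elementValues.parentProcess.elementValues[i]."""
    counts = Counter()
    for element in response["data"]["resultIdToElementDataMap"].values():
        parents = element.get("elementValues", {}).get("parentProcess", {}).get("elementValues", [])
        for parent in parents:
            counts[(parent.get("guid"), parent.get("name"))] += 1
    return counts.most_common()

# Constructed sample response: three children of one powershell.exe, one child of explorer.exe.
SAMPLE_RESPONSE = {"data": {"resultIdToElementDataMap": {
    f"guid-{i}": {"simpleValues": {"elementDisplayName": {"totalValues": 1, "values": [child]}},
                  "elementValues": {"parentProcess": {"totalValues": 1, "elementValues": [
                      {"elementType": "Process", "guid": pguid, "name": pname}]}}}
    for i, (child, pguid, pname) in enumerate([
        ("cmd.exe", "p-1", "powershell.exe"), ("net.exe", "p-1", "powershell.exe"),
        ("whoami.exe", "p-1", "powershell.exe"), ("notepad.exe", "p-2", "explorer.exe")])}}}

if __name__ == "__main__":
    print(json.dumps(build_query("passTheHashSenderSuspicion", [True]), indent=2))
    for (guid, name), n in children_per_parent(SAMPLE_RESPONSE):
        print(f"{name} ({guid}): {n} child processes in the result set")
```

Replace SAMPLE_RESPONSE with the JSON returned by post_query to rank real results; parents with an unusually high count are the ones worth opening first.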