Find Instances of Lateral Movement
Use the API to find examples of lateral movement.
The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.
Use of credentials for lateral movement
Use these queries to find examples of lateral movement with credentials
Query 1:
Request
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath":[
{
"requestedType":"Process",
"filters":[
{
"facetName":"passTheHashSenderSuspicion",
"values":[true]
}
],
"isResult":true
}
],
"totalResultLimit":1000,
"perGroupLimit":100,
"perFeatureLimit":100,
"templateContext":"SPECIFIC",
"queryTimeout":120000,
"customFields":[
"elementDisplayName",
"creationTime",
"endTime",
"commandLine",
"isImageFileSignedAndVerified",
"imageFile.maliciousClassificationType",
"productType",
"children",
"parentProcess",
"ownerMachine",
"calculatedUser",
"imageFile",
"imageFile.sha1String",
"imageFile.md5String",
"imageFile.companyName",
"imageFile.productName",
"iconBase64",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"isWhiteListClassification",
"matchedWhiteListRuleIds"
]
}'
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{ "queryPath": [ { "requestedType": "Process", "filters": [ { "facetName": "passTheHashSenderSuspicion", "values": [ true ] } ], "isResult": true } ], "totalResultLimit": 1000, "perGroupLimit": 100, "perFeatureLimit": 100, "templateContext": "SPECIFIC", "queryTimeout": 120000, "customFields": [ "elementDisplayName", "creationTime", "endTime", "commandLine", "isImageFileSignedAndVerified", "imageFile.maliciousClassificationType", "productType", "children", "parentProcess", "ownerMachine", "calculatedUser", "imageFile", "imageFile.sha1String", "imageFile.md5String", "imageFile.companyName", "imageFile.productName", "iconBase64", "ransomwareAutoRemediationSuspended", "executionPrevented", "isWhiteListClassification", "matchedWhiteListRuleIds" ] }
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Query 2:
Request
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath":[
{
"requestedType":"Process",
"filters":[
{
"facetName":"executedOnPassTheHashLogonSessionSuspicion",
"values":[true]
}
],
"isResult":true
}
],
"totalResultLimit":1000,
"perGroupLimit":100,
"perFeatureLimit":100,
"templateContext":"SPECIFIC",
"queryTimeout":120000,
"customFields":[
"elementDisplayName",
"creationTime",
"endTime",
"commandLine",
"isImageFileSignedAndVerified",
"imageFile.maliciousClassificationType",
"productType",
"children",
"parentProcess",
"ownerMachine",
"calculatedUser",
"imageFile",
"imageFile.sha1String",
"imageFile.md5String",
"imageFile.companyName",
"imageFile.productName",
"iconBase64",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"isWhiteListClassification",
"matchedWhiteListRuleIds"
]
}'
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{ "queryPath": [ { "requestedType": "Process", "filters": [ { "facetName": "executedOnPassTheHashLogonSessionSuspicion", "values": [ true ] } ], "isResult": true } ], "totalResultLimit": 1000, "perGroupLimit": 100, "perFeatureLimit": 100, "templateContext": "SPECIFIC", "queryTimeout": 120000, "customFields": [ "elementDisplayName", "creationTime", "endTime", "commandLine", "isImageFileSignedAndVerified", "imageFile.maliciousClassificationType", "productType", "children", "parentProcess", "ownerMachine", "calculatedUser", "imageFile", "imageFile.sha1String", "imageFile.md5String", "imageFile.companyName", "imageFile.productName", "iconBase64", "ransomwareAutoRemediationSuspended", "executionPrevented", "isWhiteListClassification", "matchedWhiteListRuleIds" ] }
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests import json # Login information username = "[email protected]" password = "mypassword" server = "yourserver.com" port = "443" data = { "username": username, "password": password } headers = {"Content-Type": "application/json"} base_url = "https://" + server + ":" + port login_url = base_url + "/login.html" session = requests.session() login_response = session.post(login_url, data=data, verify=True) print (login_response.status_code) print (session.cookies.items() # Request URL endpoint_url = "/rest/visualsearch/query/simple" api_url = base_url + endpoint_url # These are the variables that represent different fields in the request. query_element_1 = "Process" query_element_1_filter = "executedOnPassTheHashLogonSessionSuspicion" query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","isImageFileSignedAndVerified","imageFile.maliciousClassificationType","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","imageFile.sha1String","imageFile.md5String","imageFile.companyName","imageFile.productName","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]}) api_headers = {'Content-Type':'application/json'} api_response = session.request("POST", api_url, data=query, headers=api_headers) your_response = json.loads(api_response.content) print(json.dumps(your_response, indent=4, sort_keys=True))
Query 3:
Request
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath":[
{
"requestedType":"Process",
"filters":[
{
"facetName":"commandLine",
"values":["RunAs"],
"filterType":"ContainsIgnoreCase"
}
],
"isResult":true
}
],
"totalResultLimit":1000,
"perGroupLimit":100,
"perFeatureLimit":100,
"templateContext":"SPECIFIC",
"queryTimeout":120000,
"customFields":[
"elementDisplayName",
"creationTime",
"endTime",
"commandLine",
"isImageFileSignedAndVerified",
"imageFile.maliciousClassificationType",
"productType",
"children",
"parentProcess",
"ownerMachine",
"calculatedUser",
"imageFile",
"imageFile.sha1String",
"imageFile.md5String",
"imageFile.companyName",
"imageFile.productName",
"iconBase64",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"isWhiteListClassification",
"matchedWhiteListRuleIds"
]
}'
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{ "queryPath": [ { "requestedType": "Process", "filters": [ { "facetName": "commandLine", "values": [ "RunAs" ], "filterType": "ContainsIgnoreCase" } ], "isResult": true } ], "totalResultLimit": 1000, "perGroupLimit": 100, "perFeatureLimit": 100, "templateContext": "SPECIFIC", "queryTimeout": 120000, "customFields": [ "elementDisplayName", "creationTime", "endTime", "commandLine", "isImageFileSignedAndVerified", "imageFile.maliciousClassificationType", "productType", "children", "parentProcess", "ownerMachine", "calculatedUser", "imageFile", "imageFile.sha1String", "imageFile.md5String", "imageFile.companyName", "imageFile.productName", "iconBase64", "ransomwareAutoRemediationSuspended", "executionPrevented", "isWhiteListClassification", "matchedWhiteListRuleIds" ] }
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests import json # Login information username = "[email protected]" password = "mypassword" server = "yourserver.com" port = "443" data = { "username": username, "password": password } headers = {"Content-Type": "application/json"} base_url = "https://" + server + ":" + port login_url = base_url + "/login.html" session = requests.session() login_response = session.post(login_url, data=data, verify=True) print (login_response.status_code) print (session.cookies.items()) # Request URL endpoint_url = "/rest/visualsearch/query/simple" api_url = base_url + endpoint_url # These are the variables that represent different fields in the request. query_element_1 = "Process" query_element_1_filter = "commandLine" query_element_1_filter_value = "RunAs" query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[query_element_1_filter_value],"filterType":"ContainsIgnoreCase"}],"isResult":true}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","isImageFileSignedAndVerified","imageFile.maliciousClassificationType","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","imageFile.sha1String","imageFile.md5String","imageFile.companyName","imageFile.productName","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]}) api_headers = {'Content-Type':'application/json'} api_response = session.request("POST", api_url, data=query, headers=api_headers) your_response = json.loads(api_response.content) print(json.dumps(your_response, indent=4, sort_keys=True))
Query 4:
Request
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath":[
{
"requestedType":"Process",
"filters":[
{
"facetName":"hasChildren",
"values":[true]
}
],
"isResult":true
}
],
"totalResultLimit":1000,
"perGroupLimit":100,
"perFeatureLimit":100,
"templateContext":"SPECIFIC",
"queryTimeout":120000,
"customFields":[
"elementDisplayName",
"creationTime",
"endTime",
"commandLine",
"productType",
"children",
"parentProcess",
"ownerMachine",
"calculatedUser",
"imageFile",
"knownMalwareSuspicion",
"hasListeningConnection",
"scanningProcessSuspicion",
"tid",
"iconBase64",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"isWhiteListClassification",
"matchedWhiteListRuleIds"
]
}'
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{ "queryPath": [ { "requestedType": "Process", "filters": [ { "facetName": "hasChildren", "values": [ true ] } ], "isResult": true } ], "totalResultLimit": 1000, "perGroupLimit": 100, "perFeatureLimit": 100, "templateContext": "SPECIFIC", "queryTimeout": 120000, "customFields": [ "elementDisplayName", "creationTime", "endTime", "commandLine", "productType", "children", "parentProcess", "ownerMachine", "calculatedUser", "imageFile", "knownMalwareSuspicion", "hasListeningConnection", "scanningProcessSuspicion", "tid", "iconBase64", "ransomwareAutoRemediationSuspended", "executionPrevented", "isWhiteListClassification", "matchedWhiteListRuleIds" ] }
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests import json # Login information username = "[email protected]" password = "mypassword" server = "yourserver.com" port = "443" data = { "username": username, "password": password } headers = {"Content-Type": "application/json"} base_url = "https://" + server + ":" + port login_url = base_url + "/login.html" session = requests.session() login_response = session.post(login_url, data=data, verify=True) print (login_response.status_code) print (session.cookies.items()) # Request URL endpoint_url = "/rest/visualsearch/query/simple" api_url = base_url + endpoint_url # These are the variables that represent different fields in the request. query_element_1 = "Process" query_element_1_filter = "hasChildren" query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","knownMalwareSuspicion","hasListeningConnection","scanningProcessSuspicion","tid","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]}) api_headers = {'Content-Type':'application/json'} api_response = session.request("POST", api_url, data=query, headers=api_headers) your_response = json.loads(api_response.content) print(json.dumps(your_response, indent=4, sort_keys=True))
Many processes opened from the same process
Use this query to examine results and find cases where many processes have the same parent process.
Request
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath":[
{
"requestedType":"Process",
"filters":[],
"connectionFeature": {
"elementInstanceType":"Process",
"featureName":"parentProcess"
}
},
{
"requestedType":"Process",
"filters":[],
"isResult":true
}
],
"totalResultLimit":1000,
"perGroupLimit":100,
"perFeatureLimit":100,
"templateContext":"SPECIFIC",
"queryTimeout":120000,
"customFields":[
"elementDisplayName",
"creationTime",
"endTime",
"commandLine",
"productType",
"children",
"parentProcess",
"ownerMachine",
"calculatedUser",
"imageFile",
"knownMalwareSuspicion",
"hasListeningConnection",
"scanningProcessSuspicion",
"tid",
"iconBase64",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"isWhiteListClassification",
"matchedWhiteListRuleIds"
]
}'
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{ "queryPath": [ { "requestedType": "Process", "filters": [], "connectionFeature": { "elementInstanceType": "Process", "featureName": "parentProcess" } }, { "requestedType": "Process", "filters": [], "isResult": true } ], "totalResultLimit": 1000, "perGroupLimit": 100, "perFeatureLimit": 100, "templateContext": "SPECIFIC", "queryTimeout": 120000, "customFields": [ "elementDisplayName", "creationTime", "endTime", "commandLine", "productType", "children", "parentProcess", "ownerMachine", "calculatedUser", "imageFile", "knownMalwareSuspicion", "hasListeningConnection", "scanningProcessSuspicion", "tid", "iconBase64", "ransomwareAutoRemediationSuspended", "executionPrevented", "isWhiteListClassification", "matchedWhiteListRuleIds" ] }
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests import json # Login information username = "[email protected]" password = "mypassword" server = "yourserver.com" port = "443" data = { "username": username, "password": password } headers = {"Content-Type": "application/json"} base_url = "https://" + server + ":" + port login_url = base_url + "/login.html" session = requests.session() login_response = session.post(login_url, data=data, verify=True) print (login_response.status_code) print (session.cookies.items()) # Request URL endpoint_url = "/rest/visualsearch/query/simple" api_url = base_url + endpoint_url # These are the variables that represent different fields in the request. query_element_1 = "Process" linking_element = "Process" linking_feature = "parentProcess" query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[],"connectionFeature":{"elementInstanceType":linking_element,"featureName":linking_feature}},{"requestedType":query_element_1,"filters":[],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","knownMalwareSuspicion","hasListeningConnection","scanningProcessSuspicion","tid","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]}) api_headers = {'Content-Type':'application/json'} api_response = session.request("POST", api_url, data=query, headers=api_headers) your_response = json.loads(api_response.content) print(json.dumps(your_response, indent=4, sort_keys=True))