Find Instances of Malicious Process Execution

Use the API to find examples of malicious communication.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Command line process execution

Use this request to find examples of malicious process execution from a command line.

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "Process",
           "filters": [
             {
               "facetName": "commandLine",
               "values": ["whoami"],
               "filterType": "ContainsIgnoreCase"
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "isImageFileSignedAndVerified",
         "imageFile.maliciousClassificationType",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "imageFile.sha1String",
         "imageFile.md5String",
         "imageFile.companyName",
         "imageFile.productName",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Renamed processes

Use these queries to find examples of processes that have renamed files or binary files.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "Process",
           "filters": [],
           "connectionFeature": {
             "elementInstanceType": "Process",
             "featureName": "loadedModules"
           }
         },
         {
           "requestedType": "Module",
           "filters": [],
           "connectionFeature": {
             "elementInstanceType": "Module",
             "featureName": "file"
           }
         },
         {
           "requestedType": "File",
           "filters": [],
           "connectionFeature": {
             "elementInstanceType": "File",
             "featureName": "fileAccessEvents"
           }
         },
         {
           "requestedType": "FileAccessEvent",
           "filters": [
             {
               "facetName": "fileEventType",
               "values": ["FET_RENAME"],
               "filterType": "Equals"
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "elementDisplayName",
         "ownerProcess",
         "firstAccessTime",
         "fileEventType",
         "path",
         "newPath"
       ]
     }'
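The two request shapes used throughout this section (a single-element query with a facet filter, as in the command-line query, and a multi-hop chain linked by connectionFeature, as in the rename query above) follow a small set of rules: every hop but the last names the feature that leads to the next element type, and exactly one hop carries isResult. The following added example, written for this page and not part of the Cybereason documentation or client tooling, builds both bodies programmatically and validates those rules before sending. The endpoint path, JSON keys, facet names and feature names come from the requests on this page; the server address, the JSESSIONID cookie used for authentication, and the helper names (facet_filter, element, build_query, post_query) are assumptions of this example.

```python
"""Build visual-search request bodies like the ones in this section.

Added example, not Cybereason's own code. Keys and facet/feature names are
taken from the page's requests; server, auth cookie and helper names are
assumptions.
"""
import json
import os
from typing import Any, Dict, List, Optional
from urllib import request as urllib_request

# Subset of the Process fields the page's command-line query requests.
PROCESS_FIELDS = [
    "elementDisplayName", "creationTime", "endTime", "commandLine",
    "isImageFileSignedAndVerified", "imageFile.maliciousClassificationType",
    "parentProcess", "ownerMachine", "calculatedUser",
    "imageFile.sha1String", "imageFile.md5String",
]

# FileAccessEvent fields the page's rename query requests.
FILE_EVENT_FIELDS = [
    "elementDisplayName", "ownerProcess", "firstAccessTime",
    "fileEventType", "path", "newPath",
]


def facet_filter(facet: str, values: List[Any],
                 filter_type: Optional[str] = None) -> Dict[str, Any]:
    """One entry of a hop's "filters" list. Boolean evidence facets on this
    page (e.g. hasListeningConnection) carry no filterType; string facets
    use ContainsIgnoreCase or Equals."""
    f: Dict[str, Any] = {"facetName": facet, "values": values}
    if filter_type is not None:
        f["filterType"] = filter_type
    return f


def element(requested_type: str, filters: Optional[List[Dict[str, Any]]] = None,
            connect_via: Optional[str] = None, is_result: bool = False) -> Dict[str, Any]:
    """One hop of "queryPath". connect_via is the feature that links this
    element type to the next hop; the hop flagged isResult is what the
    server returns."""
    e: Dict[str, Any] = {"requestedType": requested_type, "filters": filters or []}
    if connect_via is not None:
        e["connectionFeature"] = {"elementInstanceType": requested_type,
                                  "featureName": connect_via}
    if is_result:
        e["isResult"] = True
    return e


def build_query(path: List[Dict[str, Any]], custom_fields: List[str],
                total_limit: int = 1000) -> Dict[str, Any]:
    """Assemble the request body, checking the structural rules first."""
    if sum(1 for hop in path if hop.get("isResult")) != 1:
        raise ValueError("queryPath must mark exactly one hop with isResult")
    for hop in path[:-1]:  # every hop except the last must link onward
        if "connectionFeature" not in hop:
            raise ValueError(f"hop {hop['requestedType']} lacks connectionFeature")
    return {
        "queryPath": path,
        "totalResultLimit": total_limit,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": 120000,
        "customFields": custom_fields,
    }


def command_line_query(indicator: str) -> Dict[str, Any]:
    """The page's command-line query, generalised to any indicator string."""
    flt = facet_filter("commandLine", [indicator], "ContainsIgnoreCase")
    return build_query([element("Process", [flt], is_result=True)], PROCESS_FIELDS)


def renamed_file_query() -> Dict[str, Any]:
    """The page's chain: Process -> loaded Module -> its File -> rename events."""
    return build_query([
        element("Process", connect_via="loadedModules"),
        element("Module", connect_via="file"),
        element("File", connect_via="fileAccessEvents"),
        element("FileAccessEvent",
                [facet_filter("fileEventType", ["FET_RENAME"], "Equals")],
                is_result=True),
    ], FILE_EVENT_FIELDS)


def post_query(server: str, body: Dict[str, Any],
               session_cookie: Optional[str] = None) -> Dict[str, Any]:
    """POST the body to the endpoint used on this page. Authenticating with a
    JSESSIONID cookie is an assumption; the page's curl lines omit auth."""
    req = urllib_request.Request(
        f"https://{server}/rest/visualsearch/query/simple",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    if session_cookie:
        req.add_header("Cookie", f"JSESSIONID={session_cookie}")
    with urllib_request.urlopen(req, timeout=130) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(command_line_query("whoami"), indent=2))
    if os.environ.get("CR_SERVER"):  # reach the network only when configured
        print(post_query(os.environ["CR_SERVER"], renamed_file_query(),
                         os.environ.get("CR_SESSION")))
```

Run it without CR_SERVER set to print the assembled body and compare it against the curl request above; set CR_SERVER (and CR_SESSION for the cookie) to send the rename chain to a live server. The structural checks in build_query catch the two mistakes most often made when adapting these queries by hand: dropping connectionFeature from an intermediate hop, or marking more than one hop as the result.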

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "File",
           "filters": [
             {
               "facetName": "elementDisplayName",
               "values": ["cmd.exe"],
               "filterType": "ContainsIgnoreCase"
             },
             {
               "facetName": "internalName",
               "values": ["cmd"],
               "filterType": "ContainsIgnoreCase"
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "ownerMachine",
         "avRemediationStatus",
         "isSigned",
         "signatureVerified",
         "sha1String",
         "maliciousClassificationType",
         "createdTime",
         "modifiedTime",
         "size",
         "correctedPath",
         "productName",
         "productVersion",
         "companyName",
         "internalName",
         "elementDisplayName"
       ]
     }'

Legitimate applications used for malicious purposes

Use these queries to find examples where legitimate applications (such as operating system processes) have been repurposed for malicious use.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "Process",
           "filters": [
             {
               "facetName": "maliciousUseOfWinOSProcessEvidence",
               "values": [true]
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "isImageFileSignedAndVerified",
         "imageFile.maliciousClassificationType",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "imageFile.sha1String",
         "imageFile.md5String",
         "imageFile.companyName",
         "imageFile.productName",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "Process",
           "filters": [],
           "connectionFeature": {
             "elementInstanceType": "Process",
             "featureName": "loadedModules"
           }
         },
         {
           "requestedType": "Module",
           "filters": [],
           "connectionFeature": {
             "elementInstanceType": "Module",
             "featureName": "file"
           }
         },
         {
           "requestedType": "File",
           "filters": [],
           "connectionFeature": {
             "elementInstanceType": "File",
             "featureName": "fileAccessEvents"
           }
         },
         {
           "requestedType": "FileAccessEvent",
           "filters": [
             {
               "facetName": "fileEventType",
               "values": ["FET_RENAME"],
               "filterType": "Equals"
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "elementDisplayName",
         "ownerProcess",
         "firstAccessTime",
         "fileEventType",
         "path",
         "newPath"
       ]
     }'

Process opening a listening connection

Use this request to find instances of a process opening a listening connection.

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath": [
         {
           "requestedType": "Process",
           "filters": [
             {
               "facetName": "hasListeningConnection",
               "values": [true]
             }
           ],
           "isResult": true
         }
       ],
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "templateContext": "SPECIFIC",
       "queryTimeout": 120000,
       "customFields": [
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "knownMalwareSuspicion",
         "hasListeningConnection",
         "scanningProcessSuspicion",
         "tid",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Malicious script execution

Use these queries to find examples of a script running in an unexpected or malicious manner.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath": [
             {
                 "requestedType": "Process",
                 "filters": [
                     {
                         "facetName": "maliciousScriptDropperSuspicion",
                         "values": [true]
                     }
                 ],
                 "isResult": true
             }
         ],
         "totalResultLimit": 1000,
         "perGroupLimit": 100,
         "perFeatureLimit": 100,
         "templateContext": "SPECIFIC",
         "queryTimeout": 120000,
         "customFields": [
             "elementDisplayName",
             "creationTime",
             "endTime",
             "commandLine",
             "productType",
             "children",
             "parentProcess",
             "ownerMachine",
             "calculatedUser",
             "imageFile",
             "knownMalwareSuspicion",
             "hasListeningConnection",
             "scanningProcessSuspicion",
             "tid",
             "iconBase64",
             "ransomwareAutoRemediationSuspended",
             "executionPrevented",
             "isWhiteListClassification",
             "matchedWhiteListRuleIds"
         ]
     }'

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath": [
             {
                 "requestedType": "Process",
                 "filters": [
                     {
                         "facetName": "maliciousScriptExecutionEvidence",
                         "values": [true]
                     }
                 ],
                 "isResult": true
             }
         ],
         "totalResultLimit": 1000,
         "perGroupLimit": 100,
         "perFeatureLimit": 100,
         "templateContext": "SPECIFIC",
         "queryTimeout": 120000,
         "customFields": [
             "elementDisplayName",
             "creationTime",
             "endTime",
             "commandLine",
             "productType",
             "children",
             "parentProcess",
             "ownerMachine",
             "calculatedUser",
             "imageFile",
             "knownMalwareSuspicion",
             "hasListeningConnection",
             "scanningProcessSuspicion",
             "tid",
             "iconBase64",
             "ransomwareAutoRemediationSuspended",
             "executionPrevented",
             "isWhiteListClassification",
             "matchedWhiteListRuleIds"
         ]
     }'

Malicious services associated with a process

Use these queries to find evidence of malicious services associated with a process.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath": [
             {
                 "requestedType": "Service",
                 "filters": [
                     {
                         "facetName": "rareServiceEvidence",
                         "values": [true]
                     }
                 ],
                 "isResult": true
             }
         ],
         "totalResultLimit": 1000,
         "perGroupLimit": 100,
         "perFeatureLimit": 100,
         "templateContext": "SPECIFIC",
         "queryTimeout": 120000,
         "customFields": [
             "displayName",
             "description",
             "commandLineArguments",
             "binaryFile",
             "isActive",
             "startType",
             "ownerMachine",
             "process",
             "parentProcess",
             "elementDisplayName"
         ]
     }'

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath": [
             {
                 "requestedType": "Service",
                 "filters": [
                     {
                         "facetName": "rareActiveServiceEvidence",
                         "values": [true]
                     }
                 ],
                 "isResult": true
             }
         ],
         "totalResultLimit": 1000,
         "perGroupLimit": 100,
         "perFeatureLimit": 100,
         "templateContext": "SPECIFIC",
         "queryTimeout": 120000,
         "customFields": [
             "displayName",
             "description",
             "commandLineArguments",
             "binaryFile",
             "isActive",
             "startType",
             "ownerMachine",
             "process",
             "parentProcess",
             "elementDisplayName"
         ]
     }'

Query 3:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath": [
             {
                 "requestedType": "Service",
                 "filters": [
                     {
                         "facetName": "rareStartTypeEvidence",
                         "values": [true]
                     }
                 ],
                 "isResult": true
             }
         ],
         "totalResultLimit": 1000,
         "perGroupLimit": 100,
         "perFeatureLimit": 100,
         "templateContext": "SPECIFIC",
         "queryTimeout": 120000,
         "customFields": [
             "displayName",
             "description",
             "commandLineArguments",
             "binaryFile",
             "isActive",
             "startType",
             "ownerMachine",
             "process",
             "parentProcess",
             "elementDisplayName"
         ]
     }'

Query 4:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath": [
             {
                 "requestedType": "Service",
                 "filters": [
                     {
                         "facetName": "binaryFileChangedEvidence",
                         "values": [true]
                     }
                 ],
                 "isResult": true
             }
         ],
         "totalResultLimit": 1000,
         "perGroupLimit": 100,
         "perFeatureLimit": 100,
         "templateContext": "SPECIFIC",
         "queryTimeout": 120000,
         "customFields": [
             "displayName",
             "description",
             "commandLineArguments",
             "binaryFile",
             "isActive",
             "startType",
             "ownerMachine",
             "process",
             "parentProcess",
             "elementDisplayName"
         ]
     }'

Query 5:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
         "queryPath": [
             {
                 "requestedType": "Service",
                 "filters": [
                     {
                         "facetName": "serviceStartNameChangedEvidence",
                         "values": [true]
                     }
                 ],
                 "isResult": true
             }
         ],
         "totalResultLimit": 1000,
         "perGroupLimit": 100,
         "perFeatureLimit": 100,
         "templateContext": "SPECIFIC",
         "queryTimeout": 120000,
         "customFields": [
             "displayName",
             "description",
             "commandLineArguments",
             "binaryFile",
             "isActive",
             "startType",
             "ownerMachine",
             "process",
             "parentProcess",
             "elementDisplayName"
         ]
     }'
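The seven requests in the "Malicious script execution" and "Malicious services associated with a process" sections differ only in requestedType, facetName and the customFields list, so an investigator will usually want to generate and run them in one pass rather than paste seven curl commands. The script below is an added example and is not code from this documentation or from the product; it builds each request body from one function, posts it, and tallies how many elements each evidence facet returned. The host, endpoint, facet names, limits and field lists are taken from the page. Two things are assumptions not stated on the page: that the caller authenticates with a session cookie, and that matched elements come back under data.resultIdToElementDataMap. The canned server response is constructed so the loop runs offline.

```python
"""Added example, not from the page: generate and run the evidence-facet
queries of the script-execution and service sections in one loop."""
import json
import urllib.request

BASE_URL = "https://12.34.56.78"              # placeholder host from the page
ENDPOINT = "/rest/visualsearch/query/simple"

# customFields requested for Process elements (copied from the page)
PROCESS_FIELDS = [
    "elementDisplayName", "creationTime", "endTime", "commandLine",
    "productType", "children", "parentProcess", "ownerMachine",
    "calculatedUser", "imageFile", "knownMalwareSuspicion",
    "hasListeningConnection", "scanningProcessSuspicion", "tid", "iconBase64",
    "ransomwareAutoRemediationSuspended", "executionPrevented",
    "isWhiteListClassification", "matchedWhiteListRuleIds",
]
# customFields requested for Service elements (copied from the page)
SERVICE_FIELDS = [
    "displayName", "description", "commandLineArguments", "binaryFile",
    "isActive", "startType", "ownerMachine", "process", "parentProcess",
    "elementDisplayName",
]
# facet -> requestedType, one entry per query shown in the two sections
SECTION_FACETS = {
    "maliciousScriptDropperSuspicion": "Process",
    "maliciousScriptExecutionEvidence": "Process",
    "rareServiceEvidence": "Service",
    "rareActiveServiceEvidence": "Service",
    "rareStartTypeEvidence": "Service",
    "binaryFileChangedEvidence": "Service",
    "serviceStartNameChangedEvidence": "Service",
}


def build_evidence_query(requested_type, facet_name, custom_fields,
                         total_limit=1000, per_group=100, per_feature=100,
                         timeout_ms=120000):
    """Request body for a boolean evidence facet, as the page's queries send it.

    No filterType is set: these queries match values:[true] only, unlike the
    commandLine query earlier on the page, which uses ContainsIgnoreCase."""
    return {
        "queryPath": [{
            "requestedType": requested_type,
            "filters": [{"facetName": facet_name, "values": [True]}],
            "isResult": True,
        }],
        "totalResultLimit": total_limit,
        "perGroupLimit": per_group,
        "perFeatureLimit": per_feature,
        "templateContext": "SPECIFIC",
        "queryTimeout": timeout_ms,
        "customFields": list(custom_fields),
    }


def build_section_queries():
    """All seven queries of the two sections as (facet_name, body) pairs."""
    return [(facet, build_evidence_query(
                kind, facet, PROCESS_FIELDS if kind == "Process" else SERVICE_FIELDS))
            for facet, kind in SECTION_FACETS.items()]


def post_query(body, session_cookie=None, opener=urllib.request.urlopen):
    """POST one body as JSON; `opener` is injectable so tests run offline."""
    req = urllib.request.Request(BASE_URL + ENDPOINT,
                                 data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    if session_cookie:                        # assumption: cookie-based session
        req.add_header("Cookie", session_cookie)
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def result_count(response):
    """Number of matched elements; the key path is an assumption."""
    return len(response.get("data", {}).get("resultIdToElementDataMap", {}))


class CannedResponse:
    """Constructed stand-in for the server: two hits for one facet, none else."""
    def __init__(self, req):
        self.body = json.loads(req.data.decode("utf-8"))
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def read(self):
        facet = self.body["queryPath"][0]["filters"][0]["facetName"]
        hits = {"r1": {}, "r2": {}} if facet == "rareServiceEvidence" else {}
        return json.dumps({"data": {"resultIdToElementDataMap": hits}}).encode()


def run_all(opener=urllib.request.urlopen, session_cookie=None):
    """Post every section query; return facet name -> number of hits."""
    return {facet: result_count(post_query(body, session_cookie, opener))
            for facet, body in build_section_queries()}


if __name__ == "__main__":
    for facet, n in run_all(opener=CannedResponse).items():
        print(f"{facet:35} {n} element(s)")
```

Against a live server, call run_all() with the default opener and the session cookie obtained at login; the per-facet counts give a quick triage view of which evidence types are present before pulling the full customFields for the matched elements.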