Narrow Queries

These example queries yield few false positives, but they may only rarely return results.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Find Trickbot by Module

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "loadedModules"
                                                    }
                            },
                            {
                              "requestedType": "Module",
                              "filters": [
                                          {
                                            "facetName": "moduleName",
                                            "values": [
                                                        "core-dll.dll"
                                                      ],
                                            "filterType":"ContainsIgnoreCase"
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "file",
                                "ownerMachine",
                                "hasAutorun",
                                "isFloating",
                                "notInLoaderDbEvidence",
                                "maliciousClassification",
                                "elementDisplayName"
                              ]
            }'

Find fileless malware persistence via MSHTA

Use this request to search for well-hidden Kovter variants; it matches processes whose command line contains both the "javascript" and "about" strings.

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName":"commandLine",
                                            "values": [
                                                        "javascript",
                                                        "about"
                                                      ],
                                            "filterType":"ContainsIgnoreCase"
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "parentProcess",
                                "commandLine",
                                "calculatedUser",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime"
                              ]
            }'
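As an added example that is not part of the original documentation, the following Python builds both request bodies shown above from one small helper, so the element type, connection feature, facet filters and result fields can be swapped for indicators from your own environment. The function names are my own; the request structure and field names come from the two curl examples.

```python
# Result limits and template settings shared by both example queries on this page.
DEFAULT_LIMITS = {
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
}


def step(element_type, filters=(), connection_feature=None, is_result=False):
    # One queryPath entry: the element type, optional facet filters, and the
    # feature that links it to the next step (e.g. Process -> loadedModules -> Module).
    entry = {"requestedType": element_type}
    if connection_feature:
        entry["connectionFeature"] = {"elementInstanceType": element_type,
                                      "featureName": connection_feature}
    if filters:
        entry["filters"] = [{"facetName": facet, "values": list(values), "filterType": ftype}
                            for facet, values, ftype in filters]
    if is_result:
        entry["isResult"] = True
    return entry


def build_query(steps, custom_fields):
    # Assemble the body accepted by /rest/visualsearch/query/simple.
    return {"queryPath": list(steps), **DEFAULT_LIMITS, "customFields": list(custom_fields)}


def trickbot_module_query(module_names=("core-dll.dll",)):
    # Two-step query: Process -> loadedModules -> Module whose name contains one of module_names.
    return build_query(
        [step("Process", connection_feature="loadedModules"),
         step("Module", [("moduleName", module_names, "ContainsIgnoreCase")], is_result=True)],
        ["file", "ownerMachine", "hasAutorun", "isFloating",
         "notInLoaderDbEvidence", "maliciousClassification", "elementDisplayName"])


def mshta_persistence_query(markers=("javascript", "about")):
    # Single-step query: Process whose command line contains the given strings.
    return build_query(
        [step("Process", [("commandLine", markers, "ContainsIgnoreCase")], is_result=True)],
        ["elementDisplayName", "parentProcess", "commandLine", "calculatedUser",
         "ransomwareAutoRemediationSuspended", "executionPrevented", "creationTime", "endTime"])
```

Serialise the returned dict with json.dumps and pass it as the --data body of the curl request shown above.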