Find Penetration Vectors
Researching penetration vectors helps you find suspicious behavior associated with the penetration stage of an attack. Use these examples from the API to help you with the penetration stage of an attack.
The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.
In this topic:
Child Shell processes
Use the following request to locate suspicious behavior from child shell processes, such as initiating connections, creation of additional children, and so forth.
Request
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "productType",
"values": [
"MS_OFFICE"
],
"filterType": "Equals"
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "children"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "productType",
"values": [
"shell"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"parentProcess",
"hasSuspicions",
"creationTime",
"endTime"
]
}'
Response
{
"data": {
"resultIdToElementDataMap": {
"-1417547681.9114014601243363792": {
"simpleValues": {
"creationTime": {
"totalValues": 1,
"values": [
"1495442695230"
]
},
"endTime": {
"totalValues": 1,
"values": [
"1495442696368"
]
},
"hasSuspicions": {
"totalValues": 1,
"values": [
"true"
]
},
"elementDisplayName": {
"totalValues": 1,
"values": [
"powershell.exe"
]
}
},
"elementValues": {
"parentProcess": {
"totalValues": 1,
"elementValues": [
{
"elementType": "Process",
"guid": "-1417547681.-8191079222435001861",
"name": "excel.exe",
"hasSuspicions": false,
"hasMalops": false
}
],
"totalSuspicious": 0,
"totalMalicious": 0
}
},
"suspicions": {
"shellOfNonShellRunnerSuspicion": 1495442710604
},
"filterData": {
"sortInGroupValue": "-1417547681.9114014601243363792",
"groupByValue": "powershell.exe"
},
"isMalicious": true,
"suspicionCount": 1,
"guidString": "-1417547681.9114014601243363792",
"labelsIds": null,
"malopPriority": null
}
},
"suspicionsMap": {
"hostingInjectedThreadSuspicion": {
"potentialEvidence": [
"hostingInjectedThreadEvidence"
],
"firstTimestamp": 1506424896610,
"totalSuspicions": 2
},
"shellOfNonShellRunnerSuspicion": {
"potentialEvidence": [
"shellOfNonShellRunnerEvidence"
],
"firstTimestamp": 1495442710604,
"totalSuspicions": 6
},
"maliciousScriptExecutionSuspicion": {
"potentialEvidence": [
"maliciousScriptExecutionEvidence"
],
"firstTimestamp": 1495449698176,
"totalSuspicions": 3
}
},
"evidenceMap": {},
"totalPossibleResults": 6,
"queryLimits": {
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"groupingFeature": {
"elementInstanceType": "Process",
"featureName": "imageFileHash"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": null
},
"count": 6
},
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": "children"
},
"count": 6
}
]
},
"status": "SUCCESS",
"message": ""
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "productType",
"values": [
"MS_OFFICE"
],
"filterType": "Equals"
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "children"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "productType",
"values": [
"shell"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"parentProcess",
"hasSuspicions",
"creationTime",
"endTime"
]
}
Response
{
"data": {
"resultIdToElementDataMap": {
"-1417547681.9114014601243363792": {
"simpleValues": {
"creationTime": {
"totalValues": 1,
"values": [
"1495442695230"
]
},
"endTime": {
"totalValues": 1,
"values": [
"1495442696368"
]
},
"hasSuspicions": {
"totalValues": 1,
"values": [
"true"
]
},
"elementDisplayName": {
"totalValues": 1,
"values": [
"powershell.exe"
]
}
},
"elementValues": {
"parentProcess": {
"totalValues": 1,
"elementValues": [
{
"elementType": "Process",
"guid": "-1417547681.-8191079222435001861",
"name": "excel.exe",
"hasSuspicions": false,
"hasMalops": false
}
],
"totalSuspicious": 0,
"totalMalicious": 0
}
},
"suspicions": {
"shellOfNonShellRunnerSuspicion": 1495442710604
},
"filterData": {
"sortInGroupValue": "-1417547681.9114014601243363792",
"groupByValue": "powershell.exe"
},
"isMalicious": true,
"suspicionCount": 1,
"guidString": "-1417547681.9114014601243363792",
"labelsIds": null,
"malopPriority": null
}
},
"suspicionsMap": {
"hostingInjectedThreadSuspicion": {
"potentialEvidence": [
"hostingInjectedThreadEvidence"
],
"firstTimestamp": 1506424896610,
"totalSuspicions": 2
},
"shellOfNonShellRunnerSuspicion": {
"potentialEvidence": [
"shellOfNonShellRunnerEvidence"
],
"firstTimestamp": 1495442710604,
"totalSuspicions": 6
},
"maliciousScriptExecutionSuspicion": {
"potentialEvidence": [
"maliciousScriptExecutionEvidence"
],
"firstTimestamp": 1495449698176,
"totalSuspicions": 3
}
},
"evidenceMap": {},
"totalPossibleResults": 6,
"queryLimits": {
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"groupingFeature": {
"elementInstanceType": "Process",
"featureName": "imageFileHash"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": null
},
"count": 6
},
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": "children"
},
"count": 6
}
]
},
"status": "SUCCESS",
"message": ""
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests
import json
# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
"username": username,
"password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print (login_response.status_code)
print (session.cookies.items())
# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
query_element_1 = "Process"
query_element_1_filter = "productType"
query_element_1_filter_value = "MS_OFFICE"
linking_element = "Process"
linking_feature = "children"
query_element_2 = "Process"
query_element_2_filter_value = "shell"
query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[query_element_1_filter_value],"filterType":"Equals"}],"connectionFeature":{"elementInstanceType":linking_element,"featureName":linking_feature}},{"requestedType":query_element_2,"filters":[{"facetName":query_element_1_filter,"values":[query_element_2_filter_value],"filterType":"Equals"}],"isResult":True}],"totalResultLimit":100,"perGroupLimit":10,"perFeatureLimit":10,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","parentProcess","hasSuspicions","creationTime","endTime"]})
api_headers = {'Content-Type':'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
{ "batchId": -1312043715, "actionType": "FileSearchStart", "actionArguments": { "@class": "com.cybereason.configuration.models.FileSearchParameters", "filters": [ { "fieldName": "fileName", "values": [ "ShadowAttack.exe" ], "operator": "Equals" } ], "maxAnswers": 20 }, "globalStats": { "stats": { "Pending": 0, "partialResponse": 0, "AbortTimeout": 0, "EndedWithSensorTimeout": 0, "UnauthorizedUser": 0, "FailedSendingToServer": 0, "GettingChunks": 0, "NewerInstalled": 0, "SendingMsi": 0, "None": 52, "MsiSendFail": 0, "EndedWithInvalidParam": 0, "Failed": 0, "InProgress": 0, "Disconnected": 0, "Aborted": 0, "FailedSending": 0, "MsiFileCorrupted": 0, "UnknownProbe": 0, "NotSupported": 0, "Primed": 0, "ChunksRequired": 0, "ProbeRemoved": 0, "Started": 0, "EndedWithTooManySearches": 0, "TimeoutSending": 0, "InvalidState": 0, "Timeout": 0, "EndedWithUnknownError": 0, "AlreadyUpdated": 0, "EndedWithTooManyResults": 0, "Succeeded": 0 } }, "finalState": false, "totalNumberOfProbes": 52, "initiatorUser": "[email protected]", "startTime": 1524400763922, "aborterUser": null, "abortTime": 0, "abortTimeout": false, "abortHttpStatusCode": null }
First Execution of a downloaded process
Use this response to manually review the behavior of a downloaded process after it runs the first time. The results include information such as whether the process has Suspicions, what the parent processes are, when the processes was created, and so forth.
Request
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "productType",
"values": [
"MS_OFFICE"
],
"filterType": "Equals"
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "children"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "productType",
"values": [
"shell"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"parentProcess",
"hasSuspicions",
"creationTime",
"endTime"
]
}'
Response
{
"data": {
"resultIdToElementDataMap": {
"-1417547681.9114014601243363792": {
"simpleValues": {
"creationTime": {
"totalValues": 1,
"values": [
"1495442695230"
]
},
"endTime": {
"totalValues": 1,
"values": [
"1495442696368"
]
},
"hasSuspicions": {
"totalValues": 1,
"values": [
"true"
]
},
"elementDisplayName": {
"totalValues": 1,
"values": [
"powershell.exe"
]
}
},
"elementValues": {
"parentProcess": {
"totalValues": 1,
"elementValues": [
{
"elementType": "Process",
"guid": "-1417547681.-8191079222435001861",
"name": "excel.exe",
"hasSuspicions": false,
"hasMalops": false
}
],
"totalSuspicious": 0,
"totalMalicious": 0
}
},
"suspicions": {
"shellOfNonShellRunnerSuspicion": 1495442710604
},
"filterData": {
"sortInGroupValue": "-1417547681.9114014601243363792",
"groupByValue": "powershell.exe"
},
"isMalicious": true,
"suspicionCount": 1,
"guidString": "-1417547681.9114014601243363792",
"labelsIds": null,
"malopPriority": null
}
},
"suspicionsMap": {
"hostingInjectedThreadSuspicion": {
"potentialEvidence": [
"hostingInjectedThreadEvidence"
],
"firstTimestamp": 1506424896610,
"totalSuspicions": 2
},
"shellOfNonShellRunnerSuspicion": {
"potentialEvidence": [
"shellOfNonShellRunnerEvidence"
],
"firstTimestamp": 1495442710604,
"totalSuspicions": 6
},
"maliciousScriptExecutionSuspicion": {
"potentialEvidence": [
"maliciousScriptExecutionEvidence"
],
"firstTimestamp": 1495449698176,
"totalSuspicions": 3
}
},
"evidenceMap": {},
"totalPossibleResults": 6,
"queryLimits": {
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"groupingFeature": {
"elementInstanceType": "Process",
"featureName": "imageFileHash"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": null
},
"count": 6
},
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": "children"
},
"count": 6
}
]
},
"status": "SUCCESS",
"message": ""
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "firstExecutionOfDownloadedProcessEvidence",
"values": [
true
],
"filterType": null
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"parentProcess",
"hasSuspicions",
"creationTime",
"iconBase64",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"endTime"
]
}
Response
{
"data": {
"resultIdToElementDataMap": {
"-1417547681.9114014601243363792": {
"simpleValues": {
"creationTime": {
"totalValues": 1,
"values": [
"1495442695230"
]
},
"endTime": {
"totalValues": 1,
"values": [
"1495442696368"
]
},
"hasSuspicions": {
"totalValues": 1,
"values": [
"true"
]
},
"elementDisplayName": {
"totalValues": 1,
"values": [
"powershell.exe"
]
}
},
"elementValues": {
"parentProcess": {
"totalValues": 1,
"elementValues": [
{
"elementType": "Process",
"guid": "-1417547681.-8191079222435001861",
"name": "excel.exe",
"hasSuspicions": false,
"hasMalops": false
}
],
"totalSuspicious": 0,
"totalMalicious": 0
}
},
"suspicions": {
"shellOfNonShellRunnerSuspicion": 1495442710604
},
"filterData": {
"sortInGroupValue": "-1417547681.9114014601243363792",
"groupByValue": "powershell.exe"
},
"isMalicious": true,
"suspicionCount": 1,
"guidString": "-1417547681.9114014601243363792",
"labelsIds": null,
"malopPriority": null
}
},
"suspicionsMap": {
"hostingInjectedThreadSuspicion": {
"potentialEvidence": [
"hostingInjectedThreadEvidence"
],
"firstTimestamp": 1506424896610,
"totalSuspicions": 2
},
"shellOfNonShellRunnerSuspicion": {
"potentialEvidence": [
"shellOfNonShellRunnerEvidence"
],
"firstTimestamp": 1495442710604,
"totalSuspicions": 6
},
"maliciousScriptExecutionSuspicion": {
"potentialEvidence": [
"maliciousScriptExecutionEvidence"
],
"firstTimestamp": 1495449698176,
"totalSuspicions": 3
}
},
"evidenceMap": {},
"totalPossibleResults": 6,
"queryLimits": {
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"groupingFeature": {
"elementInstanceType": "Process",
"featureName": "imageFileHash"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": null
},
"count": 6
},
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": "children"
},
"count": 6
}
]
},
"status": "SUCCESS",
"message": ""
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests
import json
# Login information
username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"
data = {
"username": username,
"password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print (login_response.status_code)
print (session.cookies.items())
# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
query_element_1 = "Process"
query_element_1_filter = "productType"
query_element_1_filter_value = "MS_OFFICE"
linking_element = "Process"
linking_feature = "children"
query_element_2 = "Process"
query_element_2_filter_value = "shell"
query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[query_element_1_filter_value],"filterType":"Equals"}],"connectionFeature":{"elementInstanceType":linking_element,"featureName":linking_feature}},{"requestedType":query_element_2,"filters":[{"facetName":query_element_1_filter,"values":[query_element_2_filter_value],"filterType":"Equals"}],"isResult":True}],"totalResultLimit":100,"perGroupLimit":10,"perFeatureLimit":10,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","parentProcess","hasSuspicions","creationTime","endTime"]})
api_headers = {'Content-Type':'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
{ "data": { "resultIdToElementDataMap": { "-1417547681.9114014601243363792": { "simpleValues": { "creationTime": { "totalValues": 1, "values": [ "1495442695230" ] }, "endTime": { "totalValues": 1, "values": [ "1495442696368" ] }, "hasSuspicions": { "totalValues": 1, "values": [ "true" ] }, "elementDisplayName": { "totalValues": 1, "values": [ "powershell.exe" ] } }, "elementValues": { "parentProcess": { "totalValues": 1, "elementValues": [ { "elementType": "Process", "guid": "-1417547681.-8191079222435001861", "name": "excel.exe", "hasSuspicions": false, "hasMalops": false } ], "totalSuspicious": 0, "totalMalicious": 0 } }, "suspicions": { "shellOfNonShellRunnerSuspicion": 1495442710604 }, "filterData": { "sortInGroupValue": "-1417547681.9114014601243363792", "groupByValue": "powershell.exe" }, "isMalicious": true, "suspicionCount": 1, "guidString": "-1417547681.9114014601243363792", "labelsIds": null, "malopPriority": null } }, "suspicionsMap": { "hostingInjectedThreadSuspicion": { "potentialEvidence": [ "hostingInjectedThreadEvidence" ], "firstTimestamp": 1506424896610, "totalSuspicions": 2 }, "shellOfNonShellRunnerSuspicion": { "potentialEvidence": [ "shellOfNonShellRunnerEvidence" ], "firstTimestamp": 1495442710604, "totalSuspicions": 6 }, "maliciousScriptExecutionSuspicion": { "potentialEvidence": [ "maliciousScriptExecutionEvidence" ], "firstTimestamp": 1495449698176, "totalSuspicions": 3 } }, "evidenceMap": {}, "totalPossibleResults": 6, "queryLimits": { "totalResultLimit": 100, "perGroupLimit": 10, "perFeatureLimit": 10, "groupingFeature": { "elementInstanceType": "Process", "featureName": "imageFileHash" }, "sortInGroupFeature": null }, "queryTerminated": false, "pathResultCounts": [ { "featureDescriptor": { "elementInstanceType": "Process", "featureName": null }, "count": 6 }, { "featureDescriptor": { "elementInstanceType": "Process", "featureName": "children" }, "count": 6 } ] }, "status": "SUCCESS", "message": "" }
DGA
Use the following query to search for malicious characteristics of a process. The search results return information including the process tree, command line arguments, and file path for each process.
Request
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "hasUnresolvedDnsQueriesFromDomain",
"values": [
true
],
"filterType": null
},
{
"facetName": "isImageFileSignedAndVerified",
"values": [
false
],
"filterType": null
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"parentProcess",
"commandLine",
"runningFromTempEvidence"
]
}'
Response
{
"data": {
"resultIdToElementDataMap": {
"238663834.732515597069342747": {
"simpleValues": {},
"elementValues": {
"parentProcess": {
"totalValues": 1,
"elementValues": [
{
"elementType": "Process",
"guid": "238663834.-4657682283329620233",
"name": "explorer.exe",
"hasSuspicions": false,
"hasMalops": false
}
],
"totalSuspicious": 0,
"totalMalicious": 0
}
},
"suspicions": {
"connectionToBlackListDomainSuspicion": 1512308587363
},
"filterData": {
"sortInGroupValue": "238663834.732515597069342747",
"groupByValue": ""
},
"isMalicious": true,
"suspicionCount": 1,
"guidString": "238663834.732515597069342747",
"labelsIds": null,
"malopPriority": null
}
},
"suspicionsMap": {
"dualExtensionSuspicion": {
"potentialEvidence": [
"dualExtensionNameEvidence",
"hiddenFileExtensionEvidence",
"rightToLeftFileExtensionEvidence",
"masqueradingAsMovieEvidence"
],
"firstTimestamp": 1497359104508,
"totalSuspicions": 6
},
"blackListModuleSuspicion": {
"potentialEvidence": [
"blackListModuleEvidence"
],
"firstTimestamp": 1495443240721,
"totalSuspicions": 12
},
"unknownUnsignedBySigningCompany": {
"potentialEvidence": [
"rareUnsignedForCompany",
"unknownUnsignedEvidence"
],
"firstTimestamp": 1495853838217,
"totalSuspicions": 4
},
"dgaSuspicion": {
"potentialEvidence": [
"detectedInjectedEvidence",
"manyUnresolvedRecordNotExistsEvidence",
"highUnresolvedToResolvedRateEvidence",
"hostingInjectedThreadEvidence"
],
"firstTimestamp": 1495449309567,
"totalSuspicions": 18
}
},
"evidenceMap": {},
"totalPossibleResults": 4414,
"queryLimits": {
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"groupingFeature": {
"elementInstanceType": "Process",
"featureName": "imageFileHash"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": null
},
"count": 4414
}
]
},
"status": "SUCCESS",
"message": ""
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "hasUnresolvedDnsQueriesFromDomain",
"values": [
true
],
"filterType": null
},
{
"facetName": "isImageFileSignedAndVerified",
"values": [
false
],
"filterType": null
}
],
"isResult": true
}
],
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"parentProcess",
"commandLine",
"runningFromTempEvidence"
]
}
Response
{
"data": {
"resultIdToElementDataMap": {
"238663834.732515597069342747": {
"simpleValues": {},
"elementValues": {
"parentProcess": {
"totalValues": 1,
"elementValues": [
{
"elementType": "Process",
"guid": "238663834.-4657682283329620233",
"name": "explorer.exe",
"hasSuspicions": false,
"hasMalops": false
}
],
"totalSuspicious": 0,
"totalMalicious": 0
}
},
"suspicions": {
"connectionToBlackListDomainSuspicion": 1512308587363
},
"filterData": {
"sortInGroupValue": "238663834.732515597069342747",
"groupByValue": ""
},
"isMalicious": true,
"suspicionCount": 1,
"guidString": "238663834.732515597069342747",
"labelsIds": null,
"malopPriority": null
}
},
"suspicionsMap": {
"dualExtensionSuspicion": {
"potentialEvidence": [
"dualExtensionNameEvidence",
"hiddenFileExtensionEvidence",
"rightToLeftFileExtensionEvidence",
"masqueradingAsMovieEvidence"
],
"firstTimestamp": 1497359104508,
"totalSuspicions": 6
},
"blackListModuleSuspicion": {
"potentialEvidence": [
"blackListModuleEvidence"
],
"firstTimestamp": 1495443240721,
"totalSuspicions": 12
},
"unknownUnsignedBySigningCompany": {
"potentialEvidence": [
"rareUnsignedForCompany",
"unknownUnsignedEvidence"
],
"firstTimestamp": 1495853838217,
"totalSuspicions": 4
},
"dgaSuspicion": {
"potentialEvidence": [
"detectedInjectedEvidence",
"manyUnresolvedRecordNotExistsEvidence",
"highUnresolvedToResolvedRateEvidence",
"hostingInjectedThreadEvidence"
],
"firstTimestamp": 1495449309567,
"totalSuspicions": 18
}
},
"evidenceMap": {},
"totalPossibleResults": 4414,
"queryLimits": {
"totalResultLimit": 100,
"perGroupLimit": 10,
"perFeatureLimit": 10,
"groupingFeature": {
"elementInstanceType": "Process",
"featureName": "imageFileHash"
},
"sortInGroupFeature": null
},
"queryTerminated": false,
"pathResultCounts": [
{
"featureDescriptor": {
"elementInstanceType": "Process",
"featureName": null
},
"count": 4414
}
]
},
"status": "SUCCESS",
"message": ""
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
import requests
import json
# Login information
username = "[email protected]"
password = "mypassword"
server = "myserver.com"
port = "443"
data = {
"username": username,
"password": password
}
headers = {"Content-Type": "application/json"}
base_url = "https://" + server + ":" + port
login_url = base_url + "/login.html"
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
print (login_response.status_code)
print (session.cookies.items())
# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url
# These are the variables that represent different fields in the request.
query_element_1 = "Process"
query_element_1_filter = "hasUnresolvedDnsQueriesFromDomain"
query_element_1_filter_2 = "isImageFileSignedAndVerified"
null = None
query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True],"filterType":null},{"facetName":query_element_1_filter_2,"values":[False],"filterType":null}],"isResult":True}],"totalResultLimit":100,"perGroupLimit":10,"perFeatureLimit":10,"templateContext": "SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","parentProcess","commandLine","runningFromTempEvidence"]})
api_headers = {'Content-Type':'application/json'}
api_response = session.request("POST", api_url, data=query, headers=api_headers)
your_response = json.loads(api_response.content)
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
{ "data": { "resultIdToElementDataMap": { "238663834.732515597069342747": { "simpleValues": {}, "elementValues": { "parentProcess": { "totalValues": 1, "elementValues": [ { "elementType": "Process", "guid": "238663834.-4657682283329620233", "name": "explorer.exe", "hasSuspicions": false, "hasMalops": false } ], "totalSuspicious": 0, "totalMalicious": 0 } }, "suspicions": { "connectionToBlackListDomainSuspicion": 1512308587363 }, "filterData": { "sortInGroupValue": "238663834.732515597069342747", "groupByValue": "" }, "isMalicious": true, "suspicionCount": 1, "guidString": "238663834.732515597069342747", "labelsIds": null, "malopPriority": null } }, "suspicionsMap": { "dualExtensionSuspicion": { "potentialEvidence": [ "dualExtensionNameEvidence", "hiddenFileExtensionEvidence", "rightToLeftFileExtensionEvidence", "masqueradingAsMovieEvidence" ], "firstTimestamp": 1497359104508, "totalSuspicions": 6 }, "blackListModuleSuspicion": { "potentialEvidence": [ "blackListModuleEvidence" ], "firstTimestamp": 1495443240721, "totalSuspicions": 12 }, "unknownUnsignedBySigningCompany": { "potentialEvidence": [ "rareUnsignedForCompany", "unknownUnsignedEvidence" ], "firstTimestamp": 1495853838217, "totalSuspicions": 4 }, "dgaSuspicion": { "potentialEvidence": [ "detectedInjectedEvidence", "manyUnresolvedRecordNotExistsEvidence", "highUnresolvedToResolvedRateEvidence", "hostingInjectedThreadEvidence" ], "firstTimestamp": 1495449309567, "totalSuspicions": 18 } }, "evidenceMap": {}, "totalPossibleResults": 4414, "queryLimits": { "totalResultLimit": 100, "perGroupLimit": 10, "perFeatureLimit": 10, "groupingFeature": { "elementInstanceType": "Process", "featureName": "imageFileHash" }, "sortInGroupFeature": null }, "queryTerminated": false, "pathResultCounts": [ { "featureDescriptor": { "elementInstanceType": "Process", "featureName": null }, "count": 4414 } ] }, "status": "SUCCESS", "message": "" }