Find Penetration Vectors

Researching penetration vectors helps you find suspicious behavior associated with the penetration stage of an attack. The API examples in this section are meant to help you investigate that stage.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the features (filters) in each query to use indicators specific to your environment or situation, and to replace the placeholder server address used in the examples with your own server's address.

Child Shell processes

Use the following request to locate suspicious behavior by child shell processes, such as initiating connections, creating additional child processes, and so forth.

Request

# Two-step query path: Process elements of productType MS_OFFICE, followed over the
# "children" feature to Process elements of productType "shell", which are the result set.
curl -X POST \
    'https://12.34.56.78/rest/visualsearch/query/simple' \
    -H 'Content-Type: application/json' \
    -d '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "productType",
                                            "values": [
                                                        "MS_OFFICE"
                                                      ],
                                            "filterType": "Equals"
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "children"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "productType",
                                            "values": [
                                                        "shell"
                                                      ],
                                            "filterType": "Equals"
                                          }
                                         ],
                              "isResult": true
                                      }
                                     ],
              "totalResultLimit": 100,
              "perGroupLimit": 10,
              "perFeatureLimit": 10,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "parentProcess",
                                "hasSuspicions",
                                "creationTime",
                                "endTime"
                              ]
            }'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "-1417547681.9114014601243363792": {
        "simpleValues": {
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1495442695230"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1495442696368"
            ]
          },
          "hasSuspicions": {
            "totalValues": 1,
            "values": [
              "true"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "powershell.exe"
            ]
          }
        },
        "elementValues": {
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "-1417547681.-8191079222435001861",
                "name": "excel.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "shellOfNonShellRunnerSuspicion": 1495442710604
        },
        "filterData": {
          "sortInGroupValue": "-1417547681.9114014601243363792",
          "groupByValue": "powershell.exe"
        },
        "isMalicious": true,
        "suspicionCount": 1,
        "guidString": "-1417547681.9114014601243363792",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "hostingInjectedThreadSuspicion": {
        "potentialEvidence": [
          "hostingInjectedThreadEvidence"
        ],
        "firstTimestamp": 1506424896610,
        "totalSuspicions": 2
      },
      "shellOfNonShellRunnerSuspicion": {
        "potentialEvidence": [
          "shellOfNonShellRunnerEvidence"
        ],
        "firstTimestamp": 1495442710604,
        "totalSuspicions": 6
      },
      "maliciousScriptExecutionSuspicion": {
        "potentialEvidence": [
          "maliciousScriptExecutionEvidence"
        ],
        "firstTimestamp": 1495449698176,
        "totalSuspicions": 3
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 6,
    "queryLimits": {
      "totalResultLimit": 100,
      "perGroupLimit": 10,
      "perFeatureLimit": 10,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 6
      },
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": "children"
        },
        "count": 6
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

First Execution of a downloaded process

Use the following request to manually review the behavior of a downloaded process after it runs for the first time. The results include information such as whether the process has Suspicions, what its parent process is, when the process was created, and so forth. Note that the request and response shown here are identical to those in the Child Shell processes example above; adjust the filters to match the downloaded process you are investigating.

Request

# Same query path as the Child Shell processes example: MS_OFFICE Process elements,
# followed over "children" to "shell" Process elements, which are the result set.
curl -X POST \
    'https://12.34.56.78/rest/visualsearch/query/simple' \
    -H 'Content-Type: application/json' \
    -d '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "productType",
                                            "values": [
                                                        "MS_OFFICE"
                                                      ],
                                            "filterType": "Equals"
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "children"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "productType",
                                            "values": [
                                                        "shell"
                                                      ],
                                            "filterType": "Equals"
                                          }
                                         ],
                              "isResult": true
                            }
                           ],
              "totalResultLimit": 100,
              "perGroupLimit": 10,
              "perFeatureLimit": 10,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "parentProcess",
                                "hasSuspicions",
                                "creationTime",
                                "endTime"
                              ]
            }'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "-1417547681.9114014601243363792": {
        "simpleValues": {
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1495442695230"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1495442696368"
            ]
          },
          "hasSuspicions": {
            "totalValues": 1,
            "values": [
              "true"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "powershell.exe"
            ]
          }
        },
        "elementValues": {
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "-1417547681.-8191079222435001861",
                "name": "excel.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "shellOfNonShellRunnerSuspicion": 1495442710604
        },
        "filterData": {
          "sortInGroupValue": "-1417547681.9114014601243363792",
          "groupByValue": "powershell.exe"
        },
        "isMalicious": true,
        "suspicionCount": 1,
        "guidString": "-1417547681.9114014601243363792",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "hostingInjectedThreadSuspicion": {
        "potentialEvidence": [
          "hostingInjectedThreadEvidence"
        ],
        "firstTimestamp": 1506424896610,
        "totalSuspicions": 2
      },
      "shellOfNonShellRunnerSuspicion": {
        "potentialEvidence": [
          "shellOfNonShellRunnerEvidence"
        ],
        "firstTimestamp": 1495442710604,
        "totalSuspicions": 6
      },
      "maliciousScriptExecutionSuspicion": {
        "potentialEvidence": [
          "maliciousScriptExecutionEvidence"
        ],
        "firstTimestamp": 1495449698176,
        "totalSuspicions": 3
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 6,
    "queryLimits": {
      "totalResultLimit": 100,
      "perGroupLimit": 10,
      "perFeatureLimit": 10,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 6
      },
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": "children"
        },
        "count": 6
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

DGA

Use the following query to search for processes with characteristics associated with a domain generation algorithm (DGA), such as unresolved DNS queries issued by a process whose image file is not signed and verified. The search results return information including the process tree, command line arguments, and file path for each process.

Request

# Single-step query: Process elements with hasUnresolvedDnsQueriesFromDomain = true
# and isImageFileSignedAndVerified = false; note these two filters pass bare JSON
# booleans in "values" and a null "filterType", unlike the string filters above.
curl -X POST \
    'https://12.34.56.78/rest/visualsearch/query/simple' \
    -H 'Content-Type: application/json' \
    -d '{
              "queryPath": [
                              {
                                "requestedType": "Process",
                                "filters": [
                                            {
                                              "facetName": "hasUnresolvedDnsQueriesFromDomain",
                                              "values": [
                                                          true
                                                        ],
                                              "filterType": null
                                            },
                                            {
                                              "facetName": "isImageFileSignedAndVerified",
                                              "values": [
                                                          false
                                                        ],
                                              "filterType": null
                                            }
                                           ],
                                "isResult": true
                              }
                            ],
              "totalResultLimit": 100,
              "perGroupLimit": 10,
              "perFeatureLimit": 10,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "parentProcess",
                                "commandLine",
                                "runningFromTempEvidence"
                              ]
            }'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "238663834.732515597069342747": {
        "simpleValues": {},
        "elementValues": {
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "238663834.-4657682283329620233",
                "name": "explorer.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "connectionToBlackListDomainSuspicion": 1512308587363
        },
        "filterData": {
          "sortInGroupValue": "238663834.732515597069342747",
          "groupByValue": ""
        },
        "isMalicious": true,
        "suspicionCount": 1,
        "guidString": "238663834.732515597069342747",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "dualExtensionSuspicion": {
        "potentialEvidence": [
          "dualExtensionNameEvidence",
          "hiddenFileExtensionEvidence",
          "rightToLeftFileExtensionEvidence",
          "masqueradingAsMovieEvidence"
        ],
        "firstTimestamp": 1497359104508,
        "totalSuspicions": 6
      },
      "blackListModuleSuspicion": {
        "potentialEvidence": [
          "blackListModuleEvidence"
        ],
        "firstTimestamp": 1495443240721,
        "totalSuspicions": 12
      },
      "unknownUnsignedBySigningCompany": {
        "potentialEvidence": [
          "rareUnsignedForCompany",
          "unknownUnsignedEvidence"
        ],
        "firstTimestamp": 1495853838217,
        "totalSuspicions": 4
      },
      "dgaSuspicion": {
        "potentialEvidence": [
          "detectedInjectedEvidence",
          "manyUnresolvedRecordNotExistsEvidence",
          "highUnresolvedToResolvedRateEvidence",
          "hostingInjectedThreadEvidence"
        ],
        "firstTimestamp": 1495449309567,
        "totalSuspicions": 18
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 4414,
    "queryLimits": {
      "totalResultLimit": 100,
      "perGroupLimit": 10,
      "perFeatureLimit": 10,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 4414
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}