Find Attackers Performing Reconnaissance

Use the API to find evidence of an attacker performing reconnaissance on your systems.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation. Each query filters on an evidence facet, so it returns only the elements the platform has already tagged with that evidence; the customFields list controls which attributes of each result come back. The examples omit authentication: run them inside an authenticated API session against your own server, replacing 12.34.56.78 with its address.

Host enumeration

Use this query to find evidence of a process performing host enumeration, that is, trying to learn about the domain and the hosts in it. The commandLine, parentProcess, ownerMachine and calculatedUser fields in each result are what you need to decide whether the activity is routine administration or attacker driven.

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath":[
         {
           "requestedType":"Process",
           "filters":[
             {
               "facetName":"domainHostEnumerationEvidence",
               "values":[true]
             }
           ],
           "isResult":true
         }
       ],
       "totalResultLimit":1000,
       "perGroupLimit":100,
       "perFeatureLimit":100,
       "templateContext":"SPECIFIC",
       "queryTimeout":120000,
       "customFields":[
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "isImageFileSignedAndVerified",
         "imageFile.maliciousClassificationType",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "imageFile.sha1String",
         "imageFile.md5String",
         "imageFile.companyName",
         "imageFile.productName",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Network enumeration

Use these three queries to find evidence of a process performing network enumeration. They share the same request body and differ only in the evidence facet: network share discovery, network configuration discovery, and system network configuration discovery.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath":[
         {
           "requestedType":"Process",
           "filters":[
             {
               "facetName":"networkShareDiscoveryEvidence",
               "values":[true]
             }
           ],
           "isResult":true
         }
       ],
       "totalResultLimit":1000,
       "perGroupLimit":100,
       "perFeatureLimit":100,
       "templateContext":"SPECIFIC",
       "queryTimeout":120000,
       "customFields":[
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "isImageFileSignedAndVerified",
         "imageFile.maliciousClassificationType",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "imageFile.sha1String",
         "imageFile.md5String",
         "imageFile.companyName",
         "imageFile.productName",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath":[
         {
           "requestedType":"Process",
           "filters":[
             {
               "facetName":"networkConfigurationDiscoveryEvidence",
               "values":[true]
             }
           ],
           "isResult":true
         }
       ],
       "totalResultLimit":1000,
       "perGroupLimit":100,
       "perFeatureLimit":100,
       "templateContext":"SPECIFIC",
       "queryTimeout":120000,
       "customFields":[
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "isImageFileSignedAndVerified",
         "imageFile.maliciousClassificationType",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "imageFile.sha1String",
         "imageFile.md5String",
         "imageFile.companyName",
         "imageFile.productName",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Query 3:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath":[
         {
           "requestedType":"Process",
           "filters":[
             {
               "facetName":"systemNetworkConfigurationDiscoveryEvidence",
               "values":[true]
             }
           ],
           "isResult":true
         }
       ],
       "totalResultLimit":1000,
       "perGroupLimit":100,
       "perFeatureLimit":100,
       "templateContext":"SPECIFIC",
       "queryTimeout":120000,
       "customFields":[
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "isImageFileSignedAndVerified",
         "imageFile.maliciousClassificationType",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "imageFile.sha1String",
         "imageFile.md5String",
         "imageFile.companyName",
         "imageFile.productName",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'

Process enumeration

Use this query to find evidence of a process performing process enumeration, that is, listing the processes running on a host.

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath":[
         {
           "requestedType":"Process",
           "filters":[
             {
               "facetName":"processDiscoveryEvidence",
               "values":[true]
             }
           ],
           "isResult":true
         }
       ],
       "totalResultLimit":1000,
       "perGroupLimit":100,
       "perFeatureLimit":100,
       "templateContext":"SPECIFIC",
       "queryTimeout":120000,
       "customFields":[
         "elementDisplayName",
         "creationTime",
         "endTime",
         "commandLine",
         "isImageFileSignedAndVerified",
         "imageFile.maliciousClassificationType",
         "productType",
         "children",
         "parentProcess",
         "ownerMachine",
         "calculatedUser",
         "imageFile",
         "imageFile.sha1String",
         "imageFile.md5String",
         "imageFile.companyName",
         "imageFile.productName",
         "iconBase64",
         "ransomwareAutoRemediationSuspended",
         "executionPrevented",
         "isWhiteListClassification",
         "matchedWhiteListRuleIds"
       ]
     }'
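The host, network and process enumeration queries above are the same request with a different evidence facet, so in practice you run all of them and review the union. The following Python is an added example, not Cybereason's own code: it builds the same request body for each facet, posts it, and flattens the results into rows ordered by simple triage flags. Two things are assumed because the page does not show them: the login flow (a form POST to /login that sets a session cookie) and the response layout (data.resultIdToElementDataMap holding simpleValues and elementValues); SAMPLE_RESPONSE is a constructed response in that layout so the triage logic can be run offline. The parent-process heuristic is illustrative only.

```python
"""Run this page's reconnaissance evidence queries and triage the hits.

Added example, not Cybereason's own code. Assumed (the page does not show them):
the login flow (form POST to /login that sets a session cookie) and the response
layout (data.resultIdToElementDataMap with simpleValues and elementValues).
SAMPLE_RESPONSE is constructed so that triage() runs offline."""
import http.cookiejar
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Process evidence facets from the host, network and process enumeration queries above.
RECON_FACETS = ["domainHostEnumerationEvidence", "networkShareDiscoveryEvidence",
                "networkConfigurationDiscoveryEvidence",
                "systemNetworkConfigurationDiscoveryEvidence", "processDiscoveryEvidence"]
# The page's customFields that triage() actually reads.
TRIAGE_FIELDS = ["elementDisplayName", "creationTime", "commandLine", "isImageFileSignedAndVerified",
                 "executionPrevented", "parentProcess", "ownerMachine", "calculatedUser"]
# Example heuristic only: recon tooling spawned by these parents is looked at first.
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def build_evidence_query(facet, fields=TRIAGE_FIELDS, limit=1000):
    """Same body as the curl examples on this page, parameterised by evidence facet."""
    return {"queryPath": [{"requestedType": "Process",
                           "filters": [{"facetName": facet, "values": [True]}],
                           "isResult": True}],
            "totalResultLimit": limit, "perGroupLimit": 100, "perFeatureLimit": 100,
            "templateContext": "SPECIFIC", "queryTimeout": 120000, "customFields": list(fields)}

def make_session(base_url, username, password, cafile=None):
    """Log in (assumed flow) and return an opener that carries the session cookie.
    Point cafile at the server's CA bundle instead of disabling TLS verification."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=cafile)),
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    opener.open(urllib.request.Request(base_url + "/login", data=form)).read()
    return opener

def run_query(opener, base_url, query):
    """POST one query body exactly as the curl examples do and decode the JSON reply."""
    req = urllib.request.Request(base_url + "/rest/visualsearch/query/simple",
                                 data=json.dumps(query).encode(),
                                 headers={"Content-Type": "application/json"})
    with opener.open(req) as resp:
        return json.load(resp)

def _field(el, name):
    """A simple value as a string, or the name of the first linked element, else ""."""
    simple = el.get("simpleValues", {}).get(name, {}).get("values")
    if simple:
        return str(simple[0])
    linked = el.get("elementValues", {}).get(name, {}).get("elementValues")
    return linked[0].get("name", "") if linked else ""

def triage(facet, response):
    """Flatten one response into rows, attach example flags, most-flagged rows first."""
    rows = []
    for guid, el in response.get("data", {}).get("resultIdToElementDataMap", {}).items():
        parent = _field(el, "parentProcess").lower()
        flags = []
        if _field(el, "isImageFileSignedAndVerified") != "true":
            flags.append("unsigned")
        if parent in ODD_PARENTS:
            flags.append("odd-parent")
        if _field(el, "executionPrevented") == "true":
            flags.append("blocked")
        ts = _field(el, "creationTime")  # epoch milliseconds, returned as a string
        rows.append({"facet": facet, "guid": guid, "process": _field(el, "elementDisplayName"),
                     "commandLine": _field(el, "commandLine"), "parent": parent,
                     "machine": _field(el, "ownerMachine"), "user": _field(el, "calculatedUser"),
                     "time": datetime.fromtimestamp(int(ts) / 1000, timezone.utc).isoformat() if ts else "",
                     "flags": flags})
    return sorted(rows, key=lambda r: -len(r["flags"]))

def hunt(opener, base_url, facets=RECON_FACETS):
    """Run every recon query and merge the rows into one flag-sorted list."""
    rows = [r for f in facets for r in triage(f, run_query(opener, base_url, build_evidence_query(f)))]
    return sorted(rows, key=lambda r: -len(r["flags"]))

def _entry(name, cmdline, signed, parent, machine, user):
    """One constructed result element in the assumed response layout."""
    return {"simpleValues": {"elementDisplayName": {"values": [name]}, "commandLine": {"values": [cmdline]},
                             "creationTime": {"values": ["1700000000000"]},
                             "isImageFileSignedAndVerified": {"values": [signed]},
                             "executionPrevented": {"values": ["false"]}},
            "elementValues": {"parentProcess": {"elementValues": [{"elementType": "Process", "name": parent}]},
                              "ownerMachine": {"elementValues": [{"elementType": "Machine", "name": machine}]},
                              "calculatedUser": {"elementValues": [{"elementType": "User", "name": user}]}}}

# Constructed sample response (not real telemetry): three host enumeration hits.
SAMPLE_RESPONSE = {"status": "SUCCESS", "data": {"totalPossibleResults": 3, "resultIdToElementDataMap": {
    "-101": _entry("net.exe", "net view /domain", "true", "WINWORD.EXE", "WS-0042", "corp\\j.doe"),
    "-102": _entry("nltest.exe", "nltest /dclist:corp", "true", "cmd.exe", "ADM-01", "corp\\it.admin"),
    "-103": _entry("adfind.exe", "adfind -f objectcategory=computer", "false", "powershell.exe",
                   "WS-0042", "corp\\j.doe")}}}
```

Only make_session and run_query need a live server; triage("domainHostEnumerationEvidence", SAMPLE_RESPONSE) runs offline and returns the three constructed rows with the Office-spawned net.exe and the unsigned adfind.exe ahead of the admin's nltest. Keep a CA bundle for a server that uses a private certificate rather than turning off verification, and treat the flags as a review order, not a verdict: net view from an administrator's shell is routine, the same command launched by a Word document is not.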

Abnormal hour activity

Use these queries to find evidence of user activity at irregular hours. Both queries chain two elements: the Process element is connected to the User element through the calculatedUser feature, and the User element is the one marked isResult, so the results are users rather than processes and the customFields are user attributes.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath":[
         {
           "requestedType":"Process",
           "filters":[],
           "connectionFeature":{
             "elementInstanceType":"Process",
             "featureName":"calculatedUser"
           }
         },
         {
           "requestedType":"User",
           "filters":[
             {
               "facetName":"irregularActivityHourEvidence",
               "values":[true]
             }
           ],
           "isResult":true
         }
       ],
       "totalResultLimit":1000,
       "perGroupLimit":100,
       "perFeatureLimit":100,
       "templateContext":"SPECIFIC",
       "queryTimeout":120000,
       "customFields":[
         "domain",
         "ownerMachine",
         "ownerOrganization.name",
         "isLocalSystem",
         "elementDisplayName"
       ]
     }'

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
       "queryPath":[
         {
           "requestedType":"Process",
           "filters":[],
           "connectionFeature":{
             "elementInstanceType":"Process",
             "featureName":"calculatedUser"
           }
         },
         {
           "requestedType":"User",
           "filters":[
             {
               "facetName":"hasSuspiciousProcessByUserInIrregularHoursEvidence",
               "values":[true]
             }
           ],
           "isResult":true
         }
       ],
       "totalResultLimit":1000,
       "perGroupLimit":100,
       "perFeatureLimit":100,
       "templateContext":"SPECIFIC",
       "queryTimeout":120000,
       "customFields":[
         "domain",
         "ownerMachine",
         "ownerOrganization.name",
         "isLocalSystem",
         "elementDisplayName"
       ]
     }'
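The two queries in this section share a structure worth building programmatically, because which element carries isResult decides what type of element comes back, and a missing connectionFeature breaks the chain. The following Python is an added example, not Cybereason's own code: it rebuilds Query 1 from this section, checks the result against the page's body, and pivots the same path so that it returns the users' processes instead, optionally narrowed with one of the reconnaissance evidence facets from the earlier sections. The rules validate_query() enforces, and the claim that moving isResult is all the pivot needs, are inferred from the queries on this page and should be confirmed against your API documentation.

```python
"""Build and sanity-check multi-element queryPath requests.

Added example, not Cybereason's own code. It rebuilds Query 1 from the section
above and derives the pivot that returns the Process side of the same path. The
rules validate_query() enforces (exactly one element marked isResult, and a
connectionFeature on every element except the last) are inferred from the
queries on this page; confirm them against your API documentation."""
import copy
import json

USER_FIELDS = ["domain", "ownerMachine", "ownerOrganization.name", "isLocalSystem", "elementDisplayName"]
PROCESS_FIELDS = ["elementDisplayName", "creationTime", "endTime", "commandLine",
                  "isImageFileSignedAndVerified", "parentProcess", "ownerMachine", "calculatedUser"]

# Query 1 from the page, used to check that the builder reproduces it exactly.
PAGE_QUERY_1 = json.loads('''{
  "queryPath":[
    {"requestedType":"Process","filters":[],
     "connectionFeature":{"elementInstanceType":"Process","featureName":"calculatedUser"}},
    {"requestedType":"User",
     "filters":[{"facetName":"irregularActivityHourEvidence","values":[true]}],
     "isResult":true}
  ],
  "totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,
  "templateContext":"SPECIFIC","queryTimeout":120000,
  "customFields":["domain","ownerMachine","ownerOrganization.name","isLocalSystem","elementDisplayName"]
}''')

def evidence_filter(facet):
    """The boolean evidence filter that every query on this page uses."""
    return {"facetName": facet, "values": [True]}

def validate_query(query):
    """Raise ValueError for the structural mistakes that change what a multi-hop query returns."""
    path = query.get("queryPath") or []
    if not path:
        raise ValueError("queryPath is empty")
    marked = [i for i, el in enumerate(path) if el.get("isResult")]
    if len(marked) != 1:
        raise ValueError(f"exactly one element must set isResult, found {len(marked)}")
    for i, el in enumerate(path[:-1]):
        feature = el.get("connectionFeature") or {}
        if not feature.get("featureName"):
            raise ValueError(f"element {i} ({el.get('requestedType')}) has no connectionFeature to element {i + 1}")
        if feature.get("elementInstanceType") != el.get("requestedType"):
            raise ValueError(f"element {i}: elementInstanceType must match requestedType")
    return True

def connected_query(steps, result_index, fields, limit=1000):
    """steps: [(requestedType, filters, featureToNextElement)]; the last step's feature is None."""
    path = []
    for i, (rtype, filters, feature) in enumerate(steps):
        el = {"requestedType": rtype, "filters": list(filters)}
        if feature is not None:
            el["connectionFeature"] = {"elementInstanceType": rtype, "featureName": feature}
        if i == result_index:
            el["isResult"] = True
        path.append(el)
    query = {"queryPath": path, "totalResultLimit": limit, "perGroupLimit": 100,
             "perFeatureLimit": 100, "templateContext": "SPECIFIC",
             "queryTimeout": 120000, "customFields": list(fields)}
    validate_query(query)
    return query

def users_with_irregular_hours(facet="irregularActivityHourEvidence"):
    """Query 1 (Query 2 with the other facet): Process -> calculatedUser -> User, users returned."""
    return connected_query([("Process", [], "calculatedUser"),
                            ("User", [evidence_filter(facet)], None)],
                           result_index=1, fields=USER_FIELDS)

def pivot_to_processes(query, fields=PROCESS_FIELDS, process_filters=()):
    """Same path, isResult moved to the Process element, process fields requested.
    process_filters narrows the Process side, e.g. to one reconnaissance evidence facet."""
    pivoted = copy.deepcopy(query)
    for el in pivoted["queryPath"]:
        el.pop("isResult", None)
    pivoted["queryPath"][0]["isResult"] = True
    pivoted["queryPath"][0]["filters"].extend(process_filters)
    pivoted["customFields"] = list(fields)
    validate_query(pivoted)
    return pivoted

def path_summary(query):
    """Render the path for logs, e.g. 'Process -[calculatedUser]-> *User' (* marks the result)."""
    parts = []
    for el in query["queryPath"]:
        name = ("*" if el.get("isResult") else "") + el["requestedType"]
        feature = el.get("connectionFeature", {}).get("featureName")
        parts.append(name + (f" -[{feature}]-> " if feature else ""))
    return "".join(parts)
```

users_with_irregular_hours() produces a body equal to Query 1; users_with_irregular_hours("hasSuspiciousProcessByUserInIrregularHoursEvidence") produces Query 2. pivot_to_processes(q, process_filters=[evidence_filter("domainHostEnumerationEvidence")]) asks for processes that carry host enumeration evidence and whose calculated user already carries irregular-hour evidence, which combines this section with the enumeration queries above and is a much shorter list to review than either alone. Post the result with the same curl invocation or run_query call as the rest of the page.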