Find Scanning Activity

Use the API to hunt for malicious behavior occurring in the scanning stage of an attack.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Processes executing extensive net commands

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "calculatedName",
                                            "values": [
                                                        "cmd.exe"
                                                      ],
                                            "filterType":"ContainsIgnoreCase"
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType":"Process",
                                                    "featureName":"children"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "calculatedName",
                                            "values": [
                                                        "net.exe"
                                                      ],
                                            "filterType":"ContainsIgnoreCase"
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid",
                                "iconBase64"
                              ]
            }'

Fake module suspicion

Use this request to investigate machines running processes with counterfeit modules.

Before running the query, define the lists of servers for your environment, replacing the placeholder names with the display names of your own machines:

  • DB_servers = ["serverName1", "serverName2", ...]

  • Web_servers = ["serverName1", "serverName2", ...]

  • Mail_servers = ["serverName1", "serverName2", ...]

The query below uses the literal placeholder "DB_servers" as the value of the elementDisplayName filter; substitute the names from the list you are investigating (the values array may hold several names).

Run this request for every type of server list.

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Machine",
                              "filters": [
                                          {
                                            "facetName": "elementDisplayName",
                                            "values": [
                                                        "DB_servers"
                                                      ],
                                            "filterType":"ContainsIgnoreCase"
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Machine",
                                                    "featureName": "processes"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "connections"
                                                   }
                            },
                            {
                              "requestedType": "Connection",
                              "filters": [
                                          {
                                            "facetName": "isExternalConnection",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "isResult": true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "direction",
                                "serverAddress",
                                "serverPort",
                                "portType",
                                "aggregatedReceivedBytesCount",
                                "aggregatedTransmittedBytesCount",
                                "remoteAddressCountryName",
                                "accessedByMalwareEvidence",
                                "ownerMachine",
                                "ownerProcess",
                                "dnsQuery",
                                "calculatedCreationTime",
                                "endTime",
                                "elementDisplayName"
                              ]
            }'

Database external connection

Use this request to investigate machines running processes with external connections.

Before running the query, define the lists of servers for your environment, replacing the placeholder names with the display names of your own machines:

  • DB_servers = ["serverName1", "serverName2", ...]

  • Web_servers = ["serverName1", "serverName2", ...]

  • Mail_servers = ["serverName1", "serverName2", ...]

The query below uses the literal placeholder "DB_servers" as the value of the elementDisplayName filter; substitute the names from the list you are investigating (the values array may hold several names).

Run this request for every type of server list.

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
                        "queryPath": [
                                      {
                                         "requestedType": "Machine",
                                         "filters": [
                                                      {
                                                        "facetName": "elementDisplayName",
                                                        "values": [
                                                                    "DB_servers"
                                                                  ],
                                                        "filterType":"ContainsIgnoreCase"
                                                      }
                                                    ],
                                         "connectionFeature": {
                                                                "elementInstanceType": "Machine",
                                                                "featureName": "processes"
                                                              }
                                      },
                                      {
                                         "requestedType": "Process",
                                         "connectionFeature": {
                                                                "elementInstanceType": "Process",
                                                                "featureName": "connections"
                                                              }
                                      },
                                      {
                                         "requestedType": "Connection",
                                         "filters": [
                                                        {
                                                          "facetName": "isExternalConnection",
                                                          "values": [
                                                                      true
                                                                    ]
                                                        }
                                                    ],
                                         "isResult": true
                                      }
                                   ],
                        "totalResultLimit": 1000,
                        "perGroupLimit": 100,
                        "perFeatureLimit": 100,
                        "templateContext": "SPECIFIC",
                        "queryTimeout": 120000,
                        "customFields": [
                                          "direction",
                                          "serverAddress",
                                          "serverPort",
                                          "portType",
                                          "aggregatedReceivedBytesCount",
                                          "aggregatedTransmittedBytesCount",
                                          "remoteAddressCountryName",
                                          "accessedByMalwareEvidence",
                                          "ownerMachine",
                                          "ownerProcess",
                                          "dnsQuery",
                                          "calculatedCreationTime",
                                          "endTime",
                                          "elementDisplayName"
                                        ]
                      }'
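The two server-list queries above are meant to be run once per list with real machine names substituted for the placeholder. The following is an added example (not Cybereason's own code) that builds the request body in the same queryPath shape, one body per server list, and validates that every hop except the last carries a connectionFeature; it assumes the endpoint, facet names and custom fields are exactly as in the curl examples on this page.

```python
import json

# Custom fields requested for the Connection result, copied from the query above.
CONNECTION_FIELDS = [
    "direction", "serverAddress", "serverPort", "portType",
    "aggregatedReceivedBytesCount", "aggregatedTransmittedBytesCount",
    "remoteAddressCountryName", "accessedByMalwareEvidence", "ownerMachine",
    "ownerProcess", "dnsQuery", "calculatedCreationTime", "endTime", "elementDisplayName",
]


def contains_filter(facet, values):
    """Case-insensitive substring filter; several values match any of the names."""
    return {"facetName": facet, "values": list(values), "filterType": "ContainsIgnoreCase"}


def build_query(steps, custom_fields, result_limit=1000):
    """steps: (requestedType, filters, featureName) per hop. Every hop but the last must
    name the feature that links it to the next element; the last hop becomes the result."""
    path = []
    for i, (etype, filters, feature) in enumerate(steps):
        element = {"requestedType": etype}
        if filters:  # the page's Process hop carries no filters key at all
            element["filters"] = filters
        if i < len(steps) - 1:
            if feature is None:
                raise ValueError(f"hop {i} ({etype}) needs a connectionFeature")
            element["connectionFeature"] = {"elementInstanceType": etype, "featureName": feature}
        else:
            element["isResult"] = True
        path.append(element)
    return {"queryPath": path, "totalResultLimit": result_limit, "perGroupLimit": 100,
            "perFeatureLimit": 100, "templateContext": "SPECIFIC", "queryTimeout": 120000,
            "customFields": custom_fields}


def external_connection_query(server_names):
    """Machine -> processes -> Process -> connections -> external Connection, with real names."""
    return build_query([
        ("Machine", [contains_filter("elementDisplayName", server_names)], "processes"),
        ("Process", [], "connections"),
        ("Connection", [{"facetName": "isExternalConnection", "values": [True]}], None),
    ], CONNECTION_FIELDS)


def queries_per_server_list(server_lists):
    """One body per list, e.g. {"DB_servers": [...], "Web_servers": [...], "Mail_servers": [...]}."""
    return {name: external_connection_query(names) for name, names in server_lists.items()}


def to_curl_data(query):
    """The string to pass as curl --data (json.dumps turns Python True into JSON true)."""
    return json.dumps(query, indent=2)
```

Each returned dictionary is the JSON document the curl command sends in --data; the request itself still needs your console's session authentication, which this page does not cover.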