The following table lists several ATP queries that are commonly used in forensic analysis.

Establish a live connection with an endpoint

| Task | Query / Command |
| --- | --- |
| Complete a snapshot of a live, connected host | A Full Dump and Process Dump of the recorded data provides a snapshot of a live, connected host. |
| Snapshot provides detailed process history | The Full Dump and Process Dump contain detailed information about the endpoint, including its process history. |

Identify previously established connections with a specific endpoint or user

| Task | Query / Command |
| --- | --- |
| Trace network connections | Use the query `type_id: 8007` (add columns for source IP and port and for destination IP and port). |
| Trace logon events | Use the query `type_id: 8000`. |
| Trace file operations and executed processes | Use the query `type_id: (8005 8006)`. |
| Trace registry key or value changes | Use the Load Point Quick Filter; then, if needed, use the query `process.file.name: *.scr`. |
| List all processes or files created by a specific user or endpoint | Use the query `type_id: (8001 8003) AND user_name: Xx*`, where Xx is the first two or more characters of the user name. |
| View applications that execute from non-standard directories | Use the query `enriched_data.category_name: "System File Launched Or Loaded From Unexpected Location"`. |
| View applications that execute from the Windows AppData directory | Use the query `enriched_data.category_name: "System File Launched Or Loaded From Unexpected Location" AND event_actor.file.normalized_path: "CSIDL_PROFILE\\AppData\\*"`. |
| View applications that execute from the Downloads directory | Use the query `enriched_data.category_name: "System File Launched Or Loaded From Unexpected Location" AND event_actor.file.normalized_path: "CSIDL_PROFILE\\downloads\\*"`. |
| Monitor use of specific commands (Net use) | Use the query `event_actor.file.name: netstat*`. |
| Find active local administrator accounts | Use the query `event_actor.user.sid: "*-500"`. 500 = Domain Admin; 512 = Domain Admin Group. The full SID for Domain Admin is `S-1-5-21-<domain>-500`. |
| Monitor for type 3 (network) logon events | Use the query `type_id: 8001`. |

Identify ransomware behavior

| Task | Query / Command |
| --- | --- |
| Disable macro scripts from MS Office files transmitted via email | |
| Isolate the detected machine | In ATP, right-click the detected machine and select Isolate. To isolate and rejoin endpoints from the ATP Manager, you must have a Quarantine Firewall policy in Symantec Endpoint Protection Manager that is assigned to a Host Integrity policy. See the KB article Setting up Host Integrity for instructions and more information. |

General malware behavior hunting

| Task | Query / Command |
| --- | --- |
| Identify creation of file types dropped from PDF: VBA, VBS, DOC, DOCX, XLS, XLSX, BAT, PS1, EXE and DLL | Use the query `event_actor.file.name: winword.exe AND type_id: 8003 AND operation: 1`. Use the query `event_actor.cmd_line: *rundll32.exe`, then filter on `event_actor.cmd_line`. |
| Identify changes to registry keys/values | |
| Identify web-based scripts | |
| Identify malicious PowerShell executions | Symantec Endpoint Protection has PowerShell detection. ATP creates incidents from suspicious or malicious PowerShell executions (100173 and 100208). |
| Identify sessions initiated by PowerShell to the internet | Use the query `type_id: 8007 AND event_actor.file.name: powershell*`. |
| Identify PowerShell connections to HTTP/S ports | Search for network connections initiated by PowerShell to ports 80 and 443. |
| Identify PowerShell or shell commands created by a process tree containing an MS Office product or browser | Use the query `event_actor.file.name: winword.exe AND type_id: 8001 AND process.file.name: powershell*`. |
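The queries in the table share one small syntax: `field: value`, a quoted value, `field: (v1 v2)` meaning any of the listed values, `*` wildcards, and `AND`. The following Python is an added example, not code from the Symantec article or from the ATP product: it evaluates that syntax over a handful of constructed events so the semantics of the table's queries (the `(8001 8003)` any-of list, the `"*-500"` SID suffix match, the `CSIDL_PROFILE\\AppData\\*` path prefix, and the PowerShell-to-ports-80/443 task, which the table states in words only) can be checked offline. The nested event layout is an assumption modelled on the dotted field names in the table, and `dest_port` is a constructed field name used only for the port check; matching is done case-insensitively, which is an assumption about how ATP compares file names.

```python
"""Added example, not code from the Symantec ATP article or the ATP product:
a minimal evaluator for the field:value query syntax used in the table, run
over constructed sample events. Supports `field: value`, quoted values,
`field: (v1 v2)` meaning any-of, `*` wildcards and `AND`. The nested event
layout mirrors the table's dotted field names; `dest_port` is a constructed
name used only for the HTTP/S port check."""
import re
from fnmatch import fnmatchcase

# A token is a double-quoted string, a parenthesis, or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()]+')


def unquote(token):
    """Strip surrounding double quotes; collapse the doubled backslashes the table's paths use."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        token = token[1:-1]
    return token.replace("\\\\", "\\")


def parse(query):
    """Parse a query into a list of (field, [patterns]) terms that are AND-ed together."""
    tokens = TOKEN_RE.findall(query)
    terms, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok.upper() == "AND":
            continue
        if tok.startswith('"') or ":" not in tok:
            raise ValueError(f"expected a field:value term, got {tok!r}")
        field, _, inline_value = tok.partition(":")
        if inline_value:                                   # written as field:value
            patterns = [unquote(inline_value)]
        elif i < len(tokens) and tokens[i] == "(":         # field: (v1 v2 ...) = any of
            i += 1
            patterns = []
            while i < len(tokens) and tokens[i] != ")":
                patterns.append(unquote(tokens[i]))
                i += 1
            if i == len(tokens):
                raise ValueError("unbalanced parenthesis in query")
            i += 1                                         # skip the ')'
        elif i < len(tokens):
            patterns = [unquote(tokens[i])]
            i += 1
        else:
            raise ValueError(f"missing value for field {field!r}")
        terms.append((field, patterns))
    return terms


def get_field(event, dotted):
    """Walk a dotted field name through nested dicts; None when the field is absent."""
    value = event
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def matches(event, terms):
    """True when every term has a pattern matching its field; matching is case-insensitive."""
    for field, patterns in terms:
        value = get_field(event, field)
        if value is None:           # absent field never matches
            return False
        text = str(value).lower()
        if not any(fnmatchcase(text, p.lower()) for p in patterns):
            return False
    return True


def search(events, query):
    """Indices of the events matching the query."""
    terms = parse(query)
    return [i for i, event in enumerate(events) if matches(event, terms)]


def powershell_http_connections(events):
    """Table task 'PowerShell connections to HTTP/S ports': the 8007 query, then a port filter."""
    hits = search(events, "type_id: 8007 AND event_actor.file.name: powershell*")
    return [i for i in hits if events[i].get("dest_port") in (80, 443)]


# Constructed sample events: SIDs, user names, paths and ports are made up.
EVENTS = [
    {"type_id": 8001, "user_name": "jdoe", "process": {"file": {"name": "powershell.exe"}},
     "event_actor": {"file": {"name": "WINWORD.EXE"}, "user": {"sid": "S-1-5-21-10-20-30-1001"}}},
    {"type_id": 8007, "user_name": "jdoe", "dest_port": 443,
     "event_actor": {"file": {"name": "powershell.exe"}, "user": {"sid": "S-1-5-21-10-20-30-1001"}}},
    {"type_id": 8007, "user_name": "jdoe", "dest_port": 443,
     "event_actor": {"file": {"name": "chrome.exe"}, "user": {"sid": "S-1-5-21-10-20-30-1001"}}},
    {"type_id": 8003, "user_name": "svc_backup", "operation": 1,
     "event_actor": {"file": {"name": "winword.exe"}, "user": {"sid": "S-1-5-21-10-20-30-500"}}},
    {"type_id": 8001, "user_name": "jdoe",
     "enriched_data": {"category_name": "System File Launched Or Loaded From Unexpected Location"},
     "event_actor": {"file": {"name": "update.exe", "normalized_path": r"CSIDL_PROFILE\AppData\Roaming\update.exe"},
                     "user": {"sid": "S-1-5-21-10-20-30-1001"}}},
    {"type_id": 8007, "user_name": "jdoe", "dest_port": 5985,
     "event_actor": {"file": {"name": "powershell.exe"}, "user": {"sid": "S-1-5-21-10-20-30-1001"}}},
]

if __name__ == "__main__":
    print(search(EVENTS, "type_id: (8001 8003) AND user_name: jd*"))        # [0, 4]
    print(search(EVENTS, 'event_actor.user.sid: "*-500"'))                   # [3]
    print(powershell_http_connections(EVENTS))                               # [1]
```

The port filter is applied in Python after the query because the table names no port field; in the ATP console the same step is the "add column" of destination port from the network-connection row, followed by filtering on 80 and 443. The `(8001 8003)` form is evaluated as any-of for that field only, so `type_id: (8001 8003) AND user_name: jd*` still requires the user-name term to match.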