Lateral Movement Queries

As part of their attack cycle, attackers will attempt to move around your system to find vulnerabilities.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Each of these examples is formatted with the individual Element in the query on its own separate line, in bold text. Features (filters) applied to the Element follow the Element name in regular weight text. Each example also contains a description of the goal of the hunt and the explanatory statement of what you want to find.

Many processes opened from the same process

Goal: Find when many processes are opened from a single process.

Explanatory statement: I want to find examples when a large number of processes have the same parent process.

Construct this query:

Process Element

Parent process Element

Then you need to view details on the parent processes for the results. Note that for this query you may want to add a filter for certain characteristics of parent or child processes depending on what you are trying to find. Minimally, you should add columns to the results to display either signs of benign behavior or malicious behaviors which enable you to eliminate some of the results more quickly.

You also may need to run this query multiple times as you eliminate additional suspects.

View an example of a query to find results where many processes were created from the same parent process.