Threat Hunting with VirusTotal
Quote:

We recently conducted our first “Hunting with VirusTotal” open training session, providing some ideas on how to use VT Intelligence to hunt for in-the-wild examples of modern malware and infamous APT campaigns. In case you missed it, here you can find the video recording available on Brighttalk.  We also created a PDF version of the slides with all the queries covered during the session and direct links to the documentation. We received lots of questions during the session that we decided to answer in this Q&A blog post. 

1.  How can we search for “have:itw” with a specific URL? “have:itw” is a search modifier you can include in your VT Intelligence queries to get all samples we found being distributed in the wild. You can specify any particular domain in your query, for instance the following example finds samples being distributed itw through discord:  itw:cdn.discordapp.com

2.  How can we convert the search queries to monitoring alerts? Good question, at the moment we are working on a solution to do this automatically, hopefully available very soon. In the meantime, there are two workarounds: execute your query through the API or, in some file-related cases, you can rely on the Yara VT module to create and deploy a Livehunt rule. 

3.  Is there any documentation on the VT website for all this info? Yes, here you can find general manuals and dedicated documentation for the API. Another good resource is our getting started site. You can find more resources linked in the training slides. 

4.  Can we have sessions on the hunting part of VT like this? Yes, we will be having quarterly “Hunting with VT” sessions (at a minimum). 

5.  Can we use regex in queries? You can use regex in VT Grep queries. The following is an example using wildcards for a hexadecimal sequence of bytes: content:{686f6c61 ?? 6d756e646f}. There are no wildcards for most of the regular VT Intelligence queries with the exceptions of “name:” and “domain_regex:”, because we use full text search. In some cases you can achieve the same effect by combining search terms with the “AND” keyword. 

6.  Can you point out a location for all the most useful queries? We are working on a Cheat Sheet which will be available very soon, stay tuned. 

7.  Can you see the content tab in the free version? This is only available to VT Enterprise customers. 

8.  Can you use wildcards in date notations when searching? Date notations are quite flexible even without wildcards. For example, for malware submitted to VT in January this year you can use the following:
p:10+ fs:2022-01-01+ fs:2022-01-31-
You can get malware submitted for the last 5 days with the following query:
p:10+ fs:5d+ 

9.  What is your keyboard? Super nice sound. DROP CTRL + Kaihua Speed Silver + T0mb3ry SA Carbon 

10.  Will “crowdsourced...:malware_name” give all the Sigma/YARA rules written for that malware? Not really. Rules are not assigned to any malware or actor in particular, so we need to rely on the name of the rule. For instance:
crowdsourced_yara_rule:Sofacy OR crowdsourced_ids:Sofacy
provides you with files detected by the YARA or IDS rules with “Sofacy” in their name. 

11.  Does Virustotal collect samples from sources other than user submitted files? For example, does it passively scrape the Android App store to check for new apps created by APTs? Yes! Just as an example, you can submit a file to VirusTotal from Process Explorer. Also, there are different research groups and other volunteers (thanks again to all of you!) who share new samples with the VT community. 

12.  How can I fetch all the matched samples for a query by script instead of going through all the pages? You can use this API endpoint.

13.  Sometimes I tried to perform a behavior search using PowerShell commands, but it doesn’t work for me. For example, this one. Clicking the PowerShell command itself returns no results. Also, doing something like behavior:"PAAjAGcAeABwACMAPgAgAFIAZQBnAGkAcwB" does not work. Thanks for the heads up! There is an issue when transforming super-long strings into a search query; we are already working on a fix. Regarding the second question, when doing a full text search it is unfortunately not possible to use substrings (unless it is a separate word). For example:
behaviour_processes:"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EncodedCommand" - correct
behaviour_processes:"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EncodedCom" - incorrect
...
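As an added example, not part of the VirusTotal post quoted above, here is a Python script for the two API workarounds mentioned in answers 2 and 12: running a VT Intelligence query from a script and following the result cursor through every page instead of clicking through them, then diffing the result against the previous run so the same query can serve as a poor man's monitoring alert. The endpoint URL, the `x-apikey` header, the `limit` parameter and the `meta.cursor` pagination field are my assumptions about the v3 API; the sample pages are constructed, and `iter_search`, `collect_hashes`, `new_since` and `make_fake_fetcher` are names I chose.

```python
"""Page through a VT Intelligence search from a script (added example).

Assumptions (not from the quoted post): the v3 endpoint
https://www.virustotal.com/api/v3/intelligence/search, an `x-apikey`
header, a `limit` parameter, and cursor pagination where each page
carries `meta.cursor` for the next page. The HTTP call is injectable so
the paging logic can be exercised offline against constructed pages.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Set

VT_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"

# (url, headers) -> parsed JSON page
Fetcher = Callable[[str, Dict[str, str]], dict]


def http_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Default fetcher: GET the URL and parse the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def build_url(query: str, limit: int = 300, cursor: Optional[str] = None) -> str:
    """Encode the VT Intelligence query (and cursor, if any) into the search URL."""
    params = {"query": query, "limit": str(limit)}
    if cursor:
        params["cursor"] = cursor
    return VT_SEARCH_URL + "?" + urllib.parse.urlencode(params)


def iter_search(query: str, api_key: str, limit: int = 300,
                fetch: Fetcher = http_fetch, max_pages: int = 100) -> Iterator[dict]:
    """Yield every object matched by `query`, following the cursor until it runs out."""
    headers = {"x-apikey": api_key, "accept": "application/json"}
    cursor = None
    for _ in range(max_pages):            # hard cap so a huge query cannot run forever
        page = fetch(build_url(query, limit, cursor), headers)
        for obj in page.get("data", []):
            yield obj
        cursor = page.get("meta", {}).get("cursor")   # assumed pagination field
        if not cursor:                    # last page has no cursor
            return


def collect_hashes(query: str, api_key: str, **kw) -> List[str]:
    """Return the ids (SHA-256 for files) of every match, across all pages."""
    return [obj["id"] for obj in iter_search(query, api_key, **kw)]


def new_since(previous: Set[str], current: List[str]) -> List[str]:
    """Monitoring workaround: hashes seen now that were not in the previous run."""
    return [h for h in current if h not in previous]


# --- constructed offline data: three pages chained by cursor -----------------
def _fake_hash(n: int) -> str:
    return "%064x" % n                     # obviously fake 64-hex ids

SAMPLE_PAGES = {
    None: {"data": [{"id": _fake_hash(1), "type": "file"},
                    {"id": _fake_hash(2), "type": "file"}],
           "meta": {"cursor": "c1"}},
    "c1": {"data": [{"id": _fake_hash(3), "type": "file"}],
           "meta": {"cursor": "c2"}},
    "c2": {"data": [{"id": _fake_hash(4), "type": "file"}]},   # no cursor: final page
}


def make_fake_fetcher(pages: dict) -> Fetcher:
    """Serve constructed pages keyed by the cursor found in the request URL."""
    calls: List[str] = []

    def fetch(url: str, headers: Dict[str, str]) -> dict:
        calls.append(url)
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        return pages[qs.get("cursor", [None])[0]]

    fetch.calls = calls                    # type: ignore[attr-defined]
    return fetch


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    query = "p:10+ fs:5d+"                 # query from the post: 10+ detections, last 5 days
    if key:
        hashes = collect_hashes(query, key)            # live run against VT
    else:
        hashes = collect_hashes(query, "FAKE", fetch=make_fake_fetcher(SAMPLE_PAGES))
    seen_before = {_fake_hash(1)}                      # e.g. loaded from last run's file
    print(len(hashes), "matches;", len(new_since(seen_before, hashes)), "new")
```

Set `VT_API_KEY` to run against the real service; without it the script exercises the same paging code on the constructed pages. The `max_pages` cap and the cursor check are the parts worth keeping in any production version: a query with millions of hits should stop on a budget you chose, not on a network error.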