Many of you asked for this, and today we are happy to announce the release of our VTI Cheat Sheet with hints and examples on the most useful VT Intelligence queries and modifiers. Instead of providing a list of already documented search modifiers, we created something more specific and close to the real life cases, such as searching for files signed with leaked Nvidia certificates or recent samples from collections attributed to CozyBear.
You can find the PDF version of the Cheat Sheet here. In this post we are providing some of the clickable examples with additional explanations.
Entities
One of the basics of VT Intelligence is using the “entity” search keyword to directly specify the type of output you want to get. There are specific modifiers for every entity, here you can find direct links to documentation for file, URL, IP and Domain (Collection will be available soon, stay tuned). Here there are quick examples for each of them:
Specific group activities
There are a number of different ways to explore the latest footprints of certain threat actor in VT Intelligence.
In case you don’t have any other inputs except the campaign or malware family name, you can leverage AV verdict VTI search:
If you want to search for a verdict from a certain vendor, you can specify it explicitly:
Instead of getting file hashes as your search output, you can list all collections related to a specific actor/campaign:
You can also search within a specific collection, which is very handy when dealing with collections containing a large number of entities:
You can get the collection ID from the browser address bar when navigating a specific collection or simply click “Share the collection” when there.
Another approach for getting files related to a specific threat actor is by leveraging crowdsourced detection rules: Yara, Sigma and IDS. We are always looking for solid and active repositories constantly updated with the latest malware signatures. You can find more details in our Contributors list.
For example, the following query provides files matching YARA and IDS rules containing “APT29” or “CozyBear” in their names, as well as files detected by a specific Sigma rules:
At the moment the only way to perform Sigma rules search is specifying the rule hash explicitly, you can find here the full list.
Finally, searching for specific comments can bring valuable results. It’s important to note that there are many third-party solutions contributing with useful comments in VirusTotal. Some of the most popular and reputed ones include THOR APT scanner and Intezer:
Comments on suspected APT29 malware
The following query searches for files containing some APT actor aliases in their comments:
This also works for IPs, domains and URLs:
Documents
Any query can specify the document format for the results. For example, the following query provides recently created (using “generated” modifier) documents (thanks to the “type” modifier) with macros embedded (by using “tag”), detected at least by 5 AVs (“p” modifier):
A second example retrieves Excel files bundled with powershell scripts and uploaded to VT for the last 10 days:
There is plenty of cool stuff you can do with the “tag:” search modifier, here is the full list with dozens of different tags supported, and here you can find descriptions for the most common ones. For example, you can search for documents with obfuscated VBA code executing other files:
You can also use “type:document” to search for all the document formats (office, pdf, text, rtf, latex, etc). The following query returns all documents having “invoice” in its file name and used as email attachments:
Or documents exploiting any vulnerability published in 2022:
It's important to highlight that “tag” is one of the few modifiers supporting wildcards.
Many of you asked about language specific document searches during our Threat Hunting with VirusTotal session. The “lang:” keyword uses Exif language property to find files matching any language:
Non-Windows samples
We have dedicated keywords to perform searches for platforms such as Android, MacOS or even Symbian.
For Android, which is one of the most popular non-Windows platforms by number of malware samples, we use Androguard to process all ingested samples. You can query for any Androguard output which is stored under the umbrella “androguard:” keyword:
This includes all sorts of different types of processed data: code strings, manifest entities, certificate signatures, etc. For example, this example looks for APKs that mimic a legitimate app by using the same icon (“main_icon_dhash”), but signed with a different certificate:
However when looking for something specific it is better using “androguard_package:” to search for APKs with explicit package names (please note this only works for newly indexed files since March 2022):
Since this is a new search modifier, please feel free to share our feedback with us.
In some cases you can skip using any special keyword and build your query using APK internal paths only:
Here are some more examples for different platforms.
tag:iphone tag:signed p:5+ - signed iOS app packages detected by at least 5 AVs.
(type:apple OR type:mac) itw:cdn.discordapp.com - iOS/macOS files served from a given URL.
type:symbian name:"*spy*" - Symbian files (.sis) containing “spy” substring in its name.
Network
First of all, we encourage you to check the full list of network-related search modifiers for URLs, IPs and domains, as the list is too large to fit them all in this post.
However, network modifiers can save the day for different specific cases. Here are a bunch of practical examples.
If you are looking for botnet admin panels within a certain TLD (Top Level Domain) knowing only specific HTML meta information from the response, you can use this query:
In cases when you extracted the C2 endpoint from a malware sample and want to search for other servers using the same backend path:
You can even search for specific HTML body content with the “NOT parent_domain:” syntax to filter out legitimate results:
There are plenty of different ways to detect malicious domains mimicking legitimate ones, including favicon similarity. To get a specific dhash you can just click on the original file/website icon in Virustotal and it will produce the query for you. Then you can check for additional domains using this favicon but detected by different AVs:
Another approach is to use the “fuzzy_domain” keyword, which is based on Levenshtein distance and will get you domain names similar to a given one. The best use case for this is typosquatting attack detection. In the following example, we filter results using “urls_max_detections” to get only domains with URLs detected as malicious:
The following query is a bit more complicated. It can be used to search for any kind of suspicious activity within a specified subnet:
Instead of an IP range, you can specify the whole ASN:
Summarizing, the number of different options to query VT Intelligence can be overwhelming, but hopefully the above examples and our VTI Cheat Sheet will make your life easier. We will continuously update the VTI Cheat Sheet to keep it as fresh and useful as possible, we will be announcing every time there is any major update. In the meantime, we hope this will be useful for you, and as usual if you have any suggestions or just want to share feedback please feel free to reach out here.
Happy hunting!