Tuesday, March 07, 2023

Threat Hunting with VirusTotal - Episode 2

Last week we conducted the second episode of our “Threat Hunting with VirusTotal” open training session, where we covered YARA services at VirusTotal. We focused on practical aspects of YARA rules providing real life examples of infamous malware and historical APT attacks. You can find the video recording on Brighttalk and Youtube, as well PDF version of the slides, where you can quickly copy-paste interesting rule patterns and explore attached documentation links. 
As in our previous session we received lots of inquiries that we decided to cover separately in this blog post.

1. Can you explain a bit more on the water mark usage in docs. How can we hunt using this? Also, how can we create a watermark as well?
As a quick example, here is the article describing the process of adding an invisible watermark in a PDF document. You can deploy a Livehunt YARA rule detecting this watermark and be notified every time your document is uploaded to VirusTotal.

2. Do you have tools helping you write YARA rules to find more easily nested item properties and syntax linting?
Recently we introduced a new YARA editor with pop-up suggestions, rule templates and new syntax highlighting, it's live on both Retrohunt and Livehunt, check it out!
Also you can leverage VT Diff to help you find the most relevant entities to detect.

New YARA rule editor was deployed recently on Retrohunt/Livehunt

3. Whom to reach out for accidentally uploaded sensitive files removal?
The official (and by far) fastest way is making request to our tech support, also available for any other technical questions.
4. Is VT aware of CrowdStrike's new memory scanning feature? Can we hunt process injected codes?
Scanning Memory dumps with YARA is something we are working in, so stay tuned for the latest updates in our social media and VT blog.

5. When might we expect to be able to search further back than a year in Retrohunt?
We are now collecting customers' feedback on this feature. If you are interested, please feel free to submit this form (visible after checking the “Full history” option) or to directly reach out

Express your interest in Full History Retrohunt

6. Are there courses for learning YARA that you recommend? Does Virustotal provide some kind of training for this subject? Is it free or paid? Do you suggest some kind of training to become a threat hunter?
Thank you for your interest! We are working on that kind of trainings and trying to find the best approach to deliver such content, stay tuned! At the moment, you can check out our Youtube channel for a number of tips & tricks videos as well as VirusTotal walkthrough materials. Plus, we have a dedicated “Applied YARA training”

7. Is VirusTotal planning to implement a built-in YarGen capability? So I can just search for samples, check which ones I want a rule for, and then create a rule?
You described the functionality of our own diff tool and YARA generator that we called VT Diff. You can find the quick demonstration at the end of the training session, as well as documentation provided here.

8. Would be nice to have an option to remove hits from VT Diff results that are clean codes from libraries, just like yarGen. Just an idea to consider :)
How can we delete/edit/update Diff results?
Thanks for your request! We will check this out.

9. Does VTDiff have limitations on what file types it can accept? For example, when I try to create a VTDiff session for OneNote extensions, with file type ".one" I get an error. But I don't get an error when creating a separate search for .exe files.
That depends on the specific error, but I assume you are getting “Need to give exclusion list for filetype one” error. Please check this manual for a quick fix.

10. How would you adjust the rule "SUSP_NVIDIA_Leak_Compromised_Cert_Mar22_1" if the timestomping was involved? Not sure if that can play a role based on the intel.
Compilation timestamp check is a nice way to filter out False Positives, but not the only one. If you want to avoid timestomping, you might want to use another legitimacy indicator, it could be the first submission date to VT (vt.metadata.first_submission_date) or any other signatures you find relevant to the original Nvidia software.

Rule to detect files signed with Nvidia leaked certificates

11. Can we use wildcards/regex while searching with the VT YARA module?
Absolutely! You are free to use wildcards for hexadecimal strings and regular expressions for text strings, just as in regular YARA.  

12. Can we expect to have the macho YARA module for Livehunt/Retrohunt rules? 
Historically there were a couple of security issues with this module, preventing it from being included in YARA distributions. Recently they’ve been fixed and we are now considering the possibility to include it in Livehunt/Retrohunt services.

13. Are you planning the next episode?
Yes, our open training will be delivered quarterly.

14. When you have samples that have come back from a YARA rule, what is the best way to investigate them and check their relevance? Behavior tab? Content?
That depends on the specific samples. If we are talking about some short script you can instantly check its relevance in the Content tab. If it's a compiled executable it makes sense to check the Behaviour tab first. Checking the Relations tab is also very important to me, you can quickly get lots of valuable info such as known distribution hosts/c2 address/dropped files/parent files/etc. 

15. Can we do this with the free version? Can this feature be available for independent paid users?
VT Intelligence and VT Hunting are only available starting VT Enterprise packages.

16. Is there a library of hunts for certain malwares?
VirusTotal maintains a collection of crowdsourced rules provided by third parties, you can find details on the repositories we ingest in our Contributors list. You can also explore all the YARA rules with the recently introduced interface for VT Hunting, with filters for name and author also available.

You can now explore a full list of crowdsourced YARA rules used by Virustotal

17. Can the "vt" module be used as a file search modifier?
We are working on bringing the same functionality to VT Hunting and VT Intelligence services, let us know if you miss anything.

18. Are there any threat intelligence operations you would recommend as a good first step towards leveraging automations using VTI API? Intent is to bring more awareness into threats that may impact an organization. 
A high level example being malicious artifacts collected from an email protection platform to help generate content filters within VTI searches. In this particular case, what would be your recommendations for automation aimed at highlighting similar records of interest?
With API you can literally fetch all available information for any specific entity in VirusTotal. Here you can find our recent APIv2 to v3 migration guide where you can find some examples. 
For emails, you can automate the process of checking any attached file or uploading it to VirusTotal. Then you can check the number of submissions to understand the file's popularity or email parents to get other emails containing this file as an attachment. You can actually execute any other VT Intelligence query with our API, just as you do manually.

19. Decryption is cool, do you dump it from the mem? 
Specific implementation depends on the sandbox. It’s usually based on crypto function hooks.

20. How can I download the YARA modules mentioned in the talk?
Most of the specified modules are available by default in the official YARA build. The VT module is available only on Retrohunt/Livehunt. Additionally, you can always implement your own module and compile your custom build of YARA.

21. Is there any way to limit the access to my YARA rules in Livehunt, make them visible to me only, team, org, etc?
Your Livehunt rulesets are by default only visible to you. You can share it with any other VT accounts by specifying their email addresses:

Livehunt ruleset sharing options

22. Can we retrieve YARA job results via API?
Yes, you can leverage VT Hunting capabilities using our API, check out the documentation on Retrohunt and Livehunt. In particular, you can list Livehunt notifications with this endpoint.

23. Which of the features you showed falls under quotas?
You can always check all of your current quotas in your work group control interface - https://www.virustotal.com/gui/group/*your_org_name*/users.

Users group consumption

24. How do you determine the magic number in the condition?
The most popular way to do this is to check data at specific offset. For example, uint16(0) == 0x5A4D checks that the first two bytes are 0x5A4D, which is a little-endian representation of 4D5A - MZ signature of Windows executable files.

25. Is there a VT module for Android in YARA rule hunt?
Yes, there is a YARA module for Androguard, which is an Android applications reverse engineering tool. We are now considering the possibility of including it into YARA distribution, so if you have any business needs to use it, please reach out to us.

26. Do I need a special subscription to search for a year? I only see an option for 90 days.
Yes indeed, It is only available for Threat Hunter Pro subscribers.

Different options of VT subscription

27. When I'm searching for some samples I want to find them only if they are in ZIP/RAR/etc archives. My IOCs are for the files, but it's the zips I want to uncover.
If you are using VT Intelligence searches, you can leverage the have:compressed_parents search modifier and then pivot to the parent files. 

28. Thanks for the first seen tidbit. As far as the LiveHunt result alerts, do they repeat? I've set up a few and I think I'm getting alerted on the same samples.
Yes, that's the point. You are getting alerted on both newly submitted and rescanned samples. To only get files that are new to VirusTotal feel free to use vt.metadata.new_file in your YARA rules.

29. How can we scale this? Is the point to update "detections" or essentially hunt for the newer functionalities on these samples found through livehunt/retrohunt?
That depends on specific business needs, but usually keeping your YARA rulesets fresh is one of the main goals of a threat hunter.

If you have any other questions, please feel free to reach out.

Happy hunting!


Post a Comment