25 May 22, 09:36
Quote:Continue Reading
TL;DR: We implemented an Autocomplete feature for VirusTotal Intelligence queries
VirusTotal Intelligence is one of the most powerful, flexible and intuitive tools for security researchers around the world. It was designed with the idea of providing (almost) unlimited possibilities to VirusTotal users when searching across the VirusTotal dataset at Google speed ©. Most of the time our users simply search for some observable (hash, domain, IP address or URL) to get everything we know about it, however there are more than 50 modifiers that can be used (and combined) in any query to get what we are exactly looking for.
This is a very real need. Let’s say we search for a given string we know is related to some malware family, returning a few thousand results. How to further specify where we want this string to be found inside the sample? Should it be in the content of the malware, in its metadata, maybe in a signature? You get the idea, and this is not limited to string searches. You can check malware with a certain number of positive verdicts, seen during a particular time window, signed with a given key, triggering a specific crowdsourced YARA rule, etc. Our 2019 VirusTotal for investigators workshop (you can find the video here) dives into some interesting search modifier use cases. Here you can find a full list of Intelligence modifiers you can use in your queries, understanding and using them in your queries provides analysts with an incredibly powerful resource.
However, learning them by heart is not easy. At VirusTotal we spend most of our time dealing with them and still we hesitate from time to time. That’s why we implemented an Autocomplete feature that will offer you different possibilities on what modifier to use depending on what you are typing.
...