20 December 22, 06:30
Many of you asked for this, and today we are happy to announce the release of our VTI Cheat Sheet with hints and examples on the most useful VT Intelligence queries and modifiers. Instead of providing a list of already documented search modifiers, we created something more specific and close to the real life cases, such as searching for files signed with leaked Nvidia certificates or recent samples from collections attributed to CozyBear.
You can find the PDF version of the Cheat Sheet here. In this post we are providing some of the clickable examples with additional explanations.
Entities
One of the basics of VT Intelligence is using the “entity” search keyword to directly specify the type of output you want to get. There are specific modifiers for every entity; here you can find direct links to documentation for file, URL, IP and Domain (Collection will be available soon, stay tuned). Here are quick examples for each of them:
entity:ip asn:"15169" communicating_files_max_detections:30+
entity:domain downloaded_files_max_detections:20+
entity:url p:3+ have:tracker
entity:file tag:signed p:10+
entity:collection name:apt or tag:apt
Specific group activities
There are a number of different ways to explore the latest footprints of a certain threat actor in VT Intelligence. If you have no input other than the campaign or malware family name, you can leverage an AV-verdict VTI search:
engines:wellmess
If you want to search for a verdict from a certain vendor, you can specify it explicitly:
kaspersky:wellmess OR eset:wellmess
Instead of getting file hashes as your search output, you can list all collections related to a specific actor/campaign:
entity:collection ( name:APT29 OR tag:APT29 OR name:CozyBear OR tag:CozyBear ) creation_date:2021-01-01+
You can also search within a specific collection, which is very handy when dealing with collections containing a large number of entities:
collection:alienvault_60eff240c7c9cb4f24907049 entity:file type:pedll p:10+
You can get the collection ID from the browser address bar when navigating a specific collection or simply click “Share the collection” when there.
Another approach for getting files related to a specific threat actor is by leveraging crowdsourced detection rules: Yara, Sigma and IDS. We are always looking for solid and active repositories constantly updated with the latest malware signatures. You can find more details in our Contributors list.
For example, the following query provides files matching YARA and IDS rules containing “APT29” or “CozyBear” in their names, as well as files detected by specific Sigma rules:
crowdsourced_yara_rule:APT29 OR crowdsourced_ids:APT29 OR sigma_rule:976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e OR
crowdsourced_yara_rule:CozyBear OR crowdsourced_ids:CozyBear OR sigma_rule:34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a
At the moment the only way to perform a Sigma rule search is to specify the rule hash explicitly; you can find the full list here....
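As an added example (not code from the VirusTotal post or the cheat sheet), the following Python builds the collection, in-collection and crowdsourced-rule queries shown above from small helpers and submits them to the VirusTotal API v3 intelligence search endpoint; the API key, page size and result limit are assumptions.

```python
import json
import urllib.parse
import urllib.request
VT_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"

def term(modifier, value, at_least=False):
    """modifier:value; values with spaces get double-quoted; at_least=True appends '+' (p:10+)."""
    value = str(value)
    if " " in value and not value.startswith('"'):
        value = f'"{value}"'
    return f"{modifier}:{value}{'+' if at_least else ''}"

def actor_collections(aliases, created_since):
    """Collections whose name or tag mentions any alias, created on or after a date.
    The OR group is parenthesised so it combines safely with the implicit AND."""
    alternatives = [t for a in aliases for t in (term("name", a), term("tag", a))]
    return " ".join(["entity:collection", "( " + " OR ".join(alternatives) + " )",
                     term("creation_date", created_since, at_least=True)])

def files_in_collection(collection_id, file_type=None, min_positives=None):
    """Files inside one collection, optionally filtered by type and detection count."""
    parts = [term("collection", collection_id), "entity:file"]
    if file_type:
        parts.append(term("type", file_type))
    if min_positives is not None:
        parts.append(term("p", min_positives, at_least=True))
    return " ".join(parts)

def crowdsourced_rule_hits(actor_rules):
    """actor_rules: (alias, sigma_rule_hash_or_None) pairs. YARA and IDS rules match
    by name; Sigma rules only by their explicit hash, as the post notes."""
    clauses = []
    for alias, sigma_hash in actor_rules:
        clauses += [term("crowdsourced_yara_rule", alias), term("crowdsourced_ids", alias)]
        if sigma_hash:
            clauses.append(term("sigma_rule", sigma_hash))
    return " OR ".join(clauses)

def search(query, api_key, limit=10):
    """Run a query and follow 'links.next' cursors until `limit` objects are collected."""
    results = []  # page size of 40 per request is an assumption, not a documented maximum
    url = VT_SEARCH_URL + "?" + urllib.parse.urlencode({"query": query, "limit": min(limit, 40)})
    while url and len(results) < limit:
        req = urllib.request.Request(url, headers={"x-apikey": api_key})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        results.extend(page.get("data", []))
        url = page.get("links", {}).get("next")  # absent on the last page
    return results[:limit]
```

Each builder returns exactly the query string you would paste into the VTI search box, so the helpers can be checked offline before spending API quota.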