VT Intelligence Cheat Sheet
#1
Information 
Quote:
[Image: Logo_VT_Horizontal.png]


Many of you asked for this, and today we are happy to announce the release of our VTI Cheat Sheet with hints and examples on the most useful VT Intelligence queries and modifiers. Instead of providing a list of already documented search modifiers, we created something more specific and close to the real life cases, such as searching for files signed with leaked Nvidia certificates or recent samples from collections attributed to CozyBear.

You can find the PDF version of the Cheat Sheet here. In this post we are providing some of the clickable examples with additional explanations.

Entities

One of the basics of VT Intelligence is using the “entity” search keyword to directly specify the type of output you want to get. There are specific modifiers for every entity; here you can find direct links to documentation for file, URL, IP and Domain (Collection will be available soon, stay tuned). Here are quick examples for each of them:

entity:ip asn:"15169" communicating_files_max_detections:30+

entity:domain downloaded_files_max_detections:20+

entity:url p:3+ have:tracker

entity:file tag:signed p:10+

entity:collection name:apt or tag:apt

Specific group activities

There are a number of different ways to explore the latest footprints of a certain threat actor in VT Intelligence. In case you don’t have any other inputs except the campaign or malware family name, you can leverage the AV verdict VTI search:

engines:wellmess

If you want to search for a verdict from a certain vendor, you can specify it explicitly:

kaspersky:wellmess OR eset:wellmess

Instead of getting file hashes as your search output, you can list all collections related to a specific actor/campaign:

entity:collection ( name:APT29 OR tag:APT29 OR name:CozyBear OR tag:CozyBear ) creation_date:2021-01-01+

You can also search within a specific collection, which is very handy when dealing with collections containing a large number of entities:

collection:alienvault_60eff240c7c9cb4f24907049 entity:file type:pedll p:10+

You can get the collection ID from the browser address bar when navigating a specific collection, or simply click “Share the collection” when there.

Another approach for getting files related to a specific threat actor is by leveraging crowdsourced detection rules: YARA, Sigma and IDS. We are always looking for solid and active repositories constantly updated with the latest malware signatures. You can find more details in our Contributors list.

For example, the following query provides files matching YARA and IDS rules containing “APT29” or “CozyBear” in their names, as well as files detected by a specific Sigma rule:
crowdsourced_yara_rule:APT29 OR crowdsourced_ids:APT29 OR sigma_rule:976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e OR
crowdsourced_yara_rule:CozyBear OR crowdsourced_ids:CozyBear OR sigma_rule:34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a

At the moment the only way to search by Sigma rule is to specify the rule hash explicitly; you can find the full list here....
Continue Reading
Reply
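The queries quoted above are easy to mistype by hand (a missing `+` turns a lower bound into an exact match, an unparenthesised OR swallows the `entity:` scope). The following helper is an added example, not VirusTotal's or the post author's code: it composes the cheat-sheet queries from small validated pieces and walks a cursor-paginated search with a hard cap on returned items. It assumes the VirusTotal API v3 endpoint `GET /api/v3/intelligence/search` with `query`, `limit` and `cursor` parameters and an `x-apikey` header, returning `data` plus `meta.cursor`; the `fake_fetch` responses are constructed so the demo runs offline.

```python
"""VT Intelligence query helpers (added example, not VirusTotal's own code).

Assumed (not taken from the post): GET /api/v3/intelligence/search accepts
`query`, `limit` and `cursor`, authenticates with an `x-apikey` header, and
returns JSON with a `data` list and `meta.cursor` for the next page.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List, Optional, Sequence

VT_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"
ENTITIES = ("file", "url", "ip", "domain", "collection")
Fetch = Callable[[str], dict]


def entity(kind: str) -> str:
    """Scope a query to one entity type, rejecting typos before they hit the API."""
    if kind not in ENTITIES:
        raise ValueError(f"unknown entity {kind!r}; expected one of {ENTITIES}")
    return f"entity:{kind}"


def modifier(name: str, value, at_least: bool = False) -> str:
    """Render `name:value`; at_least=True appends the '+' that VTI uses for
    lower bounds (p:10+) and 'on or after' dates (creation_date:2021-01-01+).
    Values containing whitespace or reserved characters are quoted."""
    text = str(value)
    if any(ch.isspace() or ch in '()"' for ch in text):
        text = '"' + text.replace('"', '\\"') + '"'
    return f"{name}:{text}{'+' if at_least else ''}"


def any_of(*terms: str) -> str:
    """Group alternatives with OR in parentheses so AND-terms outside the group
    (such as the entity scope or a date bound) still apply to every branch."""
    return "( " + " OR ".join(terms) + " )"


def actor_collections(aliases: Sequence[str], since: str) -> str:
    """Collections whose name or tag matches any actor alias, created on/after `since`."""
    alternatives: List[str] = []
    for alias in aliases:
        alternatives += [modifier("name", alias), modifier("tag", alias)]
    return " ".join([entity("collection"), any_of(*alternatives),
                     modifier("creation_date", since, at_least=True)])


def crowdsourced_rule_matches(aliases: Sequence[str], sigma_hashes: Sequence[str] = ()) -> str:
    """Files matched by crowdsourced YARA/IDS rules named after the actor, or by
    Sigma rules addressed by hash (the only way to reference a Sigma rule)."""
    terms: List[str] = []
    for alias in aliases:
        terms += [modifier("crowdsourced_yara_rule", alias), modifier("crowdsourced_ids", alias)]
    terms += [modifier("sigma_rule", h) for h in sigma_hashes]
    return " OR ".join(terms)


def http_fetch(api_key: str) -> Fetch:
    """Real fetcher: GET the URL with the (assumed) x-apikey header."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_search(query: str, fetch: Fetch, page_size: int = 10, max_items: int = 50) -> Iterator[dict]:
    """Walk cursor-paginated results; max_items keeps a broad verdict query
    such as engines:wellmess from draining the search quota."""
    cursor: Optional[str] = None
    yielded = 0
    while yielded < max_items:
        params = {"query": query, "limit": str(min(page_size, max_items - yielded))}
        if cursor:
            params["cursor"] = cursor
        page = fetch(VT_SEARCH_URL + "?" + urllib.parse.urlencode(params))
        for obj in page.get("data", []):
            yield obj
            yielded += 1
            if yielded >= max_items:
                return
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return


def fake_fetch(url: str) -> dict:
    """Constructed stand-in for the API: two pages of made-up file objects."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if "cursor" not in params:
        return {"data": [{"type": "file", "id": "sample-1"}, {"type": "file", "id": "sample-2"}],
                "meta": {"cursor": "page2"}}
    return {"data": [{"type": "file", "id": "sample-3"}], "meta": {}}


if __name__ == "__main__":
    print(actor_collections(["APT29", "CozyBear"], "2021-01-01"))
    print(crowdsourced_rule_matches(["APT29"], ["<sigma-rule-sha256-placeholder>"]))
    for hit in iter_search(" ".join([entity("file"), modifier("tag", "signed"), modifier("p", 10, at_least=True)]), fake_fetch):
        print(hit["type"], hit["id"])
```

To run against the live service, pass `http_fetch(api_key)` instead of `fake_fetch`; the query strings produced for the APT29/CozyBear example are byte-for-byte the ones quoted in the post.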

