03 February 23, 08:13
Quote:
Any organization’s infrastructure might inadvertently be abused by attackers as part of a malicious campaign. It is therefore important to monitor any suspicious activity. VirusTotal can help you identify these threats and improve your threat detection and protection capabilities. In this post we will first analyze different available search modifiers and then we will provide different templates to quickly deploy infrastructure monitoring rules.
Hunting for infrastructure abuses
VirusTotal Intelligence allows you to search VT’s extensive dataset for domains, URLs, IP addresses and files. You can find some examples on using search modifiers in our previous blog post.
You can use entity:domain or entity:url together with the parent_domain search modifier (entity:domain parent_domain:file.io or entity:url parent_domain:file.io) to find VT details on your infrastructure. You can always narrow the results by antivirus detection ratio (the positives or p keyword).
For IP addresses we can use the ip search modifier, which is also valid for IP ranges:
- Specific IP addresses: entity:ip (ip:34.125.68.133 OR ip:34.125.118.189) p:20-
- IP range: entity:ip ip:34.120.0.0/13 p:13+
The domain/URL/IP report shows the category assigned by antivirus vendors along with the detection ratio. One of the most interesting tabs is “Relations”, where we can check any suspicious samples communicating with it.
Indeed, we can use some additional modifiers to find networking entities having interesting relationships. We can also use them to immediately flag if there is any domain or IP in our infrastructure communicating with any suspicious file.
Files
The most generic (although noisy) way to find files potentially targeting your infrastructure is the static one: checking the files’ content. This returns any file whose strings contain your IP addresses, domains or URLs. IP ranges cannot be used in this case.
❗Please notice that the content search modifier can't be used in combination with the entity modifier in the same query.
(content:"google.com" or content:"162.125.248.18" or content:"https://teleline.site/m/br/ppt4/") p:20+
This type of query is useful when the malware’s infrastructure is not obfuscated and can be found statically in the sample, which is not common. There is a better way through dynamic analysis. All samples in VirusTotal are detonated in several sandboxes, which produces valuable data on how they behave dynamically.
Many samples implement anti-sandboxing techniques, so it is not always possible to get all the details. The best search modifier to find samples communicating with a given URL, domain or IP through sandbox detonation is behaviour_network:
- Communicating with a domain. Eg: entity:file behaviour_network:google.com
- Communicating with a URL. Eg: entity:file behaviour_network:www.virustotal.com/gui/
- Communicating with an IP address. Eg: entity:file behaviour_network:8.8.8.8
The contacted_ip search modifier also allows specifying IP address ranges:
- Specific IP address communication. Eg: entity:file contacted_ip:8.8.8.8
- Range communication. Eg: entity:file contacted_ip:173.194.0.0/16
Besides dynamic execution, you can check whether VirusTotal has ever seen any suspicious sample being downloaded from your infrastructure. For this you can use the “In the Wild” (itw) search modifier: entity:file itw:file.io p:1+
Do it yourself!
Let’s say you are interested in tracking fresh suspicious samples submitted to VirusTotal that communicate with your company’s infrastructure (in this case consisting of 2 IPs resolving to our file.io domain). The “first submission” (fs) search modifier gets us files submitted since December last year:
entity:file (contacted_ip:107.23.246.142 or contacted_ip:34.197.10.85) p:10+ fs:2022-12-01+
This query returns 4 files that are detected as malicious by at least 12 antivirus engines.
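The query templates above are easy to mistype when you have many IPs and domains to watch, so here is an added example (not code from the VirusTotal post) that builds them from a list of your own indicators, validates that ranges only appear where the modifiers allow them, and can submit a query to the VT Intelligence search endpoint. It assumes the v3 endpoint GET /api/v3/intelligence/search with an x-apikey header; the sample IPs and domains are the ones used in the post.

```python
# Added example: generate VT Intelligence monitoring queries for your own infrastructure.
import ipaddress
import json
import urllib.parse
import urllib.request

VT_SEARCH = "https://www.virustotal.com/api/v3/intelligence/search"  # assumed v3 endpoint


def is_ip_range(indicator):
    """True for a CIDR block covering more than one address; False for single IPs and domains/URLs."""
    try:
        return ipaddress.ip_network(indicator, strict=False).num_addresses > 1
    except ValueError:  # not an IP or CIDR at all (domain, URL)
        return False


def _ip_terms(modifier, addrs):
    """Validate each IP or CIDR and render it as modifier:value (single IPs without /32)."""
    terms = []
    for a in addrs:
        net = ipaddress.ip_network(a, strict=False)  # raises ValueError on garbage input
        value = str(net) if net.num_addresses > 1 else str(net.network_address)
        terms.append(f"{modifier}:{value}")
    return terms


def contacted_query(ips, min_positives=10, since=None):
    """Dynamic: files that contacted any of our IPs/ranges in a sandbox, optionally fs:<date>+."""
    q = f"entity:file ({' or '.join(_ip_terms('contacted_ip', ips))}) p:{min_positives}+"
    return q + (f" fs:{since}+" if since else "")


def content_query(indicators, min_positives=20):
    """Static: string match on file content. No entity: modifier here, and no IP ranges."""
    bad = [i for i in indicators if is_ip_range(i)]
    if bad:
        raise ValueError(f"content: cannot match IP ranges: {bad}")
    return "(" + " or ".join(f'content:"{i}"' for i in indicators) + f") p:{min_positives}+"


def itw_query(domain, min_positives=1):
    """Files VirusTotal has seen downloaded from our domain (In the Wild)."""
    return f"entity:file itw:{domain} p:{min_positives}+"


def search(query, api_key, limit=10):
    """Run a query against VT Intelligence; returns the 'data' list (needs a valid API key)."""
    url = VT_SEARCH + "?" + urllib.parse.urlencode({"query": query, "limit": limit})
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]
```

Schedule contacted_query and itw_query daily with an fs: date of the previous run to get only newly submitted samples; content_query is noisier, so keep its p: threshold higher.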
...