VIRUS TOTAL INTELLIGENCE DORKS

Alparslan Akyıldız academy
3 min read, Dec 10, 2020

Hello friends. 4 months ago I sent an email to the VirusTotal developer team asking for a VirusTotal Intelligence account to use in my university lectures, books and Udemy trainings. I am very thankful to them: they sent me a demo account. VT Intelligence is a powerful platform for threat hunting, for finding related files and URLs, for searching for similar files or exploits, and for visualizing all of these relations in the graph tab. The VT API is very useful for automatically submitting hash lookup requests. Today I am going to show you some dorks for threat hunting and cyber threat intelligence analysis. For more information you can visit the VT keywords page:

Changing a single bit changes the whole MD5 hash, so if you want to search for files similar or related to a malicious file you can use the ssdeep keyword to search by ssdeep hash value, like this:

In this example we search for exploit-tagged PDF files which are detected by fewer than 10 AV engines.

With the “similar-to” keyword you can find similar files, like this:

In this example we search for files which are detected by fewer than 10 AV engines and by more than 1, which are tagged as attachment, and whose file type is docx (an MS Word file).

You can also specify the submitter to filter your searches by the location the file was uploaded from:

In the next example I am going to search for files whose size is bigger than 1 MB, which were uploaded from more than 5 sources, and which are detected by more than 10 AV engines:

You can also use the behaviour and behavior_process keywords for threat hunting; they are very useful for pattern matching on behavioral analysis results:

Here we searched for a file tagged as an attachment that opens powershell.exe and bypasses the execution policy.
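To tie the dorks above to the API mentioned at the start, here is an added Python example (not code from the original post or from VirusTotal) that assembles VT Intelligence queries from the keywords discussed (tag, type, positives, size, sources, ssdeep, similar-to, behavior_process), fetches a file object from the VT API v3 `/files/{hash}` endpoint or runs a query against `/intelligence/search`, and reduces the response to the fields a hunter triages on. The range suffix convention (`positives:10+` for at least 10, `positives:10-` for at most 10), the endpoint paths and the `x-apikey` header are assumptions from the public VT v3 documentation; the sample response object is constructed so the parsing runs offline.

```python
"""VirusTotal Intelligence query builder and VT API v3 result parser (added example)."""
import json
import os
import sys
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"  # assumed v3 base URL


def build_file_query(tag=None, file_type=None, min_positives=None,
                     max_positives=None, min_size_mb=None, min_sources=None,
                     behavior_process=None, ssdeep=None, similar_to=None):
    """Assemble a VT Intelligence file search from the modifiers in the post.

    Assumed VT range convention: 'N+' means at least N, 'N-' means at most N.
    """
    parts = []
    if tag:
        parts.append(f"tag:{tag}")
    if file_type:
        parts.append(f"type:{file_type}")
    if min_positives is not None:
        parts.append(f"positives:{min_positives}+")
    if max_positives is not None:
        parts.append(f"positives:{max_positives}-")
    if min_size_mb is not None:
        parts.append(f"size:{min_size_mb}MB+")
    if min_sources is not None:
        parts.append(f"sources:{min_sources}+")
    if behavior_process:
        parts.append(f'behavior_process:"{behavior_process}"')
    if ssdeep:
        parts.append(f'ssdeep:"{ssdeep}"')
    if similar_to:
        parts.append(f"similar-to:{similar_to}")
    return " ".join(parts)


def summarize_file(vt_object):
    """Reduce a VT v3 file object to the fields used when triaging a hunt hit."""
    attrs = vt_object["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(name for name, r in results.items()
                     if r.get("category") == "malicious")
    return {
        "sha256": attrs["sha256"],
        "positives": stats.get("malicious", 0),
        "engines": sum(stats.values()),      # every engine outcome, detected or not
        "flagged_by": flagged,
        "tags": attrs.get("tags", []),
        "times_submitted": attrs.get("times_submitted", 0),
        "ssdeep": attrs.get("ssdeep"),       # feed this into an ssdeep: search
    }


def is_low_detection_attachment(summary):
    """Client-side version of the docx dork: attachment tag, 1 < positives < 10."""
    return "attachment" in summary["tags"] and 1 < summary["positives"] < 10


def vt_get(path, api_key, params=None):
    """GET a VT v3 endpoint with the x-apikey header (assumed auth scheme)."""
    url = VT_API + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def lookup_hash(file_hash, api_key):
    """Fetch one file object by MD5/SHA-1/SHA-256 and summarize it."""
    return vt_get(f"/files/{file_hash}", api_key)


def intelligence_search(query, api_key, limit=10):
    """Run a VT Intelligence dork (premium endpoint, assumed path)."""
    return vt_get("/intelligence/search", api_key, {"query": query, "limit": limit})


# Constructed sample response: placeholder hash and engine names, not real data.
SAMPLE_FILE_OBJECT = {
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "sha256": "0" * 64,
            "tags": ["attachment", "docx"],
            "times_submitted": 3,
            "ssdeep": "CONSTRUCTED-SSDEEP-PLACEHOLDER",
            "last_analysis_stats": {"harmless": 0, "malicious": 2, "suspicious": 0,
                                    "undetected": 5, "timeout": 0, "type-unsupported": 1},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Downloader"},
                "EngineB": {"category": "malicious", "result": "W97M.Dropper"},
                "EngineC": {"category": "undetected", "result": None},
            },
        },
    }
}

if __name__ == "__main__":
    print(build_file_query(tag="exploit", file_type="pdf", max_positives=10))
    print(build_file_query(tag="attachment", file_type="docx", min_positives=1, max_positives=10))
    print(build_file_query(min_size_mb=1, min_sources=5, min_positives=10))
    key = os.environ.get("VT_API_KEY")
    obj = lookup_hash(sys.argv[1], key) if key and len(sys.argv) > 1 else SAMPLE_FILE_OBJECT
    print(json.dumps(summarize_file(obj), indent=2))
```

Run it with no arguments to see the three dorks and the summary of the constructed object; with `VT_API_KEY` set and a hash as the first argument it fetches the real file object instead. Keeping the query builder separate from the HTTP calls lets you log the exact dork string alongside each hit, which is what you will want when a hunt has to be reproduced later.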

Let's go on with the graph for another example:

In this search I queried a malicious domain; thanks to VT for displaying all the related files, URLs and records as a graph. You can change the view to a tree like this:

Good byeee……………………
