Recently we introduced a new YARA editor with pop-up suggestions, rule templates and new syntax highlighting; it’s live on both Retrohunt and Livehunt, check it out!
You described the functionality of our own diff tool and YARA generator, which we call VT Diff. You can find a quick demonstration at the end of the training session, as well as the documentation provided here.
8. It would be nice to have an option to remove hits from VT Diff results that are clean code from libraries, just like yarGen. Just an idea to consider 🙂
How can we delete/edit/update Diff results?
Thanks for your request! We will check this out.
9. Does VTDiff have limitations on what file types it can accept? For example, when I try to create a VTDiff session for OneNote extensions, with file type “.one” I get an error. But I don’t get an error when creating a separate search for .exe files.
That depends on the specific error, but I assume you are getting the “Need to give exclusion list for filetype one” error. Please check this manual for a quick fix.
10. How would you adjust the rule “SUSP_NVIDIA_Leak_Compromised_Cert_Mar22_1” if timestomping was involved? Not sure if that can play a role based on the intel.
A compilation timestamp check is a nice way to filter out false positives, but not the only one. If you want to be resilient to timestomping, you might want to use another legitimacy indicator that the attacker does not control: it could be the first submission date to VT (vt.metadata.first_submission_date) or any other signature you find relevant to the original Nvidia software.
Rule to detect files signed with Nvidia leaked certificates
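To show the swap described above in working YARA, here is an added example (not the rule from the training session or the figure): the same leaked-certificate match written twice, once filtered with the PE compile timestamp that a timestomper can rewrite, and once filtered with VirusTotal's own first-submission date. The certificate serial is a placeholder, and the cut-off date (1646092800, i.e. 2022-03-01 00:00:00 UTC) is only illustrative; substitute the serials and dates from your own intel.

```yara
import "pe"
import "vt"

// Added example, not the original rule. The serial below is a PLACEHOLDER;
// replace it with the leaked certificate serial(s) you are tracking, in the
// colon-separated lowercase hex form that pe.signatures[i].serial returns.

rule SUSP_Leaked_Cert_Example_Compile_Timestamp
{
    meta:
        description = "Variant A: false-positive filter based on the PE compile timestamp"
        note        = "pe.timestamp lives inside the file, so timestomping can defeat this filter"
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].serial == "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"  // PLACEHOLDER
        ) and
        // only files that claim to be compiled after the leak became public
        pe.timestamp > 1646092800   // 2022-03-01 00:00:00 UTC, illustrative cut-off
}

rule SUSP_Leaked_Cert_Example_First_Submission
{
    meta:
        description = "Variant B: same certificate match, date taken from VT instead of the file"
        note        = "vt.metadata.first_submission_date is set by VirusTotal and cannot be timestomped"
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].serial == "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"  // PLACEHOLDER
        ) and
        // only files VirusTotal first saw after the leak became public
        vt.metadata.first_submission_date > 1646092800   // same illustrative cut-off
}
```

Variant B is the one to keep in Livehunt/Retrohunt: legitimate Nvidia binaries signed before the leak usually reached VirusTotal long before the cut-off, so they drop out, while a freshly signed sample cannot backdate its first-submission timestamp the way it can backdate the PE header. Both variants still need the serial placeholder filled in before they match anything.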
11. Can we use wildcards/regex while searching with the VT YARA module?
12. Can we expect to have the macho YARA module for Livehunt/Retrohunt rules?
Historically there were a couple of security issues with this module, which prevented it from being included in YARA distributions. They have recently been fixed, and we are now considering the possibility of including it in the Livehunt/Retrohunt services.
13. Are you planning the next episode?
Yes, our open training will be delivered quarterly.
14. When you have samples that have come back from a YARA rule, what is the best way to investigate them and check their relevance? Behavior tab? Content?
That depends on the specific samples. If we are talking about a short script, you can instantly check its relevance in the Content tab. If it’s a compiled executable, it makes sense to check the Behaviour tab first. Checking the Relations tab is also very important to me: you can quickly get lots of valuable info such as known distribution hosts, C2 addresses, dropped files, parent files, etc.
15. Can we do this with the free version? Can this feature be available for independent paid users?
VT Intelligence and VT Hunting are only available starting from the VT Enterprise packages.
16. Is there a library of hunts for certain malware?
VirusTotal maintains a collection of crowdsourced rules provided by third parties; you can find details on the repositories we ingest in our Contributors list. You can also explore all the YARA rules with the recently introduced interface for VT Hunting, with filters for name and author also available.
You can now explore a full list of crowdsourced YARA rules used by VirusTotal
17. Can the “vt” module be used as a file search modifier?
We are working on bringing the same functionality to the VT Hunting and VT Intelligence services; let us know if you miss anything.
18. Are there any threat intelligence operations you would recommend as a good first step towards leveraging automations using VTI API? Intent is to bring more awareness into threats that may impact an organization.
A high-level example being malicious artifacts collected from an email protection platform to help generate content filters within VTI searches. In this particular case, what would be your recommendations for automation aimed at highlighting similar records of interest?
19. Decryption is cool, do you dump it from the mem?
The specific implementation depends on the sandbox. It’s usually based on crypto function hooks.
20. How can I download the YARA modules mentioned in the talk?
21. Is there any way to limit the access to my YARA rules in Livehunt, make them visible to me only, team, org, etc?
Your Livehunt rulesets are by default only visible to you. You can share them with any other VT accounts by specifying their email addresses:
Livehunt ruleset sharing options
22. Can we retrieve YARA job results via API?
Yes, you can leverage VT Hunting capabilities using our API; check out the documentation on Retrohunt and Livehunt. In particular, you can list Livehunt notifications with this endpoint.
23. Which of the features you showed falls under quotas?
You can always check all of your current quotas in your group’s control interface – https://www.virustotal.com/gui/group/*your_org_name*/users.
24. How do you determine the magic number in the condition?
The most popular way to do this is to check the data at a specific offset. For example, uint16(0) == 0x5A4D checks that the first two bytes, read as a little-endian 16-bit integer, equal 0x5A4D, which is the little-endian representation of the byte sequence 4D 5A – the MZ signature of Windows executable files.
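The following rules are an added example (not code from the original post) that works through the byte-order point above: YARA's uintN(offset) readers return little-endian integers, so a constant written from a hexdump has its bytes reversed, while the uintNbe() variants let you write the bytes in on-disk order. The example goes a little beyond the MZ case in the text, covering the ELF magic and the common MZ-plus-PE-header check.

```yara
// Added example, not from the original post. No strings are needed: every
// rule below matches purely on header bytes read as integers.

rule Magic_PE_LittleEndian
{
    condition:
        // bytes on disk: 4D 5A ("MZ"); read as a little-endian uint16 -> 0x5A4D
        uint16(0) == 0x5A4D
}

rule Magic_PE_BigEndian
{
    condition:
        // same check with the big-endian reader: the constant now reads like the hexdump
        uint16be(0) == 0x4D5A
}

rule Magic_ELF
{
    condition:
        // bytes on disk: 7F 45 4C 46 ("\x7fELF"); little-endian uint32 -> 0x464C457F
        uint32(0) == 0x464C457F
}

rule Magic_PE_With_Header_Check
{
    condition:
        // the MZ stub alone also matches DOS programs; confirm a real PE header by
        // following e_lfanew (the uint32 at offset 0x3C) to the bytes 50 45 00 00 ("PE\0\0"),
        // which read as little-endian uint32 0x00004550
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550
}
```

The last rule is the idiom worth adopting in hunting rules: anchoring on the PE header rather than the MZ stub alone keeps the rule from firing on DOS executables and on files that merely begin with the two bytes "MZ". If a rule already imports the pe module, pe.is_pe expresses the same check.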
25. Is there a VT module for Android in YARA rule hunt?
Yes, there is a YARA module for Androguard, which is an Android application reverse engineering tool. We are now considering the possibility of including it in the YARA distribution, so if you have any business need to use it, please reach out to us.
26. Do I need a special subscription to search for a year? I only see an option for 90 days.
Different options of VT subscription
27. When I’m searching for some samples I want to find them only if they are in ZIP/RAR/etc archives. My IOCs are for the files, but it’s the zips I want to uncover.
If you are using VT Intelligence searches, you can leverage the have:compressed_parents search modifier and then pivot to the parent files.
28. Thanks for the first seen tidbit. As far as the LiveHunt result alerts, do they repeat? I’ve set up a few and I think I’m getting alerted on the same samples.
Yes, that’s expected: you are getting alerted on both newly submitted and rescanned samples. To only get files that are new to VirusTotal, feel free to use vt.metadata.new_file in your YARA rules.
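To make the difference concrete, here is an added example (not from the original post) with the same detection logic written twice: the first rule fires every time a matching file is scanned or rescanned, the second adds vt.metadata.new_file so it only fires the first time VirusTotal sees the file. The marker string is a constructed placeholder, not a real indicator.

```yara
import "vt"

// Added example, not from the original post. The string is a constructed
// placeholder; replace it with your own indicator.

rule Example_Alerts_On_Every_Scan
{
    meta:
        description = "Fires on new submissions AND on rescans of files already in VT"
    strings:
        $marker = "EXAMPLE_CONSTRUCTED_MARKER"   // placeholder indicator
    condition:
        $marker
}

rule Example_Alerts_On_New_Files_Only
{
    meta:
        description = "Same logic, but only for files VirusTotal has not seen before"
    strings:
        $marker = "EXAMPLE_CONSTRUCTED_MARKER"   // placeholder indicator
    condition:
        $marker and vt.metadata.new_file
}
```

Use the second form for Livehunt alerting when you care about fresh samples; keep the first form when rescans are the signal you want, for example to notice when a previously clean file starts matching after you update a ruleset.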
29. How can we scale this? Is the point to update “detections” or essentially hunt for the newer functionalities on these samples found through livehunt/retrohunt?
That depends on your specific business needs, but usually keeping your YARA rulesets fresh is one of the main goals of a threat hunter.
If you have any other questions, please feel free to reach out.
Happy hunting!