VirusTotal has released a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform.
File search modifiers can help refine output but the cheat sheet shows how they can be combined in real scenarios to find particular data.
More targeted searches
In a blog post published on Monday, Google security engineer Alexey Firsh provides examples of how the cheat sheet can be used to find files connected to certain entities, business groups, documents, networks and non-Windows malware samples.
Using a specific “entity” search modifier, analysts can search for files based on IP addresses, domains, URLs, or files. The plan should also include VirusTotal Collections in this collection of modifiers.
To help researchers follow a threat actor’s trail, Firsh notes that researchers can combine the malware family or campaign name with the antivirus engines’ verdict on VirusTotal.
This method is well suited to detect advanced attackers and would discover related data in collections curated by various users of the VirusTotal platform.
Search can be refined or mixed with queries based on crowdsourcing rules (YARA, IDS, Sigma).
VirusTotal’s cheat sheet covers examples of real cases where file search modifiers filter out data signed by specific vendors and emails from a certain server that may or may not have an attachment.
Searchers can also use keywords that find files for other operating systems than Windows, such as Android, macOS, and Symbian.
For Android, samples are processed using open-source Androguard tool for looking inside packages, including code strings, entity manifests, and certificate signatures.
A relatively new feature is searching for explicit package names. However, this only works with files indexed from March 2022.
VirusTotal Cheat Sheet (PDF) only has three pages at the moment, but it contains several categories of keyword combinations to find malicious or suspicious files.
It can also be a shortcut to link malware to the operations of known and unknown actors or to uncover new and hidden threats.
VirusTotal plans to update the cheat sheet with new options that would make finding information on the platform easier, faster and more targeted.