Neo23x0/vti-dorks Neo23x0/vti-dorks

  • Stars
    star
    325
  • Rank 129,350 (Top 3 %)
  • Language
  • License
    The Unlicense
  • Created almost 6 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Neo23x0/vti-dorks
github

Neo23x0

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Awesome VirusTotal Intelligence Search Queries

vti-dorks

Awesome VirusTotal Enterprise Search Queries (formerly Virustotal Intelligence or VTI)

Purpose

This repo lists useful Virustotal Enterprise search queries that are useful for threat hunting purposes. Please provide your favorite search queries as pull requests.

Generic

Show uploads named "payload" that have less than 5 antivirus eignes detecting them.

name:payload positives:5-

Show uploads named "exploit" that have less than 5 antivirus eignes detecting them. False positives are PDFs, web pages or documents with exploit descriptions.

name:exploit positives:5-

Show uploads that contain the keyword "obfus" in the filename and exclude android samples. (android samples obstruct view) The keyword "obfus" is often found in obfuscated malware samples.

name:obfus NOT tag:android

Show executable files that identify as Microsoft software but are packed with an unusual packer and have less than 10 positive antivirus matches

metadata:"Microsoft Corporation" AND tag:peexe AND ( packer:rar OR packer:upx OR packer:themida OR packer:asprox ) AND positives:10-

Unknown origin - no description yet

name:myvtfile.exe

Malware hosted on a government URL

itw:".gov" positives:5+

Find PE files submitted to VT, within n-seconds of compilation, that trigger at least 5 detections

subspan:300- positives:5+

You can tune it a bit using: submitter:US - US submitter submitter:web - web submitter submissions:2- - submitted less then 2 times

Mimikatz

Show samples with filenames starting with "mimi" (rare) that have less than 5 antivirus engines with matches.

name:mimi* positives:5-

Show samples with filenames ending with "katz.exe" (rare) that have less than 5 antivirus engines with matches.

name:*katz.exe positives:5-

Show samples with some antivirus engines matches. These are often obfuscated Mimikatz variants.

engines:mimikatz positives:5-

Special Threat Related

Example way to find Shamoon using the resource names:

resource:"PKCS7" and resource:"X509"

Reference: https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/

Location Based

Show samples submitted from Germany with low antivirus coverage that could be successful phishing campaigns.

submitter:DE positives:2+ positives:10- (tag:doc OR tag:docx)

Show samples submitted from Taiwan with low antivirus coverage that could be successful NEW phishing campaigns (only 1 submitter).

submitter:TW positives:1+ positives:20- filename:*.eml submissions:1

Malicious submissions from Qatar are rare and often interesting if you're after threats in the Middle Eastern region.

submitter:QA positives:2+

Show samples submitted from Israel with the keyword "Syria" in the filename that have 2 or more antivirus engines matching.

submitter:IL name:syria positives:2+

macOS

Hunting signed macOS DMGs with minimum detections (often caused by heuristics)

ls:2019-01-16+ type:dmg positives:2+ tag:signed

ELF

Hunting for ELF binaries belonging to the MIRAI family

tag:elf AND p:2+ AND engines:Mirai

Hunting for ELF binaries excluding MIRAI and DDOS malware

tag:elf AND p:5+ NOT engines:Mirai NOT engines:DDOS

Sandbox result searches

VTi has several Sandboxes that will scan the behavior of the submitted files; searching for categories combined with tags can be useful.

Search for ransomware using the Lastline sandbox:

lastline:RANSOM

Searching for stealers in the pe format on C2AE sandbox. (STEALER/MALWARE/TROJAN are some keywords used by this sandbox)

c2ae:STEALER and tag:peexe

Content Searches (New Feature)

Content searches cannot be combined with other conditions.

Search for well-known mimikatz keyword in any type of sample.

content:"sekurlsa::logonpasswords"

Detects phishing documents that ask the user to activate macros

content:"click enable editing"
content:"click enable content"

Detects exploit codes

content:"] Shellcode"

Sample Similarities and Pivoting

Content searches for malware similarities.

VT Feature Hash is an internal hash used by Virustotal.

similar-to:<hashofthefile>

Code Blocks is used to look for samples that contain the same pieces of code.

code-similar-to:<hashofthefile>

ImpHash is a well-known hash calculated with the Import Address Table to identify samples using the same imported functions.

imphash:<IATHash>

PE Rich Hash is a hash calculated from Rich Header.

rich_pe_header_hash:<Richhash>

TLSH is used to generate hash values which can then be analyzed for similarities.

tlsh:<tlshash>

SSDEEP is a fuzzing algorithm that can be used for the same purpose.

ssdeep:<ssdeep_hash>

The other functions are used to identify similarity based on behavior identified with sandbox analysis.

behash:<hashofthefile>

Files with a visually similar icon or thumbnail.

main_icon_dhash:<icon_hash>

.NET files that were built in one project have the same GUID value

netguid:<GUID>

Permhash is used to hash the declared permissions applied to Chromium-based browser extensions and APKs

permhash:<permhash>

More Repositories

1

Loki

Loki - Simple IOC and YARA Scanner
Python
3,321
star
2

signature-base

YARA signature and IOC database for my scanners and tools
YARA
2,426
star
3

yarGen

yarGen is a generator for YARA rules
Python
1,518
star
4

auditd

Best Practice Auditd Configuration
1,448
star
5

Raccine

A Simple Ransomware Vaccine
C++
945
star
6

munin

Online hash checker for Virustotal and other services
Python
809
star
7

log4shell-detector

Detector for Log4Shell exploitation attempts
Python
729
star
8

Fenrir

Simple Bash IOC Scanner
Shell
680
star
9

yarAnalyzer

Yara Rule Analyzer and Statistics
Python
356
star
10

Fnord

Pattern Extractor for Obfuscated Code
Shell
295
star
11

BlueLedger

A list of my personal projects
166
star
12

DLLRunner

Smart DLL execution for malware analysis in sandbox systems
Python
141
star
13

god-mode-rules

God Mode Detection Rules
YARA
129
star
14

YARA-Performance-Guidelines

A guide on how to write fast and memory friendly YARA rules
122
star
15

evt2sigma

Log Entry to Sigma Rule Converter
Python
104
star
16

yaraQA

YARA rule analyzer to improve rule quality and performance
Python
93
star
17

Cyber-Search-Shortcuts

Browser Shortcuts for Cyber Security Related Online Services
78
star
18

exotron

Sandbox feature upgrade with the help of wrapped samples
Python
75
star
19

Loki2

LOKI2 - Simple IOC and YARA Scanner
Rust
73
star
20

ImpHash-Generator

PE Import Hash Generator
Python
72
star
21

Rewind

Immediate Virus Infection Counter Measures
C#
62
star
22

radiocarbon

Leak File Analyzer
Python
62
star
23

tiny-shells

All kinds of tiny shells
59
star
24

panopticon

A YARA Rule Performance Measurement Tool
YARA
58
star
25

LOLSecIssues

Cybersecurity's lighter side: a collection of the most amusing misunderstandings and missteps from newcomers to offensive security tools. A repository where naivetΓ© in infosec is met with humor.
57
star
26

ti-falsepositives

A collection of typical false positive indicators
Python
54
star
27

webshell-intel

Scan web server for known webshell names and responses
50
star
28

xorex

XOR Key Extractor
Python
48
star
29

Talks

Slides of my public talks
46
star
30

cyber-chef-recipes

Recipes for GCHQ's CyberChef Web App
35
star
31

sysmon-version-history

An Inofficial Sysmon Version History (Change Log)
32
star
32

littlesnitch-log-exporter

LittleSnitch Log Statistics Exporter
Python
32
star
33

YARA-Style-Guide

A specification and style guide for YARA rules
32
star
34

SkeletonKeyScanner

Scanner for the SkeletonKey Malware
Python
30
star
35

ThreatResearch-Reporting-Guide

Offensive Research Guide to Help Defense Improve Detection
29
star
36

prisma

Command Line STDOUT Colorer
Python
29
star
37

ReginScanner

Scanner for Regin Virtual Filesystems
Python
26
star
38

space-id

Invisible Watermarks with Space Characters in ASCII Files
Python
22
star
39

neolog

Windows Syslog Command Line Client
15
star
40

narsil

Spy Agency Teasing
Python
14
star
41

yara-uuid-generator

A tool that adds reproducible UUIDs to YARA rules
Python
13
star
42

WPWatcher

Wordpress Watcher is a wrapper for WPScan that manages scans on multiple sites and reports by email
Python
11
star
43

defensive-project-ideas

Ideas for projects for defensive research or blue teaming
10
star
44

agile-hacking

Collection of hacks that make use of the least available on victim systems
Visual Basic
8
star
45

CredsSpreader

A tool to spread canary credentials in your organisation
8
star
46

language-thor

Syntax Theme for THOR APT Scanner log files
5
star
47

yara-type-selectors

YARA rules to certain types of files without using YARA modules to avoid the performance impact
YARA
5
star
48

PassTweaker

Tweaks password files to match modern password requirements
Python
5
star
49

speedy

(Demo) - Only used to demonstrate a memory leak caused by Golang regexp
Go
4
star
50

loki-cloud

A flexible and lightweight way to execute LOKI on end systems
3
star
51

imphash-go

Imphash Generator
1
star