https://github.com/Neo23x0/vti-dorks

Awesome VirusTotal Intelligence Search Queries
https://github.com/Neo23x0/vti-dorks

Last synced: about 1 month ago
JSON representation

Awesome VirusTotal Intelligence Search Queries

• Host: GitHub
• URL: https://github.com/Neo23x0/vti-dorks
• Owner: Neo23x0
• License: unlicense
• Created: 2018-12-31T13:01:08.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2023-05-16T07:49:17.000Z (over 1 year ago)
• Last Synced: 2024-05-02T18:54:23.572Z (5 months ago)
• Size: 42 KB
• Stars: 320
• Watchers: 27
• Forks: 50
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - Neo23x0/vti-dorks - Awesome VirusTotal Intelligence Search Queries (Others)

README

        
# vti-dorks

Awesome VirusTotal Enterprise Search Queries (formerly Virustotal Intelligence or VTI) 

## Purpose

This repo lists useful Virustotal Enterprise search queries that are useful for threat hunting purposes. Please provide your favorite search queries as pull requests. 

## Generic

Show uploads named "payload" that have less than 5 antivirus eignes detecting them.

```

name:payload positives:5-

```

Show uploads named "exploit" that have less than 5 antivirus eignes detecting them. False positives are PDFs, web pages or documents with exploit descriptions.

```

name:exploit positives:5-

```

Show uploads that contain the keyword "obfus" in the filename and exclude android samples. (android samples obstruct view) The keyword "obfus" is often found in obfuscated malware samples. 

```

name:obfus NOT tag:android

```

Show executable files that identify as Microsoft software but are packed with an unusual packer and have less than 10 positive antivirus matches

```

metadata:"Microsoft Corporation" AND tag:peexe AND ( packer:rar OR packer:upx OR packer:themida OR packer:asprox ) AND positives:10-

```

Unknown origin - no description yet 

```

name:myvtfile.exe

```

Malware hosted on a government URL

```

itw:".gov" positives:5+

```

Find PE files submitted to VT, within n-seconds of compilation, that trigger at least 5 detections

```

subspan:300- positives:5+

```

You can tune it a bit using:

`submitter:US` - US submitter

`submitter:web` - web submitter

`submissions:2-` - submitted less then 2 times

## Mimikatz

Show samples with filenames starting with "mimi" (rare) that have less than 5 antivirus engines with matches. 

```

name:mimi* positives:5-

```

Show samples with filenames ending with "katz.exe" (rare) that have less than 5 antivirus engines with matches. 

```

name:*katz.exe positives:5-

```

Show samples with some antivirus engines matches. These are often obfuscated Mimikatz variants.

```

engines:mimikatz positives:5-

```

## Special Threat Related

Example way to find Shamoon using the resource names:

```

resource:"PKCS7" and resource:"X509"

```

Reference: https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/

## Location Based

Show samples submitted from Germany with low antivirus coverage that could be successful phishing campaigns.  

```

submitter:DE positives:2+ positives:10- (tag:doc OR tag:docx)

```

Show samples submitted from Taiwan with low antivirus coverage that could be successful NEW phishing campaigns (only 1 submitter).  

```

submitter:TW positives:1+ positives:20- filename:*.eml submissions:1

```

Malicious submissions from Qatar are rare and often interesting if you're after threats in the Middle Eastern region. 

```

submitter:QA positives:2+

```

Show samples submitted from Israel with the keyword "Syria" in the filename that have 2 or more antivirus engines matching. 

```

submitter:IL name:syria positives:2+

```

## macOS

Hunting signed macOS DMGs with minimum detections (often caused by heuristics) 

```

ls:2019-01-16+ type:dmg positives:2+ tag:signed

```

## ELF

Hunting for ELF binaries belonging to the MIRAI family

```

tag:elf AND p:2+ AND engines:Mirai

```

Hunting for ELF binaries excluding MIRAI and DDOS malware

```

tag:elf AND p:5+ NOT engines:Mirai NOT engines:DDOS

```

## Sandbox result searches

VTi has several Sandboxes that will scan the behavior of the submitted files; searching for categories combined with tags can be useful.

Search for ransomware using the Lastline sandbox:

```

lastline:RANSOM 

```

Searching for stealers in the pe format on C2AE sandbox. (STEALER/MALWARE/TROJAN are some keywords used by this sandbox)

```

c2ae:STEALER and tag:peexe

```

## Content Searches (New Feature)

Content searches cannot be combined with other conditions. 

Search for well-known mimikatz keyword in any type of sample. 

```

content:"sekurlsa::logonpasswords"

```

Detects phishing documents that ask the user to activate macros

```

content:"click enable editing"

content:"click enable content"

```

Detects exploit codes 

```

content:"] Shellcode"

```

## Sample Similarities and Pivoting

Content searches for malware similarities.

VT Feature Hash is an internal hash used by Virustotal.

```

similar-to:

```

Code Blocks is used to look for samples that contain the same pieces of code.

```

code-similar-to:

```

ImpHash is a well-known hash calculated with the Import Address Table to identify samples using the same imported functions.

```

imphash:

```

PE Rich Hash is a hash calculated from Rich Header.

```

rich_pe_header_hash:

```

TLSH is used to generate hash values which can then be analyzed for similarities.

```

tlsh:

```

SSDEEP is a fuzzing algorithm that can be used for the same purpose. 

```

ssdeep:

```

The other functions are used to identify similarity based on behavior identified with sandbox analysis. 

```

behash:

```

Files with a visually similar icon or thumbnail.

```

main_icon_dhash:

```

.NET files that were built in one project have the same GUID value

```

netguid:

```

Permhash is used to hash the declared permissions applied to Chromium-based browser extensions and APKs

```

permhash:

```